Looks like certmaster-request and certmaster-ca are working with the new --ca flag.
[certmaster.git] / scripts / certmaster-ca
1 #!/usr/bin/python -tt
2 # sign/list keys
3 # --ca ca sign/list certs for the 'ca'
4 # --sign hostname hostname hostname
5 # --list # lists all csrs needing to be signed
6 # --list-all ca list all certs for a given ca
7 # --clean? not sure what it will do
8
9 import sys
10 import glob
11 import optparse
12 import os
13
14 import certmaster
15 import certmaster.certs
16 import certmaster.certmaster
17
18
19
20
def errorprint(stuff):
    """Write *stuff* to stderr on its own line, keeping stdout for results."""
    sys.stderr.write('%s\n' % (stuff,))
23
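class CertmasterCAOptionParser(optparse.OptionParser):
    """OptionParser whose ``--version`` output is read from /etc/func/version."""

    def get_version(self):
        """Return the version file's contents with surrounding whitespace stripped.

        Raises IOError (OSError on Python 3) if the file cannot be read.
        """
        # `with` closes the handle even when read() fails; the original
        # `file()` call left the descriptor to the garbage collector.
        with open("/etc/func/version") as fh:
            return fh.read().strip()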
27
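def parseargs(args):
    """Parse the certmaster-ca command line.

    args: the argument list to parse (normally ``sys.argv[1:]``).
    Returns ``(opts, remaining)`` where ``remaining`` holds the positional
    arguments (hostnames or shell-style host globs, depending on the action).
    Prints the usage text and exits with status 1 when no action option
    (--list, --sign, --clean, --list-signed, --list-cert-hash) was given.
    """
    usage = 'certmaster-ca <option> [args]'
    parser = CertmasterCAOptionParser(usage=usage, version=True)

    parser.add_option("", '--ca', default='', action="store", dest="ca", metavar="CA",
                      help="certificate authority used to sign/list certs")
    parser.add_option('-l', '--list', default=False, action="store_true",
                      help='list signing requests remaining')
    parser.add_option('-s', '--sign', default=False, action="store_true",
                      help='sign requests of hosts specified')
    parser.add_option('-c', '--clean', default=False, action="store_true",
                      help="clean out all certs or csrs for the hosts specified")
    parser.add_option("", "--list-signed", default=False, action="store_true",
                      help='list all signed certs')
    parser.add_option("", "--list-cert-hash", default=False, action="store_true",
                      help="list the cert hash for signed certs")

    # Parse the list we were handed instead of silently falling back to
    # sys.argv: the `args` parameter was previously ignored.
    (opts, args) = parser.parse_args(args)

    actions = (opts.list, opts.sign, opts.clean, opts.list_signed, opts.list_cert_hash)
    if not any(actions):
        parser.print_help()
        sys.exit(1)

    return (opts, args)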
55
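def main(args):
    """Run the action selected on the command line and return the exit status.

    args: command-line arguments, normally ``sys.argv[1:]``.
    Returns 0 on success and 1 on a usage error, a missing CSR, or an
    unknown --ca value. Exceptions raised by the CertMaster backend
    propagate unchanged.
    """
    # Every action touches the CA's private material, so refuse early.
    if os.geteuid() != 0:
        errorprint('Must be root to run certmaster-ca')
        return 1

    cm = certmaster.certmaster.CertMaster()

    (opts, args) = parseargs(args)

    if opts.list:
        hns = cm.get_csrs_waiting(ca=opts.ca)
        if hns:
            for hn in sorted(hns):
                print(hn)
        else:
            print('No certificates to sign')
        return 0

    if opts.sign:
        if not args:
            errorprint('Need hostnames to sign')
            return 1

        try:
            csrroot = cm.cfg.cas[opts.ca]['csrroot']
        except KeyError:
            # presumably cas is a mapping keyed by CA name -- a bad --ca
            # value used to surface as a traceback; fail cleanly instead.
            errorprint("Unknown CA or missing 'csrroot' for --ca %r" % (opts.ca,))
            return 1

        for hn in args:
            # hn is expanded as a shell glob, so an argument such as '*'
            # matches -- and therefore signs -- every pending CSR in csrroot.
            csrglob = '%s/%s.csr' % (csrroot, hn)
            csrs = glob.glob(csrglob)
            if not csrs:
                errorprint('No match for %s to sign' % hn)
                return 1

            for fn in csrs:
                certfile = cm.sign_this_csr(fn, ca=opts.ca)
                print('%s signed - cert located at %s' % (fn, certfile))
        return 0

    if opts.clean:
        if not args:
            errorprint('Need hostname(s) to clean up')
            return 1

        for hn in args:
            cm.remove_this_cert(hn, ca=opts.ca)
        return 0

    if opts.list_signed:
        # Default to every host when no globs were given. The globs used to
        # be computed but the raw args list was passed, so a bare
        # --list-signed queried with [] instead of ["*"].
        hostglobs = args or ["*"]
        signed_certs = cm.get_signed_certs(hostglobs, ca=opts.ca)
        for i in sorted(signed_certs):
            print(i)
        return 0

    if opts.list_cert_hash:
        hostglobs = args or ["*"]
        cert_hashes = cm.get_cert_hashes(hostglobs, ca=opts.ca)
        for i in sorted(cert_hashes):
            print(i)
        return 0

    # parseargs() exits when no action was chosen, so this is not reached;
    # an explicit status keeps sys.exit(main(...)) well defined regardless.
    return 0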
126
if __name__ == "__main__":
    # Hand the argv tail to main() and turn its return value into the exit code.
    raise SystemExit(main(sys.argv[1:]))