1 #!/usr/bin/python -tt
2 # sign/list keys
3 # --sign hostname hostname hostname
4 # --list # lists all csrs needing to be signed
5 # --list-all ?
6 # --clean? not sure what it will do
7
8 import sys
9 import glob
10 import optparse
11 import os
12
13 import certmaster
14 import certmaster.certs
15 import certmaster.certmaster
def errorprint(stuff):
    """Write *stuff* to stderr on a line of its own.

    This is the CLI's error channel; stdout is reserved for the listing
    output so it stays pipeable.
    """
    sys.stderr.write("%s\n" % (stuff,))
22
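class CertmasterCAOptionParser(optparse.OptionParser):
    """OptionParser whose ``--version`` text is read from the installed version file."""

    def get_version(self):
        """Return the contents of /etc/func/version with surrounding whitespace stripped.

        Raises:
            IOError/OSError: if the version file cannot be opened.
        """
        # NOTE(review): this reads the *func* version file rather than a
        # certmaster-specific one -- confirm this is the intended path.
        # ``with`` closes the handle on every path (the old ``file(...).read()``
        # relied on refcounting, and the ``file`` builtin is Python 2 only).
        with open("/etc/func/version") as fh:
            return fh.read().strip()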
26
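def parseargs(args):
    """Parse the certmaster-ca command line.

    Args:
        args: argument list to parse (normally ``sys.argv[1:]``).

    Returns:
        ``(opts, args)``: the optparse values object and the remaining
        positional arguments (hostnames or host globs).

    Exits with status 1 after printing help when no action flag is given.
    """
    usage = 'certmaster-ca <option> [args]'
    parser = CertmasterCAOptionParser(usage=usage, version=True)

    parser.add_option('-l', '--list', default=False, action="store_true",
                      help='list signing requests remaining')
    parser.add_option('-s', '--sign', default=False, action="store_true",
                      help='sign requests of hosts specified')
    parser.add_option('-c', '--clean', default=False, action="store_true",
                      help="clean out all certs or csrs for the hosts specified")
    parser.add_option("", "--list-signed", default=False, action="store_true",
                      help='list all signed certs')
    parser.add_option("", "--list-cert-hash", default=False, action="store_true",
                      help="list the cert hash for signed certs")

    # Parse the list we were handed instead of silently re-reading sys.argv,
    # so the caller controls what is parsed. main() passes sys.argv[1:], so
    # the observable behaviour of the command is unchanged.
    (opts, args) = parser.parse_args(args)

    actions = (opts.list, opts.sign, opts.clean,
               opts.list_signed, opts.list_cert_hash)
    if not any(actions):
        parser.print_help()
        sys.exit(1)

    return (opts, args)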
52
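def _list_waiting(cm):
    """Print the hostnames whose CSRs are waiting to be signed, one per line."""
    hns = cm.get_csrs_waiting()
    if not hns:
        print('No certificates to sign')
        return 0
    for hn in sorted(hns):
        print(hn)
    return 0


def _sign_hosts(cm, hosts):
    """Sign every CSR matching each name in *hosts*.

    Returns 1 as soon as a name matches no CSR (hosts earlier in the list
    have already been signed by then), otherwise 0.
    """
    for hn in hosts:
        # The name is used as a glob under the configured CSR directory.
        csrglob = '%s/%s.csr' % (cm.cfg.csrroot, hn)
        csrs = glob.glob(csrglob)
        if not csrs:
            errorprint('No match for %s to sign' % hn)
            return 1
        for fn in csrs:
            certfile = cm.sign_this_csr(fn)
            print('%s signed - cert located at %s' % (fn, certfile))
    return 0


def _clean_hosts(cm, hosts):
    """Remove the cert/CSR material for each name in *hosts*."""
    for hn in hosts:
        cm.remove_this_cert(hn)
    return 0


def _print_sorted(items):
    """Print *items* in sorted order, one per line."""
    for item in sorted(items):
        print(item)
    return 0


def main(args):
    """Entry point for certmaster-ca.

    Args:
        args: command-line arguments without the program name.

    Returns:
        Process exit status: 0 on success, 1 on a usage or lookup error.
    """
    if os.geteuid() != 0:
        errorprint('Must be root to run certmaster-ca')
        return 1

    cm = certmaster.certmaster.CertMaster()

    (opts, args) = parseargs(args)

    # Only the first action flag set is honoured, in this order.
    if opts.list:
        return _list_waiting(cm)

    if opts.sign:
        if not args:
            errorprint('Need hostnames to sign')
            return 1
        return _sign_hosts(cm, args)

    if opts.clean:
        if not args:
            errorprint('Need hostname(s) to clean up')
            return 1
        return _clean_hosts(cm, args)

    # Both listing commands default to every host when no globs are given.
    hostglobs = args or ["*"]

    if opts.list_signed:
        # Fix: the previous code built hostglobs but then passed ``args`` (an
        # empty list when no hosts are named), so the "*" default was never
        # used; pass the defaulted globs as --list-cert-hash already does.
        return _print_sorted(cm.get_signed_certs(hostglobs))

    if opts.list_cert_hash:
        return _print_sorted(cm.get_cert_hashes(hostglobs))

    # Unreachable in practice: parseargs() exits when no action is given.
    return 0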
123
if __name__ == "__main__":
    # Script entry: run with the arguments after the program name and
    # surface main()'s status code as the process exit status.
    exit_status = main(sys.argv[1:])
    sys.exit(exit_status)