import traceback
import os
import os.path
+import warnings
+import xmlrpclib
from OpenSSL import crypto
try:
@staticmethod
def new(algo):
if algo == 'sha1':
+ # TODO: jude: was warnings even available in 2.4 ?
+ warnings.warn("sha1 is deprecated", DeprecationWarning)
return sha.new()
raise ValueError, "Bad checksum type"
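Review bot: The added `warnings.warn("sha1 is deprecated", DeprecationWarning)` is invisible to callers under the default warning filters, since DeprecationWarning has been ignored by default from Python 2.7 on, so the deprecation only shows when the process runs with `-W` or adjusts the filters itself. If the intent is for callers to actually see it, `warnings.warn("sha1 is deprecated", UserWarning)` or a logger call would surface it unconditionally. The TODO on the line above can be resolved: the `warnings` module has been in the standard library since Python 2.1. The class enclosing this `new` staticmethod lies outside the hunk.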
if not os.path.exists(s_cadir):
os.makedirs(s_cadir)
if not os.path.exists(s_ca_key_file) and not os.path.exists(s_ca_cert_file):
- certs.create_ca(CN=mycn, ca_key_file=s_ca_key_file, ca_cert_file=s_ca_cert_file)
+ certs.create_ca(CN=mycn, ca_key_file=s_ca_key_file, ca_cert_file=s_ca_cert_file, hash_function=a_ca.hash_function)
except (IOError, OSError), e:
print 'Cannot make certmaster certificate authority keys/certs for CA %s, aborting: %s' % (s_caname, e)
sys.exit(1)
def wait_for_cert(self, csrbuf, ca_name, with_triggers=True):
"""
takes csr as a string
- returns True, caller_cert, ca_cert
- returns False, '', ''
+ returns True, caller_cert, ca_cert, warning
+ returns False, '', '', ''
"""
try:
certauth = self.cfg.ca[ca_name]
except:
+ self.logger.info("Unknown cert authority: %s " % (ca_name))
raise codes.CMException("Unknown cert authority: %s" % ca_name)
try:
csrreq = crypto.load_certificate_request(crypto.FILETYPE_PEM, csrbuf)
except crypto.Error, e:
+ self.logger.info("crypto error: %s " % (e))
#XXX need to raise a fault here and document it - but false is just as good
- return False, '', ''
+ return False, '', '', ''
+
+ ret_warning = ''
+ if certauth.hash_function == "md5":
+ ca_suffix = ''
+ if ca_name != '':
+ ca_suffix = ': ' + ca_name
+ fault = "md5 hash function is unsupported%s" % ca_suffix
+ self.logger.error(fault)
+ raise xmlrpclib.Fault(1001,fault)
+ elif certauth.hash_function == "sha1":
+ ret_warning = "Deprecated hash function of sha1: %s\n" % ca_name
requesting_host = self._sanitize_cn(csrreq.get_subject().CN)
if os.path.exists(csrfile):
oldfo = open(csrfile)
oldcsrbuf = oldfo.read()
- oldsha = hashlib.new('sha1')
+ oldsha = hashlib.new(certauth.hash_function)
oldsha.update(oldcsrbuf)
olddig = oldsha.hexdigest()
- newsha = hashlib.new('sha1')
+ newsha = hashlib.new(certauth.hash_function)
newsha.update(csrbuf)
newdig = newsha.hexdigest()
if not newdig == olddig:
self.logger.info("A cert for %s already exists and does not match the requesting cert" % (requesting_host))
# XXX raise a proper fault
- return False, '', ''
+ return False, '', '', ret_warning
# look for a cert:
cacert_buf = crypto.dump_certificate(crypto.FILETYPE_PEM, certauth.cacert)
if with_triggers:
self._run_triggers(requesting_host,'/var/lib/certmaster/triggers/request/post/*')
- return True, cert_buf, cacert_buf
+ return True, cert_buf, cacert_buf, ret_warning
# if we don't have a cert then:
# if we're autosign then sign it, write out the cert and return True, etc, etc
self.logger.info("cert for %s for ca %s was autosigned" % (requesting_host,ca_name))
if with_triggers:
self._run_triggers(None,'/var/lib/certmaster/triggers/request/post/*')
- return True, cert_buf, cacert_buf
+ return True, cert_buf, cacert_buf, ret_warning
else:
# write the csr out to a file to be dealt with by the admin
self.logger.info("cert for %s for CA %s created and ready to be signed" % (requesting_host, ca_name))
if with_triggers:
self._run_triggers(None,'/var/lib/certmaster/triggers/request/post/*')
- return False, '', ''
+ return False, '', '', ret_warning
- return False, '', ''
+ return False, '', '', ret_warning
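Review bot: The two `hashlib.new(certauth.hash_function)` calls in the existing-CSR comparison raise an uncaught ValueError for any configured name hashlib does not know, so a mistyped `hash_function` in a CA config surfaces as a generic server error instead of the explicit `xmlrpclib.Fault` the new md5 branch raises. Validating the name once next to the md5/sha1 checks keeps the failure path consistent; a sketch is below, reusing the `ca_suffix` computed for the md5 message. The docstring's new failure line reads `returns False, '', '', ''` while the failure returns after the hash check actually carry `ret_warning`; `returns False, '', '', warning` matches the code. Since both CSR buffers are already in memory, `if oldcsrbuf != csrbuf:` would also decide the mismatch without depending on the hash name at all. The cert-lookup and autosign parts of this function are cut by the hunk, so the return sites there were not checked.
```python
ret_warning = ''
ca_suffix = ''
if ca_name != '':
    ca_suffix = ': ' + ca_name
try:
    hashlib.new(certauth.hash_function)
except ValueError:
    fault = "unsupported hash function %s%s" % (certauth.hash_function, ca_suffix)
    self.logger.error(fault)
    raise xmlrpclib.Fault(1001, fault)
# … unchanged: md5 fault and sha1 deprecation branches (ca_suffix now defined above) …
```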
def get_csrs_waiting(self, certauth):
hosts = []
certfile = '%s/%s.cert' % (certauth.certroot, requesting_host)
self.logger.info("Signing for csr %s requested" % certfile)
- thiscert = certs.create_slave_certificate(csrreq, certauth.cakey, certauth.cacert, certauth.cadir)
+ thiscert = certs.create_slave_certificate(csrreq, certauth.cakey, certauth.cacert, certauth.cadir, hash_function=certauth.hash_function)
destfo = open(certfile, 'w')
destfo.write(crypto.dump_certificate(crypto.FILETYPE_PEM, thiscert))