| |
@@ -21,13 +21,12 @@
|
| |
#
|
| |
# Written by Matt Prahl <mprahl@redhat.com> except for the test functions
|
| |
|
| |
+ import random
|
| |
from flask_script import Manager
|
| |
from functools import wraps
|
| |
import flask_migrate
|
| |
import logging
|
| |
import os
|
| |
- import ssl
|
| |
- from shutil import rmtree
|
| |
import getpass
|
| |
|
| |
from module_build_service import app, conf, db, create_app
|
| |
@@ -86,13 +85,8 @@
|
| |
if not os.path.exists(value):
|
| |
raise OSError("%s: %s file not found." % (attribute, value))
|
| |
|
| |
- # Then, establish the ssl context and return it
|
| |
- ssl_ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
|
| |
- ssl_ctx.load_cert_chain(conf.ssl_certificate_file,
|
| |
- conf.ssl_certificate_key_file)
|
| |
- ssl_ctx.verify_mode = ssl.CERT_OPTIONAL
|
| |
- ssl_ctx.load_verify_locations(cafile=conf.ssl_ca_certificate_file)
|
| |
- return ssl_ctx
|
| |
+ return (os.path.abspath(conf.ssl_certificate_file),
|
| |
+ os.path.abspath(conf.ssl_certificate_key_file))
|
| |
|
| |
|
| |
@console_script_help
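Review bot: Replacing the `ssl.SSLContext` with the `(cert, key)` path tuple at the new `return` silently drops client-certificate verification: the removed code loaded `conf.ssl_ca_certificate_file` and set `CERT_OPTIONAL`, so any client certificate presented was validated against that CA, whereas the tuple carries no CA at all and the consumer can no longer authenticate clients by certificate unless it does so elsewhere. The explicit `PROTOCOL_TLSv1_2` floor is gone as well, so whatever consumes the tuple now decides the minimum protocol version. If client-cert auth is still wanted, keep returning a context but build it as `ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=conf.ssl_ca_certificate_file)` followed by `load_cert_chain`; otherwise document on the function that the return value is only the server cert/key pair and that `ssl_ca_certificate_file` is no longer honoured here. The enclosing function starts before this hunk, so I cannot see whether the CA file is still covered by the `os.path.exists` check above.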
|
| |
@@ -153,108 +147,10 @@
|
| |
module_build_service.scheduler.main([], stop)
|
| |
|
| |
|
| |
- @manager.command
|
| |
- def gendevfedmsgcert(pki_dir='/etc/module_build_service', force=False):
|
| |
- """ Creates a CA, a certificate signed by that CA, and generates a CRL.
|
| |
- """
|
| |
- from OpenSSL import crypto
|
| |
-
|
| |
- if os.path.exists(pki_dir):
|
| |
- if force:
|
| |
- rmtree(pki_dir)
|
| |
- else:
|
| |
- print('The directory "{}" already exists'.format(pki_dir))
|
| |
- return
|
| |
-
|
| |
- os.mkdir(pki_dir)
|
| |
-
|
| |
- ca_crt_path = os.path.join(pki_dir, 'ca.crt')
|
| |
- ca_key_path = os.path.join(pki_dir, 'ca.key')
|
| |
- msg_key_path = os.path.join(pki_dir, 'localhost.key')
|
| |
- msg_crt_path = os.path.join(pki_dir, 'localhost.crt')
|
| |
- ca_crl = os.path.join(pki_dir, 'ca.crl')
|
| |
-
|
| |
- # Create a key pair for the CA
|
| |
- ca_key = crypto.PKey()
|
| |
- ca_key.generate_key(crypto.TYPE_RSA, 2048)
|
| |
-
|
| |
- with open(ca_key_path, 'w') as ca_key_file:
|
| |
- ca_key_file.write(
|
| |
- crypto.dump_privatekey(crypto.FILETYPE_PEM, ca_key))
|
| |
-
|
| |
- # Create a self-signed CA cert
|
| |
- ca_cert = crypto.X509()
|
| |
- ca_subject = ca_cert.get_subject()
|
| |
- ca_subject.C = 'US'
|
| |
- ca_subject.ST = 'MA'
|
| |
- ca_subject.L = 'Boston'
|
| |
- ca_subject.O = 'Development'
|
| |
- ca_subject.CN = 'Dev-CA'
|
| |
- ca_cert.set_serial_number(1)
|
| |
- ca_cert.gmtime_adj_notBefore(0)
|
| |
- ca_cert.gmtime_adj_notAfter(315360000) # 10 years
|
| |
- ca_cert.set_issuer(ca_cert.get_subject())
|
| |
- ca_cert.set_pubkey(ca_key)
|
| |
- ca_cert.add_extensions([
|
| |
- crypto.X509Extension('basicConstraints', True, 'CA:true')])
|
| |
- ca_cert.sign(ca_key, 'sha256')
|
| |
-
|
| |
- with open(ca_crt_path, 'w') as ca_crt_file:
|
| |
- ca_crt_file.write(
|
| |
- crypto.dump_certificate(crypto.FILETYPE_PEM, ca_cert))
|
| |
-
|
| |
- # Create a key pair for the message signing cert
|
| |
- msg_key = crypto.PKey()
|
| |
- msg_key.generate_key(crypto.TYPE_RSA, 2048)
|
| |
-
|
| |
- with open(msg_key_path, 'w') as msg_key_file:
|
| |
- msg_key_file.write(
|
| |
- crypto.dump_privatekey(crypto.FILETYPE_PEM, msg_key))
|
| |
-
|
| |
- # Create a cert signed by the CA
|
| |
- msg_cert = crypto.X509()
|
| |
- msg_cert_subject = msg_cert.get_subject()
|
| |
- msg_cert_subject.C = 'US'
|
| |
- msg_cert_subject.ST = 'MA'
|
| |
- msg_cert_subject.L = 'Boston'
|
| |
- msg_cert_subject.O = 'Development'
|
| |
- msg_cert_subject.CN = 'localhost'
|
| |
- msg_cert.set_serial_number(2)
|
| |
- msg_cert.gmtime_adj_notBefore(0)
|
| |
- msg_cert.gmtime_adj_notAfter(315360000) # 10 years
|
| |
- msg_cert.set_issuer(ca_cert.get_subject())
|
| |
- msg_cert.set_pubkey(msg_key)
|
| |
- cert_extensions = [
|
| |
- crypto.X509Extension(
|
| |
- 'keyUsage', True,
|
| |
- 'digitalSignature, keyEncipherment, nonRepudiation'),
|
| |
- crypto.X509Extension('extendedKeyUsage', True, 'serverAuth'),
|
| |
- crypto.X509Extension('basicConstraints', True, 'CA:false'),
|
| |
- crypto.X509Extension('crlDistributionPoints', False,
|
| |
- 'URI:http://localhost/crl/ca.crl'),
|
| |
- crypto.X509Extension('authorityInfoAccess', False,
|
| |
- 'caIssuers;URI:http://localhost/crl/ca.crt'),
|
| |
- crypto.X509Extension('subjectKeyIdentifier', False, 'hash',
|
| |
- subject=ca_cert)
|
| |
- ]
|
| |
- msg_cert.add_extensions(cert_extensions)
|
| |
- msg_cert.sign(ca_key, 'sha256')
|
| |
-
|
| |
- with open(msg_crt_path, 'w') as msg_crt_file:
|
| |
- msg_crt_file.write(
|
| |
- crypto.dump_certificate(crypto.FILETYPE_PEM, msg_cert))
|
| |
-
|
| |
- # Generate the CRL
|
| |
- with open(ca_crl, 'w') as ca_crl_file:
|
| |
- ca_crl_file.write(
|
| |
- crypto.CRL().export(ca_cert, ca_key, type=crypto.FILETYPE_PEM,
|
| |
- days=3650, digest='sha256'))
|
| |
-
|
| |
-
|
| |
@console_script_help
|
| |
@manager.command
|
| |
def generatelocalhostcert():
|
| |
- """ Creates a public/private key pair for message signing and the frontend
|
| |
+ """ Creates a public/private key pair for the frontend
|
| |
"""
|
| |
from OpenSSL import crypto
|
| |
cert_key = crypto.PKey()
|
| |
@@ -272,7 +168,7 @@
|
| |
msg_cert_subject.L = 'Boston'
|
| |
msg_cert_subject.O = 'Development'
|
| |
msg_cert_subject.CN = 'localhost'
|
| |
- cert.set_serial_number(2)
|
| |
+ cert.set_serial_number(random.randint(2, 99999999))
|
| |
cert.gmtime_adj_notBefore(0)
|
| |
cert.gmtime_adj_notAfter(315360000) # 10 years
|
| |
cert.set_issuer(cert.get_subject())
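Review bot: `random.randint(2, 99999999)` at the serial-number line draws fewer than 27 bits from the Mersenne-Twister `random` module, which is neither cryptographically secure nor wide enough to make collisions unlikely, so two runs of `generatelocalhostcert` can still emit self-signed certificates with the same subject and serial — presumably the duplicate that the move away from the constant `2` is meant to avoid. An X.509 serial only has to be a positive integer of at most 20 octets, so the conventional choice is 64 bits from the OS entropy pool: `cert.set_serial_number(random.SystemRandom().getrandbits(64))` (or `secrets.randbits(64)` on Python 3.6+). A one-line comment such as `# random 64-bit serial so a regenerated cert is not rejected as a duplicate of the previous one` would record why the constant was dropped. The enclosing function begins before this hunk.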
|
| |
I see this is already in the
.spec
file too.