Hot-keys on this page

r m x p   toggle line displays

j k   next/prev highlighted chunk

0   (zero) top of page

1   (one) first highlighted chunk

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

82

83

84

85

86

87

88

89

90

91

92

93

94

95

96

97

98

99

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

# Authors: Rob Crittenden <rcritten@redhat.com> 

# 

# Copyright (C) 2009    Red Hat 

# see file 'COPYING' for use and warranty information 

# 

# This program is free software; you can redistribute it and/or modify 

# it under the terms of the GNU General Public License as published by 

# the Free Software Foundation, either version 3 of the License, or 

# (at your option) any later version. 

# 

# This program is distributed in the hope that it will be useful, 

# but WITHOUT ANY WARRANTY; without even the implied warranty of 

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.    See the 

# GNU General Public License for more details. 

# 

# You should have received a copy of the GNU General Public License 

# along with this program.  If not, see <http://www.gnu.org/licenses/>. 

# 

 

from ipapython import ipautil 

from ipapython import nsslib 

from ipalib import pkcs10 

import tempfile 

from ipapython.compat import sha1 

import shutil 

import os 

 

CA_NICKNAME_FMT = "%s IPA CA" 

def get_ca_nickname(realm, format=CA_NICKNAME_FMT): 

    return format % realm 

 

class CertDB(object): 

    """ 

    To be used for temporary NSS databases only. If temporary is set then 

    this willcompletely remove the database it is working on when the 

    class is destroyed. 

    """ 

    def __init__(self, secdir, password=None, temporary=False): 

        if secdir is None: 

            secdir = tempfile.mkdtemp(prefix = "certdb-") 

        if password is None: 

            password = self.generate_random() 

        self.secdir = secdir 

        self.password = password 

        self.temporary = temporary 

        self.noise_file = secdir + "/noise" 

        self.pwd_file = secdir + "/pwd" 

        self.csr_file = secdir + "/csr.txt" 

 

        f = open(self.pwd_file, "w") 

        f.write(self.password) 

        f.close() 

 

        if not ipautil.file_exists(secdir + "/secmod.db"): 

            self.run_certutil(["-N", "-f", self.pwd_file]) 

 

    def __del__(self): 

        if self.temporary: 

            shutil.rmtree(self.secdir) 

        else: 

            # clean up 

            if ipautil.file_exists(self.noise_file): 

                os.remove(self.noise_file) 

 

    def run_certutil(self, args, stdin=None): 

        new_args = ["/usr/bin/certutil", "-d", self.secdir] 

        new_args = new_args + args 

        return ipautil.run(new_args, stdin) 

 

    def generate_random(self): 

        return sha1(ipautil.ipa_generate_password()).hexdigest() 

 

    def create_noise_file(self): 

        """ 

        Generate a noise file to be used when creating a key 

        """ 

        if ipautil.file_exists(self.noise_file): 

            os.remove(self.noise_file) 

 

        f = open(self.noise_file, "w") 

        f.write(self.generate_random()) 

        f.close() 

 

        return 

 

    def generate_csr(self, subject, keysize=2048, keytype="rsa"): 

        """ 

        Generate a Certificate Signing Request (CSR) and return as a 

        string the base-64 result with the BEGIN/END block. 

        """ 

        self.create_noise_file() 

        args = ["-R", "-s", subject, 

                "-o", self.csr_file, 

                "-k", keytype, 

                "-g", str(keysize), 

                "-z", self.noise_file, 

                "-f", self.pwd_file, 

                "-a"] 

        self.run_certutil(args) 

 

        # read in the CSR 

        f = open(self.csr_file, "r") 

        csr = f.readlines() 

        f.close() 

        csr = "".join(csr) 

 

        csr = pkcs10.strip_header(csr) 

 

        return csr 

 

    def add_certificate(self, cert_file, nickname="Server-Cert", is_ca=False): 

        """ 

        Add a certificate to our NSS database. 

 

        Only supports base64-encoded certificates, not DER-encoded. 

        """ 

        if is_ca: 

            trust_flag="CT,C,C" 

        else: 

            trust_flag="u,u,u" 

 

        # Import a certificate from an ASCII file 

        args = ["-A", 

                "-n", nickname, 

                "-t", trust_flag, 

                "-i", cert_file, 

                "-f", self.pwd_file, 

                "-a"] 

 

        self.run_certutil(args) 

 

    def create_pkcs12(self, pkcs12_file, nickname="Server-Cert", password=None): 

        if password is None: 

            password = self.password 

 

        p12pwd_file = self.secdir + "/pkcs12_pwd" 

        f = open(p12pwd_file, "w") 

        f.write(password) 

        f.close() 

 

        args = ["/usr/bin/pk12util", 

                "-d", self.secdir, 

                "-o", pkcs12_file, 

                "-n", nickname, 

                "-k", self.pwd_file, 

                "-w", p12pwd_file] 

        ipautil.run(args) 

 

        return password