3 commits - certmaster/certmaster.py certmaster/certs.py certmaster/SSLCommon.py scripts/certmaster-sync


 



 certmaster/SSLCommon.py  |    5 ++++-
 certmaster/certmaster.py |   18 +++++++++++++++---
 certmaster/certs.py      |   12 ++++++++++--
 scripts/certmaster-sync  |   16 ++++++++++++++--
 4 files changed, 43 insertions(+), 8 deletions(-)

New commits:
commit 8d70412c35fb1f0538577ec578e5f0568421dcf0
Author: Seth Vidal <skvidal@xxxxxxxxxxxxxxxxx>
Date:   Thu Apr 22 17:07:59 2010 -0400

    - add BasicConstraints CA:TRUE for a ca cert, false for the others
    - make signature digest sha - instead of md5
    - make certs ver 3 not ver 1
    - closes rh bug: https://bugzilla.redhat.com/show_bug.cgi?id=583047

diff --git a/certmaster/certs.py b/certmaster/certs.py
index 554822e..81409f3 100644
--- a/certmaster/certs.py
+++ b/certmaster/certs.py
@@ -96,7 +96,11 @@ def create_ca(CN="Certmaster Certificate Authority", ca_key_file=None, ca_cert_f
     cacert.set_issuer(careq.get_subject())
     cacert.set_subject(careq.get_subject())
     cacert.set_pubkey(careq.get_pubkey())
-    cacert.sign(cakey, 'md5')
+    cacert.set_version(2)
+    xt = crypto.X509Extension('basicConstraints',1,'CA:TRUE')
+    # FIXME - add subjectkeyidentifier and authoritykeyidentifier extensions, too)
+    cacert.add_extensions((xt,))
+    cacert.sign(cakey, 'sha1')
     if ca_cert_file:
         destfo = open(ca_cert_file, 'w')
         destfo.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cacert))
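Review bot: The new CA certificate carries only basicConstraints; a v3 CA normally also gets a critical keyUsage extension restricting the key to signing, which this commit's FIXME on subjectKeyIdentifier/authorityKeyIdentifier does not cover. That would be a second entry in the tuple passed on the `cacert.add_extensions(...)` line, e.g. `ku = crypto.X509Extension('keyUsage', True, 'keyCertSign, cRLSign')` followed by `cacert.add_extensions((xt, ku))`. The FIXME comment also has an unmatched closing parenthesis. create_ca begins before this hunk, so the key and request setup is not visible here.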
@@ -134,7 +138,11 @@ def create_slave_certificate(csr, cakey, cacert, cadir, slave_cert_file=None):
     cert.set_issuer(cacert.get_subject())
     cert.set_subject(csr.get_subject())
     cert.set_pubkey(csr.get_pubkey())
-    cert.sign(cakey, 'md5')
+    cert.set_version(2)
+    xt = crypto.X509Extension('basicConstraints', False ,'CA:False')
+    # FIXME - add subjectkeyidentifier and authoritykeyidentifier extensions, too)    
+    cacert.add_extensions((xt,))
+    cert.sign(cakey, 'sha1')
     if slave_cert_file:
         destfo = open(slave_cert_file, 'w')
         destfo.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
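Review bot: The new extension is attached to the wrong object: `cacert.add_extensions((xt,))` adds the CA:False constraint to the in-memory CA certificate rather than to `cert`, so the slave certificate that is then signed and written out carries no basicConstraints at all, and the CA object is mutated as a side effect. The line should read `cert.add_extensions((xt,))`. The value string is also inconsistent with the CA hunk's `'CA:TRUE'`: OpenSSL's boolean parser accepts forms such as TRUE/true and FALSE/false, and I would expect mixed-case `'CA:False'` to be rejected when the extension is built, so use `xt = crypto.X509Extension('basicConstraints', False, 'CA:FALSE')` (confirm against the pyOpenSSL version in use). create_slave_certificate begins before this hunk.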


commit 5bdd42c1534a196d6be9104543e4a9a9b0442324
Author: Seth Vidal <skvidal@xxxxxxxxxxxxxxxxx>
Date:   Thu Apr 22 17:07:13 2010 -0400

    make the sha import use hashlib and make the hashlib import work sanely
    on versions of python that don't have a hashlib (python < 2.5)

diff --git a/certmaster/certmaster.py b/certmaster/certmaster.py
index 9548b8b..b0a216b 100644
--- a/certmaster/certmaster.py
+++ b/certmaster/certmaster.py
@@ -22,7 +22,19 @@ import traceback
 import os
 import os.path
 from OpenSSL import crypto
-import sha
+
+try:
+    import hashlib
+except ImportError:
+    # Python-2.4.z ... gah! (or even 2.3!)
+    import sha
+    class hashlib:
+        @staticmethod
+        def new(algo):
+            if algo == 'sha1':
+                return sha.new()
+            raise ValueError, "Bad checksum type"
+
 import glob
 import socket
 import exceptions
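Review bot: The fallback `hashlib` shim only knows `'sha1'`, and its `raise ValueError, "Bad checksum type"` does not say which algorithm was requested, so a later caller asking for another digest would work on Python 2.5+ and fail opaquely on the shim. I would make the message carry the name, `raise ValueError, "Bad checksum type: %s" % algo`, and add a one-line comment above the class, `# minimal stand-in: only the 'sha1' algorithm is supported`. The identical shim is repeated in the scripts/certmaster-sync hunk below and has the same issue.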
@@ -123,10 +135,10 @@ class CertMaster(object):
         if os.path.exists(csrfile):
             oldfo = open(csrfile)
             oldcsrbuf = oldfo.read()
-            oldsha = sha.new()
+            oldsha = hashlib.new('sha1')
             oldsha.update(oldcsrbuf)
             olddig = oldsha.hexdigest()
-            newsha = sha.new()
+            newsha = hashlib.new('sha1')
             newsha.update(csrbuf)
             newdig = newsha.hexdigest()
             if not newdig == olddig:
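Review bot: The two new `hashlib.new('sha1')` calls hash buffers that are both already in memory only to test them for equality; unless `olddig`/`newdig` are used later in the branch (its body lies outside the hunk), `if oldcsrbuf != csrbuf:` would express the same check without the digest round-trip. This is pre-existing logic that the commit merely ports, so it is a style point rather than a defect. The enclosing CertMaster method starts before this hunk.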
diff --git a/scripts/certmaster-sync b/scripts/certmaster-sync
index bd27af5..fd1db93 100644
--- a/scripts/certmaster-sync
+++ b/scripts/certmaster-sync
@@ -7,7 +7,19 @@
 
 import os
 import sys
-import sha
+try:
+    import hashlib
+except ImportError:
+    # Python-2.4.z ... gah! (or even 2.3!)
+    import sha
+    class hashlib:
+        @staticmethod
+        def new(algo):
+            if algo == 'sha1':
+                return sha.new()
+            raise ValueError, "Bad checksum type"
+
+
 import xmlrpclib
 from glob import glob
 from time import sleep
@@ -72,7 +84,7 @@ def local_certs():
     return results
 
 def checksum(f):
-    thissum = sha.new()
+    thissum = hashlib.new('sha1')
     if os.path.exists(f):
         fo = open(f, 'r')
         data = fo.read()


commit c6eb51dbc3be8ef1b97ad66ac5f218d5d48c9ec0
Author: Seth Vidal <skvidal@xxxxxxxxxxxxxxxxx>
Date:   Thu Apr 22 17:06:20 2010 -0400

    optionally allow a passwd callback for opening the ssl keys

diff --git a/certmaster/SSLCommon.py b/certmaster/SSLCommon.py
index 6959749..e93ff63 100644
--- a/certmaster/SSLCommon.py
+++ b/certmaster/SSLCommon.py
@@ -29,13 +29,16 @@ def our_verify(connection, x509, errNum, errDepth, preverifyOK):
     return preverifyOK
 
 
-def CreateSSLContext(pkey, cert, ca_cert):
+def CreateSSLContext(pkey, cert, ca_cert, passwd_callback=None):
     for f in pkey, cert, ca_cert:
         if f and not os.access(f, os.R_OK):
             print "%s does not exist or is not readable." % f
             os._exit(1)
 
     ctx = SSL.Context(SSL.SSLv3_METHOD)   # SSLv3 only
+    if passwd_callback:
+        ctx.set_passwd_cb = passwd_callback
+
     ctx.use_certificate_file(cert)
     ctx.use_privatekey_file(pkey)
     ctx.load_client_ca(ca_cert)
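Review bot: `ctx.set_passwd_cb = passwd_callback` assigns an instance attribute instead of calling the context method, so the callback is never registered and the following `use_privatekey_file(pkey)` still falls back to OpenSSL's default passphrase handling when the key is encrypted. The line should be `ctx.set_passwd_cb(passwd_callback)`. A short docstring on CreateSSLContext stating that `passwd_callback`, when given, is used to obtain the private-key passphrase would help callers of the new parameter.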



