Automatically download CA from AIA-data in certificate (fixes github.com/moepman/acertmgr/issues/12)

acertmgr.py

@@ -101,6 +101,9 @@ def cert_get(settings):
             crt_final = settings['cert_file']
             shutil.copy2(crt_file, crt_final)
             os.chmod(crt_final, stat.S_IREAD)
+            # download current ca file for the new certificate if no static ca is configured
+            if "static_ca" in settings and not config['static_ca']:
+                tools.download_issuer_ca(crt_final, settings['ca_file'])
 
     finally:
         os.remove(csr_file)

configuration.py

@@ -79,10 +79,14 @@ def parse_config_entry(entry, globalconfig):
     # SSL CA location
     ca_files = [x for x in entry if 'ca_file' in x]
     if len(ca_files) > 0:
+        config['static_ca'] = True
         config['ca_file'] = ca_files[0]
+    elif 'server_ca' in globalconfig:
+        config['static_ca'] = True
+        config['ca_file'] = globalconfig['server_ca']
     else:
-        config['ca_file'] = globalconfig.get('server_ca',
+        config['static_ca'] = False
-                                             os.path.join(config['cert_dir'], "{}.ca".format(config['id'])))
+        config['ca_file'] = os.path.join(config['cert_dir'], "{}.ca".format(config['id']))
 
     # SSL cert location
     cert_files = [x for x in entry if 'cert_file' in x]

tools.py

@@ -16,7 +16,12 @@ from cryptography import x509
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives import hashes, serialization
 from cryptography.hazmat.primitives.asymmetric import rsa
-from cryptography.x509.oid import NameOID
+from cryptography.x509.oid import NameOID,ExtensionOID
+
+try:
+    from urllib.request import urlopen  # Python 3
+except ImportError:
+    from urllib2 import urlopen  # Python 2
 
 
 class InvalidCertificateError(Exception):
@@ -89,6 +94,32 @@ def new_rsa_key(path, key_size=4096):
         print('Warning: Could not set file permissions on {0}!'.format(path))
 
 
+# @brief download the issuer ca for a given certificate
+# @param cert_file certificate file
+# @param ca_file destination for the ca file
+def download_issuer_ca(cert_file, ca_file):
+    with open(cert_file, 'r') as f:
+        cert_data = f.read()
+    cert = x509.load_pem_x509_certificate(cert_data, default_backend())
+    aia = cert.extensions.get_extension_for_oid(ExtensionOID.AUTHORITY_INFORMATION_ACCESS)
+
+    ca_issuers = None
+    for data in aia.value:
+        if data.access_method == x509.OID_CA_ISSUERS:
+            ca_issuers = data.access_location.value
+            break
+
+    if not ca_issuers:
+        raise Exception("Could not determine issuer CA for {}".format(cert_file))
+
+    print("Downloading CA certificate from {} to {}".format(ca_issuers, ca_file))
+    cadata = urlopen(ca_issuers).read()
+    cacert = x509.load_der_x509_certificate(cadata, default_backend())
+    pem = cacert.public_bytes(encoding=serialization.Encoding.PEM)
+    with open(ca_file, 'wb') as pem_out:
+        pem_out.write(pem)
+
+
 # @brief convert certificate to PEM format
 # @param cert certificate object in pyopenssl format
 # @return the certificate in PEM format