1
0
mirror of https://github.com/moepman/acertmgr.git synced 2025-01-01 06:41:51 +01:00

Refactor ssl functionality

use pyopenssl for certificate validty and requests
This commit is contained in:
David Klaftenegger 2016-04-04 01:08:24 +02:00 committed by Markus Hauschild
parent e39c3cf298
commit 9dc7941658
2 changed files with 42 additions and 28 deletions

View File

@ -6,9 +6,9 @@
import acme_tiny import acme_tiny
import acertmgr_ssl
import acertmgr_web import acertmgr_web
import datetime import datetime
import dateutil.parser
import dateutil.relativedelta import dateutil.relativedelta
import grp import grp
import os import os
@ -49,20 +49,7 @@ def cert_isValid(crt_file, ttl_days):
if not os.path.isfile(crt_file): if not os.path.isfile(crt_file):
return False return False
else: else:
# check validity using OpenSSL (valid_from, valid_to) = acertmgr_ssl.cert_valid_times(crt_file)
vc = subprocess.check_output(['openssl', 'x509', '-in', crt_file, '-noout', '-dates'])
m = re.search(b"notBefore=(.+)", vc)
if m:
valid_from = dateutil.parser.parse(m.group(1), ignoretz=True)
else:
raise InvalidCertificateError("No notBefore date found")
m = re.search(b"notAfter=(.+)", vc)
if m:
valid_to = dateutil.parser.parse(m.group(1), ignoretz=True)
else:
raise InvalidCertificateError("No notAfter date found")
now = datetime.datetime.now() now = datetime.datetime.now()
if valid_from > now: if valid_from > now:
@ -104,19 +91,10 @@ def cert_get(domain, settings):
server = acertmgr_web.ACMEHTTPServer(port) server = acertmgr_web.ACMEHTTPServer(port)
server.start() server.start()
try: try:
allnames = domain.split(' ') key_fd = open(key_file, "r")
if len(allnames) == 1: key = key_fd.read()
cr = subprocess.check_output(['openssl', 'req', '-new', '-sha256', '-key', key_file, '-out', csr_file, '-subj', '/CN=%s' % domain]) key_fd.close()
else: cr = acertmgr_ssl.cert_request(domains.split(), key)
cnt = 0
altnames = []
for alias in allnames[1:]
cnt = cnt + 1
altnames.append('DNS.%d=%s' % cnt, alias)
subject = '/CN=%s subjectAltName=%s' % allnames[0], ','.join(altnames)
cr = subprocess.check_output(['openssl', 'req', '-new', '-sha256', '-key', key_file, '-out', csr_file, '-reqexts', 'SAN', '-subj', subject])
# get certificate
crt = acme_tiny.get_crt(acc_file, csr_file, challenge_dir) crt = acme_tiny.get_crt(acc_file, csr_file, challenge_dir)
with open(crt_file, "w") as crt_fd: with open(crt_file, "w") as crt_fd:
crt_fd.write(crt) crt_fd.write(crt)

36
acertmgr_ssl.py Normal file
View File

@ -0,0 +1,36 @@
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# acertmgr - ssl management functions
# Copyright (c) Markus Hauschild & David Klaftenegger, 2016.
# available under the ISC license, see LICENSE
from OpenSSL import crypto
# @brief retrieve notBefore and notAfter dates of a certificate file
# @param cert_file the path to the certificate
# @return the tuple of dates: (notBefore, notAfter)
def cert_valid_times(cert_file):
with open(cert_file) as f:
cert_data = f.read()
cert = crypto.load_certificate(crypto.FILETYPE_PEM, cert_data)
asn1time = str('%Y%m%d%H%M%SZ'.encode('utf8'))
not_before = datetime.datetime.strptime(str(cert.get_notBefore()), asn1time)
not_after = datetime.datetime.strptime(str(cert.get_notAfter()), asn1time)
return (not_before, not_after)
# @brief create a certificate signing request
# @param names list of domain names the certificate should be valid for
# @param key_data the key to use with the certificate in PEM format
# @return the CSR in PEM format
def cert_request(names, key_data):
req = crypto.X509Req()
req.get_subject().commonName = names[0]
entries = ['DNS:'+name for name in names]
extensions = [crypto.X509Extension('subjectAltName', False, ', '.join(entries))]
req.add_extensions(extensions)
key = crypto.load_privatekey(crypto.FILETYPE_PEM, key_data)
req.set_pubkey(key)
req.sign(key, 'sha256')
return crypto.dump_certificate_request(crypto.FILETYPE_PEM, req)