gnuviech/gvasalt
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Port rsa_key and x509_certificate to cryptography

Browse source
This commit is contained in:
Jan Dittberner 2016-09-24 21:51:02 +02:00
parent 56fc0d65b8
commit 1cf93b8f30
4 changed files with 33 additions and 20 deletions
Download patch file Download diff file Expand all files Collapse all files

27
states/_states/rsa_key.py
View file

@ -2,7 +2,9 @@
#
# some internal functions are copied from salt.states.file
from Crypto.PublicKey import RSA
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa
import os
@ -86,10 +88,17 @@ def valid_key(name, bits=2048, user=None, group=None, mode='0700'):
return ret
if not os.path.isfile(name):
rsa = RSA.generate(bits)
rsakey = rsa.generate_private_key(
public_exponent=65537,
key_size=bits,
backend=default_backend())
oldumask = os.umask(_calculate_umask(mode))
with open(name, 'w') as rsafile:
rsafile.write(rsa.exportKey())
rsafile.write(rsakey.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.PKCS8,
encryption_algorithm=serialization.NoEncryption()
))
os.umask(oldumask)
ret['comment'] = 'created new RSA key and saved PEM file {0}'.format(
name)
@ -98,20 +107,22 @@ def valid_key(name, bits=2048, user=None, group=None, mode='0700'):
return ret
try:
with open(name, 'r') as rsafile:
rsa = RSA.importKey(rsafile.read())
rsakey = serialization.load_pem_private_key(
rsafile.read(),
password=None,
backend=default_backend())
except Exception as e:
ret['comment'] = 'error loading RSA key from file {0}: {1}'.format(
name, e)
ret['result'] = False
return ret
keysize = rsa.size() + 1
if keysize < bits:
if rsakey.key_size < bits:
ret['comment'] = (
'RSA key in {0} is only {1} bits, which is less than the '
'required {2} bits'.format(name, keysize, bits))
'required {2} bits'.format(name, rsakey.key_size, bits))
ret['result'] = False
else:
ret['comment'] = 'RSA key in file {0} is ok ({1} bits)'.format(
name, keysize)
name, rsakey.key_size)
ret['result'] = True
return ret

22
states/_states/x509_certificate.py
View file

@ -5,10 +5,11 @@ Manage X.509 certificate life cycle
This state is useful for managing X.509 certificates' life cycles.
Copyright (c) 2014 Jan Dittberner <jan@dittberner.info>
Copyright (c) 2014, 2016 Jan Dittberner <jan@dittberner.info>
'''
from M2Crypto import X509
from cryptography import x509
from cryptography.hazmat.backends import default_backend
from datetime import datetime
import os
@ -39,14 +40,15 @@ def valid_certificate(
if not os.path.isfile(name):
return _error(
ret, 'certificate file {0} does not exist'.format(name))
try:
cert = X509.load_cert(name)
except Exception as e:
return _error(
ret,
'error loading certificate {0}: {1}'.format(name, e))
notafter = cert.get_not_after().get_datetime()
delta = notafter - datetime.now(notafter.tzinfo)
with open(name) as pemfile:
try:
cert = x509.load_pem_x509_certificate(pemfile.read(),
default_backend())
except Exception as e:
return _error(
ret, 'error loading certificate {0}: {1}'.format(name, e))
notafter = cert.not_valid_after
delta = notafter - datetime.utcnow()
if delta.days < mindays:
return _error(
ret,

2
states/gnuviechadmin/webinterface.sls
View file

@ -11,7 +11,7 @@ gnuviechadmin-dev-packages:
- require_in:
- pkg: gnuviechadmin-packages
python-m2crypto:
python-cryptography:
pkg.installed:
- reload_modules: true

2
states/webserver/sslcert.macros.sls
View file

@ -23,7 +23,7 @@
- require:
- file: {{ nginx_ssl_certdir }}
- cmd: {{ certfile }}
- pkg: python-m2crypto
- pkg: python-cryptography
- require_in:
- file: /etc/nginx/sites-available/{{ domain_name }}
- service: nginx