Port rsa_key and x509_certificate to cryptography

This commit is contained in:
Jan Dittberner 2016-09-24 21:51:02 +02:00
parent 56fc0d65b8
commit 1cf93b8f30
4 changed files with 33 additions and 20 deletions


@ -2,7 +2,9 @@
# #
# some internal functions are copied from salt.states.file # some internal functions are copied from salt.states.file
from Crypto.PublicKey import RSA from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa
import os import os
@ -86,10 +88,17 @@ def valid_key(name, bits=2048, user=None, group=None, mode='0700'):
return ret return ret
if not os.path.isfile(name): if not os.path.isfile(name):
rsa = RSA.generate(bits) rsakey = rsa.generate_private_key(
public_exponent=65537,
key_size=bits,
backend=default_backend())
oldumask = os.umask(_calculate_umask(mode)) oldumask = os.umask(_calculate_umask(mode))
with open(name, 'w') as rsafile: with open(name, 'w') as rsafile:
rsafile.write(rsa.exportKey()) rsafile.write(rsakey.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.PKCS8,
encryption_algorithm=serialization.NoEncryption()
))
os.umask(oldumask) os.umask(oldumask)
ret['comment'] = 'created new RSA key and saved PEM file {0}'.format( ret['comment'] = 'created new RSA key and saved PEM file {0}'.format(
name) name)
@ -98,20 +107,22 @@ def valid_key(name, bits=2048, user=None, group=None, mode='0700'):
return ret return ret
try: try:
with open(name, 'r') as rsafile: with open(name, 'r') as rsafile:
rsa = RSA.importKey(rsafile.read()) rsakey = serialization.load_pem_private_key(
rsafile.read(),
password=None,
backend=default_backend())
except Exception as e: except Exception as e:
ret['comment'] = 'error loading RSA key from file {0}: {1}'.format( ret['comment'] = 'error loading RSA key from file {0}: {1}'.format(
name, e) name, e)
ret['result'] = False ret['result'] = False
return ret return ret
keysize = rsa.size() + 1 if rsakey.key_size < bits:
if keysize < bits:
ret['comment'] = ( ret['comment'] = (
'RSA key in {0} is only {1} bits, which is less than the ' 'RSA key in {0} is only {1} bits, which is less than the '
'required {2} bits'.format(name, keysize, bits)) 'required {2} bits'.format(name, rsakey.key_size, bits))
ret['result'] = False ret['result'] = False
else: else:
ret['comment'] = 'RSA key in file {0} is ok ({1} bits)'.format( ret['comment'] = 'RSA key in file {0} is ok ({1} bits)'.format(
name, keysize) name, rsakey.key_size)
ret['result'] = True ret['result'] = True
return ret return ret
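Review bot: The second hunk drops the "is this actually an RSA key" guarantee that `RSA.importKey` gave: `serialization.load_pem_private_key` returns whatever key type the PEM holds, and a non-RSA key now reaches `rsakey.key_size` on the new line after the except branch (an EC key would be reported as "only 256 bits", and a key type without `key_size` would raise an uncaught AttributeError instead of going through the error path). An explicit type check after the load, using the `rsa` module already imported at the top of the file, restores the old behaviour. In the first hunk the key is still opened with `open(name, 'w')` while `private_bytes` returns bytes; that is fine under Python 2 but, if this state is ever run under Python 3, `'wb'` (and `'rb'` for the read) is needed — I cannot tell the target interpreter from the page. `valid_key` begins before and continues beyond this hunk.
```python
    # … unchanged: load_pem_private_key / except branch …
    if not isinstance(rsakey, rsa.RSAPrivateKey):
        ret['comment'] = 'key in file {0} is not an RSA key'.format(name)
        ret['result'] = False
        return ret
    if rsakey.key_size < bits:
```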


@ -5,10 +5,11 @@ Manage X.509 certificate life cycle
This state is useful for managing X.509 certificates' life cycles. This state is useful for managing X.509 certificates' life cycles.
Copyright (c) 2014 Jan Dittberner <jan@dittberner.info> Copyright (c) 2014, 2016 Jan Dittberner <jan@dittberner.info>
''' '''
from M2Crypto import X509 from cryptography import x509
from cryptography.hazmat.backends import default_backend
from datetime import datetime from datetime import datetime
import os import os
@ -39,14 +40,15 @@ def valid_certificate(
if not os.path.isfile(name): if not os.path.isfile(name):
return _error( return _error(
ret, 'certificate file {0} does not exist'.format(name)) ret, 'certificate file {0} does not exist'.format(name))
try: with open(name) as pemfile:
cert = X509.load_cert(name) try:
except Exception as e: cert = x509.load_pem_x509_certificate(pemfile.read(),
return _error( default_backend())
ret, except Exception as e:
'error loading certificate {0}: {1}'.format(name, e)) return _error(
notafter = cert.get_not_after().get_datetime() ret, 'error loading certificate {0}: {1}'.format(name, e))
delta = notafter - datetime.now(notafter.tzinfo) notafter = cert.not_valid_after
delta = notafter - datetime.utcnow()
if delta.days < mindays: if delta.days < mindays:
return _error( return _error(
ret, ret,
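Review bot: The new `with open(name) as pemfile:` sits outside the `try`, so an OSError on open or read (unreadable file, permission denied — `os.path.isfile` above only proves existence) now propagates out of `valid_certificate` instead of being reported through `_error` as it was when `X509.load_cert(name)` did the I/O inside the `try`. Nest the `with` inside the `try`: `try:` / `with open(name, 'rb') as pemfile:` / `cert = x509.load_pem_x509_certificate(pemfile.read(), default_backend())`, leaving the except branch as written. Opening in `'rb'` also matters if this runs under Python 3, where `load_pem_x509_certificate` expects bytes and the text-mode read would currently fail with a TypeError that the broad `except Exception` masks as a generic load error; under Python 2 the change is harmless. The comparison of `cert.not_valid_after` with `datetime.utcnow()` is consistent, since cryptography returns that value as a naive UTC datetime. `valid_certificate` starts before this hunk and its body continues past it.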


@ -11,7 +11,7 @@ gnuviechadmin-dev-packages:
- require_in: - require_in:
- pkg: gnuviechadmin-packages - pkg: gnuviechadmin-packages
python-m2crypto: python-cryptography:
pkg.installed: pkg.installed:
- reload_modules: true - reload_modules: true


@ -23,7 +23,7 @@
- require: - require:
- file: {{ nginx_ssl_certdir }} - file: {{ nginx_ssl_certdir }}
- cmd: {{ certfile }} - cmd: {{ certfile }}
- pkg: python-m2crypto - pkg: python-cryptography
- require_in: - require_in:
- file: /etc/nginx/sites-available/{{ domain_name }} - file: /etc/nginx/sites-available/{{ domain_name }}
- service: nginx - service: nginx