Port rsa_key and x509_certificate to cryptography
This commit is contained in:
parent
56fc0d65b8
commit
1cf93b8f30
|
|
@ -2,7 +2,9 @@
|
||||||
#
|
#
|
||||||
# some internal functions are copied from salt.states.file
|
# some internal functions are copied from salt.states.file
|
||||||
|
|
||||||
from Crypto.PublicKey import RSA
|
from cryptography.hazmat.backends import default_backend
|
||||||
|
from cryptography.hazmat.primitives import serialization
|
||||||
|
from cryptography.hazmat.primitives.asymmetric import rsa
|
||||||
import os
|
import os
|
||||||
|
|
||||||
|
|
||||||
|
|
@ -86,10 +88,17 @@ def valid_key(name, bits=2048, user=None, group=None, mode='0700'):
|
||||||
return ret
|
return ret
|
||||||
|
|
||||||
if not os.path.isfile(name):
|
if not os.path.isfile(name):
|
||||||
rsa = RSA.generate(bits)
|
rsakey = rsa.generate_private_key(
|
||||||
|
public_exponent=65537,
|
||||||
|
key_size=bits,
|
||||||
|
backend=default_backend())
|
||||||
oldumask = os.umask(_calculate_umask(mode))
|
oldumask = os.umask(_calculate_umask(mode))
|
||||||
with open(name, 'w') as rsafile:
|
with open(name, 'w') as rsafile:
|
||||||
rsafile.write(rsa.exportKey())
|
rsafile.write(rsakey.private_bytes(
|
||||||
|
encoding=serialization.Encoding.PEM,
|
||||||
|
format=serialization.PrivateFormat.PKCS8,
|
||||||
|
encryption_algorithm=serialization.NoEncryption()
|
||||||
|
))
|
||||||
os.umask(oldumask)
|
os.umask(oldumask)
|
||||||
ret['comment'] = 'created new RSA key and saved PEM file {0}'.format(
|
ret['comment'] = 'created new RSA key and saved PEM file {0}'.format(
|
||||||
name)
|
name)
|
||||||
|
|
@ -98,20 +107,22 @@ def valid_key(name, bits=2048, user=None, group=None, mode='0700'):
|
||||||
return ret
|
return ret
|
||||||
try:
|
try:
|
||||||
with open(name, 'r') as rsafile:
|
with open(name, 'r') as rsafile:
|
||||||
rsa = RSA.importKey(rsafile.read())
|
rsakey = serialization.load_pem_private_key(
|
||||||
|
rsafile.read(),
|
||||||
|
password=None,
|
||||||
|
backend=default_backend())
|
||||||
except Exception as e:
|
except Exception as e:
|
||||||
ret['comment'] = 'error loading RSA key from file {0}: {1}'.format(
|
ret['comment'] = 'error loading RSA key from file {0}: {1}'.format(
|
||||||
name, e)
|
name, e)
|
||||||
ret['result'] = False
|
ret['result'] = False
|
||||||
return ret
|
return ret
|
||||||
keysize = rsa.size() + 1
|
if rsakey.key_size < bits:
|
||||||
if keysize < bits:
|
|
||||||
ret['comment'] = (
|
ret['comment'] = (
|
||||||
'RSA key in {0} is only {1} bits, which is less than the '
|
'RSA key in {0} is only {1} bits, which is less than the '
|
||||||
'required {2} bits'.format(name, keysize, bits))
|
'required {2} bits'.format(name, rsakey.key_size, bits))
|
||||||
ret['result'] = False
|
ret['result'] = False
|
||||||
else:
|
else:
|
||||||
ret['comment'] = 'RSA key in file {0} is ok ({1} bits)'.format(
|
ret['comment'] = 'RSA key in file {0} is ok ({1} bits)'.format(
|
||||||
name, keysize)
|
name, rsakey.key_size)
|
||||||
ret['result'] = True
|
ret['result'] = True
|
||||||
return ret
|
return ret
|
||||||
|
|
|
||||||
|
|
@ -5,10 +5,11 @@ Manage X.509 certificate life cycle
|
||||||
|
|
||||||
This state is useful for managing X.509 certificates' life cycles.
|
This state is useful for managing X.509 certificates' life cycles.
|
||||||
|
|
||||||
Copyright (c) 2014 Jan Dittberner <jan@dittberner.info>
|
Copyright (c) 2014, 2016 Jan Dittberner <jan@dittberner.info>
|
||||||
'''
|
'''
|
||||||
|
|
||||||
from M2Crypto import X509
|
from cryptography import x509
|
||||||
|
from cryptography.hazmat.backends import default_backend
|
||||||
from datetime import datetime
|
from datetime import datetime
|
||||||
import os
|
import os
|
||||||
|
|
||||||
|
|
@ -39,14 +40,15 @@ def valid_certificate(
|
||||||
if not os.path.isfile(name):
|
if not os.path.isfile(name):
|
||||||
return _error(
|
return _error(
|
||||||
ret, 'certificate file {0} does not exist'.format(name))
|
ret, 'certificate file {0} does not exist'.format(name))
|
||||||
try:
|
with open(name) as pemfile:
|
||||||
cert = X509.load_cert(name)
|
try:
|
||||||
except Exception as e:
|
cert = x509.load_pem_x509_certificate(pemfile.read(),
|
||||||
return _error(
|
default_backend())
|
||||||
ret,
|
except Exception as e:
|
||||||
'error loading certificate {0}: {1}'.format(name, e))
|
return _error(
|
||||||
notafter = cert.get_not_after().get_datetime()
|
ret, 'error loading certificate {0}: {1}'.format(name, e))
|
||||||
delta = notafter - datetime.now(notafter.tzinfo)
|
notafter = cert.not_valid_after
|
||||||
|
delta = notafter - datetime.utcnow()
|
||||||
if delta.days < mindays:
|
if delta.days < mindays:
|
||||||
return _error(
|
return _error(
|
||||||
ret,
|
ret,
|
||||||
|
|
|
||||||
|
|
@ -11,7 +11,7 @@ gnuviechadmin-dev-packages:
|
||||||
- require_in:
|
- require_in:
|
||||||
- pkg: gnuviechadmin-packages
|
- pkg: gnuviechadmin-packages
|
||||||
|
|
||||||
python-m2crypto:
|
python-cryptography:
|
||||||
pkg.installed:
|
pkg.installed:
|
||||||
- reload_modules: true
|
- reload_modules: true
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -23,7 +23,7 @@
|
||||||
- require:
|
- require:
|
||||||
- file: {{ nginx_ssl_certdir }}
|
- file: {{ nginx_ssl_certdir }}
|
||||||
- cmd: {{ certfile }}
|
- cmd: {{ certfile }}
|
||||||
- pkg: python-m2crypto
|
- pkg: python-cryptography
|
||||||
- require_in:
|
- require_in:
|
||||||
- file: /etc/nginx/sites-available/{{ domain_name }}
|
- file: /etc/nginx/sites-available/{{ domain_name }}
|
||||||
- service: nginx
|
- service: nginx
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue