authorNarayan Desai <desai@mcs.anl.gov>2009-04-08 01:19:11 +0000
committerNarayan Desai <desai@mcs.anl.gov>2009-04-08 01:19:11 +0000
commitde10f2e64cb7faf0ba0222a22035b81ca07e7426 (patch)
tree4730e5702aed17855a41dcf5a2e14f09247ecf93 /src
parent61d5b7caec10262206968e2dcbaf242806b5021e (diff)
Implement ssl certificate split, in preparation for SSL client cert auth
git-svn-id: https://svn.mcs.anl.gov/repos/bcfg/trunk/bcfg2@5155 ce84e21b-d406-0410-9b95-82705330c041
Diffstat (limited to 'src')
-rw-r--r--src/lib/Component.py15
-rw-r--r--src/lib/Options.py2
-rw-r--r--src/lib/Proxy.py20
-rw-r--r--src/lib/Server/Admin/Fingerprint.py5
-rwxr-xr-xsrc/sbin/bcfg2-server2
5 files changed, 34 insertions, 10 deletions
diff --git a/src/lib/Component.py b/src/lib/Component.py
index aca74f7d1..b76b1bd33 100644
--- a/src/lib/Component.py
+++ b/src/lib/Component.py
@@ -93,17 +93,19 @@ class CobaltXMLRPCRequestHandler(SimpleXMLRPCServer.SimpleXMLRPCRequestHandler):
class TLSServer(Bcfg2.tlslite.api.TLSSocketServerMixIn,
BaseHTTPServer.HTTPServer):
'''This class is an tlslite-using SSLServer'''
- def __init__(self, address, keyfile, handler, checker=None,
+ def __init__(self, address, keyfile, certfile, handler, checker=None,
reqCert=False):
+ print keyfile, certfile
self.sc = Bcfg2.tlslite.api.SessionCache()
self.rc = reqCert
self.master = os.getpid()
x509 = Bcfg2.tlslite.api.X509()
- s = open(keyfile).read()
- x509.parse(s)
+ cdata = open(certfile).read()
+ x509.parse(cdata)
self.checker = checker
+ kdata = open(keyfile).read()
try:
- self.key = Bcfg2.tlslite.api.parsePEMKey(s, private=True)
+ self.key = Bcfg2.tlslite.api.parsePEMKey(kdata, private=True)
except:
raise ComponentKeyError
self.chain = Bcfg2.tlslite.api.X509CertChain([x509])
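Review bot: The `print keyfile, certfile` added at the top of `TLSServer.__init__` looks like leftover debugging output and should be dropped before this lands; it writes the private-key path to the daemon's stdout on every start, where whatever captures the server's output will keep it. The two `open(...).read()` calls also never close their handles explicitly; `cdata = open(certfile).read()` could become `fh = open(certfile); cdata = fh.read(); fh.close()` (or a `with` block if the project's Python version allows it). The bare `except:` around `parsePEMKey` is pre-existing, but now that key and certificate live in separate files a wrong `keyfile` surfaces as a `ComponentKeyError` with the original parse error discarded, so logging it before re-raising would help; the body of `__init__` continues past this hunk.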
@@ -148,7 +150,7 @@ class Component(TLSServer,
fork_funcs = []
child_limit = 32
- def __init__(self, keyfile, password, location):
+ def __init__(self, keyfile, certfile, password, location):
# need to get addr
self.shut = False
signal.signal(signal.SIGINT, self.start_shutdown)
@@ -162,7 +164,8 @@ class Component(TLSServer,
self.password = password
try:
- TLSServer.__init__(self, sock_loc, keyfile, CobaltXMLRPCRequestHandler)
+ TLSServer.__init__(self, sock_loc, keyfile, certfile,
+ CobaltXMLRPCRequestHandler)
except socket.error:
self.logger.error("Failed to bind to socket")
raise ComponentInitError
diff --git a/src/lib/Options.py b/src/lib/Options.py
index 8f3df5f39..c992d17d2 100644
--- a/src/lib/Options.py
+++ b/src/lib/Options.py
@@ -200,6 +200,8 @@ SERVER_STATIC = Option('Server runs on static port', cf=('components', 'bcfg2'),
default=False, cook=bool_cook)
SERVER_KEY = Option('Path to SSL key', cf=('communication', 'key'),
default=False, cmd='-K', odesc='<ssl key file>')
+SERVER_CERT = Option('Path to SSL certificate', default='/etc/bcfg2.key',
+ cf=('communication', 'certificate'), odesc='<ssl cert>')
SERVER_PASSWORD = Option('Communication Password', cmd='-x', odesc='<password>',
cf=('communication', 'password'), default=False)
INSTALL_PREFIX = Option('Installation location', cf=('server', 'prefix'),
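Review bot: `SERVER_CERT` defaults to `/etc/bcfg2.key`, a path that names the key file, while `SERVER_KEY` itself has no default (`default=False`); with nothing set in the config the certificate is read from the key file and the key is left unset. If the intent is that the pre-split combined key+certificate file still works as the certificate source, a comment saying so would stop the next reader from treating it as a typo, e.g. `# default to the legacy combined key/cert file so existing installs keep working`. `SERVER_KEY` also carries a `cmd='-K'` switch and `SERVER_CERT` does not, so the certificate can only be set from the config file; if that is deliberate it is worth noting too.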
diff --git a/src/lib/Proxy.py b/src/lib/Proxy.py
index 24dbf5ee8..8275f9a7c 100644
--- a/src/lib/Proxy.py
+++ b/src/lib/Proxy.py
@@ -12,6 +12,8 @@ __revision__ = '$Revision: $'
from ConfigParser import SafeConfigParser, NoSectionError
import logging, socket, urlparse, time, Bcfg2.tlslite.errors
from Bcfg2.tlslite.integration.XMLRPCTransport import XMLRPCTransport
+import Bcfg2.tlslite.X509, Bcfg2.tlslite.X509CertChain
+import Bcfg2.tlslite.utils.keyfactory
import xmlrpclib
from xmlrpclib import _Method
@@ -48,7 +50,8 @@ class RetryMethod(_Method):
# sorry jon
xmlrpclib._Method = RetryMethod
-def ComponentProxy (url, user=None, password=None, fingerprint=None):
+def ComponentProxy (url, user=None, password=None, fingerprint=None,
+ key=None, cert=None):
"""Constructs proxies to components.
@@ -63,6 +66,17 @@ def ComponentProxy (url, user=None, password=None, fingerprint=None):
newurl = "%s://%s:%s@%s" % (method, user, password, path)
else:
newurl = url
- return xmlrpclib.ServerProxy(newurl, allow_none=True,
- transport=XMLRPCTransport(x509Fingerprint=fingerprint))
+ if key and cert:
+ pdata = open(key).read()
+ pemkey = Bcfg2.tlslite.utils.keyfactory.parsePEMKey(pdata, private=True)
+ xcert = Bcfg2.tlslite.X509.X509()
+ cdata = open(cert).read()
+ xcert.parse(cdata)
+ certChain = Bcfg2.tlslite.X509CertChain.X509CertChain([xcert])
+ else:
+ certChain = None
+ pemkey = None
+ ssl_trans = XMLRPCTransport(x509Fingerprint=fingerprint, certChain=certChain,
+ privateKey=pemkey)
+ return xmlrpclib.ServerProxy(newurl, allow_none=True, transport=ssl_trans)
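Review bot: The `if key and cert:` branch silently falls through to `certChain = None` / `pemkey = None` when exactly one of `key` or `cert` is supplied, so a client with a half-finished configuration connects without a client certificate and nothing reports it; once the server requires client certificates this will only show up as a rejected connection with no hint why. Add an explicit branch between the two, e.g. `elif key or cert:` followed by `raise ValueError("both key and cert are required for client certificate auth")` (or a logged warning if a silent fallback is intended). The two `open(...).read()` calls also never close their handles; reading through a short-lived variable and calling `.close()` would make that explicit. `ComponentProxy` starts in the previous hunk, so its docstring and earlier argument handling are outside this one.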
diff --git a/src/lib/Server/Admin/Fingerprint.py b/src/lib/Server/Admin/Fingerprint.py
index 39a180d51..07c67bc72 100644
--- a/src/lib/Server/Admin/Fingerprint.py
+++ b/src/lib/Server/Admin/Fingerprint.py
@@ -18,7 +18,10 @@ class Fingerprint(Bcfg2.Server.Admin.Mode):
def getFingerprint(self):
'''calculate key fingerprint'''
- keypath = self.cfp.get('communication', 'key')
+ try:
+ keypath = self.cfp.get('communication', 'certificate')
+ except:
+ keypath = self.cfp.get('communication', 'key')
x509 = Bcfg2.tlslite.api.X509()
x509.parse(open(keypath).read())
return x509.getFingerprint()
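Review bot: The bare `except:` around `self.cfp.get('communication', 'certificate')` catches everything, including `KeyboardInterrupt` and any `AttributeError` from a misspelled name, and silently retries with the key path; only the ConfigParser lookup failures should trigger the fallback. Narrow it to `except (NoOptionError, NoSectionError):` (both from `ConfigParser`, which would need importing in this module if it is not already). Since the variable may now hold the certificate path, renaming `keypath` to `certpath` would also keep the name from misleading.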
diff --git a/src/sbin/bcfg2-server b/src/sbin/bcfg2-server
index 3a1a1aa91..bf850d8e5 100755
--- a/src/sbin/bcfg2-server
+++ b/src/sbin/bcfg2-server
@@ -63,6 +63,7 @@ class Bcfg2Serv(Bcfg2.Component.Component):
continue
try:
Bcfg2.Component.Component.__init__(self, setup['key'],
+ setup['cert'],
setup['password'],
setup['location'])
except Bcfg2.Component.ComponentInitError:
@@ -211,6 +212,7 @@ if __name__ == '__main__':
'filemonitor': Bcfg2.Options.SERVER_FILEMONITOR,
})
OPTINFO.update({'key' : Bcfg2.Options.SERVER_KEY,
+ 'cert' : Bcfg2.Options.SERVER_CERT,
'location' : Bcfg2.Options.SERVER_LOCATION,
'passwd' : Bcfg2.Options.SERVER_PASSWORD,
'static' : Bcfg2.Options.SERVER_STATIC,