From de10f2e64cb7faf0ba0222a22035b81ca07e7426 Mon Sep 17 00:00:00 2001
From: Narayan Desai
Date: Wed, 8 Apr 2009 01:19:11 +0000
Subject: Implement ssl certificate split, in preparation for SSL client cert auth

git-svn-id: https://svn.mcs.anl.gov/repos/bcfg/trunk/bcfg2@5155 ce84e21b-d406-0410-9b95-82705330c041
---
 src/lib/Component.py | 15 +++++++++------
 src/lib/Options.py | 2 ++
 src/lib/Proxy.py | 20 +++++++++++++++++---
 src/lib/Server/Admin/Fingerprint.py | 5 ++++-
 src/sbin/bcfg2-server | 2 ++
 5 files changed, 34 insertions(+), 10 deletions(-)
 (limited to 'src')

diff --git a/src/lib/Component.py b/src/lib/Component.py
index aca74f7d1..b76b1bd33 100644
--- a/src/lib/Component.py
+++ b/src/lib/Component.py
@@ -93,17 +93,19 @@ class CobaltXMLRPCRequestHandler(SimpleXMLRPCServer.SimpleXMLRPCRequestHandler):
 class TLSServer(Bcfg2.tlslite.api.TLSSocketServerMixIn, BaseHTTPServer.HTTPServer):
 '''This class is an tlslite-using SSLServer'''
- def __init__(self, address, keyfile, handler, checker=None,
+ def __init__(self, address, keyfile, certfile, handler, checker=None,
 reqCert=False):
+ print keyfile, certfile
 self.sc = Bcfg2.tlslite.api.SessionCache()
 self.rc = reqCert
 self.master = os.getpid()
 x509 = Bcfg2.tlslite.api.X509()
- s = open(keyfile).read()
- x509.parse(s)
+ cdata = open(certfile).read()
+ x509.parse(cdata)
 self.checker = checker
+ kdata = open(keyfile).read()
 try:
- self.key = Bcfg2.tlslite.api.parsePEMKey(s, private=True)
+ self.key = Bcfg2.tlslite.api.parsePEMKey(kdata, private=True)
 except:
 raise ComponentKeyError
 self.chain = Bcfg2.tlslite.api.X509CertChain([x509])
@@ -148,7 +150,7 @@ class Component(TLSServer,
 fork_funcs = []
 child_limit = 32
- def __init__(self, keyfile, password, location):
+ def __init__(self, keyfile, certfile, password, location):
 # need to get addr
 self.shut = False
 signal.signal(signal.SIGINT, self.start_shutdown)
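Review bot: The added `print keyfile, certfile` in TLSServer.__init__ looks like a debugging leftover; it writes the key and certificate paths to the server's stdout at every start and should be dropped before this lands (TLSServer has no logger visible here, so a plain removal is the simplest fix). The bare `except:` around parsePEMKey also swallows KeyboardInterrupt and SystemExit and discards the parser's own error, so a malformed key surfaces only as ComponentKeyError with no detail; `except Exception, e:` with the message logged or attached to ComponentKeyError would keep the contract while making the failure diagnosable. Note that `kdata = open(keyfile).read()` stays outside the try and the new certfile read has no guard at all, so a missing or unreadable file raises IOError rather than ComponentKeyError. Both reads leave the file objects to be closed by refcounting; an explicit close (or `with`, if the target interpreter allows it) would be cleaner for key material.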
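Review bot: Inserting `certfile` as the second positional parameter of Component.__init__ (and of TLSServer.__init__ above) means a caller that is not updated in this commit does not fail at the call but with every later argument shifted: the password string is passed as certfile and TLSServer.__init__ then fails on `open(certfile)` with an IOError about the password value, and the location becomes the password. Only the bcfg2-server call site is updated here; other callers or subclasses of Component are not visible in this diff and should be checked. Appending the parameter with a default, `def __init__(self, keyfile, password, location, certfile=None):`, and falling back to keyfile when it is None would keep existing callers working; failing that, a comment on the signature noting the positional change is the minimum. The body of Component.__init__ continues outside the hunk.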
@@ -162,7 +164,8 @@ class Component(TLSServer,
 self.password = password
 try:
- TLSServer.__init__(self, sock_loc, keyfile, CobaltXMLRPCRequestHandler)
+ TLSServer.__init__(self, sock_loc, keyfile, certfile,
+ CobaltXMLRPCRequestHandler)
 except socket.error:
 self.logger.error("Failed to bind to socket")
 raise ComponentInitError
diff --git a/src/lib/Options.py b/src/lib/Options.py
index 8f3df5f39..c992d17d2 100644
--- a/src/lib/Options.py
+++ b/src/lib/Options.py
@@ -200,6 +200,8 @@ SERVER_STATIC = Option('Server runs on static port', cf=('components', 'bcfg2'),
 default=False, cook=bool_cook)
 SERVER_KEY = Option('Path to SSL key', cf=('communication', 'key'),
 default=False, cmd='-K', odesc='')
+SERVER_CERT = Option('Path to SSL certificate', default='/etc/bcfg2.key',
+ cf=('communication', 'certificate'), odesc='')
 SERVER_PASSWORD = Option('Communication Password', cmd='-x', odesc='',
 cf=('communication', 'password'), default=False)
 INSTALL_PREFIX = Option('Installation location', cf=('server', 'prefix'),
diff --git a/src/lib/Proxy.py b/src/lib/Proxy.py
index 24dbf5ee8..8275f9a7c 100644
--- a/src/lib/Proxy.py
+++ b/src/lib/Proxy.py
@@ -12,6 +12,8 @@ __revision__ = '$Revision: $'
 from ConfigParser import SafeConfigParser, NoSectionError
 import logging, socket, urlparse, time, Bcfg2.tlslite.errors
 from Bcfg2.tlslite.integration.XMLRPCTransport import XMLRPCTransport
+import Bcfg2.tlslite.X509, Bcfg2.tlslite.X509CertChain
+import Bcfg2.tlslite.utils.keyfactory
 import xmlrpclib
 from xmlrpclib import _Method
@@ -48,7 +50,8 @@ class RetryMethod(_Method):
 # sorry jon
 xmlrpclib._Method = RetryMethod
-def ComponentProxy (url, user=None, password=None, fingerprint=None):
+def ComponentProxy (url, user=None, password=None, fingerprint=None,
+ key=None, cert=None):
 """Constructs proxies to components.
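Review bot: SERVER_CERT defaults to `/etc/bcfg2.key` although it is described as the path to the SSL certificate, while SERVER_KEY next to it defaults to False; presumably this keeps an existing combined key+certificate PEM working when no `certificate` option is configured, but a reader will take a `.key` default on a certificate option for a typo. A comment on the option, `# defaults to the key path so an existing combined key+cert PEM keeps working`, would make the intent explicit. SERVER_CERT also gets no `cmd` flag, unlike SERVER_KEY's `-K`, so the certificate can only be set from the config file; if that is deliberate it is worth stating next to the option.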
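Review bot: ComponentProxy gains `key` and `cert` parameters, but the docstring that follows, `"""Constructs proxies to components.`, is not extended to describe them; the rest of that docstring lies outside the hunk. It should state that both are paths to PEM-encoded files (the key is fed to parsePEMKey, the certificate to X509.parse further down), that they only take effect when both are given, and that omitting them builds the proxy without a client certificate.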
@@ -63,6 +66,17 @@ def ComponentProxy (url, user=None, password=None, fingerprint=None):
 newurl = "%s://%s:%s@%s" % (method, user, password, path)
 else:
 newurl = url
- return xmlrpclib.ServerProxy(newurl, allow_none=True,
- transport=XMLRPCTransport(x509Fingerprint=fingerprint))
+ if key and cert:
+ pdata = open(key).read()
+ pemkey = Bcfg2.tlslite.utils.keyfactory.parsePEMKey(pdata, private=True)
+ xcert = Bcfg2.tlslite.X509.X509()
+ cdata = open(cert).read()
+ xcert.parse(cdata)
+ certChain = Bcfg2.tlslite.X509CertChain.X509CertChain([xcert])
+ else:
+ certChain = None
+ pemkey = None
+ ssl_trans = XMLRPCTransport(x509Fingerprint=fingerprint, certChain=certChain,
+ privateKey=pemkey)
+ return xmlrpclib.ServerProxy(newurl, allow_none=True, transport=ssl_trans)
diff --git a/src/lib/Server/Admin/Fingerprint.py b/src/lib/Server/Admin/Fingerprint.py
index 39a180d51..07c67bc72 100644
--- a/src/lib/Server/Admin/Fingerprint.py
+++ b/src/lib/Server/Admin/Fingerprint.py
@@ -18,7 +18,10 @@ class Fingerprint(Bcfg2.Server.Admin.Mode):
 def getFingerprint(self):
 '''calculate key fingerprint'''
- keypath = self.cfp.get('communication', 'key')
+ try:
+ keypath = self.cfp.get('communication', 'certificate')
+ except:
+ keypath = self.cfp.get('communication', 'key')
 x509 = Bcfg2.tlslite.api.X509()
 x509.parse(open(keypath).read())
 return x509.getFingerprint()
diff --git a/src/sbin/bcfg2-server b/src/sbin/bcfg2-server
index 3a1a1aa91..bf850d8e5 100755
--- a/src/sbin/bcfg2-server
+++ b/src/sbin/bcfg2-server
@@ -63,6 +63,7 @@ class Bcfg2Serv(Bcfg2.Component.Component):
 continue
 try:
 Bcfg2.Component.Component.__init__(self, setup['key'],
+ setup['cert'],
 setup['password'], setup['location'])
 except Bcfg2.Component.ComponentInitError:
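Review bot: The `if key and cert:` branch silently disables client certificate authentication when exactly one of the two is configured, so a client with a typo in either path connects without a certificate and, because reqCert defaults to False in TLSServer.__init__ and Component never passes it, gets no error that would reveal the misconfiguration. Rejecting the half-configured case up front, `if bool(key) != bool(cert): raise ValueError("client cert auth needs both key and cert")`, fails loudly where the problem is. The private key is also read with `open(key).read()` and never explicitly closed, the same pattern as in TLSServer.__init__ in Component.py. Minor: this code reaches X509, X509CertChain and parsePEMKey through their submodules while Component.py uses `Bcfg2.tlslite.api` for the same names, so one spelling would be easier to grep.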
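Review bot: The bare `except:` in getFingerprint catches every exception from `self.cfp.get`, not just a missing `certificate` option, so a missing `[communication]` section or any other error is retried as a key lookup and surfaces as a second, unrelated traceback; `except ConfigParser.NoOptionError:` (importing ConfigParser if the module does not already) is the case the fallback is meant for. The docstring `'''calculate key fingerprint'''` now describes the certificate's fingerprint whenever a certificate path is configured, so `'''fingerprint of the configured certificate (falls back to the key file)'''` would be accurate. This value is presumably what clients pin through ComponentProxy's fingerprint argument, so after splitting key and certificate files it is worth confirming it still matches what deployed clients were configured with.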
@@ -211,6 +212,7 @@ if __name__ == '__main__':
 'filemonitor': Bcfg2.Options.SERVER_FILEMONITOR,
 })
 OPTINFO.update({'key' : Bcfg2.Options.SERVER_KEY,
+ 'cert' : Bcfg2.Options.SERVER_CERT,
 'location' : Bcfg2.Options.SERVER_LOCATION,
 'passwd' : Bcfg2.Options.SERVER_PASSWORD,
 'static' : Bcfg2.Options.SERVER_STATIC,
-- 
cgit v1.2.3-1-g7c22