
Add "fullpem" and "pkcs12" actions to sec and usr objects

Write out the key and certchain data in their respective format.
These commands generate the key and certchain keys if not already present,
so they can be used right after object create.

$ om system/usr/lva create
$ om system/usr/lva fullpem
cvaroqui committed Jun 29, 2019
1 parent 6778523 commit 183c3df21929e1f89e846c6070ce61279d6abc92
@@ -120,3 +120,48 @@ def gen_cert(self):
def get_cert_expire(self):
buff = self.decode_key("certificate")
return get_expire(buff)

def pkcs12(self):
print(self._pkcs12())

def _pkcs12(self):
required = set(["private_key", "certificate_chain"])
if required & set(self.data_keys()) != required:
self.gen_cert()
from subprocess import Popen, PIPE
import tempfile
_tmpcert = tempfile.NamedTemporaryFile()
_tmpkey = tempfile.NamedTemporaryFile()
tmpcert = _tmpcert.name
tmpkey = _tmpkey.name
_tmpcert.close()
_tmpkey.close()
try:
with open(tmpkey, "w") as _tmpkey:
os.chmod(tmpkey, 0o600)
_tmpkey.write(self.decode_key("private_key"))
with open(tmpcert, "w") as _tmpcert:
os.chmod(tmpcert, 0o600)
_tmpcert.write(self.decode_key("certificate_chain"))
cmd = ["openssl", "pkcs12", "-export", "-in", tmpcert, "-inkey", tmpkey, "-passout", "stdin"]
proc = Popen(cmd, stdout=PIPE, stderr=PIPE, stdin=PIPE)
out, err = proc.communicate(input="\n")
if err:
print(err)
return out
finally:
if os.path.exists(tmpcert):
os.unlink(tmpcert)
if os.path.exists(tmpkey):
os.unlink(tmpkey)

def fullpem(self):
print(self._fullpem())

def _fullpem(self):
required = set(["private_key", "certificate_chain"])
if required & set(self.data_keys()) != required:
self.gen_cert()
buff = self.decode_key("private_key")
buff += self.decode_key("certificate_chain")
return buff
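Review bot: In `_pkcs12` both `NamedTemporaryFile` objects are closed (which unlinks them) and their now-free names are reopened with `open(..., "w")`, so the private key file is created with the process umask, is readable by other local users until the following `os.chmod`, and is written through any symlink planted at that path in between — the 0600/O_EXCL creation that `NamedTemporaryFile` already provides is thrown away. Keep the temporary files open, write and flush into them, and hand their `.name` to openssl; the context manager then unlinks them even when openssl fails, replacing the manual `finally` cleanup. The exit status of openssl is also never checked, so a failed export prints the error on stdout and returns an empty `out` as if it were a valid PKCS#12 blob; test `proc.returncode` and raise (substitute the project's usual exception type for `RuntimeError`). Note too that `-passout stdin` fed with `"\n"` yields a bundle with an empty export password, which some browser stores refuse — if that is intended, say so in the action help text — and under Python 3 `print(out)` of a bytes value would emit a `b'...'` repr rather than the raw blob, so `sys.stdout.buffer.write(out)` is likely what the `pkcs12` action wants.

```python
def _pkcs12(self):
    # … unchanged: gen_cert fallback and local imports …
    # NamedTemporaryFile creates the file 0600 with O_EXCL; keep the handles
    # open so the key is never exposed via the umask or a swapped-in symlink.
    with tempfile.NamedTemporaryFile(mode="w") as tmpkey, \
         tempfile.NamedTemporaryFile(mode="w") as tmpcert:
        tmpkey.write(self.decode_key("private_key"))
        tmpkey.flush()
        tmpcert.write(self.decode_key("certificate_chain"))
        tmpcert.flush()
        cmd = ["openssl", "pkcs12", "-export", "-in", tmpcert.name,
               "-inkey", tmpkey.name, "-passout", "stdin"]
        proc = Popen(cmd, stdout=PIPE, stderr=PIPE, stdin=PIPE)
        out, err = proc.communicate(input="\n")
    if proc.returncode != 0:
        raise RuntimeError("openssl pkcs12 export failed: %s" % err)
    return out
```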
@@ -45,6 +45,12 @@
"gen_cert": {
"msg": "Create a x509 certificate using information in the secret configuration.",
},
"fullpem" : {
"msg": "Print to stdout a ascii pem-formatted concatenation of the private key and certificate. This format is accepted by opensvc context configuration. If certificate and private key are not generated yet, run the gen_cert action.",
},
"pkcs12" : {
"msg": "Print to stdout a binary pkcs12-formatted concatenation of the private key and certificate. This format is accepted by most browsers certificate store. If certificate and private key are not generated yet, run the gen_cert action.",
},
"decode": {
"msg": "Decode a secret key from the secret object.",
"options": mp.ACTION_OPTS + [
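Review bot: The `pkcs12` help text says the output is binary but not that it is written to stdout and, as far as the `_pkcs12` implementation in this commit shows (an empty line fed to `-passout stdin`), protected by an empty export password; the `fullpem` text likewise does not say that the private key itself is emitted, so an interactive user will land key material in terminal scrollback or shell history. Suggest `"msg": "Print to stdout a binary pkcs12-formatted bundle of the private key and certificate, exported with an empty password; redirect the output to a file. ..."` and, for fullpem, adding "The output contains the private key; redirect it to a file with restrictive permissions." Minor wording in the same strings: `a ascii pem-formatted` → `an ASCII PEM-formatted`, `most browsers certificate store` → `most browsers' certificate stores`.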
@@ -45,6 +45,12 @@
"gen_cert": {
"msg": "Create a x509 certificate using information in the secret configuration.",
},
"fullpem" : {
"msg": "Print to stdout a ascii pem-formatted concatenation of the private key and certificate. This format is accepted by opensvc context configuration. If certificate and private key are not generated yet, run the gen_cert action.",
},
"pkcs12" : {
"msg": "Print to stdout a binary pkcs12-formatted concatenation of the private key and certificate. This format is accepted by most browsers certificate store. If certificate and private key are not generated yet, run the gen_cert action.",
},
"revoke": {
"msg": "Revoke the user certificate, if generated by the cluster CA.",
},
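Review bot: These two `fullpem`/`pkcs12` entries duplicate the ones added to the sec action table verbatim, so any later correction to the help text has to be made twice; if the project already shares action definitions between sec and usr, these belong there. The same wording issues apply here: `a ascii pem-formatted` → `an ASCII PEM-formatted`, `most browsers certificate store` → `most browsers' certificate stores`, and both messages should state that the private key is written to stdout (and that the pkcs12 bundle has an empty export password, per the `_pkcs12` implementation in this commit) so users redirect the output to a protected file.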
