Commit f10dc3c2 authored by godog's avatar godog

fix _getpw() usage and pass password over stdin

don't put the CA password on the command line; pass it to openssl via stdin instead
parent aec84c5c
......@@ -100,7 +100,8 @@ class CA(object):
# Generate keys if they do not exist.
if not os.path.exists(self.files.private_key):
log.info('creating new RSA private key')
openssl_wrap.run('genrsa', '-des3',
openssl_wrap.run_with_stdin(self._getpw(),
'genrsa', '-des3', '-passout', 'stdin',
'-out', self.files.private_key,
self.config['bits'])
......@@ -110,19 +111,19 @@ class CA(object):
csr_file = os.path.join(tmpdir, 'ca.csr')
log.info('creating new temporary RSA CA CSR')
openssl_wrap.run_with_config(
self.basedir, self.files.conf,
'req', '-new',
'-passout', 'pass:%s' % self._getpw(),
'-keyout', self.files.private_key, '-out', csr_file)
self.basedir, self.files.conf, self._getpw(),
'req', '-new', '-key', self.files.private_key,
'-out', csr_file)
log.info('self-signing RSA CA certificate')
openssl_wrap.run_with_config(
self.basedir, self.files.conf,
'ca', '-keyfile', self.files.private_key,
'-key', self._getpw(),
self.basedir, self.files.conf, self._getpw(),
'ca', '-selfsign',
'-keyfile', self.files.private_key,
'-in', csr_file,
'-out', self.files.public_key,
'-md', self.config['signature_algorithm'],
'-extensions', 'v3_ca', '-out', self.files.public_key,
'-days', self.config.get('days', self.config['default_days']),
'-selfsign', '-infiles', csr_file)
'-extensions', 'v3_ca',
'-days', self.config.get('days', self.config['default_days']))
shutil.rmtree(tmpdir)
os.umask(old_umask)
......@@ -144,9 +145,9 @@ class CA(object):
# Write the CRL in PEM format to a temporary file.
tmpf = self.files.crl + '.tmp'
openssl_wrap.run_with_config(
self.basedir, self.files.conf,
self.basedir, self.files.conf, self._getpw(),
'ca', '-gencrl', '-out', tmpf,
'-key', self._getpw())
'-keyfile', self.files.private_key)
# Convert to DER format for distribution.
openssl_wrap.run(
'crl', '-inform', 'PEM', '-outform', 'DER',
......@@ -157,9 +158,9 @@ class CA(object):
def revoke(self, cert):
log.info('revoking certificate %s', cert.name)
openssl_wrap.run_with_config(
self.basedir, self.files.conf,
self.basedir, self.files.conf, self._getpw(),
'ca', '-revoke', cert.public_key_file,
'-key', self._getpw())
'-keyfile', self.files.private_key)
self.gencrl()
def verify(self, path):
......@@ -200,15 +201,14 @@ class CA(object):
utils.render(conf_file, 'openssl_config', conf)
utils.render(ext_file, 'ext_config', conf)
openssl_wrap.run_with_config(
self.basedir, conf_file,
self.basedir, conf_file, self._getpw(),
'req', '-new', '-keyout', cert.private_key_file,
'-' + self.config['signature_algorithm'],
'-nodes', '-out', csr_file)
os.chmod(cert.private_key_file, 0600)
openssl_wrap.run_with_config(
self.basedir, conf_file,
self.basedir, conf_file, self._getpw(),
'ca', '-days', conf['days'],
'-key', self._getpw(),
'-md', self.config['signature_algorithm'],
'-policy', 'policy_anything', '-out', cert.public_key_file,
'-extfile', ext_file, '-infiles', csr_file)
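Review bot: The `req -new -keyout ... -nodes` call in the last hunk (the one ending at `'-nodes', '-out', csr_file)`) is handed `self._getpw()` although, as far as the visible arguments show, it generates a fresh unencrypted key and never opens the CA private key, so the CA passphrase is written to a process that has no use for it and `-passin stdin` is added for nothing. Passing `self.basedir, conf_file, None,` there keeps the secret out of that invocation; the `ca` call right after it does need it and is correct as written. The other hunks (`genrsa`, the CSR `req -new -key`, `ca -selfsign`, `-gencrl`, `-revoke`) all open the encrypted CA key and legitimately need the passphrase. The enclosing method of that last hunk starts outside the hunk.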
......@@ -10,21 +10,34 @@ class CommandError(Exception):
def run(*args, **env_vars):
cmd = ['openssl']
return run_with_stdin(None, *args, **env_vars)
def run_with_stdin(stdin, *args, **env_vars):
cmd = ['/usr/bin/openssl']
cmd.extend(args)
env = dict(os.environ)
env.update(env_vars)
log.debug('executing "%s"' % ' '.join(cmd))
pipe = subprocess.Popen(cmd, env=env, stdout=subprocess.PIPE)
stdout, _ = pipe.communicate()
popen_kwargs = {'env': env, 'stdout': subprocess.PIPE}
if stdin is not None:
popen_kwargs.update({'stdin': subprocess.PIPE})
pipe = subprocess.Popen(cmd, **popen_kwargs)
stdout, _ = pipe.communicate(stdin)
if pipe.returncode != 0:
raise CommandError('openssl exited with status %d' % (
pipe.returncode,))
return stdout
def run_with_config(caroot, config_file, *args):
def run_with_config(caroot, config_file, ca_pass=None, *args, **env_vars):
cmd = args[0]
args = args[1:]
caroot = os.path.abspath(caroot)
return run(cmd, '-config', config_file, '-batch', *args, CAROOT=caroot)
env = {'CAROOT': caroot}
env.update(env_vars)
run_args = ['-config', config_file, '-batch']
if ca_pass is not None:
run_args.extend(['-passin', 'stdin'])
run_args = run_args + list(args)
return run_with_stdin(ca_pass, cmd, *run_args, **env)
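Review bot: Giving `ca_pass` a default of `None` in `def run_with_config(caroot, config_file, ca_pass=None, *args, **env_vars)` is unsafe for a positional-before-`*args` parameter: any call site still using the old `run_with_config(caroot, conf, 'ca', ...)` shape would silently have `'ca'` taken as the CA passphrase and fed to openssl's stdin, with the next argument becoming the subcommand. Since `ca_pass` can never actually be omitted by a caller that also passes `*args`, drop the default so a stale caller fails loudly: `def run_with_config(caroot, config_file, ca_pass, *args, **env_vars):`. It would also help to document in `run_with_stdin` that the `stdin` argument may carry a secret, e.g. `# stdin may hold the CA passphrase: log the command line only, never the stdin payload`, since the `log.debug` line just above is the only place that would be tempting to extend.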