warden_ra/README.ejbca

+EJBCA backend for Warden 3.# Registration Authority
+===================================================
+
+Introduction
+------------
+
+EJBCA_ is an open source CA management software. To use this backend
+with Warden RA, you need to have it already installed and running.
+Tested with EJBCA_ 3.9.
+
+.. _EJBCA: https://www.ejbca.org/
+
+
+Configuration
+-------------
+
+    Options for "Registry: EjbcaRegistry" section.
+
+    url: EJBCA API URL, for example "https://ejbca.example.org/ejbca/ejbcaws/ejbcaws?wsdl"
+    cert: certificate for authentication to EJBCA, defaults to "warden_ra.cert.pem"
+    key: key for authentication to EJBCA, defaults to "warden_ra.key.pem"
+    ca_name: name of the CA, dedicated for Warden, defaults to "Example CA"
+    certificate_profile_name: name of the EJBCA certificate profile, defaults to "Example"
+    end_entity_profile_name: name of the EJBCA entity profile, defaults to "Example EE"
+    subject_dn_template: template for the DN generation, defaults to "DC=cz,DC=example-ca,DC=warden,CN=%s"
+    username_suffix: suffix, which will be added to EJBCA entities, defaults to "@warden"
+
+
+------------------------------------------------------------------------------
+
+Copyright (C) 2017 Cesnet z.s.p.o

warden_ra/README.openssl

+OpenSSL local backed for Warden 3.# Registration Authority
+==========================================================
+
+Introduction
+------------
+
+This backend allows using basic `openssl ca`_ facility for certificate
+emission. Client information is kept as plain config files within "clients"
+subdirectory. Also, received CSRs and issued certificates are saved in "csr"
+and "newcerts" subdirectories, respectively. File "lock" is used to conduct
+concurrent access to running openssl binary.
+
+.. _openssl ca: https://www.openssl.org/docs/manmaster/man1/openssl-ca.html
+
+
+Installation
+------------
+
+Choose directory where OpenSSL CA structure will reside (for example
+"ca").
+
+    # mkdir ca
+    # cd ca/
+    /ca# mkdir certs crl newcerts private clients csr
+    /ca# chmod 700 private
+    /ca# touch index.txt
+    /ca# echo 1024 > serial
+
+Adjust permissions.
+
+   # s-bit, so newly created files receive permissions of parent
+   # directory, not of creator
+   ca# find . -type d | xargs chmod g+s
+   # owner - apache group (this is for Debian, adjust accordingly for
+   # different distribution)
+   ca# chgrp -R www-data .
+
+Generate CA root certificate.
+
+    ca# openssl genrsa -out private/ca.key.pem 4096
+    ca# openssl req -config openssl.cnf \
+                -key private/ca.key.pem \
+                -new -x509 -days 7300 -sha256 -extensions v3_ca \
+                -out certs/ca.cert.pem
+    ca# chmod 444 private/ca.key.pem certs/ca.cert.pem
+
+Create "openssl.cnf" in base directory. You can use "openssl.cnf.example" as
+a basis.
+
+
+Configuration
+-------------
+
+    Options for "Registry: OpenSSLRegistry" section.
+
+    base_dir: Base directory where OpenSSL CA environment is managed
+    subject_dn_template: Template for DN of issued certs, defaults to "DC=cz,DC=example-ca,DC=warden,CN=%s"
+    openssl_sign: OpenSSL command and arguments to run for signing, defaults to "openssl ca -config %(cnf)s -batch -extensions server_cert -days 375 -notext -md sha256 -in %(csr)s -subj '%(dn)s'"
+
+
+
+------------------------------------------------------------------------------
+
+Copyright (C) 2017 Cesnet z.s.p.o

warden_ra/apache22.conf

+SSLEngine on
+
+SSLVerifyClient optional
+SSLOptions +StdEnvVars +ExportCertData
+
+SSLCertificateFile      /opt/warden_server/cert.pem
+SSLCertificateKeyFile   /opt/warden_server/key.pem
+SSLCACertificateFile    /opt/warden_server/chain_TERENA_SSL_CA_3.pem
+
+WSGIScriptAlias /warden_ra /opt/warden-ra/warden_ra.wsgi
+
+<Directory /opt/warden-ra/warden_ra.wsgi>
+    Order allow,deny
+    Allow from all
+</Directory>

warden_ra/apache24.conf

+SSLEngine on
+
+SSLVerifyClient optional
+SSLOptions +StdEnvVars +ExportCertData
+
+SSLCertificateFile      /opt/warden_server/cert.pem
+SSLCertificateKeyFile   /opt/warden_server/key.pem
+SSLCACertificateFile    /opt/warden_server/chain_TERENA_SSL_CA_3.pem
+
+WSGIScriptAlias /warden_ra /opt/warden-ra/warden_ra.wsgi
+
+<Directory /opt/warden-ra/warden_ra.wsgi>
+    Require all granted
+</Directory>

warden3/contrib/warden_ra/ejbcaws.py → warden_ra/ejbcaws.py

@@ -4,8 +4,7 @@
 # Copyright (c) 2016, CESNET, z. s. p. o.
 # Use of this source is governed by an ISC license, see LICENSE file.
 
-import urllib2
-import httplib
+import sys
 import socket
 import base64
 import suds.transport.http
@@ -13,6 +12,20 @@ import suds.client
 import M2Crypto
 
 
+if sys.version_info[0] >= 3:
+    import urllib.request, urllib.error, urllib.parse
+    import http.client
+
+    def get_https_handler():
+        return urllib.request.HTTPSHandler
+else:
+    import urllib2
+    import httplib
+
+    def get_https_handler():
+        return urllib2.HTTPSHandler
+
+
 STATUS_FAILED = 11
 STATUS_GENERATED = 40
 STATUS_HISTORICAL = 60
@@ -139,10 +152,10 @@ REVOKATION_REASON_PRIVILEGESWITHDRAWN = 9
 REVOKATION_REASON_AACOMPROMISE = 10
 
 
-class HTTPSClientAuthHandler(urllib2.HTTPSHandler):
+class HTTPSClientAuthHandler(get_https_handler()):
 
     def __init__(self, key, cert):
-        urllib2.HTTPSHandler.__init__(self)
+        get_https_handler().__init__(self)
         self.key = key
         self.cert = cert
 
@@ -150,7 +163,10 @@ class HTTPSClientAuthHandler(urllib2.HTTPSHandler):
         return self.do_open(self.get_connection, req)
 
     def get_connection(self, host, timeout=5):
-        return httplib.HTTPSConnection(host, key_file=self.key, cert_file=self.cert, timeout=timeout)
+        if sys.version_info[0] >= 3:
+            return http.client.HTTPSConnection(host, key_file=self.key, cert_file=self.cert, timeout=timeout)
+        else:
+            return httplib.HTTPSConnection(host, key_file=self.key, cert_file=self.cert, timeout=timeout)
 
 
 class HTTPSClientCertTransport(suds.transport.http.HttpTransport):
@@ -160,9 +176,12 @@ class HTTPSClientCertTransport(suds.transport.http.HttpTransport):
         self.key = key
         self.cert = cert
 
-    def u2open(self, u2request):
-        tm = self.options.timeout
-        url = urllib2.build_opener(HTTPSClientAuthHandler(self.key, self.cert))
+    def u2open(self, u2request, timeout=None):
+        tm = timeout or self.options.timeout
+        if sys.version_info[0] >= 3:
+            url = urllib.request.build_opener(HTTPSClientAuthHandler(self.key, self.cert))
+        else:
+            url = urllib2.build_opener(HTTPSClientAuthHandler(self.key, self.cert))
         if self.u2ver() < 2.6:
             socket.setdefaulttimeout(tm)
             return url.open(u2request)

warden_ra/openssl.cnf.example

+# OpenSSL root CA configuration file.
+# Copy to `/root/ca/openssl.cnf`.
+
+[ ca ]
+# `man ca`
+default_ca = CA_default
+
+[ CA_default ]
+# Directory and file locations.
+dir               = /var/spool/example-ca
+certs             = $dir/certs
+crl_dir           = $dir/crl
+new_certs_dir     = $dir/newcerts
+database          = $dir/index.txt
+serial            = $dir/serial
+RANDFILE          = $dir/private/.rand
+unique_subject    = no
+
+# The root key and root certificate.
+private_key       = $dir/private/ca.key.pem
+certificate       = $dir/certs/ca.cert.pem
+
+# For certificate revocation lists.
+crlnumber         = $dir/crlnumber
+crl               = $dir/crl/ca.crl.pem
+crl_extensions    = crl_ext
+default_crl_days  = 30
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md        = sha256
+
+name_opt          = ca_default
+cert_opt          = ca_default
+default_days      = 375
+preserve          = no
+policy            = policy_loose
+
+[ policy_loose ]
+# Allow the CA to sign a more diverse range of certificates.
+# See the POLICY FORMAT section of the `ca` man page.
+countryName             = optional
+stateOrProvinceName     = optional
+localityName            = optional
+organizationName        = optional
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+[ req ]
+# Options for the `req` tool (`man req`).
+default_bits        = 2048
+distinguished_name  = req_distinguished_name
+string_mask         = utf8only
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md          = sha256
+
+# Extension to add when the -x509 option is used.
+x509_extensions     = v3_ca
+
+[ req_distinguished_name ]
+# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
+countryName                     = Country Name (2 letter code)
+stateOrProvinceName             = State or Province Name
+localityName                    = Locality Name
+0.organizationName              = Organization Name
+organizationalUnitName          = Organizational Unit Name
+commonName                      = Common Name
+emailAddress                    = Email Address
+
+# Optionally, specify some defaults.
+countryName_default             = CZ
+stateOrProvinceName_default     = Czech Republic
+localityName_default            =
+0.organizationName_default      = Example
+organizationalUnitName_default  =
+emailAddress_default            =
+
+[ v3_ca ]
+# Extensions for a typical CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ server_cert ]
+# Extensions for server certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = client
+nsComment = "OpenSSL Generate Client Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth
+

warden_ra/warden_apply.sh

+#!/bin/bash
+
+key=key.pem
+csr=csr.pem
+cert=cert.pem
+result=${TMPDIR:-${TMP:-/tmp}}/cert.$$.$RANDOM
+config=${TMPDIR:-${TMP:-/tmp}}/conf.$$.$RANDOM
+if [ "$1" == "--cacert" ]; then
+  cacert="--cacert $2"
+  shift
+  shift
+fi
+url="$1"
+client="$2"
+password="$3"
+incert="$3"
+inkey="$4"
+
+trap 'rm -f "$config $result"' INT TERM HUP EXIT
+
+function flee { echo -e "$1"; exit $2; }
+
+[ -z "$client" -o -z "$password" ] && flee "Usage: ${0%.*} [--cacert CERT] url client.name password\n       ${0%.*} [--cacert CERT] url client.name cert_file key_file" 255
+
+url="${url%/}/getCert"
+
+for n in openssl curl; do
+    command -v "$n" 2>&1 >/dev/null || flee "Haven't found $n binary." 251
+done
+for n in "$csr" "$key" "$cert"; do
+    [ -e "$n" ] && flee "$n already exists, I won't overwrite, move them away first, please." 254
+done
+for n in "$result" "$config"; do
+    touch "$n" || flee "Error creating temporary file ($n)." 253
+done
+
+echo -e "default_bits=2048\ndistinguished_name=rdn\nprompt=no\n[rdn]\ncommonName=dummy" > "$config"
+
+openssl req -new -nodes -batch -keyout "$key" -out "$csr" -config "$config" || flee "Error generating key/certificate request." 252
+
+if [ -z "$inkey" ]; then
+    curl --progress-bar $cacert --request POST --data-binary '@-' "$url?name=$client&password=$password" < "$csr" > "$result"
+else
+    # local cert file name may be interpreted as a "nickname", add "./" to force interpretation as a file
+    if [[ ! "$incert" =~ "/" ]]; then
+        incert="./$incert"
+    fi
+    curl --progress-bar $cacert --request POST --data-binary '@-' --cert "$incert" --key "$inkey" "$url?name=$client" < "$csr" > "$result"
+fi
+
+case $(<$result) in '-----BEGIN CERTIFICATE-----'*)
+    mv "$result" "$cert"
+    flee "Succesfully generated key ($key) and obtained certificate ($cert)." 0
+esac
+
+flee "$(<$result)\n\nCertificate request failed. Please save all error messages for communication with registration authority representative." 252

warden_ra/warden_ra.cfg.dist

+{
+    "Log": {
+        "filename": "/var/log/warden_ra.log",
+        "level": "info"
+    },
+    "Registry": {
+
+// Example configuration for OpenSSL CA backend
+//        "type": "OpenSSLRegistry",
+//        "base_dir": "/var/spool/example-ca",
+//        "subject_dn_template": "DC=cz,DC=example-ca,DC=warden,CN=%s"
+
+// Example configuration for EJBCA backend
+//        "type": "EjbcaRegistry",
+//        "url": "https://ejbca.example.org/ejbca/ejbcaws/ejbcaws?wsdl",
+//        "cert": "warden_ra.cert.pem",
+//        "key": "warden_ra.key.pem",
+//        "ca_name": "Example CA",
+//        "certificate_profile_name": "Example",
+//        "end_entity_profile_name": "Example EE",
+//        "subject_dn_template": "DC=cz,DC=example-ca,DC=warden,CN=%s",
+//        "username_suffix": "@warden"
+
+    }
+}

warden_ra/warden_ra.wsgi

+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+
+from sys import path
+from os.path import dirname, join
+
+path.append(dirname(__file__))
+from warden_ra import build_server
+
+## JSON configuration with line comments (trailing #)
+from warden_ra import read_cfg
+application = build_server(read_cfg(join(dirname(__file__), "warden_ra.cfg")))

warden3/warden_server/README → warden_server/README

 +-------------------------+
-| Warden Server 3.0-beta2 |
+| Warden Server 3.0-beta3 |
 +-------------------------+
 
 Content
@@ -46,6 +46,10 @@ B. Dependencies
     python-m2crypto 0.20+
     jsonschema 2.4+
 
+ 3. Database
+
+    MySQL | MariaDB >= 5.5
+
 ------------------------------------------------------------------------------
 C. Installation
 
@@ -54,29 +58,32 @@ C. Installation
 
    # cd /opt
    # tar xjf warden_server_3.0.tar.bz2
-   # ls
-   warden_server_3.0
+   # mv warden_server_3.0 warden_server
 
  * Create database and desired database users
    (We're using db "warden3" and user "warden@localhost" as an example.)
 
    # mysql -p
 
-   mysql> CREATE DATABASE warden3;
-   mysql> GRANT ALL ON warden3.* TO `warden`@`localhost`;
-   mysql> SET PASSWORD FOR 'warden'@'localhost' = PASSWORD('example');
-   mysql> FLUSH PRIVILEGES;
+   > CREATE DATABASE warden3;
+   > CREATE USER 'warden'@'localhost' IDENTIFIED BY 'example';
+   > GRANT ALL ON warden3.* TO `warden`@`localhost`;
+   > FLUSH PRIVILEGES;
 
  * Create necessary table structure
 
    mysql -p -u warden warden3 < warden_3.0.sql
 
+ * Get up to date Idea schema
+
+   wget -O warden_server/idea.schema https://idea.cesnet.cz/_media/en/idea0.schema
+
  * Enable mod_wsgi, mod_ssl, include Warden configuration
 
    This depends heavily on your distribution and Apache configuration.
    Basically you need to create and include apache.conf:
 
-      Include /opt/warden_server_3.0/apache.conf
+      Include /opt/warden_server/apache.conf
 
    or paste the contents into whichever Directory, Location or VirtualHost
    you dedicate for Warden.  You can use apache22.conf.dist or
@@ -123,7 +130,8 @@ particular implementation object of the aspect, for example type of logger
 
 		Log: FileLogger, SysLogger
 		DB: MySQL
-		Auth: X509Authenticator, PlainAuthenticator
+		Auth: X509Authenticator, X509NameAuthenticator,
+              X509MixMatchAuthenticator,PlainAuthenticator
 		Validator: JSONSchemaValidator, NoValidator
 		Handler: WardenHandler
 
@@ -144,7 +152,17 @@ object from particular section list is used ("FileLogger" for example).
 
    X509Authenticator: authenticate based on certificate chain validation,
        hostname corresponding with certificate CN or SubjectAltName and
-       optionally shared secret
+       optionally shared secret (note that more clients on one machine
+       will have to have the certificate with the same hostname, clients
+       than can be differentiated by separate secrets).
+       This method is OBSOLETE.
+
+    X509NameAuthenticator: authenticate based on certificate chain validation,
+        certificate CN must correspond with client _name_, NOT hostname.
+
+    X509MixMatchAuthenticator: automatically choose X509Authenticator or
+        X509NameAuthenticator based on existence of 'secret' in query. Allows
+        for seamless transition of clients between two authentication methods.
 
    PlainAuthenticator: authenticate based on client name or shared secret, usable
       over plain HTTP connection or HTTPS without client certificate - note that
@@ -214,7 +232,8 @@ warden_server.py register [--help] -n NAME -h HOSTNAME -r REQUESTOR
      -r REQUESTOR, --requestor REQUESTOR
                            requestor email
      -s SECRET, --secret SECRET
-                           authentication token
+                           authentication token (use explicit empty string to
+                           disable)
      --note NOTE           client freetext description
      --valid               valid client (default)
      --novalid

warden_server/README.test

++----------------------------------+
+| Warden3 Server Test Suite README |
++----------------------------------+
+
+Content
+
+  A. Introduction
+  B. Compatibility
+  C. Dependencies
+  D. Usage
+
+-------------------------------------------------------------------------------
+A. Introduction
+
+The Warden Server Test Suite is a collection of high-level functional tests
+(black-box testing), covering the most important interfaces of the Warden
+Server.
+
+-------------------------------------------------------------------------------
+B. Compatibility
+
+* The test suite, just like the Warden Server, is compatible with both Python2
+  (tested on 2.7) and Python3 (tested on 3.6).
+* Just like Warden Server, the test suite requires a local MySQL installation.
+* It is safe to run the test suite on a production system. For testing,
+  a database distinct from the default production one is used. Also, the user
+  account used for accessing the testing database is set for local login only.
+  To be extra safe, make sure not to name the production database `w3test`.
+
+-------------------------------------------------------------------------------
+C. Dependencies
+
+In addition to the regular Warden Server dependencies, package `unittest2` is
+required to run the test suite. It can be installed by running:
+	pip install unittest2
+or `pip3 install unittest2` for Python3 version
+	or on Debian:
+apt-get install python-unittest2
+	or alternatively:
+apt-get install python3-unittest2
+for Python3 version.
+
+An optional dependency is a code coverage measurement tool `Coverage.py`,
+which can be installed by:
+	pip install coverage
+or `pip3 install coverage` for Python3 version
+or on Debian:
+	apt-get install python-coverage
+or alternatively:
+	apt-get install python3-coverage
+for Python3 version.
+
+-------------------------------------------------------------------------------
+D. Usage
+
+Before running the tests (for the first time), a DB user with required rights
+must be created. An easy way to do it is:
+	./test_warden_server.py --init
+This will prompt for MySQL root password.
+
+Standard usage for testing:
+	./test_warden_server.py
+
+Advanced usage:
+
+	./test_warden_server.py --help
+	usage: test_warden_server.py [-h] [-i] [-n]
+
+	Warden3 Server Test Suite
+
+	optional arguments:
+	  -h, --help     show this help message and exit
+	  -i, --init     Set up an user with rights to CREATE/DROP the
+			 test database
+	  -n, --nopurge  Skip the database purge after running the tests
+
+
+Option -n (--nopurge) is meant for debugging purposes and test development, it
+keeps the test database around for inspection after running the tests.
+
+-------------------------------------------------------------------------------

warden3/warden_server/apache22.conf.dist → warden_server/apache22.conf.dist

 SSLEngine on
 
-SSLVerifyClient require
+SSLVerifyClient optional
 SSLVerifyDepth 4
 SSLOptions +StdEnvVars +ExportCertData
 
 #SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
 
-SSLCertificateFile      /opt/warden_server_3/etc/cert.pem
-SSLCertificateKeyFile   /opt/warden_server_3/etc/key.pem
-SSLCACertificateFile    /opt/warden_server_3/etc/tcs-ca-bundle.pem
+SSLCertificateFile      /opt/warden_server/etc/cert.pem
+SSLCertificateKeyFile   /opt/warden_server/etc/key.pem
+SSLCACertificateFile    /opt/warden_server/etc/tcs-ca-bundle.pem
 
-WSGIScriptAlias /warden3 /opt/warden_server_3/warden_server.wsgi
+WSGIScriptAlias /warden3 /opt/warden_server/warden_server.wsgi
 
-<Directory /opt/warden_server_3/warden_server.wsgi>
+<Directory /opt/warden_server/warden_server.wsgi>
     Order allow,deny
     Allow from all
 </Directory>

warden3/warden_server/apache24.conf.dist → warden_server/apache24.conf.dist

 SSLEngine on
 
-SSLVerifyClient require
+SSLVerifyClient optional
 SSLVerifyDepth 4
 SSLOptions +StdEnvVars +ExportCertData
 
 #SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
 
-SSLCertificateFile      /opt/warden_server_3/etc/cert.pem
-SSLCertificateKeyFile   /opt/warden_server_3/etc/key.pem
-SSLCACertificateFile    /opt/warden_server_3/etc/tcs-ca-bundle.pem
+SSLCertificateFile      /opt/warden_server/etc/cert.pem
+SSLCertificateKeyFile   /opt/warden_server/etc/key.pem
+SSLCACertificateFile    /opt/warden_server/etc/tcs-ca-bundle.pem
 
-WSGIScriptAlias /warden3 /opt/warden_server_3/warden_server.wsgi
+WSGIScriptAlias /warden3 /opt/warden_server/warden_server.wsgi
 
-<DirectoryMatch /opt/warden_server_3/warden_server.wsgi>
+<DirectoryMatch /opt/warden_server/warden_server.wsgi>
 	Require all granted
 </DirectoryMatch>

warden3/warden_server/warden_server.cfg.dist → warden_server/warden_server.cfg.dist

@@ -7,5 +7,10 @@
         "send_events_limit": 500,
         "get_events_limit": 1000,
         "description": "Warden 3 distribution config"
+    },
+    "DB": {
+        "user": "warden",
+        "password": "EXAMPLE",
+        "dbname": "warden3"
     }
 }
\ No newline at end of file