Added preliminary (but functional, although not configurable) certificate issuing server

3e419c87 · Pavel Kácha · faaf5231 · 3e419c87
Commit 3e419c87 authored 8 years ago by Pavel Kácha
--- a/warden3/contrib/warden_ra/warden_ra.py
+++ b/warden3/contrib/warden_ra/warden_ra.py
@@ -12,12 +12,17 @@ import struct
 import argparse
 import subprocess
 import json
+import logging
 # *ph* server vulnerable to logjam, local openssl too new, use hammer to disable Diffie-Helmann
 import ssl
 ssl._DEFAULT_CIPHERS += ":!DH"
 import ejbcaws
+# for local version of up to date jsonschema
+sys.path.append(os.path.join(os.path.dirname(__file__), "..", "..", "warden_server"))
+from warden_server import Request, ObjectReq, StreamLogger, FileLogger, Server, expose
 class EjbcaClient(object):
@@ -128,7 +133,10 @@ class EjbcaRegistry(object):
            subjectAltName="",
            subjectDN="",
            tokenType=ejbcaws.TOKEN_TYPE_USERGENERATED,
-            username="")
+            username="",
+            password = "".join((random.choice(string.ascii_letters + string.digits) for dummy in range(16))),
+            clearPwd = True
+        )
        client = EjbcaClient(registry=self, ejbca_data=new_ejbca_data)
        client.name = name
        client.admins = admins
@@ -155,6 +163,61 @@ def format_cert(cert):
        cert.get_issuer().as_text()
    )
+# Server side
+class NullAuthenticator(ObjectReq):
+    def __init__(self, req):
+        ObjectReq.__init__(self, req)
+    def __str__(self):
+        return "%s(req=%s)" % (type(self).__name__, type(self.req).__name__)
+    def authenticate(self, env, args):
+        return True
+    def authorize(self, env, client, path, method):
+        return True
+class CertHandler(ObjectReq):
+    def __init__(self, req, registry):
+        ObjectReq.__init__(self, req)
+        self.registry = registry
+    @expose(read=1, debug=1)
+    def getCert(self, name=None, password=None, events=None):
+        csr_data = (events or {}).get("csr")
+        if not (name and password and events):
+            raise self.req.error(message="Wrong or missing arguments", error=400)
+        client = self.registry.get_client(name[0])
+        if not client:
+            raise self.req.error(message="Unknown client", error=403)
+        #return {"client": client, "password": password[0], "csr_data": csr_data}
+        try:
+            newcert = client.new_cert(csr_data, password)
+        except Exception as e:
+            raise self.req.error(message="Processing error", error=403, cause=e)
+        return {"pem": newcert.as_pem()}
+def build_server(conf):
+    StreamLogger()
+    req = Request()
+    log = FileLogger(
+        req,
+        filename=os.path.join(os.path.dirname(__file__), os.path.splitext(os.path.split(__file__)[1])[0] + ".log"),
+        level=logging.DEBUG)
+    auth = NullAuthenticator(req)
+    registry = EjbcaRegistry(**conf)
+    handler = CertHandler(req, registry)
+    server = Server(req, auth, handler)
+    return server
 # Command line arguments
@@ -172,7 +235,7 @@ def list_clients(registry, name=None, verbose=False):
        print(client)
        if verbose:
            print(client.verbose_str())
-        for cert in sorted(client.get_certs(), key=lambda c: c.get_not_after()):
+        for cert in sorted(client.get_certs(), key=lambda c: c.get_not_after().get_datetime()):
            print(format_cert(cert))
            if verbose:
                print(cert.as_text())