From 06cc27fbd6bedcc0b59a86f39c3c8134e699ea37 Mon Sep 17 00:00:00 2001
From: Kevin Guerineau
Date: Tue, 7 May 2024 16:08:50 +0200
Subject: [PATCH] [IMP] More explicit variables
---
 common.py | 42 +++++++++++++++++++++---------------------
 manage_pki.py | 8 ++++----
 2 files changed, 25 insertions(+), 25 deletions(-)
diff --git a/common.py b/common.py
index 2d48acb..176f74c 100644
--- a/common.py
+++ b/common.py
@@ -26,22 +26,22 @@ class TisPKI:
 def root_ca_keyfile():
 return os.path.join(TisPKI.pki_dir(),'private','root_ca.key')
- def keyout_path():
+ def root_keyout_path():
 return os.path.join(TisPKI.pki_dir(),'private')
- def csr_path():
+ def root_csr_path():
 return os.path.join(TisPKI.pki_dir(),'csr')
- def cert_path():
+ def root_cert_path():
 return os.path.join(TisPKI.pki_dir(),'certs')
- def p12_path():
+ def root_p12_path():
 return os.path.join(TisPKI.pki_dir(),'p12')
- def config_path():
+ def root_config_path():
 return os.path.join(TisPKI.pki_dir(),'config')
- def crl_path():
+ def root_crl_path():
 return os.path.join(TisPKI.pki_dir(),'crl')
@@ -228,13 +228,13 @@ def generate_dc_certificate():
 crl_uri = config.get('openssl_config','intermediate_crl_uri')
 pki_dir = TisPKI.pki_intermediate_dir()
 else:
- dc_certfile = os.path.join(TisPKI.cert_path(),f'{dc}.crt')
- dc_keyfile = os.path.join(TisPKI.keyout_path(),f'{dc}.key')
- dc_csrfile = os.path.join(TisPKI.csr_path(),f'{dc}.csr')
- dc_openssl_configfile = os.path.join(TisPKI.config_path(),f'openssl_{dc}.ini')
- crl_file = os.path.join(TisPKI.crl_path(),'root_ca.crl')
- dc_ca_keyfile = os.path.join(TisPKI.keyout_path(),'root_ca.key')
- dc_ca_certfile = os.path.join(TisPKI.cert_path(),'root_ca.crt')
+ dc_certfile = os.path.join(TisPKI.root_cert_path(),f'{dc}.crt')
+ dc_keyfile = os.path.join(TisPKI.root_keyout_path(),f'{dc}.key')
+ dc_csrfile = os.path.join(TisPKI.root_csr_path(),f'{dc}.csr')
+ dc_openssl_configfile = os.path.join(TisPKI.root_config_path(),f'openssl_{dc}.ini')
+ crl_file = os.path.join(TisPKI.root_crl_path(),'root_ca.crl')
+ dc_ca_keyfile = os.path.join(TisPKI.root_keyout_path(),'root_ca.key')
+ dc_ca_certfile = os.path.join(TisPKI.root_cert_path(),'root_ca.crt')
 crl_uri = config.get('openssl_config','crl_uri')
 pki_dir = TisPKI.pki_dir()
@@ -305,12 +305,12 @@ def generate_user_certificate():
 emailAddress = upn
 commonName = username
 else:
- crl_file = os.path.join(TisPKI.crl_path(),'root_ca.crl')
- dc_ca_keyfile = os.path.join(TisPKI.keyout_path(),'root_ca.key')
- dc_ca_certfile = os.path.join(TisPKI.cert_path(),'root_ca.crt')
+ crl_file = os.path.join(TisPKI.root_crl_path(),'root_ca.crl')
+ dc_ca_keyfile = os.path.join(TisPKI.root_keyout_path(),'root_ca.key')
+ dc_ca_certfile = os.path.join(TisPKI.root_cert_path(),'root_ca.crt')
 crl_uri = config.get('openssl_config','crl_uri')
 pki_dir = TisPKI.pki_dir()
- openssl_user_file = os.path.join(TisPKI.config_path(),'openssl_user.ini')
+ openssl_user_file = os.path.join(TisPKI.root_config_path(),'openssl_user.ini')
 emailAddress = upn
 commonName = username
@@ -345,17 +345,17 @@ def generate_user_certificate():
 print(f'Generate private key for {upn}')
- print(subprocess.run(f"openssl req -new -newkey rsa:{default_bits_user} -keyout {TisPKI.keyout_path()}/{username}.key -out {TisPKI.csr_path()}/{username}.csr -config <(cat {openssl_user_file} <(cat <<-EOF\n[ sanuser ]\notherName=msUPN;UTF8:{upn}\nemail=copy\nEOF\n)\n)",shell=True,check=True, executable='/bin/bash'))
+ print(subprocess.run(f"openssl req -new -newkey rsa:{default_bits_user} -keyout {TisPKI.root_keyout_path()}/{username}.key -out {TisPKI.root_csr_path()}/{username}.csr -config <(cat {openssl_user_file} <(cat <<-EOF\n[ sanuser ]\notherName=msUPN;UTF8:{upn}\nemail=copy\nEOF\n)\n)",shell=True,check=True, executable='/bin/bash'))
 print(f'Sign certificate')
- print(subprocess.run(f'openssl ca -extensions usr_cert_scarduser -days 730 -notext -md sha512 -create_serial -in {TisPKI.csr_path()}/{username}.csr -out {TisPKI.cert_path()}/{username}.crt -config <(cat {openssl_user_file} <(cat <<-EOF\n[ sanuser ]\notherName=msUPN;UTF8:{upn}\nemail=copy\nEOF\n)\n)',shell=True,check=True, executable='/bin/bash'))
+ print(subprocess.run(f'openssl ca -extensions usr_cert_scarduser -days 730 -notext -md sha512 -create_serial -in {TisPKI.root_csr_path()}/{username}.csr -out {TisPKI.root_cert_path()}/{username}.crt -config <(cat {openssl_user_file} <(cat <<-EOF\n[ sanuser ]\notherName=msUPN;UTF8:{upn}\nemail=copy\nEOF\n)\n)',shell=True,check=True, executable='/bin/bash'))
 print('Remove password in rsa key')
- print(subprocess.run(f'openssl rsa -in {TisPKI.keyout_path()}/{username}.key -out {TisPKI.keyout_path()}/{username}-nopasswd.key',shell=True,check=True, executable='/bin/bash'))
+ print(subprocess.run(f'openssl rsa -in {TisPKI.root_keyout_path()}/{username}.key -out {TisPKI.root_keyout_path()}/{username}-nopasswd.key',shell=True,check=True, executable='/bin/bash'))
 print('Create p12')
- print(subprocess.run(f'openssl pkcs12 -export -inkey 
{TisPKI.keyout_path()}/{username}-nopasswd.key -in {TisPKI.cert_path()}/{username}.crt -out {TisPKI.p12_path()}/{username}.p12', shell=True,check=True, executable='/bin/bash'))
+ print(subprocess.run(f'openssl pkcs12 -export -inkey {TisPKI.root_keyout_path()}/{username}-nopasswd.key -in {TisPKI.root_cert_path()}/{username}.crt -out {TisPKI.root_p12_path()}/{username}.p12', shell=True,check=True, executable='/bin/bash'))
 def main():
diff --git a/manage_pki.py b/manage_pki.py
index 162067e..a6e8432 100644
--- a/manage_pki.py
+++ b/manage_pki.py
@@ -16,13 +16,13 @@ from common import *
 def main():
 parser = OptionParser()
- parser.add_option('--init', dest="init", action="store_false", help="Create PKI")
- parser.add_option('--create-intermediate', dest="create_intermediate", action="store_false", help="Create an intermediate CA")
- parser.add_option('--create-dc-cert', dest="create_dc_cert", action="store_false", help="Create a certificat for a Domain Controler")
+ parser.add_option('--initialize', dest="initialize", action="store_true", help="Create PKI")
+ parser.add_option('--create-intermediate', dest="create_intermediate", action="store_true", help="Create an intermediate CA")
+ parser.add_option('--create-dc-cert', dest="create_dc_cert", action="store_true", help="Create a certificat for a Domain Controler")
 (options, args) = parser.parse_args()
- if options.init:
+ if options.initialize:
 create_openssl_config()
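Review bot: The four renamed `subprocess.run(..., shell=True, executable='/bin/bash')` calls in this hunk still splice `username` and `upn` unquoted into a bash command line, and `upn` additionally lands inside an unquoted `<<-EOF` heredoc where bash performs parameter and command expansion before openssl reads the config; any shell metacharacter in either value therefore changes what is executed, so if these values originate from user-supplied input (their origin is in the part of generate_user_certificate() that starts above this hunk and is not visible here) this is a command-injection path. The minimal mitigation is to wrap every interpolation outside the heredoc in `shlex.quote()` (stdlib) and quote the delimiter as `<<-'EOF'` so the heredoc body is taken literally; the robust fix is to assemble the `[ sanuser ]` section from Python into a temporary config file (`tempfile`, needs an import at the top of common.py) and invoke openssl with an argument list and no shell, which also drops the `/bin/bash` dependency. Separately, the `openssl rsa` step writes an unencrypted `{username}-nopasswd.key` into the private directory and nothing in this hunk removes it once the p12 is built; either delete it in a `finally:` after the `pkcs12` call or feed the passphrase-protected key to `openssl pkcs12 -export` via `-passin` and skip the plaintext copy. The rewritten first step below shows the shape; the ca/rsa/pkcs12 steps convert the same way using `san_cfg.name` as `-config`.
```python
    print(f'Generate private key for {upn}')
    # Reject values that could break out of the ini section: a UPN is one printable line.
    if not upn.isprintable() or not username.isprintable():
        raise ValueError('username/upn contain unexpected characters')
    # Build the per-user SAN section from Python so the shell never parses user data;
    # remove san_cfg.name once the pkcs12 step has finished.
    with tempfile.NamedTemporaryFile('w', suffix='.ini', delete=False) as san_cfg:
        with open(openssl_user_file) as base:
            san_cfg.write(base.read())
        san_cfg.write(f'\n[ sanuser ]\notherName=msUPN;UTF8:{upn}\nemail=copy\n')
    key_file = os.path.join(TisPKI.root_keyout_path(), f'{username}.key')
    csr_file = os.path.join(TisPKI.root_csr_path(), f'{username}.csr')
    print(subprocess.run(['openssl', 'req', '-new', '-newkey', f'rsa:{default_bits_user}',
                          '-keyout', key_file, '-out', csr_file, '-config', san_cfg.name],
                         check=True))
    # … unchanged in structure: 'Sign certificate', 'Remove password in rsa key', 'Create p12' steps, converted to argument lists the same way …
```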