[IMP] Lot of improvements

2024-05-17 17:29:47 +02:00
parent 61d50ec61e
commit 9c58afe0f7
6 changed files with 250 additions and 33 deletions
@@ -13,6 +13,7 @@
 # Maange DC Certificates

 from common import Printing, TisPKI, check_directories, config
+from intermediate_module import generate_intermediate_crl

 import subprocess
 import jinja2
@@ -24,7 +25,7 @@ import shutil
 import time


-def generate_dc_certificate(dc_name=None, ca_name=None, force=False, verbose=False):
+def generate_dc_certificate(dc_name=None, ca_name=None, verbose=False):

    if ca_name != "Root":
        dc_certfile = os.path.join(TisPKI.intermediate_cert_path(ca_name),f'{dc_name}.crt')
@@ -50,13 +51,11 @@ def generate_dc_certificate(dc_name=None, ca_name=None, force=False, verbose=Fal
    if not os.path.isfile(dc_certfile) and not os.path.isfile(dc_keyfile):
        Printing.information(f'Generate certificate for {dc_name}')

-        dc_guid = subprocess.run('/bin/bash get_guid.sh',shell=True, check=True, executable='/bin/bash')
-        if dc_guid.returncode != 0:
-            Printing.error('Unable to find dc_guid')
+        dc_name_guid = dc_name.split('.')[0]
+        dc_guid = str(subprocess.check_output(f'/bin/bash get_guid.sh {dc_name_guid}',shell=True).decode("utf-8")).strip()
+        if str(dc_guid) == '':
+            Printing.error('Unable to find dc_guid. Please verify the DC FQDN.')
            sys.exit(1)
-        else:
-            dc_name_guid = dc_name.split('.')[0]
-            dc_guid = str(subprocess.check_output(f'/bin/bash get_guid.sh {dc_name_guid}',shell=True).decode("utf-8")).strip()

        if verbose:
            Printing.information(f'{dc_name} GUID is : ' + str(dc_guid).strip())
@@ -70,6 +69,7 @@ def generate_dc_certificate(dc_name=None, ca_name=None, force=False, verbose=Fal
            'crl_uri': crl_uri,
            'pki_dir': pki_dir,
            'default_cert_duration': config.get('openssl_config','default_cert_duration'),
+            'default_crl_duration': config.get('openssl_config','default_crl_duration'),
            'country': config.get('openssl_config','country'),
            'state': config.get('openssl_config','state'),
            'city': config.get('openssl_config','city'),
@@ -89,7 +89,7 @@ def generate_dc_certificate(dc_name=None, ca_name=None, force=False, verbose=Fal
            Printing.information(f'{dc_name} OpenSSL configfile is correctly generated !')

        Printing.information(f'Generate private key and CSR for {dc_name}')
-        gen_dc_key = subprocess.run(f"openssl req -new -addext 'subjectAltName = email:copy' -newkey rsa:4096 -keyout {dc_keyfile} \
+        gen_dc_key = subprocess.run(f"openssl req -new -addext 'subjectAltName = email:copy' -newkey rsa:4096 -nodes -keyout {dc_keyfile} \
            -out {dc_csrfile} -config {dc_openssl_configfile}" , shell=True, check=False, executable='/bin/bash')

        if gen_dc_key.returncode == 0:
@@ -109,10 +109,40 @@ def generate_dc_certificate(dc_name=None, ca_name=None, force=False, verbose=Fal
                    retry = input('If you want to retry, press Y : ')
                    if retry == "y" or retry == 'Y':
                        os.remove(dc_keyfile)
-                        generate_dc_certificate(dc_name, ca_name, force, verbose)
+                        generate_dc_certificate(dc_name, ca_name, verbose)
        else:
            Printing.error('Error on generating Domain Controler private key')
            retry = input('If you want to retry, press Y : ')
            if retry == "y" or retry == 'Y':
                os.remove(dc_keyfile)
-                generate_dc_certificate(dc_name, ca_name, force, verbose)
+                generate_dc_certificate(dc_name, ca_name, verbose)
+
+
+def revoke_dc_certificate(dc_name=None, ca_name=None, verbose=False):
+    Printing.information(f'Revoke {dc_name} certificate')
+
+    if ca_name != "Root":
+        dc_keyfile = os.path.join(TisPKI.intermediate_keyout_path(ca_name),f'{dc_name}.key')
+        dc_certfile = os.path.join(TisPKI.intermediate_cert_path(ca_name),f'{dc_name}.crt')
+        dc_openssl_configfile = os.path.join(TisPKI.intermediate_config_path(ca_name),f'openssl_{dc_name}.ini')
+    else:
+        dc_keyfile = os.path.join(TisPKI.root_keyout_path(),f'{dc_name}.key')
+        dc_certfile = os.path.join(TisPKI.root_cert_path(),f'{dc_name}.crt')
+        dc_openssl_configfile = os.path.join(TisPKI.root_config_path(),f'openssl_{dc_name}.ini')
+
+    revoke_dc = input(f'Are you realy sure to revoke {dc_name} certificate ? [y/N]'.strip() or 'y')
+    if revoke_dc.lower() == "y":
+        Printing.information(f'OK, revoking {dc_name} certificate !')
+        revoke_cmd = subprocess.run(f"/usr/bin/openssl ca -config {dc_openssl_configfile} -revoke {dc_certfile}",
+        shell=True, check=False, executable='/bin/bash')
+
+        if revoke_cmd.returncode == 0:
+            Printing.information(f'Regenerate {ca_name} CRL')
+            generate_intermediate_crl(dc_openssl_configfile, ca_name, verbose)
+        else:
+            Printing.error('Unable to revoke CA Intermediate certificate')
+
+    remove_files = input('Would you like to remove private key and certificate ? [Y/n]' or "y")
+    if remove_files.lower() == "y":
+        os.remove(dc_certfile)
+        os.remove(dc_keyfile)