Commit 27c4bcc2 authored by Tomasz Wolniewicz's avatar Tomasz Wolniewicz

adding certificate update script

parent 76f41cbe
#!/usr/bin/python
"""
This script will add a federation signing certificate to the database.
One required argument is the identifier of the federation. The certificate
to be added must be in the PEM format must be named upstreamCert_IDENIFIER.cer
and must be in the Certs subdirecory of your current directory.
The database access details are below as "db, host, user", we suggest that
it is safest to use localhost as host and have the "user" access right only
from the localhost. The script will prompt for password of the user (again
for security reasons this password is not stored in the script).
If a given federation already has a certificate in the database, the script
will ask if we want to remove or keep the other certificate. It is possible
to have more certificates than one and they will all be tried during the
validation process. This feature is meant for smooth transition form one
signing key to another. The old key should be removed after the transition
has been finalised.
At the moment there is no script for removing the certificate, this needs
to be done manually accessing the database. Looking at the createtime field
may be helpful in selecting the right certificate to remove.
"""
import sys,re,ssl,base64,urllib2
import MySQLdb
import os.path
import getpass
from M2Crypto import X509
from OpenSSL import crypto
import sys
db = 'edugain'
host = 'localhost'
user = 'cert'
passwd = getpass.getpass()
selectcodes = "select code from federation"
select = "select code from federation where code='%s'"
exists = "select id from cert where code='%s'"
delete = "delete from cert where id='%s'"
insert = "insert into cert (code,data,sha1, sha256) values (%(code)s, %(cert)s, %(sha1)s, %(sha256)s)"
update = "update federation_status set feed_etag=null, feed_last_modified='000-00-00 00:00:00' where code='%(code)s'"
mys = MySQLdb.connect(host, user, passwd, db)
mys.autocommit(True)
curs = mys.cursor()
curd = mys.cursor()
codes = []
def yn_choice(msg, default='y'):
choices = 'Y/n' if default.lower() in ('y', 'yes') else 'y/N'
choice = raw_input("%s (%s) " % (msg, choices))
values = ('y', 'yes', '') if choices == 'Y/n' else ('y', 'yes')
return choice.strip().lower() in values
if len(sys.argv) == 1:
print selectcodes
sys.exit(0)
cnt = curs.execute(selectcodes)
if cnt>0:
nextrow = curs.fetchone()
while nextrow:
code = None
row = nextrow
nextrow = curs.fetchone()
codes.append(row[0])
else:
for i in range(1, len(sys.argv)):
codes.append(sys.argv[i])
for code in codes:
try:
cnt = curs.execute(select % code)
if cnt==1:
nextrow = curs.fetchone()
while nextrow:
code = None
row = nextrow
nextrow = curs.fetchone()
if row is None:
continue
if row[0]:
code = row[0]
print 'looking for ', code, 'Certs/upstreamCert_'+code+'.cer'
if code and (os.path.isfile('Certs/upstreamCert_'+code+'.cer')):
f = open ('Certs/upstreamCert_'+code+'.cer', 'r')
cert = f.read()
cert_der = ssl.PEM_cert_to_DER_cert(cert)
x509 = crypto.load_certificate(crypto.FILETYPE_PEM, cert)
fpsha256 = x509.digest('sha256').decode().replace(':', '')
fpsha1 = x509.digest('sha1').decode().replace(':', '')
#x509 = X509.load_cert_string(cert, X509.FORMAT_PEM)
#fpsha1 = x509.get_fingerprint('sha1')
#fpsha256 = x509.get_fingerprint('sha256')
c_is = curd.execute(exists % code)
if c_is == 2:
print 'It is the next certificate for ' + code + \
'\nWe can not register more than two certificates per federation!'
continue
if c_is:
choice = yn_choice('There is a certificate registered for ' +
code +
"\nDo you want to delete this certificate? ")
if choice:
c_nrow = curd.fetchone()
while c_nrow:
c_id = None
c_row = c_nrow
c_nrow = curd.fetchone()
if c_row is None:
continue
if c_row[0]:
print(delete % c_row[0])
curd.execute(delete % c_row[0])
else:
choice = yn_choice('Do you want to register this certificate and ' +
'have temporary two certificates for ' + code + '?')
if not choice:
print code + " skipped, nothing happened"
continue
cnt = curs.execute(insert, {'code': code, 'cert': base64.b64encode(cert_der), 'sha1': fpsha1, 'sha256': fpsha256})
print 'certificate for', code, 'added'
print(update % {'code': code})
curs.execute(update % {'code': code})
else:
print "Certificate not found, nothing happened"
else:
print 'No such federation: '+code
except IndexError:
print 'brak', code
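Review bot: The `select`, `exists`, `delete` and `update` statements are built by `%`-interpolating the federation code (taken from `sys.argv` or from the previous query's rows) straight into the SQL text, while `insert` already uses MySQLdb's parameter binding; the four should be bound the same way, e.g. `select = "select code from federation where code=%s"` with `cnt = curs.execute(select, (code,))`, which also makes a code containing a quote fail cleanly instead of altering the statement. The certificate file opened with `f = open('Certs/upstreamCert_'+code+'.cer', 'r')` is never closed; `with open(...) as f:` handles that. The `feed_last_modified='000-00-00 00:00:00'` literal in `update` looks like it may be missing a digit of the zero date — worth confirming against what the `federation_status` schema expects. The password is prompted on line `passwd = getpass.getpass()` before the argument check that exits on `len(sys.argv) == 1`, so the listing-only invocation still demands a password; moving the prompt below that check would avoid it. `from M2Crypto import X509` and the second `import sys` are unused.
```python
select = "select code from federation where code=%s"
exists = "select id from cert where code=%s"
delete = "delete from cert where id=%s"
insert = "insert into cert (code,data,sha1, sha256) values (%(code)s, %(cert)s, %(sha1)s, %(sha256)s)"
update = "update federation_status set feed_etag=null, feed_last_modified='000-00-00 00:00:00' where code=%(code)s"
# … unchanged: connection setup, yn_choice, building the code list …
cnt = curs.execute(select, (code,))
# … unchanged: row handling, certificate load, fingerprint computation …
c_is = curd.execute(exists, (code,))
# … unchanged: two-certificate limit, deletion prompt …
curd.execute(delete, (c_row[0],))
# … unchanged: registration prompt, insert …
curs.execute(update, {'code': code})
```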