eduGAIN Technical Site (edugain / eduGAIN OT)

Commit 27c4bcc2, authored 1 year ago by Tomasz Wolniewicz
Parent: 76f41cbe

adding certificate update script

Merge requests containing this commit: !3 Align master branch with twoln-dev, !2 Synchronising towards version 2.5, !1 Twoln dev

Showing 1 changed file: external_scripts/dbhost/cert.py (new file, mode 0 → 100755), 131 additions, 0 deletions. View file @ 27c4bcc2
#!/usr/bin/python
"""
This script will add a federation signing certificate to the database.
One required argument is the identifier of the federation. The certificate
to be added must be in the PEM format must be named upstreamCert_IDENIFIER.cer
and must be in the Certs subdirecory of your current directory.
The database access details are below as
"
db, host, user
"
, we suggest that
it is safest to use localhost as host and have the
"
user
"
access right only
from the localhost. The script will prompt for password of the user (again
for security reasons this password is not stored in the script).
If a given federation already has a certificate in the database, the script
will ask if we want to remove or keep the other certificate. It is possible
to have more certificates than one and they will all be tried during the
validation process. This feature is meant for smooth transition form one
signing key to another. The old key should be removed after the transition
has been finalised.
At the moment there is no script for removing the certificate, this needs
to be done manually accessing the database. Looking at the createtime field
may be helpful in selecting the right certificate to remove.
"""
import
sys
,
re
,
ssl
,
base64
,
urllib2
import
MySQLdb
import
os.path
import
getpass
from
M2Crypto
import
X509
from
OpenSSL
import
crypto
import
sys
db
=
'
edugain
'
host
=
'
localhost
'
user
=
'
cert
'
passwd
=
getpass
.
getpass
()
selectcodes
=
"
select code from federation
"
select
=
"
select code from federation where code=
'
%s
'"
exists
=
"
select id from cert where code=
'
%s
'"
delete
=
"
delete from cert where id=
'
%s
'"
insert
=
"
insert into cert (code,data,sha1, sha256) values (%(code)s, %(cert)s, %(sha1)s, %(sha256)s)
"
update
=
"
update federation_status set feed_etag=null, feed_last_modified=
'
000-00-00 00:00:00
'
where code=
'
%(code)s
'"
mys
=
MySQLdb
.
connect
(
host
,
user
,
passwd
,
db
)
mys
.
autocommit
(
True
)
curs
=
mys
.
cursor
()
curd
=
mys
.
cursor
()
codes
=
[]
def
yn_choice
(
msg
,
default
=
'
y
'
):
choices
=
'
Y/n
'
if
default
.
lower
()
in
(
'
y
'
,
'
yes
'
)
else
'
y/N
'
choice
=
raw_input
(
"
%s (%s)
"
%
(
msg
,
choices
))
values
=
(
'
y
'
,
'
yes
'
,
''
)
if
choices
==
'
Y/n
'
else
(
'
y
'
,
'
yes
'
)
return
choice
.
strip
().
lower
()
in
values
if
len
(
sys
.
argv
)
==
1
:
print
selectcodes
sys
.
exit
(
0
)
cnt
=
curs
.
execute
(
selectcodes
)
if
cnt
>
0
:
nextrow
=
curs
.
fetchone
()
while
nextrow
:
code
=
None
row
=
nextrow
nextrow
=
curs
.
fetchone
()
codes
.
append
(
row
[
0
])
else
:
for
i
in
range
(
1
,
len
(
sys
.
argv
)):
codes
.
append
(
sys
.
argv
[
i
])
for
code
in
codes
:
try
:
cnt
=
curs
.
execute
(
select
%
code
)
if
cnt
==
1
:
nextrow
=
curs
.
fetchone
()
while
nextrow
:
code
=
None
row
=
nextrow
nextrow
=
curs
.
fetchone
()
if
row
is
None
:
continue
if
row
[
0
]:
code
=
row
[
0
]
print
'
looking for
'
,
code
,
'
Certs/upstreamCert_
'
+
code
+
'
.cer
'
if
code
and
(
os
.
path
.
isfile
(
'
Certs/upstreamCert_
'
+
code
+
'
.cer
'
)):
f
=
open
(
'
Certs/upstreamCert_
'
+
code
+
'
.cer
'
,
'
r
'
)
cert
=
f
.
read
()
cert_der
=
ssl
.
PEM_cert_to_DER_cert
(
cert
)
x509
=
crypto
.
load_certificate
(
crypto
.
FILETYPE_PEM
,
cert
)
fpsha256
=
x509
.
digest
(
'
sha256
'
).
decode
().
replace
(
'
:
'
,
''
)
fpsha1
=
x509
.
digest
(
'
sha1
'
).
decode
().
replace
(
'
:
'
,
''
)
#x509 = X509.load_cert_string(cert, X509.FORMAT_PEM)
#fpsha1 = x509.get_fingerprint('sha1')
#fpsha256 = x509.get_fingerprint('sha256')
c_is
=
curd
.
execute
(
exists
%
code
)
if
c_is
==
2
:
print
'
It is the next certificate for
'
+
code
+
\
'
\n
We can not register more than two certificates per federation!
'
continue
if
c_is
:
choice
=
yn_choice
(
'
There is a certificate registered for
'
+
code
+
"
\n
Do you want to delete this certificate?
"
)
if
choice
:
c_nrow
=
curd
.
fetchone
()
while
c_nrow
:
c_id
=
None
c_row
=
c_nrow
c_nrow
=
curd
.
fetchone
()
if
c_row
is
None
:
continue
if
c_row
[
0
]:
print
(
delete
%
c_row
[
0
])
curd
.
execute
(
delete
%
c_row
[
0
])
else
:
choice
=
yn_choice
(
'
Do you want to register this certificate and
'
+
'
have temporary two certificates for
'
+
code
+
'
?
'
)
if
not
choice
:
print
code
+
"
skipped, nothing happened
"
continue
cnt
=
curs
.
execute
(
insert
,
{
'
code
'
:
code
,
'
cert
'
:
base64
.
b64encode
(
cert_der
),
'
sha1
'
:
fpsha1
,
'
sha256
'
:
fpsha256
})
print
'
certificate for
'
,
code
,
'
added
'
print
(
update
%
{
'
code
'
:
code
})
curs
.
execute
(
update
%
{
'
code
'
:
code
})
else
:
print
"
Certificate not found, nothing happened
"
else
:
print
'
No such federation:
'
+
code
except
IndexError
:
print
'
brak
'
,
code
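Review bot: The command-line arguments are effectively ignored whenever the database is populated: `cnt = curs.execute(selectcodes)` counts every row in `federation`, the `if cnt > 0` branch then loads all federation codes into `codes`, and the `else` branch that copies `sys.argv[1:]` only runs when the table is empty. So the identifier the docstring calls "one required argument" is never used for selection, and every federation is processed (each printing "Certificate not found" unless a matching Certs/upstreamCert_CODE.cer exists). Always take `codes` from `sys.argv[1:]` and make a "process all federations" run an explicit option; the no-argument path should also print a usage line rather than the SQL text held in `selectcodes`. Second, the per-code statements interpolate the federation code and the cert id directly into SQL with `%` (`curs.execute(select % code)`, `curd.execute(exists % code)`, `curd.execute(delete % c_row[0])` and the `update` call), so a code containing a quote breaks or alters the statement; the insert already does this correctly with `curs.execute(insert, {...})`, so switch the others to the same parameterised form, e.g. `select = "select code from federation where code=%s"` with `curs.execute(select, (code,))`, and drop the hand-written quotes around the placeholders. Third, the update sets `feed_last_modified` to '000-00-00 00:00:00', a three-digit year that is not a valid datetime literal and looks like a typo for '0000-00-00 00:00:00' (or NULL, as for `feed_etag`). Minor: `sys` is imported twice and `re`, `urllib2` and `M2Crypto.X509` are unused (the X509 path is commented out); the certificate file handle `f` is never closed; the `IndexError` handler prints the Polish 'brak' where every other message is English; and the docstring has IDENIFIER, subdirecory and "form one signing key" for IDENTIFIER, subdirectory and "from".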