lilik-117bis / ca_manager
Easier Certification Authority management
License: GNU General Public License v3.0
Update CertificateLookup to fetch from DB https://github.com/LILiK-117bis/ca_manager/blob/master/lookup.py#L138
Update the getter for CALookup https://github.com/LILiK-117bis/ca_manager/blob/master/lookup.py#L44
When asked to describe a certificate the command raises an AttributeError
(CA Manager)> describe_certificate d9a183bd-0def-4ad6-9aae-b9e3acd912ab
Traceback (most recent call last):
File "/home/sign/ca_manager/manager.py", line 114, in <module>
CAManagerShell(ca_manager).cmdloop()
File "/usr/lib/python3.5/cmd.py", line 138, in cmdloop
stop = self.onecmd(line)
File "/usr/lib/python3.5/cmd.py", line 217, in onecmd
return func(arg)
File "/home/sign/ca_manager/shell.py", line 98, in do_describe_certificate
cert.signed_by,
AttributeError: 'Certificate' object has no attribute 'signed_by'
Reading certificates is not implemented yet
In https://github.com/LILiK-117bis/ca_manager/blob/master/ca_manager.py#L123 and https://github.com/LILiK-117bis/ca_manager/blob/master/request_server.py#L73 we are basically dumping and loading JSON instead of using the pickle format.
Using the pickle format we can drop this deserialisation in https://github.com/LILiK-117bis/ca_manager/blob/master/ca_manager.py#L136 using some metaprogramming but the server would be dependent on the SignRequest class.
As we will, hopefully, have a root certification authority we should generate not simple files but certificate signing requests.
We can convert from openssl to openssh key format with ssh-keygen -f private.pem -y > private.pub, so we can move the generate method to the Authority base class.
We should really do this. The host CA can still be available to ansible but the user CA should not.
Moreover we should then separate them in the ansible playbook too
This is tricky as it requires generating the CA list and the request list, and then choosing which one to display.
signed_certificates is supposed to be a list of certificates issued by the ca.
It is referenced in the certificate model [1] but is not implemented yet.
[1] https://github.com/LILiK-117bis/ca_manager/blob/master/models/certificate.py#L21
Check subprocess.call returncode in:
https://github.com/LILiK-117bis/ca_manager/blob/master/ca_manager.py#L123
https://github.com/LILiK-117bis/ca_manager/blob/master/ca_manager.py#L131
https://github.com/LILiK-117bis/ca_manager/blob/master/ca_manager.py#L91
Or check that certificate file exists before dropping the request:
https://github.com/LILiK-117bis/ca_manager/blob/master/ca_manager.py#L339
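An added example of the check this issue asks for, not ca_manager's own code: run the signing command with its exit status enforced, then confirm the certificate file exists and is non-empty before the request is dropped. The function name, the paths and the stand-in sh commands are constructed for illustration.

```python
import subprocess
import tempfile
from pathlib import Path

# Constructed illustration of the check proposed in this issue; not ca_manager's code.

def sign_and_retire_request(sign_cmd, cert_path, request_path):
    """Run sign_cmd; drop the request only once a certificate really exists.

    Returns True when the certificate was produced and the request removed,
    False when the request was kept because signing failed or left no output.
    """
    cert_path, request_path = Path(cert_path), Path(request_path)
    try:
        # check=True raises CalledProcessError on a non-zero exit status,
        # which subprocess.call would only report through its return value.
        subprocess.run(sign_cmd, check=True, capture_output=True)
    except (subprocess.CalledProcessError, OSError):
        return False
    # A tool may exit 0 and still leave no usable file behind, so check both.
    if not cert_path.is_file() or cert_path.stat().st_size == 0:
        return False
    request_path.unlink()
    return True


def run_demo():
    """Exercise the happy path and two failure paths with stand-in commands."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        cert = Path(tmp) / "demo-cert.pub"
        req = Path(tmp) / "demo-request.json"
        req.write_text("{}")
        # Stand-in signer that succeeds and writes a certificate file.
        results["signed"] = sign_and_retire_request(
            ["sh", "-c", f"printf 'demo certificate' > '{cert}'"], cert, req)
        results["request_removed"] = not req.exists()

        req.write_text("{}")
        cert.unlink()
        # Stand-in signer that exits non-zero: the request must survive.
        results["failed_signing"] = sign_and_retire_request(
            ["sh", "-c", "exit 1"], cert, req)
        # Stand-in signer that exits 0 but writes nothing: also kept.
        results["silent_failure"] = sign_and_retire_request(
            ["sh", "-c", "true"], cert, req)
        results["request_kept"] = req.exists()
    return results
```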
Signing a certificate from the new ssh_server role shows that we have a problem with hostnames
CA Manager)> sign_request test_ssh_ca d9a183bd-0def-4ad6-9aae-b9e3acd912ab
Request hash: 295de20c36094c862c1cc7a30321eabaee420440ac0f71531de5000932b6bcf9
You are about to sign the following request:
HostSSHRequest d9a183bd-0def-4ad6-9aae-b9e3acd912ab with fields: [('Hostname', '.lilik.it')]
with the following CA:
SSHAuthority test_ssh_ca (ca di test per ssh), created on 2017-03-20 21:31:37.922499
Proceed? (type yes)> yes
Enter passphrase:
Signed host key /var/lib/ca_manager/outputs/d9a183bd-0def-4ad6-9aae-b9e3acd912ab-cert.pub: id "host__lilik_it" serial 0 for .lilik.it valid from 2017-04-10T15:38:00 to 2018-04-09T15:39:11
As you can see the hostname has been split and we have ".lilik.it" instead of "hostname.lilik.it"
We discussed changing from the cmd module to others but I don't remember the other options.
Here's a list of what I found that could replace it
We can currently sign ssh keys but are unable to revoke them.
Certificates can be revoked with one of two inputs:
- ssh-keygen -s /path/to/ca.pub -k: create a KRL
- ssh-keygen -s /path/to/ca.pub -u: update a previous KRL
Version from tag v0.1 cannot set the root flag
(CA Manager)> gen_ssh xxssh test
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Traceback (most recent call last):
File "/usr/local/lib/python3.5/dist-packages/peewee.py", line 3768, in execute_sql
cursor.execute(sql, params or ())
sqlite3.IntegrityError: NOT NULL constraint failed: sshauthority.isRoot
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/local/bin/ca-shell", line 20, in <module>
CAManagerShell(ca_manager).cmdloop()
File "/usr/lib/python3.5/cmd.py", line 138, in cmdloop
stop = self.onecmd(line)
File "/usr/lib/python3.5/cmd.py", line 217, in onecmd
return func(arg)
File "/usr/local/lib/python3.5/dist-packages/ca_manager/shell.py", line 176, in do_gen_ssh
new_auth.save()
File "/usr/local/lib/python3.5/dist-packages/peewee.py", line 5108, in save
pk_from_cursor = self.insert(**field_dict).execute()
File "/usr/local/lib/python3.5/dist-packages/peewee.py", line 3526, in execute
cursor = self._execute()
File "/usr/local/lib/python3.5/dist-packages/peewee.py", line 2912, in _execute
return self.database.execute_sql(sql, params, self.require_commit)
File "/usr/local/lib/python3.5/dist-packages/peewee.py", line 3775, in execute_sql
self.commit()
File "/usr/local/lib/python3.5/dist-packages/peewee.py", line 3598, in __exit__
reraise(new_type, new_type(*exc_args), traceback)
File "/usr/local/lib/python3.5/dist-packages/peewee.py", line 135, in reraise
raise value.with_traceback(tb)
File "/usr/local/lib/python3.5/dist-packages/peewee.py", line 3768, in execute_sql
cursor.execute(sql, params or ())
peewee.IntegrityError: NOT NULL constraint failed: sshauthority.isRoot
As we can see in https://github.com/LILiK-117bis/ca_manager/blob/master/lookup.py#L34 the iterator does not return the Authority class but only the representation in the database.
Why are we using the database?
I would like to have it like https://github.com/LILiK-117bis/ca_manager/blob/master/lookup.py#L97