Commit 32ebb80b authored by Julien Muchembled

re6st-conf: new --fingerprint option

parent b2040ea0
......@@ -160,11 +160,16 @@ nodes = []
gateway1.screen('miniupnpd -d -f miniupnpd.conf -P miniupnpd.pid'
' -a %s -i %s' % (g1_if_1.name, g1_if_0_name))
if 1:
import sqlite3
from OpenSSL import crypto
import hashlib, sqlite3
os.path.exists('ca.crt') or subprocess.check_call(
"openssl req -nodes -new -x509 -key registry/ca.key -out ca.crt"
" -subj /CN=re6st.example.com/emailAddress=re6st@example.com"
" -set_serial 0x120010db80042 -days %u" % CA_DAYS, shell=True)
with open('ca.crt') as f:
ca = crypto.load_certificate(crypto.FILETYPE_PEM, f.read())
fingerprint = "sha1:" + hashlib.sha1(
crypto.dump_certificate(crypto.FILETYPE_ASN1, ca)).hexdigest()
db_path = 'registry/registry.db'
registry.screen('./py re6st-registry @registry/re6st-registry.conf'
' --db %s --mailhost %s -v%u --control-socket registry/babeld.socket'
......@@ -189,7 +194,8 @@ if 1:
os.symlink('../dh2048.pem', dh_path)
email = node.name + '@example.com'
p = node.Popen(('../py', 're6st-conf', '--registry', registry,
'--email', email), stdin=subprocess.PIPE, cwd=folder)
'--email', email, '--fingerprint', fingerprint),
stdin=subprocess.PIPE, cwd=folder)
token = None
while not token:
time.sleep(.1)
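Review bot: The demo pins the CA with SHA-1 (`fingerprint = "sha1:" + hashlib.sha1(...)` near the top of the first hunk), and `x509.fingerprint` in the last file of this commit also defaults to `alg='sha1'`. Pinning a CA by fingerprint relies on second-preimage resistance, which SHA-1 still provides, but there is no cost to using SHA-256 here and the example is what operators will copy into their own configs: `fingerprint = "sha256:" + hashlib.sha256(crypto.dump_certificate(crypto.FILETYPE_ASN1, ca)).hexdigest()`, with the same default in `x509.fingerprint`. The enclosing `if 1:` block continues outside both hunks.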
......
#!/usr/bin/python
import argparse, atexit, errno, os, subprocess, sqlite3, sys, time
import argparse, atexit, binascii, errno, hashlib
import os, subprocess, sqlite3, sys, time
from OpenSSL import crypto
from re6st import registry, utils, x509
......@@ -18,6 +19,8 @@ def main():
description="Setup script for re6stnet.",
formatter_class=utils.HelpFormatter)
_ = parser.add_argument
_('--fingerprint', metavar='ALG:FINGERPRINT',
help="Check CA fingerprint to protect against MITM.")
_('--registry', required=True, metavar='URL',
help="HTTP URL of the server delivering certificates.")
_('--is-needed', action='store_true',
......@@ -53,8 +56,20 @@ def main():
s = registry.RegistryClient(config.registry)
# Get CA
ca = s.getCa()
network = x509.networkFromCa(loadCert(ca))
ca = loadCert(s.getCa())
if config.fingerprint:
try:
alg, fingerprint = config.fingerprint.split(':', 1)
fingerprint = binascii.a2b_hex(fingerprint)
if hashlib.new(alg).digest_size != len(fingerprint):
raise ValueError("wrong size")
except StandardError, e:
parser.error("invalid fingerprint: %s" % e)
if x509.fingerprint(ca, alg).digest() != fingerprint:
sys.exit("CA fingerprint doesn't match")
else:
print "WARNING: it is strongly recommended to use --fingerprint option."
network = x509.networkFromCa(ca)
if config.is_needed:
route, err = subprocess.Popen(('ip', '-6', '-o', 'route', 'get',
utils.ipFromBin(network)),
......@@ -62,7 +77,7 @@ def main():
sys.exit(err or route and
utils.binFromIp(route.split()[8]).startswith(network))
create(ca_path, ca)
create(ca_path, crypto.dump_certificate(crypto.FILETYPE_PEM, ca))
if config.ca_only:
sys.exit()
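Review bot: The warning emitted when `--fingerprint` is absent goes to stdout through a bare `print`, so it disappears whenever the tool's output is captured or piped, and the mismatch exit gives the operator nothing to compare against out-of-band. Sending the warning to stderr, `print >>sys.stderr, "WARNING: it is strongly recommended to use --fingerprint option."`, and including the received value in the failure, `sys.exit("CA fingerprint doesn't match (got %s:%s)" % (alg, x509.fingerprint(ca, alg).hexdigest()))`, would make both paths actionable. The `hashlib.new(alg).digest_size` check before the comparison already rejects unknown algorithms and truncated values, which is the right place for it. `main()` starts and ends outside this hunk.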
......
......@@ -31,6 +31,9 @@ def encrypt(cert, data):
raise subprocess.CalledProcessError(p.returncode, 'openssl', err)
return out
def fingerprint(cert, alg='sha1'):
return hashlib.new(alg, crypto.dump_certificate(crypto.FILETYPE_ASN1, cert))
def maybe_renew(path, cert, info, renew):
from .registry import RENEW_PERIOD
while True:
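Review bot: `fingerprint` has no docstring, and its return value is not what the name suggests: it returns the live hashlib object rather than a digest, so callers choose `.digest()` or `.hexdigest()` themselves (re6st-conf in this commit calls `.digest()`). Suggested docstring: `"""Return a hashlib object fed with the DER encoding of cert; call .digest() or .hexdigest() on the result."""`. The docstring should also say that `alg` is passed straight to `hashlib.new`, so rejecting unwanted or unknown algorithms is the caller's job, as re6st-conf does with its digest-size check.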
......