Commit 32ebb80b authored by Julien Muchembled's avatar Julien Muchembled

re6st-conf: new --fingerprint option

parent b2040ea0
...@@ -160,11 +160,16 @@ nodes = [] ...@@ -160,11 +160,16 @@ nodes = []
gateway1.screen('miniupnpd -d -f miniupnpd.conf -P miniupnpd.pid' gateway1.screen('miniupnpd -d -f miniupnpd.conf -P miniupnpd.pid'
' -a %s -i %s' % (g1_if_1.name, g1_if_0_name)) ' -a %s -i %s' % (g1_if_1.name, g1_if_0_name))
if 1: if 1:
import sqlite3 from OpenSSL import crypto
import hashlib, sqlite3
os.path.exists('ca.crt') or subprocess.check_call( os.path.exists('ca.crt') or subprocess.check_call(
"openssl req -nodes -new -x509 -key registry/ca.key -out ca.crt" "openssl req -nodes -new -x509 -key registry/ca.key -out ca.crt"
" -subj /CN=re6st.example.com/emailAddress=re6st@example.com" " -subj /CN=re6st.example.com/emailAddress=re6st@example.com"
" -set_serial 0x120010db80042 -days %u" % CA_DAYS, shell=True) " -set_serial 0x120010db80042 -days %u" % CA_DAYS, shell=True)
with open('ca.crt') as f:
ca = crypto.load_certificate(crypto.FILETYPE_PEM, f.read())
fingerprint = "sha1:" + hashlib.sha1(
crypto.dump_certificate(crypto.FILETYPE_ASN1, ca)).hexdigest()
db_path = 'registry/registry.db' db_path = 'registry/registry.db'
registry.screen('./py re6st-registry @registry/re6st-registry.conf' registry.screen('./py re6st-registry @registry/re6st-registry.conf'
' --db %s --mailhost %s -v%u --control-socket registry/babeld.socket' ' --db %s --mailhost %s -v%u --control-socket registry/babeld.socket'
...@@ -189,7 +194,8 @@ if 1: ...@@ -189,7 +194,8 @@ if 1:
os.symlink('../dh2048.pem', dh_path) os.symlink('../dh2048.pem', dh_path)
email = node.name + '@example.com' email = node.name + '@example.com'
p = node.Popen(('../py', 're6st-conf', '--registry', registry, p = node.Popen(('../py', 're6st-conf', '--registry', registry,
'--email', email), stdin=subprocess.PIPE, cwd=folder) '--email', email, '--fingerprint', fingerprint),
stdin=subprocess.PIPE, cwd=folder)
token = None token = None
while not token: while not token:
time.sleep(.1) time.sleep(.1)
......
#!/usr/bin/python #!/usr/bin/python
import argparse, atexit, errno, os, subprocess, sqlite3, sys, time import argparse, atexit, binascii, errno, hashlib
import os, subprocess, sqlite3, sys, time
from OpenSSL import crypto from OpenSSL import crypto
from re6st import registry, utils, x509 from re6st import registry, utils, x509
...@@ -18,6 +19,8 @@ def main(): ...@@ -18,6 +19,8 @@ def main():
description="Setup script for re6stnet.", description="Setup script for re6stnet.",
formatter_class=utils.HelpFormatter) formatter_class=utils.HelpFormatter)
_ = parser.add_argument _ = parser.add_argument
_('--fingerprint', metavar='ALG:FINGERPRINT',
help="Check CA fingerprint to protect against MITM.")
_('--registry', required=True, metavar='URL', _('--registry', required=True, metavar='URL',
help="HTTP URL of the server delivering certificates.") help="HTTP URL of the server delivering certificates.")
_('--is-needed', action='store_true', _('--is-needed', action='store_true',
...@@ -53,8 +56,20 @@ def main(): ...@@ -53,8 +56,20 @@ def main():
s = registry.RegistryClient(config.registry) s = registry.RegistryClient(config.registry)
# Get CA # Get CA
ca = s.getCa() ca = loadCert(s.getCa())
network = x509.networkFromCa(loadCert(ca)) if config.fingerprint:
try:
alg, fingerprint = config.fingerprint.split(':', 1)
fingerprint = binascii.a2b_hex(fingerprint)
if hashlib.new(alg).digest_size != len(fingerprint):
raise ValueError("wrong size")
except StandardError, e:
parser.error("invalid fingerprint: %s" % e)
if x509.fingerprint(ca, alg).digest() != fingerprint:
sys.exit("CA fingerprint doesn't match")
else:
print "WARNING: it is strongly recommended to use --fingerprint option."
network = x509.networkFromCa(ca)
if config.is_needed: if config.is_needed:
route, err = subprocess.Popen(('ip', '-6', '-o', 'route', 'get', route, err = subprocess.Popen(('ip', '-6', '-o', 'route', 'get',
utils.ipFromBin(network)), utils.ipFromBin(network)),
...@@ -62,7 +77,7 @@ def main(): ...@@ -62,7 +77,7 @@ def main():
sys.exit(err or route and sys.exit(err or route and
utils.binFromIp(route.split()[8]).startswith(network)) utils.binFromIp(route.split()[8]).startswith(network))
create(ca_path, ca) create(ca_path, crypto.dump_certificate(crypto.FILETYPE_PEM, ca))
if config.ca_only: if config.ca_only:
sys.exit() sys.exit()
......
...@@ -31,6 +31,9 @@ def encrypt(cert, data): ...@@ -31,6 +31,9 @@ def encrypt(cert, data):
raise subprocess.CalledProcessError(p.returncode, 'openssl', err) raise subprocess.CalledProcessError(p.returncode, 'openssl', err)
return out return out
def fingerprint(cert, alg='sha1'):
return hashlib.new(alg, crypto.dump_certificate(crypto.FILETYPE_ASN1, cert))
def maybe_renew(path, cert, info, renew): def maybe_renew(path, cert, info, renew):
from .registry import RENEW_PERIOD from .registry import RENEW_PERIOD
while True: while True:
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment