Commit 701ca50d authored by Łukasz Nowak's avatar Łukasz Nowak

- simplify usage of subprocess

 - kill only when returncode is none
 - to not play with hiding exceptions during runtime, so
   CertificateGenerationError, as simple ValueError is acceptable for
   simplicity
 - during revoking generate hashed links to the newest CRL


git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@42381 20353a03-c40f-0410-a6d1-a30d3c3de9de
parent d8a95452
...@@ -32,15 +32,22 @@ from Products.ERP5Type.Globals import InitializeClass ...@@ -32,15 +32,22 @@ from Products.ERP5Type.Globals import InitializeClass
from Products.ERP5Type.Tool.BaseTool import BaseTool from Products.ERP5Type.Tool.BaseTool import BaseTool
from Products.ERP5Type import Permissions from Products.ERP5Type import Permissions
from Products.PageTemplates.PageTemplateFile import PageTemplateFile from Products.PageTemplates.PageTemplateFile import PageTemplateFile
from zLOG import LOG, INFO, ERROR from zLOG import LOG, INFO
import os import os
import subprocess import subprocess
import base64 import base64
class CertificateGenerationError(Exception): def popenCommunicate(command_list, input=None, **kwargs):
"""Exception raised when certificate authority failed to work""" kwargs.update(stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
pass popen = subprocess.Popen(command_list, **kwargs)
result = popen.communicate(input)[0]
if popen.returncode is None:
popen.kill()
if popen.returncode != 0:
raise ValueError('Issue during calling %r, result was: %r' % (command_list,
result))
return result
class CertificateAuthorityBusy(Exception): class CertificateAuthorityBusy(Exception):
"""Exception raised when certificate authority is busy""" """Exception raised when certificate authority is busy"""
...@@ -183,23 +190,11 @@ class CertificateAuthorityTool(BaseTool): ...@@ -183,23 +190,11 @@ class CertificateAuthorityTool(BaseTool):
csr = os.path.join(self.certificate_authority_path, new_id + '.csr') csr = os.path.join(self.certificate_authority_path, new_id + '.csr')
cert = os.path.join(self.certificate_authority_path, 'certs', new_id + '.crt') cert = os.path.join(self.certificate_authority_path, 'certs', new_id + '.crt')
try: try:
keygen = subprocess.Popen([self.openssl_binary, 'req', '-nodes', '-config', popenCommunicate([self.openssl_binary, 'req', '-nodes', '-config',
self.openssl_config, '-new', '-keyout', key, '-out', csr, '-days', self.openssl_config, '-new', '-keyout', key, '-out', csr, '-days',
'3650'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, '3650'], '%s\n' % cn, stdin=subprocess.PIPE)
stdin=subprocess.PIPE) popenCommunicate([self.openssl_binary, 'ca', '-batch', '-config',
result = keygen.communicate('%s\n' % cn)[0] self.openssl_config, '-out', cert, '-infiles', csr])
if keygen.returncode is None or keygen.returncode != 0:
LOG('CertificateAuthorityTool', ERROR, 'Issue during key generation, result was:%r' % result)
keygen.kill()
raise CertificateGenerationError
keysign = subprocess.Popen([self.openssl_binary, 'ca', '-batch', '-config',
self.openssl_config, '-out', cert, '-infiles', csr], stdout=subprocess.PIPE,
stderr=subprocess.STDOUT)
result = keysign.communicate()[0]
if keysign.returncode is None or keysign.returncode != 0:
LOG('CertificateAuthorityTool', ERROR, 'Issue during key signing, result was:%r' % result)
keygen.kill()
raise CertificateGenerationError
os.unlink(csr) os.unlink(csr)
return dict( return dict(
key=open(key).read(), key=open(key).read(),
...@@ -224,27 +219,20 @@ class CertificateAuthorityTool(BaseTool): ...@@ -224,27 +219,20 @@ class CertificateAuthorityTool(BaseTool):
self._lockCertificateAuthority() self._lockCertificateAuthority()
try: try:
new_id = open(self.crl, 'r').read().strip().lower() new_id = open(self.crl, 'r').read().strip().lower()
crl = os.path.join(self.certificate_authority_path, 'crl', new_id + '.crl') crl_path = os.path.join(self.certificate_authority_path, 'crl')
crl = os.path.join(crl_path, new_id + '.crl')
cert = os.path.join(self.certificate_authority_path, 'certs', serial + '.crt') cert = os.path.join(self.certificate_authority_path, 'certs', serial + '.crt')
if not os.path.exists(cert): if not os.path.exists(cert):
raise ValueError('Certificate with serial %r does not exists' % serial) raise ValueError('Certificate with serial %r does not exists' % serial)
try: try:
crl_update = subprocess.Popen([self.openssl_binary, 'ca', '-config', popenCommunicate([self.openssl_binary, 'ca', '-config',
self.openssl_config, '-revoke', cert], stdout=subprocess.PIPE, self.openssl_config, '-revoke', cert])
stderr=subprocess.STDOUT) popenCommunicate([self.openssl_binary, 'ca', '-config',
result = crl_update.communicate()[0] self.openssl_config, '-gencrl', '-out', crl])
if crl_update.returncode is None or crl_update.returncode != 0: hash = popenCommunicate([self.openssl_binary, 'crl', '-noout',
LOG('CertificateAuthorityTool', ERROR, 'Issue during CRL update, result was:%r' % result) '-hash', '-in', crl]).strip()
crl_update.kill() previous_id = int(len([q for q in os.listdir(crl_path) if hash in q]))
raise CertificateGenerationError os.symlink(crl, os.path.join(crl_path, '%s.%s' % (hash, previous_id)))
crl_gen = subprocess.Popen([self.openssl_binary, 'ca', '-config',
self.openssl_config, '-gencrl', '-out', crl], stdout=subprocess.PIPE,
stderr=subprocess.STDOUT)
result = crl_gen.communicate()[0]
if crl_gen.returncode is None or crl_gen.returncode != 0:
LOG('CertificateAuthorityTool', ERROR, 'Issue during CRL generation, result was:%r' % result)
crl_gen.kill()
raise CertificateGenerationError
return dict(crl=open(crl).read()) return dict(crl=open(crl).read())
except: except:
try: try:
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment