| 1 | #!/usr/bin/python |
|---|
| 2 | |
|---|
| 3 | from __future__ import print_function |
|---|
| 4 | |
|---|
| 5 | import base64 |
|---|
| 6 | import re |
|---|
| 7 | import sys |
|---|
| 8 | from OpenSSL import crypto |
|---|
| 9 | |
|---|
| 10 | # How to use: |
|---|
| 11 | # 1. Download the "X509, Base64 encoded" cert from the Certificate |
|---|
| 12 | # Services Manager |
|---|
| 13 | # 2. Run "vhostcert import < foo_mit_edu.cer". Save stdout (a base64 |
|---|
| 14 | # blob) |
|---|
| 15 | # 3. Log in as root to a Scripts server, and run vhostedit foo.mit.edu |
|---|
| 16 | # 4. Add entries: |
|---|
| 17 | # scriptsVhostCertificate: space-separated base64 blobs from vhostcert import |
|---|
| 18 | # scriptsVhostCertificateKeyFile: scripts-2048.key |
|---|
| 19 | # 5. On each server: |
|---|
| 20 | # /etc/httpd/export-scripts-certs |
|---|
| 21 | # systemctl reload httpd.service |
|---|
| 22 | # |
|---|
| 23 | # TODO: Make this script do the vhostedit automatically. |
|---|
| 24 | |
|---|
| 25 | def debug_chain(chain): |
|---|
| 26 | for i, c in enumerate(chain): |
|---|
| 27 | print(i, 's:', c.get_subject(), file=sys.stderr) |
|---|
| 28 | print(i, 'i:', c.get_issuer(), file=sys.stderr) |
|---|
| 29 | print(file=sys.stderr) |
|---|
| 30 | |
|---|
| 31 | def pem_to_scripts(data): |
|---|
| 32 | certs = [ |
|---|
| 33 | crypto.load_certificate(crypto.FILETYPE_PEM, m.group(0)) |
|---|
| 34 | for m in |
|---|
| 35 | re.finditer( |
|---|
| 36 | b'-----BEGIN CERTIFICATE-----\r?\n.+?\r?\n-----END CERTIFICATE-----', |
|---|
| 37 | data, re.DOTALL) |
|---|
| 38 | ] |
|---|
| 39 | |
|---|
| 40 | # Put the chain in the right order, and delete any self-signed root |
|---|
| 41 | leaf, = [c for c in certs if not any( |
|---|
| 42 | c1.get_issuer() == c.get_subject() for c1 in certs)] |
|---|
| 43 | chain = [leaf] |
|---|
| 44 | count = 1 |
|---|
| 45 | while True: |
|---|
| 46 | issuers = [c for c in certs if chain[-1].get_issuer() == c.get_subject()] |
|---|
| 47 | if not issuers: |
|---|
| 48 | break |
|---|
| 49 | issuer, = issuers |
|---|
| 50 | assert issuer not in chain |
|---|
| 51 | count += 1 |
|---|
| 52 | if issuer.get_issuer() == issuer.get_subject(): |
|---|
| 53 | break |
|---|
| 54 | chain.append(issuer) |
|---|
| 55 | assert count == len(certs) |
|---|
| 56 | |
|---|
| 57 | debug_chain(chain) |
|---|
| 58 | |
|---|
| 59 | return b' '.join(base64.b64encode( |
|---|
| 60 | crypto.dump_certificate(crypto.FILETYPE_ASN1, c)) for c in chain) |
|---|
| 61 | |
|---|
| 62 | def scripts_to_pem(data): |
|---|
| 63 | chain = [ |
|---|
| 64 | crypto.load_certificate(crypto.FILETYPE_ASN1, base64.b64decode(d)) |
|---|
| 65 | for d in data.split(b' ') |
|---|
| 66 | ] |
|---|
| 67 | |
|---|
| 68 | debug_chain(chain) |
|---|
| 69 | |
|---|
| 70 | return b''.join(crypto.dump_certificate(crypto.FILETYPE_PEM, c) for c in chain) |
|---|
| 71 | |
|---|
| 72 | def __main__(): |
|---|
| 73 | if sys.argv[1:] == ['import']: |
|---|
| 74 | print(pem_to_scripts(sys.stdin.read().encode()).decode()) |
|---|
| 75 | elif sys.argv[1:] == ['export']: |
|---|
| 76 | print(scripts_to_pem(sys.stdin.read().encode()).decode(), end='') |
|---|
| 77 | else: |
|---|
| 78 | print('usage: {} {{import|export}}'.format(__file__), file=sys.stderr) |
|---|
| 79 | |
|---|
| 80 | if __name__ == '__main__': |
|---|
| 81 | sys.exit(__main__()) |
|---|
