easyrsa: use config

This commit is contained in:
Jörn-Michael Miehe 2022-03-30 21:18:54 +00:00
parent 366b4dc6a0
commit a524c02138
2 changed files with 41 additions and 24 deletions

View file

@ -227,6 +227,7 @@ class CryptoConfig(BaseModel):
schemes: list[str] = ["bcrypt"] schemes: list[str] = ["bcrypt"]
# pki settings # pki settings
ca_password: str | None
cert_algo: CertificateAlgo | None cert_algo: CertificateAlgo | None
expiry_days: int | None expiry_days: int | None

View file

@ -1,3 +1,7 @@
"""
Python interface to EasyRSA CA.
"""
import subprocess import subprocess
from datetime import datetime from datetime import datetime
from pathlib import Path from pathlib import Path
@ -5,20 +9,32 @@ from pathlib import Path
from OpenSSL import crypto from OpenSSL import crypto
from passlib import pwd from passlib import pwd
from .config import Config, Settings
class EasyRSA: class EasyRSA:
__directory: Path | None """
__ca_password: str | None Represents an EasyRSA PKI.
"""
def __init__(self, directory: Path) -> None: @property
self.__directory = directory def pki_directory(self) -> Path:
return Settings._.data_dir.joinpath("pki")
def set_ca_password(self, password: str | None = None) -> None: @property
if password is None: def ca_password(self) -> str:
password = pwd.genword(length=32, charset="ascii_62") config = Config._
self.__ca_password = password if (ca_password := config.crypto.ca_password) is None:
print(self.__ca_password) ca_password = pwd.genword(
length=32,
charset="ascii_62",
)
config.crypto.ca_password = ca_password
config.save()
return config.crypto.ca_password
def __easyrsa( def __easyrsa(
self, self,
@ -27,7 +43,7 @@ class EasyRSA:
return subprocess.run( return subprocess.run(
[ [
"easyrsa", "--batch", "easyrsa", "--batch",
f"--pki-dir={self.__directory}", f"--pki-dir={self.pki_directory}",
*easyrsa_args, *easyrsa_args,
], ],
stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
@ -42,7 +58,7 @@ class EasyRSA:
self.__easyrsa(*easyrsa_args) self.__easyrsa(*easyrsa_args)
with open( with open(
self.__directory.joinpath(cert_filename), "r" self.pki_directory.joinpath(cert_filename), "r"
) as cert_file: ) as cert_file:
return crypto.load_certificate( return crypto.load_certificate(
crypto.FILETYPE_PEM, cert_file.read() crypto.FILETYPE_PEM, cert_file.read()
@ -53,14 +69,14 @@ class EasyRSA:
def build_ca( def build_ca(
self, self,
days: int = 365 * 50,
cn: str = "kiwi-vpn-ca"
) -> crypto.X509: ) -> crypto.X509:
config = Config._
cert = self.__build_cert( cert = self.__build_cert(
Path("ca.crt"), Path("ca.crt"),
f"--passout=pass:{self.__ca_password}", f"--passout=pass:{self.ca_password}",
f"--passin=pass:{self.__ca_password}", f"--passin=pass:{self.ca_password}",
# "--dn-mode=org", # "--dn-mode=org",
# "--req-c=EX", # "--req-c=EX",
@ -70,8 +86,8 @@ class EasyRSA:
# "--req-ou=EXAMPLE", # "--req-ou=EXAMPLE",
# "--req-email=EXAMPLE", # "--req-email=EXAMPLE",
f"--req-cn={cn}", f"--req-cn={config.server_name}",
f"--days={days}", f"--days={config.crypto.expiry_days}",
# "--use-algo=ed", # "--use-algo=ed",
# "--curve=ed25519", # "--curve=ed25519",
@ -79,20 +95,21 @@ class EasyRSA:
"build-ca", "build-ca",
) )
self.__easyrsa("gen-dh") # self.__easyrsa("gen-dh")
return cert return cert
def issue( def issue(
self, self,
days: int = 365 * 50,
cn: str = "kiwi-vpn-client", cn: str = "kiwi-vpn-client",
cert_type: str = "client" cert_type: str = "client"
) -> crypto.X509: ) -> crypto.X509:
config = Config._
return self.__build_cert( return self.__build_cert(
Path(f"issued/{cn}.crt"), Path(f"issued/{cn}.crt"),
f"--passin=pass:{self.__ca_password}", f"--passin=pass:{self.ca_password}",
f"--days={days}", f"--days={config.crypto.expiry_days}",
f"build-{cert_type}-full", f"build-{cert_type}-full",
cn, cn,
@ -101,11 +118,10 @@ class EasyRSA:
if __name__ == "__main__": if __name__ == "__main__":
easy_rsa = EasyRSA(Path("tmp/easyrsa")) easy_rsa = EasyRSA()
easy_rsa.init_pki() easy_rsa.init_pki()
easy_rsa.set_ca_password()
ca = easy_rsa.build_ca(cn="kiwi-vpn-ca") ca = easy_rsa.build_ca()
server = easy_rsa.issue(cert_type="server", cn="kiwi-vpn-server") server = easy_rsa.issue(cert_type="server", cn="kiwi-vpn-server")
client = easy_rsa.issue(cert_type="client", cn="kiwi-vpn-client") client = easy_rsa.issue(cert_type="client", cn="kiwi-vpn-client")