-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathkafka_cert.py
330 lines (282 loc) · 12.3 KB
/
kafka_cert.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
'''
Generate certificate and key
@author: Jacob Antony Vaikath
@copyright: 2017 Cisco Systems. All rights reserved.
@contact: jantonyv@cisco.com
@source: https://github.com/noironetworks/acc-provision/blob/master/provision/acc_provision/kafka_cert.py
'''
import subprocess
import logging
import argparse
import sys
import os
import requests
import json
import shutil
import stat
SERIAL_NUMBER = ''
COMMON_NAME = ''
PASSPHRASE = ''
REQUEST_TYPE = ''
MY_NODE_IDIP = ''
MY_CHASSIS_ID = ''
MY_SN = ''
KEY_PEM = 'temp.key.pem'
CSR_PEM = 'temp.csr.pem'
SIGN = 'temp.sign'
REST_COOKIE = 'cookie'
FINAL_CRT = 'server.crt'
FINAL_KEY = 'server.key'
FINAL_CA = 'cacert.crt'
FINAL_CRT_DER = 'server.crt.der'
FINAL_KEY_DER = 'server.key.der'
FINAL_CA_DER = 'cacert.crt.der'
FINAL_P8 = 'server.p8'
FINAL_P12 = 'server.p12'
EXPORT_PASS = 'ins3965!'
FINAL_BLOB = 'blob.txt'
FINAL_JKS_TRUSTSTORE = 'truststore.jks'
FINAL_JKS_KEYSTORE = 'keystore.jks'
TRUSTSTORE_PASS = 'ins3965!'
KEYSTORE_PASS = 'ins3965!'
# Copies to support naming as per cert generation infra
CERT_COPY = [(FINAL_P8, 'server8.key'), (FINAL_CA, 'ApicCa.crt')]
INOPENSSL_CONF_FILE = 'gen.cnf'
INOPENSSL_CONF_TEMPLATE = '''
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
string_mask = utf8only
default_md = sha512
prompt = no
[ req_distinguished_name ]
commonName = {common_name}
'''
INOPENSSL_SERIAL_CONF_TEMPLATE = '''
serialNumber = {serial_number}
'''
logger = None
session = requests.Session()
retry = requests.packages.urllib3.util.retry.Retry(total=3, read=3, connect=3, backoff_factor=0.3, status_forcelist=(500, 502, 503))
session.mount('https://', requests.adapters.HTTPAdapter(max_retries=retry))
def set_logger(logdir, logfile):
if not os.path.isdir(logdir):
print('Log directory %s does not exist') % logdir
sys.exit(1)
logpath = logdir + '/' + logfile
try:
if not os.path.exists(logpath):
print("Log file {} does not exist yet. Create file".format(logpath))
with open(logpath, 'w'):
pass
mask = stat.S_IROTH | stat.S_IRGRP
if os.stat(logpath).st_mode & mask != mask:
print('Set read permission for %s') % logpath
os.chmod(logpath, 0o666)
except Exception as e:
print("Exception {} setting logger".format(e))
pass
logger = logging.getLogger(__name__)
hdlr = logging.FileHandler(logpath)
formatter = logging.Formatter('%(asctime)s | %(process)d | %(levelname)s | %(message)s')
hdlr.setFormatter(formatter)
logger.addHandler(hdlr)
logger.setLevel(logging.DEBUG)
return logger
def run(cmd):
shell = True if type(cmd) is str else False
proc = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, shell=shell)
out = proc.communicate()[0].strip()
logger.info('>> %s | RETURN: %d' % (cmd, proc.returncode))
if proc.returncode != 0:
logger.error(out)
return proc.returncode, out
def cleanup(keep_final=True):
tmp_files = [KEY_PEM, CSR_PEM, SIGN, INOPENSSL_CONF_FILE]
final_files = [FINAL_CRT, FINAL_KEY, FINAL_CA, FINAL_P8, FINAL_CRT_DER, FINAL_KEY_DER, FINAL_CA_DER, FINAL_P8, FINAL_P12, FINAL_BLOB]
if not keep_final:
tmp_files.extend(final_files)
removed_files = []
for tmp_file in tmp_files:
try:
os.remove(tmp_file)
removed_files.append(tmp_file)
except OSError:
pass
logger.info('Removed files: %s', ' '.join(removed_files))
def generate_pair(nodeip, phrase, cn):
'''Generates a cert-key pair'''
conf_data = {'common_name': cn}
conf = INOPENSSL_CONF_TEMPLATE.format(**conf_data)
if SERIAL_NUMBER != '':
conf_ser_data = {'serial_number': SERIAL_NUMBER}
conf_ser = INOPENSSL_SERIAL_CONF_TEMPLATE.format(**conf_ser_data)
with open(INOPENSSL_CONF_FILE, 'w') as f:
f.write(conf)
if SERIAL_NUMBER != '':
f.write(conf_ser)
cmd = 'openssl genrsa -out ' + KEY_PEM + ' 2048'
cmd = cmd + ' && openssl req -config ' + INOPENSSL_CONF_FILE + ' -new -key ' + KEY_PEM + ' -out ' + CSR_PEM
cmd = cmd + ' && openssl dgst -sha256 -hmac ' + phrase + ' -out ' + SIGN + ' ' + CSR_PEM
print("Now passphrase is {}".format(phrase))
ret, out = run(cmd)
if ret != 0:
return False
hmac = ''
certreq = ''
with open(SIGN) as f:
hmac = f.read().strip().split(' ')[-1]
with open(CSR_PEM) as f:
certreq = f.read().strip()
if not make_certreq(nodeip, hmac, certreq):
logger.info('Generation of [crt, key, ca] failed')
return False
with open(KEY_PEM, 'r') as f:
logger.info('Generated key\n [key]\n%s' % f.read().strip())
shutil.copyfile(KEY_PEM, FINAL_KEY)
logger.info('Generated pem: [%s, %s, %s] ' % (FINAL_CRT, FINAL_KEY, FINAL_CA))
if not pair_match(FINAL_CRT, FINAL_KEY, 'pem'):
return False
# Cert generation and cert/key match success
return True
def make_certreq(nodeip, hmac, certreq):
url = 'https://%s/raca/certreq.json' % nodeip
payload = '{"aaaCertGenReq":{"attributes":{"type":"%s","hmac":"%s", "certreq": "%s", "podip": "%s", "podmac": "%s", "podname": "%s"}}}' % ("csvc", hmac, certreq, MY_NODE_IDIP, MY_CHASSIS_ID, MY_SN)
logger.info('Request url : %s' % url)
logger.info('Request body: %s' % payload)
response = session.post(url, data=payload, verify=False, timeout=5)
logger.info('Request res: %s' % response.text)
if response.status_code != 200:
logger.error('aaaCertGenReq request failed')
return False
logger.info('aaaCertGenReq request succeded')
json_out = json.loads(response.text.replace('\n', '\\n'))
rootres = str(json_out['imdata'][0]['aaaApplianceCertRes']['attributes']['rootres']).strip()
certres = str(json_out['imdata'][0]['aaaApplianceCertRes']['attributes']['certres']).strip()
blobres = str(json_out['imdata'][0]['aaaApplianceCertRes']['attributes']['blobres']).strip()
logger.info('Retrieved ca, crt\n [ca]\n%s\n [crt]\n%s\n [blob]\n%s' % (rootres, certres, blobres))
with open(FINAL_CA, 'w') as f:
f.write(rootres)
with open(FINAL_CRT, 'w') as f:
f.write(certres)
if blobres:
with open(FINAL_BLOB, 'w') as f:
f.write(blobres)
return True
def make_copies():
for src, dst in CERT_COPY:
if os.path.exists(src):
run('cp %s %s' % (src, dst))
def delete_copies():
for src, dst in CERT_COPY:
if os.path.exists(dst):
run('rm -f %s' % dst)
def convert_certs():
'''Converts PEM certificates to PKCS8, PKCS12, JKS and DER'''
cmd = 'openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in ' + FINAL_KEY + ' -out ' + FINAL_P8
ret, out = run(cmd)
if ret != 0:
return False
logger.info('Generated pkcs8: [%s] ' % FINAL_P8)
cmd = 'openssl pkcs12 -export -inkey ' + FINAL_KEY + ' -in ' + FINAL_CRT + ' -certfile ' + FINAL_CA + ' -out ' + FINAL_P12 + ' -passout pass:' + EXPORT_PASS
ret, out = run(cmd)
if ret != 0:
return False
logger.info('Generated pkcs12: [%s] ' % FINAL_P12)
cmd = 'openssl x509 -outform der -in ' + FINAL_CRT + ' -out ' + FINAL_CRT_DER
cmd = cmd + ' && openssl x509 -outform der -in ' + FINAL_CA + ' -out ' + FINAL_CA_DER
cmd = cmd + ' && openssl rsa -outform der -in ' + FINAL_KEY + ' -out ' + FINAL_KEY_DER
ret, out = run(cmd)
if ret != 0:
return False
logger.info('Generated der: [%s, %s, %s] ' % (FINAL_CRT_DER, FINAL_KEY_DER, FINAL_CA_DER))
if not pair_match(FINAL_CRT_DER, FINAL_KEY_DER, 'der'):
return False
cmd = 'keytool -keystore ' + FINAL_JKS_TRUSTSTORE + ' -alias CARoot -import -file ' + FINAL_CA + ' -storepass ' + TRUSTSTORE_PASS + ' -noprompt'
cmd = cmd + ' && keytool -keystore ' + FINAL_JKS_KEYSTORE + ' -alias CARoot -import -file ' + FINAL_CA + ' -storepass ' + KEYSTORE_PASS + ' -noprompt'
cmd = cmd + ' && keytool -importkeystore -destkeystore ' + FINAL_JKS_KEYSTORE + ' -deststorepass ' + KEYSTORE_PASS + ' -srckeystore ' + FINAL_P12 + ' -srcstoretype PKCS12 -srcstorepass ' + EXPORT_PASS + ' -noprompt'
cmd = cmd + ' && keytool -changealias -alias 1 -destalias localhost -keypass ' + KEYSTORE_PASS + ' -keystore ' + FINAL_JKS_KEYSTORE + ' -storepass ' + KEYSTORE_PASS
ret, out = run(cmd)
if ret != 0:
return False
logger.info('Generated PKS: [%s, %s] ' % (FINAL_JKS_TRUSTSTORE, FINAL_JKS_KEYSTORE))
# Cert convertions and cert/key match success
return True
def get_passphrase(nodeip, username, password):
'''Retrieves passphrase'''
url = 'https://%s/api/aaaLogin.json' % nodeip
payload = '{"aaaUser":{"attributes":{"name":"%s","pwd":"%s"}}}' % (username, password)
logger.info('Request url : %s' % url)
# do not log password
logger.info('Request body: %s' % payload.replace(password, '********'))
response = session.post(url, data=payload, verify=False, timeout=5)
logger.info('Request res: %s' % response.text)
if response.status_code != 200:
logger.error('aaaLogin request failed')
return False, ''
logger.info('aaaLogin request succeded')
url = 'https://%s/api/node/class/pkiFabricSelfCAEp.json' % nodeip
logger.info('Request url : %s' % url)
response = session.get(url, verify=False, timeout=5)
logger.info('Request res: %s' % response.text)
if response.status_code != 200:
logger.error('pkiFabricSelfCA request failed')
return False, ''
logger.info('pkiFabricSelfCA request succeded')
json_out = response.json()
passphrase = str(json_out['imdata'][0]['pkiFabricSelfCAEp']['attributes']['currCertReqPassphrase'])
logger.info('Retrieved passphrase [%s]' % passphrase)
return True, passphrase
def pair_match(crt, key, cert_format):
'''Checks if cert-key match eachother'''
ret, crt_out = run('openssl x509 -inform ' + cert_format + ' -noout -modulus -in ' + crt + ' | openssl md5')
ret, key_out = run('openssl rsa -inform ' + cert_format + ' -noout -modulus -in ' + key + ' | openssl md5')
if crt_out == key_out:
logger.info('[%s, %s] - Match ' % (crt, key))
return True
else:
logger.error('[%s, %s] - Mismatch' % (crt, key))
return False
def parse_args():
# Parse arguments
parser = argparse.ArgumentParser(description='command help')
parser.add_argument('--workdir', default='/tmp/', help='Work directory')
parser.add_argument('--logdir', default='/tmp/', help='Log directory')
parser.add_argument('--logfile', default='gen_cert.log', help='Log file')
subparsers = parser.add_subparsers(dest='command', help='sub-command help')
parser_generate = subparsers.add_parser('generate', help='Generate files')
parser_generate.add_argument('--sn', default='', required=False, help='Serial Number', nargs='+')
parser_generate.add_argument('--cn', required=True, help='Common Name', nargs='+')
parser_generate.add_argument('--nodeip', default='localhost', help='Node Ip')
parser_generate.add_argument('--passphrase', help='Passphrase')
parser_generate.add_argument('--username', help='Username')
parser_generate.add_argument('--password', default='noir0!234', help='Password')
parser_generate.add_argument('--reqtype', choices=['csvc', 'vtor', 'vapic'], help='Request type', default='csvc')
parser_generate.add_argument('--mynodeidip', help='My Node Id:Ip')
parser_generate.add_argument('--mychassisid', help='My Chassis Id')
parser_generate.add_argument('--mysn', help='My SN')
args = parser.parse_args()
return args
def generate(workdir, nodeip, cn, user, password, export_pass=None, keystore_pass=None, truststore_pass=None):
previous_dir = os.getcwd()
os.chdir(workdir)
if export_pass:
EXPORT_PASS = export_pass
if keystore_pass:
KEYSTORE_PASS = keystore_pass
if truststore_pass:
TRUSTSTORE_PASS = truststore_pass
ret, PASSPHRASE = get_passphrase(nodeip, user, password)
if not ret:
print("Arguments: Could not fetch passphrase using credentials")
os.chdir(previous_dir)
return False
else:
print("passphrase: {}".format(PASSPHRASE))
if generate_pair(nodeip, PASSPHRASE, cn) and convert_certs():
cleanup(True)
make_copies()
os.chdir(previous_dir)
return True
os.chdir(previous_dir)
return False