URL: https://github.com/freeipa/freeipa/pull/542
Author: LiptonB
 Title: #542: Implementation independent interface for CSR generation
Action: opened

PR body:
"""
@HonzaCholasta and everyone, here is where I am so far on the 
[CertificationRequestInfo-based interface for CSR 
generation](https://www.redhat.com/archives/freeipa-devel/2017-February/msg00104.html).

As I see it, there are a few rough edges still, so I'd like to get your 
opinion, especially about these things:
- For feeding to `build_requestinfo` we want a config file, not a script, so I 
needed to add another formatter/helper that omits the bash code that's there 
for other helpers.
- While openssl has a library function for creating cert extensions from the 
config file format, the logic for creating the subject name from the config 
format is implemented within the `openssl req` command rather than the library. 
In `build_requestinfo` I copied [the code from 
certmonger](https://pagure.io/certmonger/blob/master/f/src/csrgen-o.c#_193-223) 
that creates the subject name, which takes a simpler format. So the new 
formatter is called "certmonger" and uses that format.
- I'm not sure where in the freeipa project the code for `build_requestinfo` 
should go, how to work it into the build process, and where it should be 
installed. Right now I just have a TODO to do so. Or did you mean for that code 
to be run via CFFI as well?
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/542/head:pr542
git checkout pr542
From 6f678a1c68769daf5b2f80cbf65a5b6b1c99f7a1 Mon Sep 17 00:00:00 2001
From: Ben Lipton <blip...@redhat.com>
Date: Fri, 7 Oct 2016 10:39:40 -0400
Subject: [PATCH 1/3] csrgen: Add "certmonger" helper to produce simplified
 openssl configs

The resulting file is similar to the config accepted by `openssl req`,
but instead of a section for the subject name, it contains a single
config item, `cm_template_subject`, in the format that certmonger
accepts for its certificate subject names.

https://pagure.io/freeipa/issue/4899
---
 install/share/csrgen/Makefile.am                    |  1 +
 install/share/csrgen/rules/dataDNS.json             |  2 +-
 install/share/csrgen/rules/dataEmail.json           |  2 +-
 install/share/csrgen/rules/dataHostCN.json          |  2 +-
 install/share/csrgen/rules/dataSubjectBase.json     |  2 +-
 install/share/csrgen/rules/dataUsernameCN.json      |  2 +-
 install/share/csrgen/rules/syntaxSAN.json           |  2 +-
 install/share/csrgen/rules/syntaxSubject.json       |  4 ++++
 install/share/csrgen/templates/certmonger_base.tmpl | 17 +++++++++++++++++
 ipaclient/csrgen.py                                 |  7 ++++++-
 10 files changed, 34 insertions(+), 7 deletions(-)
 create mode 100644 install/share/csrgen/templates/certmonger_base.tmpl

diff --git a/install/share/csrgen/Makefile.am b/install/share/csrgen/Makefile.am
index 12c62c4..53324fe 100644
--- a/install/share/csrgen/Makefile.am
+++ b/install/share/csrgen/Makefile.am
@@ -20,6 +20,7 @@ rule_DATA =				\
 templatedir = $(IPA_DATA_DIR)/csrgen/templates
 template_DATA =			\
 	templates/certutil_base.tmpl	\
+	templates/certmonger_base.tmpl	\
 	templates/openssl_base.tmpl	\
 	templates/openssl_macros.tmpl	\
 	$(NULL)
diff --git a/install/share/csrgen/rules/dataDNS.json b/install/share/csrgen/rules/dataDNS.json
index 2663f11..263eae0 100644
--- a/install/share/csrgen/rules/dataDNS.json
+++ b/install/share/csrgen/rules/dataDNS.json
@@ -1,7 +1,7 @@
 {
   "rules": [
     {
-      "helper": "openssl",
+      "helper": ["openssl", "certmonger"],
       "template": "DNS = {{subject.krbprincipalname.0.partition('/')[2].partition('@')[0]}}"
     },
     {
diff --git a/install/share/csrgen/rules/dataEmail.json b/install/share/csrgen/rules/dataEmail.json
index 2eae9fb..5c4dbe8 100644
--- a/install/share/csrgen/rules/dataEmail.json
+++ b/install/share/csrgen/rules/dataEmail.json
@@ -1,7 +1,7 @@
 {
   "rules": [
     {
-      "helper": "openssl",
+      "helper": ["openssl", "certmonger"],
       "template": "email = {{subject.mail.0}}"
     },
     {
diff --git a/install/share/csrgen/rules/dataHostCN.json b/install/share/csrgen/rules/dataHostCN.json
index 5c415bb..8c17e8a 100644
--- a/install/share/csrgen/rules/dataHostCN.json
+++ b/install/share/csrgen/rules/dataHostCN.json
@@ -1,7 +1,7 @@
 {
   "rules": [
     {
-      "helper": "openssl",
+      "helper": ["openssl", "certmonger"],
       "template": "CN={{subject.krbprincipalname.0.partition('/')[2].partition('@')[0]}}"
     },
     {
diff --git a/install/share/csrgen/rules/dataSubjectBase.json b/install/share/csrgen/rules/dataSubjectBase.json
index 309dfb1..489dd49 100644
--- a/install/share/csrgen/rules/dataSubjectBase.json
+++ b/install/share/csrgen/rules/dataSubjectBase.json
@@ -1,7 +1,7 @@
 {
   "rules": [
     {
-      "helper": "openssl",
+      "helper": ["openssl", "certmonger"],
       "template": "{{config.ipacertificatesubjectbase.0}}"
     },
     {
diff --git a/install/share/csrgen/rules/dataUsernameCN.json b/install/share/csrgen/rules/dataUsernameCN.json
index 37e7e01..d294ab2 100644
--- a/install/share/csrgen/rules/dataUsernameCN.json
+++ b/install/share/csrgen/rules/dataUsernameCN.json
@@ -1,7 +1,7 @@
 {
   "rules": [
     {
-      "helper": "openssl",
+      "helper": ["openssl", "certmonger"],
       "template": "CN={{subject.uid.0}}"
     },
     {
diff --git a/install/share/csrgen/rules/syntaxSAN.json b/install/share/csrgen/rules/syntaxSAN.json
index 122eb12..00b1808 100644
--- a/install/share/csrgen/rules/syntaxSAN.json
+++ b/install/share/csrgen/rules/syntaxSAN.json
@@ -1,7 +1,7 @@
 {
   "rules": [
     {
-      "helper": "openssl",
+      "helper": ["openssl", "certmonger"],
       "template": "subjectAltName = @{% call openssl.section() %}{{ datarules|join('\n') }}{% endcall %}",
       "options": {
         "extension": true
diff --git a/install/share/csrgen/rules/syntaxSubject.json b/install/share/csrgen/rules/syntaxSubject.json
index af6ec03..1eb02e9 100644
--- a/install/share/csrgen/rules/syntaxSubject.json
+++ b/install/share/csrgen/rules/syntaxSubject.json
@@ -5,6 +5,10 @@
       "template": "distinguished_name = {% call openssl.section() %}{{ datarules|reverse|join('\n') }}{% endcall %}"
     },
     {
+      "helper": "certmonger",
+      "template": "cm_template_subject = {{ datarules|reverse|join(',') }}"
+    },
+    {
       "helper": "certutil",
       "template": "-s {{ datarules|join(',') }}"
     }
diff --git a/install/share/csrgen/templates/certmonger_base.tmpl b/install/share/csrgen/templates/certmonger_base.tmpl
new file mode 100644
index 0000000..2a695a7
--- /dev/null
+++ b/install/share/csrgen/templates/certmonger_base.tmpl
@@ -0,0 +1,17 @@
+{% raw -%}
+{% import "openssl_macros.tmpl" as openssl -%}
+{%- endraw %}
+[ req ]
+prompt = no
+encrypt_key = no
+
+{{ parameters|join('\n') }}
+{% raw %}{% set rendered_extensions -%}{% endraw %}
+{{ extensions|join('\n') }}
+{% raw -%}
+{%- endset -%}
+{% if rendered_extensions -%}
+req_extensions = {% call openssl.section() %}{{ rendered_extensions }}{% endcall %}
+{% endif %}
+{{ openssl.openssl_sections|join('\n\n') }}
+{%- endraw %}
diff --git a/ipaclient/csrgen.py b/ipaclient/csrgen.py
index 96100ae..3fb944b 100644
--- a/ipaclient/csrgen.py
+++ b/ipaclient/csrgen.py
@@ -228,6 +228,10 @@ def _prepare_syntax_rule(
         return self.SyntaxRule(prepared_template, is_extension)
 
 
+class CertmongerFormatter(OpenSSLFormatter):
+    base_template_name = 'certmonger_base.tmpl'
+
+
 class CertutilFormatter(Formatter):
     base_template_name = 'certutil_base.tmpl'
 
@@ -294,7 +298,7 @@ def _rule(self, rule_name, helper):
                     {'ruleset': rule_name})
 
             matching_rules = [r for r in ruleset['rules']
-                              if r['helper'] == helper]
+                              if helper in r['helper']]
             if len(matching_rules) == 0:
                 raise errors.EmptyResult(
                     reason=_('No transformation in "%(ruleset)s" rule supports'
@@ -340,6 +344,7 @@ class CSRGenerator(object):
     FORMATTERS = {
         'openssl': OpenSSLFormatter,
         'certutil': CertutilFormatter,
+        'certmonger': CertmongerFormatter,
     }
 
     def __init__(self, rule_provider):

From 0f51474569d731ff314f90e88f4f19824c33954b Mon Sep 17 00:00:00 2001
From: Ben Lipton <blip...@redhat.com>
Date: Fri, 6 Jan 2017 11:19:19 -0500
Subject: [PATCH 2/3] csrgen: Modify cert_get_requestdata to return a
 CertificationRequestInfo

Also modify cert_request to use this new format. Note, only PEM private
keys are supported for now. NSS databases are not.

https://pagure.io/freeipa/issue/4899
---
 ipaclient/csrgen.py         | 90 +++++++++++++++++++++++++++++++++++++++++++++
 ipaclient/plugins/cert.py   | 75 ++++++++++++++++---------------------
 ipaclient/plugins/csrgen.py | 32 ++++++++--------
 3 files changed, 137 insertions(+), 60 deletions(-)

diff --git a/ipaclient/csrgen.py b/ipaclient/csrgen.py
index 3fb944b..2d18b63 100644
--- a/ipaclient/csrgen.py
+++ b/ipaclient/csrgen.py
@@ -6,11 +6,20 @@
 import json
 import os.path
 import pipes
+import subprocess
+import tempfile
 import traceback
 
+from cryptography.hazmat.backends import default_backend
+from cryptography.hazmat.primitives.asymmetric import padding
+from cryptography.hazmat.primitives import hashes
+from cryptography.hazmat.primitives.serialization import load_pem_private_key, Encoding, PublicFormat
 import jinja2
 import jinja2.ext
 import jinja2.sandbox
+from pyasn1.codec.der import decoder, encoder
+from pyasn1.type import univ
+from pyasn1_modules import rfc2314
 import six
 
 from ipalib import errors
@@ -365,3 +374,84 @@ def csr_script(self, principal, config, profile_id, helper):
                 'Template error when formatting certificate data'))
 
         return script
+
+def build_requestinfo(csr_data, public_key_info):
+    if len(public_key_info) > 64 and '\n' not in public_key_info:
+        # build_requestinfo needs its base64 split into 64-character lines
+        # otherwise parsing fails
+        public_key_info = '\r\n'.join(
+            [public_key_info[x:x+64]
+                for x in range(0, len(public_key_info), 64)])
+
+    with (tempfile.NamedTemporaryFile()
+            ) as config_file, tempfile.NamedTemporaryFile() as pubkey_file:
+        config_file.write(csr_data)
+        config_file.flush()
+        pubkey_file.write(public_key_info)
+        pubkey_file.flush()
+
+        # TODO(blipton): Build and install this binary
+        request_info = subprocess.check_output(['build_requestinfo', config_file.name, pubkey_file.name])
+
+    return request_info
+
+
+class CSRLibraryAdaptor(object):
+    def get_subject_public_key_info(self):
+        raise NotImplementedError('Use a subclass of CSRLibraryAdaptor')
+
+    def sign_csr(self, certification_request_info):
+        """Sign a CertificationRequestInfo.
+
+        Returns: str, a DER-encoded signed CSR.
+        """
+        raise NotImplementedError('Use a subclass of CSRLibraryAdaptor')
+
+
+class OpenSSLAdaptor(object):
+    def __init__(self, key_filename, password_filename):
+        self.key_filename = key_filename
+        self.password_filename = password_filename
+
+    def key(self):
+        with open(self.key_filename, 'r') as key_file:
+            key_bytes = key_file.read()
+        password = None
+        if self.password_filename is not None:
+            with open(self.password_filename, 'r') as password_file:
+                password = password_file.read().strip()
+
+        key = load_pem_private_key(key_bytes, password, default_backend())
+        return key
+
+    def get_subject_public_key_info(self):
+        pubkey_info = self.key().public_key().public_bytes(
+            Encoding.DER, PublicFormat.SubjectPublicKeyInfo)
+        return pubkey_info
+
+    def sign_csr(self, certification_request_info):
+        reqinfo = decoder.decode(certification_request_info, rfc2314.CertificationRequestInfo())[0]
+        csr = rfc2314.CertificationRequest()
+        csr.setComponentByName('certificationRequestInfo', reqinfo)
+
+        algorithm = rfc2314.SignatureAlgorithmIdentifier()
+        algorithm.setComponentByName(
+            'algorithm', univ.ObjectIdentifier('1.2.840.113549.1.1.11')) # sha256WithRSAEncryption
+        csr.setComponentByName('signatureAlgorithm', algorithm)
+
+        signature = self.key().sign(
+            certification_request_info,
+            padding.PKCS1v15(),
+            hashes.SHA256()
+        )
+        asn1sig = univ.BitString("'%s'H" % signature.encode('hex'))
+        csr.setComponentByName('signature', asn1sig)
+        return encoder.encode(csr)
+
+
+class NSSAdaptor(object):
+    def get_subject_public_key_info(self):
+        raise NotImplementedError('NSS is not yet supported')
+
+    def sign_csr(self, certification_request_info):
+        raise NotImplementedError('NSS is not yet supported')
diff --git a/ipaclient/plugins/cert.py b/ipaclient/plugins/cert.py
index 348529c..ad73ce7 100644
--- a/ipaclient/plugins/cert.py
+++ b/ipaclient/plugins/cert.py
@@ -19,11 +19,12 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
+import base64
 import subprocess
-from tempfile import NamedTemporaryFile as NTF
 
 import six
 
+from ipaclient import csrgen
 from ipaclient.frontend import MethodOverride
 from ipalib import errors
 from ipalib import x509
@@ -77,54 +78,40 @@ def forward(self, csr=None, **options):
 
         if csr is None:
             if database:
-                helper = u'certutil'
-                helper_args = ['-d', database]
-                if password_file:
-                    helper_args += ['-f', password_file]
+                adaptor = csrgen.NSSAdaptor(database, password_file)
             elif private_key:
-                helper = u'openssl'
-                helper_args = [private_key]
-                if password_file:
-                    helper_args += ['-passin', 'file:%s' % password_file]
+                adaptor = csrgen.OpenSSLAdaptor(private_key, password_file)
             else:
                 raise errors.InvocationError(
                     message=u"One of 'database' or 'private_key' is required")
 
-            with NTF() as scriptfile, NTF() as csrfile:
-                # If csr_profile_id is passed, that takes precedence.
-                # Otherwise, use profile_id. If neither are passed, the default
-                # in cert_get_requestdata will be used.
-                profile_id = csr_profile_id
-                if profile_id is None:
-                    profile_id = options.get('profile_id')
-
-                self.api.Command.cert_get_requestdata(
-                    profile_id=profile_id,
-                    principal=options.get('principal'),
-                    out=unicode(scriptfile.name),
-                    helper=helper)
-
-                helper_cmd = [
-                    'bash', '-e', scriptfile.name, csrfile.name] + helper_args
-
-                try:
-                    subprocess.check_output(helper_cmd)
-                except subprocess.CalledProcessError as e:
-                    raise errors.CertificateOperationError(
-                        error=(
-                            _('Error running "%(cmd)s" to generate CSR:'
-                              ' %(err)s') %
-                            {'cmd': ' '.join(helper_cmd), 'err': e.output}))
-
-                try:
-                    csr = unicode(csrfile.read())
-                except IOError as e:
-                    raise errors.CertificateOperationError(
-                        error=(_('Unable to read generated CSR file: %(err)s')
-                               % {'err': e}))
-                if not csr:
-                    raise errors.CertificateOperationError(
-                        error=(_('Generated CSR was empty')))
+            pubkey_info = adaptor.get_subject_public_key_info()
+            pubkey_info_b64 = base64.b64encode(pubkey_info)
+
+            # If csr_profile_id is passed, that takes precedence.
+            # Otherwise, use profile_id. If neither are passed, the default
+            # in cert_get_requestdata will be used.
+            profile_id = csr_profile_id
+            if profile_id is None:
+                profile_id = options.get('profile_id')
+
+            response = self.api.Command.cert_get_requestdata(
+                profile_id=profile_id,
+                principal=options.get('principal'),
+                public_key_info=unicode(pubkey_info_b64))
+
+            req_info_b64 = response['result']['request_info']
+            req_info = base64.b64decode(req_info_b64)
+
+            csr = adaptor.sign_csr(req_info)
+
+            if not csr:
+                raise errors.CertificateOperationError(
+                    error=(_('Generated CSR was empty')))
+
+            # cert_request requires the CSR to be base64-encoded (but PEM
+            # header and footer are not required)
+            csr = unicode(base64.b64encode(csr))
         else:
             if database is not None or private_key is not None:
                 raise errors.MutuallyExclusiveError(reason=_(
diff --git a/ipaclient/plugins/csrgen.py b/ipaclient/plugins/csrgen.py
index 0d6eca0..958732d 100644
--- a/ipaclient/plugins/csrgen.py
+++ b/ipaclient/plugins/csrgen.py
@@ -4,13 +4,13 @@
 
 import six
 
-from ipaclient.csrgen import CSRGenerator, FileRuleProvider
+from ipaclient import csrgen
 from ipalib import api
 from ipalib import errors
 from ipalib import output
 from ipalib import util
 from ipalib.frontend import Local, Str
-from ipalib.parameters import Principal
+from ipalib.parameters import File, Principal
 from ipalib.plugable import Registry
 from ipalib.text import _
 from ipapython import dogtag
@@ -41,15 +41,14 @@ class cert_get_requestdata(Local):
             label=_('Profile ID'),
             doc=_('CSR Generation Profile to use'),
         ),
-        Str(
-            'helper',
-            label=_('Name of CSR generation tool'),
-            doc=_('Name of tool (e.g. openssl, certutil) that will be used to'
-                  ' create CSR'),
+        File(
+            'public_key_info',
+            label=_('Subject Public Key Info'),
+            doc=_('DER-encoded SubjectPublicKeyInfo structure'),
         ),
         Str(
             'out?',
-            doc=_('Write CSR generation script to file'),
+            doc=_('Write CertificationRequestInfo to file'),
         ),
     )
 
@@ -63,8 +62,8 @@ class cert_get_requestdata(Local):
 
     has_output_params = (
         Str(
-            'script',
-            label=_('Generation script'),
+            'request_info',
+            label=_('CertificationRequestInfo structure'),
         )
     )
 
@@ -76,7 +75,7 @@ def execute(self, *args, **options):
         profile_id = options.get('profile_id')
         if profile_id is None:
             profile_id = dogtag.DEFAULT_PROFILE
-        helper = options.get('helper')
+        public_key_info = options.get('public_key_info')
 
         if self.api.env.in_server:
             backend = self.api.Backend.ldap2
@@ -101,17 +100,18 @@ def execute(self, *args, **options):
         principal_obj = principal_obj['result']
         config = api.Command.config_show()['result']
 
-        generator = CSRGenerator(FileRuleProvider())
+        generator = csrgen.CSRGenerator(csrgen.FileRuleProvider())
 
-        script = generator.csr_script(
-            principal_obj, config, profile_id, helper)
+        csr_data = generator.csr_script(
+            principal_obj, config, profile_id, 'certmonger')
+        request_info = csrgen.build_requestinfo(csr_data, public_key_info)
 
         result = {}
         if 'out' in options:
             with open(options['out'], 'wb') as f:
-                f.write(script)
+                f.write(request_info)
         else:
-            result = dict(script=script)
+            result = dict(request_info=request_info)
 
         return dict(
             result=result

From 949d3467c3350a06c9061c9b68021c1d6b2ead31 Mon Sep 17 00:00:00 2001
From: Ben Lipton <blip...@redhat.com>
Date: Mon, 30 Jan 2017 10:51:11 -0500
Subject: [PATCH 3/3] csrgen: Beginnings of NSS database support

https://pagure.io/freeipa/issue/4899
---
 ipaclient/csrgen.py | 27 ++++++++++++++++++++++++++-
 1 file changed, 26 insertions(+), 1 deletion(-)

diff --git a/ipaclient/csrgen.py b/ipaclient/csrgen.py
index 2d18b63..4510bc1 100644
--- a/ipaclient/csrgen.py
+++ b/ipaclient/csrgen.py
@@ -3,7 +3,9 @@
 #
 
 import collections
+import base64
 import json
+import os
 import os.path
 import pipes
 import subprocess
@@ -14,6 +16,7 @@
 from cryptography.hazmat.primitives.asymmetric import padding
 from cryptography.hazmat.primitives import hashes
 from cryptography.hazmat.primitives.serialization import load_pem_private_key, Encoding, PublicFormat
+from cryptography.x509 import load_pem_x509_certificate
 import jinja2
 import jinja2.ext
 import jinja2.sandbox
@@ -450,8 +453,30 @@ def sign_csr(self, certification_request_info):
 
 
 class NSSAdaptor(object):
+    def __init__(self, database, password_filename):
+        self.database = database
+        self.password_filename = password_filename
+        self.nickname = base64.b32encode(os.urandom(40))
+
     def get_subject_public_key_info(self):
-        raise NotImplementedError('NSS is not yet supported')
+        temp_cn = base64.b32encode(os.urandom(40))
+
+        password_args = []
+        if self.password_filename is not None:
+            password_args = ['-f', self.password_filename]
+
+        subprocess.check_call(
+            ['certutil', '-S', '-n', self.nickname, '-s', 'CN=%s' % temp_cn,
+             '-x', '-t', ',,', '-d', self.database] + password_args)
+        cert_pem = subprocess.check_output(
+            ['certutil', '-L', '-n', self.nickname, '-a', '-d', self.database]
+            + password_args)
+
+        cert = load_pem_x509_certificate(cert_pem, default_backend())
+        pubkey_info = cert.public_key().public_bytes(
+            Encoding.DER, PublicFormat.SubjectPublicKeyInfo)
+
+        return pubkey_info
 
     def sign_csr(self, certification_request_info):
         raise NotImplementedError('NSS is not yet supported')
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to