Ottomata has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/404687 )
Change subject: Generate ca.crt.pem files in each certificate directory
......................................................................

Generate ca.crt.pem files in each certificate directory

This makes it easier to distribute CA certificate files.

Change-Id: I09c1dff11eea8d4cd44aa9f574b386245ec38fb1
---
M CHANGELOG.md
M cergen/certificate.py
M setup.py
M tests/test_certificate.py
4 files changed, 40 insertions(+), 2 deletions(-)

git pull ssh://gerrit.wikimedia.org:29418/cergen refs/changes/87/404687/1

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 675b7dc..0153f66 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,6 @@
+# 0.2.1
+- Now also generate ca.crt.pem files in each certificate directory.
+
 # 0.2.0
 - puppet-sign-cert now only works with Puppet 4.
diff --git a/cergen/certificate.py b/cergen/certificate.py
index 8bb7436..903aff3 100644
--- a/cergen/certificate.py
+++ b/cergen/certificate.py
@@ -157,8 +157,10 @@
 # Certificate Signing Request file in .pem format.
 self.csr_file = os.path.join(self.path, '{}.csr.pem'.format(self.name))
- # Public Signed Certificate file in .pem format
+ # x509 Certificate file in .pem format
 self.crt_file = os.path.join(self.path, '{}.crt.pem'.format(self.name))
+ # Authority's x509 Certificate file in .pem format
+ self.ca_crt_file = os.path.join(self.path, 'ca.crt.pem')
 # PKCS#12 'keystore' file
 self.p12_file = os.path.join(self.path, '{}.keystore.p12'.format(self.name))
 # Java Keystore file
@@ -263,6 +265,7 @@
 self.key.generate(force=force)
 self.generate_crt(force=force)
 # TODO: maybe rename these subordinate generate methods?
+ self.generate_ca_crt(force=force)
 self.generate_p12(force=force)
 self.generate_keystore(force=force)
 self.generate_truststore(force=force)
@@ -358,6 +361,35 @@
 f.write(csr.public_bytes(serialization.Encoding.PEM))
 return csr
+
+ def generate_ca_crt(self, force=False):
+ """
+ Copies the authority's certificate in .pem format
+ into this certificate's path under the name 'ca.crt.pem'.
+ This is useful so the CA certificate can be easily distributed.
+
+ Args:
+ force (bool, optional)
+
+ Raises:
+ RuntimeError: if a a new certificate cannot be signed by the authority
+ or verified by the authority chain.
+
+ """
+ if not self.should_generate(self.ca_crt_file, force):
+ return False
+
+ self.log.info('Generating CA certificate file')
+
+ # The authority has a local cert_file. Copy it to this Certificate's path.
+ shutil.copyfile(self.authority.cert_file, self.ca_crt_file)
+
+ # Verify that crt_file was created.
+ if not os.path.exists(self.ca_crt_file):
+ raise RuntimeError(
+ '{} does not exist even though we copied it from {}. '
+ ' This should not happen.'.format(self.ca_crt_file, self.authority.cert_file)
+ )
 def generate_p12(self, force=False):
 """
@@ -522,6 +554,7 @@
 self.key.private_key_file,
 self.key.public_key_file,
 self.crt_file,
+ self.ca_crt_file,
 self.p12_file,
 self.jks_file,
 self.truststore_jks_file
diff --git a/setup.py b/setup.py
index 4006228..ca1a1b0 100644
--- a/setup.py
+++ b/setup.py
@@ -9,7 +9,7 @@ setup(
 name='cergen',
- version='0.1.1',
+ version='0.2.1',
 description='Automated x509 certificate generation and management',
 license='Apache',
 author='Andrew Otto',
diff --git a/tests/test_certificate.py b/tests/test_certificate.py
index 57d0a4f..02d2bd8 100644
--- a/tests/test_certificate.py
+++ b/tests/test_certificate.py
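Review bot: The post-copy `os.path.exists` check at the end of `generate_ca_crt` adds no assurance, because `shutil.copyfile` already raises when the destination cannot be written; what a consumer of a distributed ca.crt.pem needs is that its bytes equal the authority's certificate. Change the condition to `if not filecmp.cmp(self.authority.cert_file, self.ca_crt_file, shallow=False):` (with `import filecmp` at the top of the module) and reword the error message to say the copy does not match its source. The same comparison, applied ahead of the `should_generate` short-circuit, would also refresh a stale ca.crt.pem after the authority's certificate is rotated; `should_generate` is defined outside the hunk, so whether it considers anything beyond existence cannot be confirmed here. The docstring's Raises section describes signing and chain verification, which this method never does, and contains the typo `a a`; it should read `RuntimeError: if the copied ca.crt.pem does not match the authority's certificate`, and the comment `# Verify that crt_file was created.` should name `ca_crt_file`. The method also returns `False` when skipped but `None` after a successful copy; ending with `return True` would make the result consistent for callers.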
@@ -37,6 +37,8 @@
 'crt_file should exist'
 assert os.path.exists(certificate.csr_file), \
 'csr_file should exist'
+ assert os.path.exists(certificate.ca_crt_file), \
+ 'ca_crt_file should exist'
 assert os.path.exists(certificate.p12_file), \
 'p12_file should exist'
 assert os.path.exists(certificate.jks_file), \
--
To view, visit https://gerrit.wikimedia.org/r/404687
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: I09c1dff11eea8d4cd44aa9f574b386245ec38fb1
Gerrit-PatchSet: 1
Gerrit-Project: cergen
Gerrit-Branch: master
Gerrit-Owner: Ottomata <ao...@wikimedia.org>
_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
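Review bot: The new assertion only checks that `certificate.ca_crt_file` exists, so a copy of the wrong file, or an empty one, would still pass; the test should also compare its contents with the authority's certificate, which is the property anyone distributing ca.crt.pem relies on. Add after the new assert: `with open(certificate.ca_crt_file, 'rb') as copied, open(certificate.authority.cert_file, 'rb') as original:` followed by `assert copied.read() == original.read(), 'ca_crt_file should match the authority certificate'`. Whether `certificate.authority.cert_file` is reachable from this fixture is not visible in the hunk; the enclosing test function starts outside it.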