Ottomata has uploaded a new change for review. ( 
https://gerrit.wikimedia.org/r/404687 )

Change subject: Generate ca.crt.pem files in each certificate directory
......................................................................

Generate ca.crt.pem files in each certificate directory

This makes it easier to distribute CA certificate files.

Change-Id: I09c1dff11eea8d4cd44aa9f574b386245ec38fb1
---
M CHANGELOG.md
M cergen/certificate.py
M setup.py
M tests/test_certificate.py
4 files changed, 40 insertions(+), 2 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/cergen refs/changes/87/404687/1

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 675b7dc..0153f66 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,6 @@
+# 0.2.1
+- Now also generate ca.crt.pem files in each certificate directory.
+
 # 0.2.0
 - puppet-sign-cert now only works with Puppet 4.
 
diff --git a/cergen/certificate.py b/cergen/certificate.py
index 8bb7436..903aff3 100644
--- a/cergen/certificate.py
+++ b/cergen/certificate.py
@@ -157,8 +157,10 @@
 
         # Certificate Signing Request file in .pem format.
         self.csr_file = os.path.join(self.path, '{}.csr.pem'.format(self.name))
-        # Public Signed Certificate file in .pem format
+        # x509 Certificate file in .pem format
         self.crt_file = os.path.join(self.path, '{}.crt.pem'.format(self.name))
+        # Authority's x509 Certificate file in .pem format
+        self.ca_crt_file = os.path.join(self.path, 'ca.crt.pem')
         # PKCS#12 'keystore' file
         self.p12_file = os.path.join(self.path, 
'{}.keystore.p12'.format(self.name))
         # Java Keystore file
@@ -263,6 +265,7 @@
         self.key.generate(force=force)
         self.generate_crt(force=force)
         # TODO: maybe rename these subordinate generate methods?
+        self.generate_ca_crt(force=force)
         self.generate_p12(force=force)
         self.generate_keystore(force=force)
         self.generate_truststore(force=force)
@@ -358,6 +361,35 @@
             f.write(csr.public_bytes(serialization.Encoding.PEM))
 
         return csr
+
+    def generate_ca_crt(self, force=False):
+        """
+        Copies the authority's certificate in .pem format
+        into this certificate's path under the name 'ca.crt.pem'.
+        This is useful so the CA certificate can be easily distributed.
+
+        Args:
+            force (bool, optional)
+
+        Raises:
+            RuntimeError: if a a new certificate cannot be signed by the 
authority
+                or verified by the authority chain.
+
+        """
+        if not self.should_generate(self.ca_crt_file, force):
+            return False
+
+        self.log.info('Generating CA certificate file')
+
+        # The authority has a local cert_file.  Copy it to this Certificate's 
path.
+        shutil.copyfile(self.authority.cert_file, self.ca_crt_file)
+
+        # Verify that crt_file was created.
+        if not os.path.exists(self.ca_crt_file):
+            raise RuntimeError(
+                '{} does not exist even though we copied it from {}. '
+                ' This should not happen.'.format(self.ca_crt_file, 
self.authority.cert_file)
+            )
 
     def generate_p12(self, force=False):
         """
@@ -522,6 +554,7 @@
             self.key.private_key_file,
             self.key.public_key_file,
             self.crt_file,
+            self.ca_crt_file,
             self.p12_file,
             self.jks_file,
             self.truststore_jks_file
diff --git a/setup.py b/setup.py
index 4006228..ca1a1b0 100644
--- a/setup.py
+++ b/setup.py
@@ -9,7 +9,7 @@
 
 setup(
     name='cergen',
-    version='0.1.1',
+    version='0.2.1',
     description='Automated x509 certificate generation and management',
     license='Apache',
     author='Andrew Otto',
diff --git a/tests/test_certificate.py b/tests/test_certificate.py
index 57d0a4f..02d2bd8 100644
--- a/tests/test_certificate.py
+++ b/tests/test_certificate.py
@@ -37,6 +37,8 @@
         'crt_file should exist'
     assert os.path.exists(certificate.csr_file), \
         'csr_file should exist'
+    assert os.path.exists(certificate.ca_crt_file), \
+        'ca_crt_file should exist'
     assert os.path.exists(certificate.p12_file), \
         'p12_file should exist'
     assert os.path.exists(certificate.jks_file), \
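Review bot: The new assertion only checks that ca_crt_file exists, not that it holds the authority's certificate, so a copy of the wrong file or an empty file would still pass; add `with open(certificate.ca_crt_file, 'rb') as actual, open(certificate.authority.cert_file, 'rb') as expected:` followed by `assert actual.read() == expected.read(), 'ca_crt_file should match the authority cert'` after it. The enclosing test function starts and ends outside the hunk.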

-- 
To view, visit https://gerrit.wikimedia.org/r/404687

Gerrit-MessageType: newchange
Gerrit-Change-Id: I09c1dff11eea8d4cd44aa9f574b386245ec38fb1
Gerrit-PatchSet: 1
Gerrit-Project: cergen
Gerrit-Branch: master
Gerrit-Owner: Ottomata <ao...@wikimedia.org>
