mirror of
https://github.com/cwinfo/powerdns-admin.git
synced 2025-01-15 06:36:30 +00:00
567430790c
Problems resolved: - Method create_self_signed_cert() was invoked nowhere. This puts parameter "SAML_SIGN_REQUEST" description in configs/development.py as incorrect - Method create_self_signed_cert() was returning error while trying to write out certificate and private key. File handler was opened for writing out TEXT instead of BINARY data Enhancements: - Two new parameters are introduced SAML_CERT_FILE and SAML_KEY_FILE. User can now explicitly define own certificate and key file anywhere on file-system. - If parameters mentioned in previous bullet aren't explicitly defined, in PowerDNS-Admin root directory self-signed certificate will be created. - Certificates will be used or generated in any case, because in saml.py there are explicit parameters defined which require certificate/key in order to work normally. If they aren't, exception will be thrown. Examples of parameters defined in saml.py requiring certificate: wantAssertionsEncrypted, signMetadata, wantAssertionsSigned.
48 lines
1.5 KiB
Python
48 lines
1.5 KiB
Python
from OpenSSL import crypto
|
|
from datetime import datetime
|
|
import pytz
|
|
import os
|
|
CRYPT_PATH = os.path.abspath(os.path.dirname(os.path.realpath(__file__)) + "/../../")
|
|
CERT_FILE = CRYPT_PATH + "/saml_cert.crt"
|
|
KEY_FILE = CRYPT_PATH + "/saml_cert.key"
|
|
|
|
|
|
def check_certificate():
|
|
if not os.path.isfile(CERT_FILE):
|
|
return False
|
|
st_cert = open(CERT_FILE, 'rt').read()
|
|
cert = crypto.load_certificate(crypto.FILETYPE_PEM, st_cert)
|
|
now = datetime.now(pytz.utc)
|
|
begin = datetime.strptime(cert.get_notBefore(), "%Y%m%d%H%M%SZ").replace(tzinfo=pytz.UTC)
|
|
begin_ok = begin < now
|
|
end = datetime.strptime(cert.get_notAfter(), "%Y%m%d%H%M%SZ").replace(tzinfo=pytz.UTC)
|
|
end_ok = end > now
|
|
if begin_ok and end_ok:
|
|
return True
|
|
return False
|
|
|
|
def create_self_signed_cert():
|
|
|
|
# create a key pair
|
|
k = crypto.PKey()
|
|
k.generate_key(crypto.TYPE_RSA, 2048)
|
|
|
|
# create a self-signed cert
|
|
cert = crypto.X509()
|
|
cert.get_subject().C = "DE"
|
|
cert.get_subject().ST = "NRW"
|
|
cert.get_subject().L = "Dortmund"
|
|
cert.get_subject().O = "Dummy Company Ltd"
|
|
cert.get_subject().OU = "Dummy Company Ltd"
|
|
cert.get_subject().CN = "PowerDNS-Admin"
|
|
cert.set_serial_number(1000)
|
|
cert.gmtime_adj_notBefore(0)
|
|
cert.gmtime_adj_notAfter(10*365*24*60*60)
|
|
cert.set_issuer(cert.get_subject())
|
|
cert.set_pubkey(k)
|
|
cert.sign(k, 'sha256')
|
|
|
|
open(CERT_FILE, "bw").write(
|
|
crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
|
|
open(KEY_FILE, "bw").write(
|
|
crypto.dump_privatekey(crypto.FILETYPE_PEM, k)) |