Ajout auth client par certificat

myPKI.py

@@ -1,102 +1,114 @@
-#!/usr/bin/env python2
-# -*- coding: utf-8 -*-
+import sys, getopt, os
 
-# Todo :
-# - Fix options in command line. -d and -s not working
+def usage():
+    print(' USAGE: ./myPKI.py [OPTIONS]')
+    print(' OPTIONS:')
+    print('\t-A --initall\t-i -g -d -s')
+    print('\t-i --init\tInitialise directorys of PKI')
+    print('\t-g --genca\tGenerate CA root')
+    print('\t-d --gender\tGenerate DER cert for browser know my self-signed cert')
+    print('\t-s --gensign\tGenerate and sign certificate for hosts')
+    print('\t-n --genauth\tGenerate and sign certificate for client authenticationf in .pfx format')
+    print('\t-h --help\tShows this help')
 
+def generate_client_auth_cert():
+    tld = input("=> TLD of your certificate :")
+    client_name = input("=> Client Name :")
 
-import sys, getopt, os
+    # Changement du fichier de config
+    os.system('sed -i "s/DNSCHANGEME/'+ tld +'/" ./config/ca.config')
+    os.system('sed -i "s/Root Certificate/'+ tld +'/" ./config/ca.config')
+
+
+    print("=> Création du certificat client")
+    os.system("openssl genrsa -out ./certificats/" +client_name+ "_" +tld+ ".key 4096")
+    print("[*] " +client_name+"_"+tld+".key is done")
+    os.system('openssl req -new -config config/ca.config -key ./certificats/'+client_name+ '_'  +tld+  '.key  -out ./certificats/'+ client_name +'-remote.csr')
+    print("[*] CSR Request completed  !")
+    os.system('openssl x509 -req -days 3650 -in ./certificats/'+client_name+'-remote.csr -CA ./certificats/ca.crt -CAkey ./certificats/ca.key -set_serial 001 -out ./certificats/'+client_name+'-remote.pem')
+    print("[*] Sign OK")
+    os.system("openssl pkcs12 -export -out ./"+client_name+".full.pfx -inkey ./certificats/"+client_name+'_'+tld+".key -in ./certificats/"+client_name+"-remote.pem -certfile ./certificats/ca.crt")
+    print("[*] Certificate OK")
 
-def usage():
-	print ' USAGE: ./myPKI.py [OPTIONS]'
-	print
-	print ' OPTIONS:'
-	print '\t-A --initall\t-i -g -d -s'
-	print '\t-i --init\tInitialise directorys of PKI'
-	print '\t-g --genca\tGenerate CA root'
-	print '\t-d --gender\tGenerate DER cert for browser'
-	print '\t-s --gensign\tGenerate and sign certificate'
-	print '\t-h --help\tShows this help'
-    
 
 def generate_sign():
-	tld = raw_input("=> TLD of your certificate :")
-	ip_addr = raw_input("=> IPv4 :")
-
-	# Changement du fichier de config
-	os.system('sed -i "s/DNSCHANGEME/'+ tld +'/" ./config/ca.config')
-	os.system('sed -i "s/0.0.0.0/'+ ip_addr +'/" ./config/ca.config')
-	os.system('sed -i "s/Root Certificate/'+ tld +'/" ./config/ca.config')
-	
-	# Création des certificats
-	os.system("openssl genrsa -out ./certificats/"+tld+".key 4096")
-	os.system("openssl req -days 3000 -new -config config/ca.config -key ./certificats/"+tld+".key -out certificats/"+tld+".csr")
-	os.system("openssl ca -out "+tld+".crt -config config/ca.config -infiles certificats/"+tld+".csr ")
-	
-	# On restaure ca.config d'origine
-	os.system('sed -i "s/'+ tld +'/DNSCHANGEME/" ./config/ca.config')
-	os.system('sed -i "s/'+ ip_addr +'/0.0.0.0/" ./config/ca.config')
-	os.system('sed -i "s/'+ tld +'/Root Certificate/" ./config/ca.config')
-
-	print "[*] Certificate Signed !"
+    tld = input("=> TLD of your certificate :")
+    ip_addr = input("=> IPv4 :")
+
+    # Changement du fichier de config
+    os.system('sed -i "s/DNSCHANGEME/'+ tld +'/" ./config/ca.config')
+    os.system('sed -i "s/0.0.0.0/'+ ip_addr +'/" ./config/ca.config')
+    os.system('sed -i "s/Root Certificate/'+ tld +'/" ./config/ca.config')
+
+    # Création des certificats
+    os.system("openssl genrsa -out ./certificats/"+tld+".key 4096")
+    os.system("openssl req -days 3650 -new -config config/ca.config -key ./certificats/"+tld+".key -out certificats/"+tld+".csr")
+    os.system("openssl ca -out "+tld+".crt -config config/ca.config -infiles certificats/"+tld+".csr ")
+
+    # On restaure ca.config d'origine
+    os.system('sed -i "s/'+ tld +'/DNSCHANGEME/" ./config/ca.config')
+    os.system('sed -i "s/'+ ip_addr +'/0.0.0.0/" ./config/ca.config')
+    os.system('sed -i "s/'+ tld +'/Root Certificate/" ./config/ca.config')
+
+    print("[*] Certificate Signed !")
 
 
 def generate_der():
-	os.system("openssl x509 -in certificats/ca.crt -outform DER -out certificats/ca.der")
-	print "[*] Put public CA ./certificats/ca.der on all browser you see !"
-    
+    os.system("openssl x509 -in certificats/ca.crt -outform DER -out certificats/ca.der")
+    print("[*] Put public CA ./certificats/ca.der on all browser you see !")
+
 def generate_ca():
-	if not os.path.isfile("./certificats/ca.key"):
-		os.system("openssl genrsa -out ./certificats/ca.key 4096")
-		os.system("openssl req -utf8 -new -x509 -days 3000 -config ./config/ca.config -key ./certificats/ca.key -out ./certificats/ca.crt")
-		print "[*] CA Certificate done !"
-	else:
-		print "[x] CA Certificate already exist..."
-		
+    if not os.path.isfile("./certificats/ca.key"):
+        os.system("openssl genrsa -out ./certificats/ca.key 4096")
+        os.system("openssl req -utf8 -new -x509 -days 3000 -config ./config/ca.config -key ./certificats/ca.key -out ./certificats/ca.crt")
+        print("[*] CA Certificate done !")
+    else:
+        print("[x] CA Certificate already exist...")
 
-def init_dir():
-	if not os.path.exists("./db/ca.db.certs"):
-		print "[*] Creating directories"
-		os.makedirs("./db/ca.db.certs")
-		os.makedirs("./config")
-		os.makedirs("./certificats")
-		os.system("echo '01'> ./db/ca.db.serial")
-		os.system("cp /dev/null ./db/ca.db.index")
-		os.system("cp ./ca.config.sample ./config/ca.config")
-		os.system("touch ./db/ca.db.index.attr")
 
+def init_dir():
+    if not os.path.exists("./db/ca.db.certs"):
+        print("[*] Creating directories")
+        os.makedirs("./db/ca.db.certs")
+        os.makedirs("./config")
+        os.makedirs("./certificats")
+        os.system("echo '01'> ./db/ca.db.serial")
+        os.system("cp /dev/null ./db/ca.db.index")
+        os.system("cp ./ca.config.sample ./config/ca.config")
+        os.system("touch ./db/ca.db.index.attr")
+    else:
+        print("[x] Directorys already exist")
 
-	else:
-		print "[x] Directorys already exist"
-	
 
 def main():
-	try:
-		opts, args = getopt.getopt(sys.argv[1:], "Ahigds", ["initall", "help", "init", "genca", "gender", "gensign"])
-		
-		for o, a in opts:
-			if o in ("--help"):
-				usage()
-				sys.exit()
-			elif o in ("--genca"):
-				generate_ca()
-			elif o in ("--init"):
-				init_dir()
-			elif o in ("--gender"):
-				generate_der()
-			elif o in ("--gensign"):
-				generate_sign()
-			elif o in ("--initall"):
-				init_dir()
-				generate_ca()
-				generate_der()
-				generate_sign()
-		sys.exit()
-
-	except getopt.GetoptError, err:
-		sys.stderr.write(str(err))
-		usage()
-		sys.exit(2)            
+    try:
+        opts, args = getopt.getopt(sys.argv[1:], "Ahigdsn", ["initall", "help", "init", "genca", "gender", "gensign", "genauth"])
+
+        for o, a in opts:
+            if o in ("--help"):
+                usage()
+                sys.exit()
+            elif o in ("--genca"):
+                generate_ca()
+            elif o in ("--init"):
+                init_dir()
+            elif o in ("--gender"):
+                generate_der()
+            elif o in ("--gensign"):
+                generate_sign()
+            elif o in ("--genauth"):
+                generate_client_auth_cert()
+            elif o in ("--initall"):
+                init_dir()
+                generate_ca()
+                generate_der()
+                generate_sign()
+                sys.exit()
+
+    except getopt.GetoptError as err:
+        sys.stderr.write(str(err))
+        usage()
+        sys.exit(2)
 
 if __name__ == "__main__":
-	main()
+    main()