# coding=utf-8
import os
-import httplib
+import re
+import http.client
import base64
import time
import zipfile
import subprocess
import logging
+
log_file = '/opt/opendaylight/data/log/installCerts.log'
+with open(os.path.join('/opt/opendaylight/data/log', 'installCerts.log'), 'w') as fp:
+ pass
+
log_format = "%(asctime)s - %(name)s - %(levelname)s - %(message)s"
logging.basicConfig(filename=log_file,level=logging.DEBUG,filemode='w',format=log_format)
-Path = os.environ['ODL_CERT_DIR']
+Path = "/tmp"
zipFileList = []
INTERVAL=30
timePassed=0
-postKeystore= "/restconf/operations/netconf-keystore:add-keystore-entry"
-postPrivateKey= "/restconf/operations/netconf-keystore:add-private-key"
-postTrustedCertificate= "/restconf/operations/netconf-keystore:add-trusted-certificate"
+postKeystore= "/rests/operations/netconf-keystore:add-keystore-entry"
+postPrivateKey= "/rests/operations/netconf-keystore:add-private-key"
+postTrustedCertificate= "/rests/operations/netconf-keystore:add-trusted-certificate"
+
+truststore_pass_file = Path + '/truststore.pass'
+truststore_file = Path + '/truststore.jks'
+
+keystore_pass_file = Path + '/keystore.pass'
+keystore_file = Path + '/keystore.jks'
+
+jks_files = [truststore_pass_file, keystore_pass_file, keystore_file, truststore_file]
-cadi_file = '.pass'
odl_port = 8181
-headers = {'Authorization':'Basic %s' % base64.b64encode(username + ":" + password),
+cred_string = username + ":" + password
+headers = {'Authorization':'Basic %s' % base64.b64encode(cred_string.encode()).decode(),
'X-FromAppId': 'csit-sdnc',
'X-TransactionId': 'csit-sdnc',
'Accept':"application/json",
- 'Content-type':"application/json"}
+ 'Content-type':"application/yang-data+json"}
+
def readFile(folder, file):
key = open(Path + "/" + folder + "/" + file, "r")
fileRead = "\n".join(fileRead.splitlines()[1:-1])
return fileRead
+
def readTrustedCertificate(folder, file):
listCert = list()
caPem = ""
caPem = ""
return listCert
+
def makeKeystoreKey(clientKey, count):
- odl_private_key="ODL_private_key_%d" %count
+ odl_private_key = "ODL_private_key_%d" %count
json_keystore_key='{{\"input\": {{ \"key-credential\": {{\"key-id\": \"{odl_private_key}\", \"private-key\" : ' \
'\"{clientKey}\",\"passphrase\" : \"\"}}}}}}'.format(
return json_keystore_key
-
def makePrivateKey(clientKey, clientCrt, certList, count):
caPem = ""
if certList:
return json_private_key
+
def makeTrustedCertificate(certList, count):
number = 0
json_cert_format = ""
else:
logging.debug("Response :%s Reason :%s ",res.status, res.reason)
+
def extractZipFiles(zipFileList, count):
for zipFolder in zipFileList:
with zipfile.ZipFile(Path + "/" + zipFolder.strip(),"r") as zip_ref:
folder = zipFolder.rsplit(".")[0]
processFiles(folder, count)
+
def processFiles(folder, count):
for file in os.listdir(Path + "/" + folder):
if os.path.isfile(Path + "/" + folder + "/" + file.strip()):
shutil.rmtree(Path + "/" + folder)
post_content(clientKey, clientCrt, certList, count)
+
def post_content(clientKey, clientCrt, certList, count):
- conn = httplib.HTTPConnection("localhost",odl_port)
+ conn = http.client.HTTPConnection("localhost",odl_port)
+
if clientKey:
json_keystore_key = makeKeystoreKey(clientKey, count)
logging.debug("Posting private key in to ODL keystore")
# WAIT 10 minutes maximum and test every 30 seconds if HealthCheck API is returning 200
while timePassed < TIMEOUT:
try:
- conn = httplib.HTTPConnection("localhost",odl_port)
- req = conn.request("POST", "/restconf/operations/SLI-API:healthcheck",headers=headers)
+ conn = http.client.HTTPConnection("localhost",odl_port)
+ req = conn.request("POST", "/rests/operations/SLI-API:healthcheck",headers=headers)
res = conn.getresponse()
res.read()
if res.status == 200:
timePassed = timePassed + INTERVAL
return timePassed
-def get_cadi_password():
+
+def get_pass(file_name):
try:
- with open(Path + '/' + cadi_file , 'r') as file_obj:
- cadi_pass = file_obj.read().split('=', 1)[1].strip()
- return cadi_pass
+ with open(file_name, 'r') as file_obj:
+ password = file_obj.read().strip()
+ return "'{}'".format(password)
except Exception as e:
logging.error("Error occurred while fetching password : %s", e)
exit()
+
def cleanup():
- for file in os.listdir(Path):
- if os.path.isfile(Path + '/' + file):
- logging.debug("Cleaning up the file %s", Path + '/'+ file)
- os.remove(Path + '/'+ file)
+ for file in jks_files:
+ if os.path.isfile(file):
+ logging.debug("Cleaning up the file %s", file)
+ os.remove(file)
-def extract_content(file, password, count):
+
+def jks_to_p12(file, password):
+ """Converts jks format into p12"""
try:
- certList = []
- key = None
- cert = None
- if (file.endswith('.jks')):
- p12_file = file.replace('.jks', '.p12')
- jks_cmd = 'keytool -importkeystore -srckeystore {src_file} -destkeystore {dest_file} -srcstoretype JKS -srcstorepass {src_pass} -deststoretype PKCS12 -deststorepass {dest_pass}'.format(src_file=file, dest_file=p12_file, src_pass=password, dest_pass=password)
- logging.debug("Converting %s into p12 format", file)
- os.system(jks_cmd)
- file = p12_file
-
- clcrt_cmd = 'openssl pkcs12 -in {src_file} -clcerts -nokeys -passin pass:{src_pass}'.format(src_file=file, src_pass=password)
- clkey_cmd = 'openssl pkcs12 -in {src_file} -nocerts -nodes -passin pass:{src_pass}'.format(src_file=file, src_pass=password)
- trust_file = file.split('/')[2] + '.trust'
- trustCerts_cmd = 'openssl pkcs12 -in {src_file} -out {out_file} -cacerts -nokeys -passin pass:{src_pass} '.format(src_file=file, out_file=Path + '/' + trust_file, src_pass=password)
-
- result_key = subprocess.check_output(clkey_cmd , shell=True)
- if result_key:
- key = result_key.split('-----BEGIN PRIVATE KEY-----', 1)[1].lstrip().split('-----END PRIVATE KEY-----')[0]
-
- os.system(trustCerts_cmd)
- if os.path.exists(Path + '/' + trust_file):
- certList = readTrustedCertificate(Path, trust_file)
-
- result_crt = subprocess.check_output(clcrt_cmd , shell=True)
- if result_crt:
- cert = result_crt.split('-----BEGIN CERTIFICATE-----', 1)[1].lstrip().split('-----END CERTIFICATE-----')[0]
- """
- To-do: Posting the key, cert, certList might need modification
- based on how AAF distributes the files.
-
- """
- post_content(key, cert, certList, count)
+ p12_file = file.replace('.jks', '.p12')
+ jks_cmd = 'keytool -importkeystore -srckeystore {src_file} -destkeystore {dest_file} -srcstoretype JKS -srcstorepass {src_pass} -deststoretype PKCS12 -deststorepass {dest_pass}'.format(src_file=file, dest_file=p12_file, src_pass=password, dest_pass=password)
+ logging.debug("Converting %s into p12 format", file)
+ os.system(jks_cmd)
+ file = p12_file
+ return file
except Exception as e:
- logging.error("Error occurred while processing the file %s : %s", file,e)
-
-def lookforfiles():
- count = 0
- for file in os.listdir(Path):
- if (file.endswith(('.p12', '.jks'))):
- if os.path.exists(Path + '/' + cadi_file):
- cert_password = get_cadi_password()
- logging.debug("Extracting contents from the file %s", file)
- extract_content(Path + '/' + file, cert_password, count)
- count += 1
- else:
- logging.error("Cadi password file %s not present under cert directory", cadi_file)
- exit()
- if count > 0:
- cleanup()
+ logging.error("Error occurred while converting jks to p12 format : %s", e)
+
+
+def make_cert_chain(cert_chain, pattern):
+ cert_list = []
+ if cert_chain:
+ matches = re.findall(pattern, cert_chain, re.DOTALL | re.MULTILINE)
+ for cert in matches:
+ cert_list.append(cert.strip())
+ return cert_list
else:
- logging.debug("No jks/p12 files found under cert directory %s", Path)
+ logging.debug(" Certificate Chain empty: %s " % cert_chain)
+
+
+def process_jks_files(count):
+ ca_cert_list = []
+ logging.info("Processing JKS files found in %s directory " % Path)
+ try:
+ if all([os.path.isfile(f) for f in jks_files]):
+ keystore_pass = get_pass(keystore_pass_file)
+ keystore_file_p12 = jks_to_p12(keystore_file, keystore_pass)
+
+ client_key_cmd = 'openssl pkcs12 -in {src_file} -nocerts -nodes -passin pass:{src_pass}'.format(
+ src_file=keystore_file_p12, src_pass=keystore_pass)
+ client_crt_cmd = 'openssl pkcs12 -in {src_file} -clcerts -nokeys -passin pass:{src_pass}'.format(
+ src_file=keystore_file_p12, src_pass=keystore_pass)
+
+ truststore_pass = get_pass(truststore_pass_file)
+ truststore_p12 = jks_to_p12(truststore_file, truststore_pass)
+
+ trust_cert_cmd = 'openssl pkcs12 -in {src_file} -cacerts -nokeys -passin pass:{src_pass} '.format(
+ src_file=truststore_p12, src_pass=truststore_pass)
+
+ key_pattern = r'(?<=-----BEGIN PRIVATE KEY-----).*?(?=-----END PRIVATE KEY-----)'
+ client_key = subprocess.check_output(client_key_cmd, shell=True)
+ if client_key:
+ client_key = make_cert_chain(client_key, key_pattern)[0]
+ logging.debug("Key Ok")
+
+ cert_pattern = r'(?<=-----BEGIN CERTIFICATE-----).*?(?=-----END CERTIFICATE-----)'
+ client_cert = subprocess.check_output(client_crt_cmd, shell=True)
+ if client_cert:
+ client_cert = make_cert_chain(client_cert, cert_pattern)[0]
+ logging.debug("Client Cert Ok")
+
+ ca_cert = subprocess.check_output(trust_cert_cmd, shell=True)
+ if ca_cert:
+ ca_cert_list = make_cert_chain(ca_cert, cert_pattern)
+ logging.debug("CA Cert Ok")
+
+ if client_key and client_cert and ca_cert:
+ post_content(client_key, client_cert, ca_cert_list, count)
+ else:
+ logging.debug("No JKS files found in %s directory" % Path)
+ except subprocess.CalledProcessError as err:
+ print("CalledProcessError Execution of OpenSSL command failed: %s" % err)
+ except Exception as e:
+ logging.error("UnExpected Error while processing JKS files at {0}, Caused by: {1}".format(Path, e))
def readCertProperties():
+ '''
+ This function searches for manually copied zip file
+ containing certificates. This is required as part
+ of backward compatibility.
+ If not foud, it searches for jks certificates.
+ '''
connected = makeHealthcheckCall(headers, timePassed)
if connected:
count += 1
del zipFileList[:]
else:
- logging.debug("No zipfiles present under cert directory")
+ logging.debug("No certs.properties/zip files exist at: " + Path)
+ process_jks_files(count)
- logging.info("Looking for jks/p12 files under cert directory")
- lookforfiles()
readCertProperties()