From ea32d1c99ff79d26bf2382dc61d51ced3c2e7a4a Mon Sep 17 00:00:00 2001 From: esobmar Date: Fri, 13 Mar 2020 16:37:04 +0000 Subject: [PATCH] Add support for jks cert fomat Change-Id: I8f977566f07700beab8d843755e92a7614208834 Issue-ID: SDNC-991 Signed-off-by: esobmar Change-Id: I48423a5cdc5ae153d6ee65124b759737dc39a2c4 (cherry picked from commit fe50ba26235d73de9e84fe425fc40f6fa3abcda4 [formerly 9501cfe3a5d9b0de082016003b617f16840e84f1]) Former-commit-id: ed5cdd176a3960a1f07d8f9bd8417175d1a15b8d --- installation/sdnc/src/main/scripts/installCerts.py | 122 +++++++++++++-------- 1 file changed, 79 insertions(+), 43 deletions(-) diff --git a/installation/sdnc/src/main/scripts/installCerts.py b/installation/sdnc/src/main/scripts/installCerts.py index 42763f4b..8135f600 100644 --- a/installation/sdnc/src/main/scripts/installCerts.py +++ b/installation/sdnc/src/main/scripts/installCerts.py @@ -46,7 +46,14 @@ postKeystore= "/restconf/operations/netconf-keystore:add-keystore-entry" postPrivateKey= "/restconf/operations/netconf-keystore:add-private-key" postTrustedCertificate= "/restconf/operations/netconf-keystore:add-trusted-certificate" -cadi_file = '.pass' +truststore_pass_file = Path + '/truststore.pass' +truststore_file = Path + '/truststore.jks' + +keystore_pass_file = Path + '/keystore.pass' +keystore_file = Path + '/keystore.jks' + +jks_files = [truststore_pass_file, keystore_pass_file, keystore_file, truststore_file] + odl_port = 8181 headers = {'Authorization':'Basic %s' % base64.b64encode(username + ":" + password), 'X-FromAppId': 'csit-sdnc', @@ -54,6 +61,7 @@ headers = {'Authorization':'Basic %s' % base64.b64encode(username + ":" + passwo 'Accept':"application/json", 'Content-type':"application/json"} + def readFile(folder, file): key = open(Path + "/" + folder + "/" + file, "r") fileRead = key.read() @@ -61,6 +69,7 @@ def readFile(folder, file): fileRead = "\n".join(fileRead.splitlines()[1:-1]) return fileRead + def readTrustedCertificate(folder, file): listCert = list() caPem = "" @@ -78,8 +87,9 @@ def readTrustedCertificate(folder, file): caPem = "" return listCert + def makeKeystoreKey(clientKey, count): - odl_private_key="ODL_private_key_%d" %count + odl_private_key = "ODL_private_key_%d" %count json_keystore_key='{{\"input\": {{ \"key-credential\": {{\"key-id\": \"{odl_private_key}\", \"private-key\" : ' \ '\"{clientKey}\",\"passphrase\" : \"\"}}}}}}'.format( @@ -89,7 +99,6 @@ def makeKeystoreKey(clientKey, count): return json_keystore_key - def makePrivateKey(clientKey, clientCrt, certList, count): caPem = "" if certList: @@ -107,6 +116,7 @@ def makePrivateKey(clientKey, clientCrt, certList, count): return json_private_key + def makeTrustedCertificate(certList, count): number = 0 json_cert_format = "" @@ -132,6 +142,7 @@ def makeRestconfPost(conn, json_file, apiCall): else: logging.debug("Response :%s Reason :%s ",res.status, res.reason) + def extractZipFiles(zipFileList, count): for zipFolder in zipFileList: with zipfile.ZipFile(Path + "/" + zipFolder.strip(),"r") as zip_ref: @@ -139,6 +150,7 @@ def extractZipFiles(zipFileList, count): folder = zipFolder.rsplit(".")[0] processFiles(folder, count) + def processFiles(folder, count): for file in os.listdir(Path + "/" + folder): if os.path.isfile(Path + "/" + folder + "/" + file.strip()): @@ -153,8 +165,10 @@ def processFiles(folder, count): shutil.rmtree(Path + "/" + folder) post_content(clientKey, clientCrt, certList, count) + def post_content(clientKey, clientCrt, certList, count): conn = httplib.HTTPConnection("localhost",odl_port) + if clientKey: json_keystore_key = makeKeystoreKey(clientKey, count) logging.debug("Posting private key in to ODL keystore") @@ -200,77 +214,98 @@ def timeIncrement(timePassed): timePassed = timePassed + INTERVAL return timePassed -def get_cadi_password(): + +def get_pass(file_name): try: - with open(Path + '/' + cadi_file , 'r') as file_obj: - cadi_pass = file_obj.read().split('=', 1)[1].strip() - return cadi_pass + with open(file_name , 'r') as file_obj: + password = file_obj.read().strip() + return password except Exception as e: logging.error("Error occurred while fetching password : %s", e) exit() + def cleanup(): for file in os.listdir(Path): if os.path.isfile(Path + '/' + file): logging.debug("Cleaning up the file %s", Path + '/'+ file) os.remove(Path + '/'+ file) -def extract_content(file, password, count): + +def jks_to_p12(file, password): + """Converts jks format into p12""" + try: + p12_file = file.replace('.jks', '.p12') + jks_cmd = 'keytool -importkeystore -srckeystore {src_file} -destkeystore {dest_file} -srcstoretype JKS -srcstorepass {src_pass} -deststoretype PKCS12 -deststorepass {dest_pass}'.format(src_file=file, dest_file=p12_file, src_pass=password, dest_pass=password) + logging.debug("Converting %s into p12 format", file) + os.system(jks_cmd) + file = p12_file + return file + except Exception as e: + logging.error("Error occurred while converting jks to p12 format : %s", e) + + +def extract_content(): + """Extracts client key, certificates, CA certificates.""" try: certList = [] key = None cert = None - if (file.endswith('.jks')): - p12_file = file.replace('.jks', '.p12') - jks_cmd = 'keytool -importkeystore -srckeystore {src_file} -destkeystore {dest_file} -srcstoretype JKS -srcstorepass {src_pass} -deststoretype PKCS12 -deststorepass {dest_pass}'.format(src_file=file, dest_file=p12_file, src_pass=password, dest_pass=password) - logging.debug("Converting %s into p12 format", file) - os.system(jks_cmd) - file = p12_file - - clcrt_cmd = 'openssl pkcs12 -in {src_file} -clcerts -nokeys -passin pass:{src_pass}'.format(src_file=file, src_pass=password) - clkey_cmd = 'openssl pkcs12 -in {src_file} -nocerts -nodes -passin pass:{src_pass}'.format(src_file=file, src_pass=password) - trust_file = file.split('/')[2] + '.trust' - trustCerts_cmd = 'openssl pkcs12 -in {src_file} -out {out_file} -cacerts -nokeys -passin pass:{src_pass} '.format(src_file=file, out_file=Path + '/' + trust_file, src_pass=password) + + truststore_pass = get_pass(truststore_pass_file) + truststore_file_p12 = jks_to_p12(truststore_file, truststore_pass) + + keystore_pass = get_pass(keystore_pass_file) + keystore_file_p12 = jks_to_p12(keystore_file, keystore_pass) + + clcrt_cmd = 'openssl pkcs12 -in {src_file} -clcerts -nokeys -passin pass:{src_pass}'.format(src_file=keystore_file_p12, src_pass=keystore_pass) + + clkey_cmd = 'openssl pkcs12 -in {src_file} -nocerts -nodes -passin pass:{src_pass}'.format(src_file=keystore_file_p12, src_pass=keystore_pass) + trust_file = truststore_file_p12.split('/')[2] + '.trust' + + trustCerts_cmd = 'openssl pkcs12 -in {src_file} -out {out_file} -cacerts -nokeys -passin pass:{src_pass} '.format(src_file=truststore_file_p12, out_file=Path + '/' + trust_file, src_pass=truststore_pass) result_key = subprocess.check_output(clkey_cmd , shell=True) if result_key: key = result_key.split('-----BEGIN PRIVATE KEY-----', 1)[1].lstrip().split('-----END PRIVATE KEY-----')[0] + logging.debug("key ok") os.system(trustCerts_cmd) if os.path.exists(Path + '/' + trust_file): certList = readTrustedCertificate(Path, trust_file) + logging.debug("certList ok") result_crt = subprocess.check_output(clcrt_cmd , shell=True) if result_crt: cert = result_crt.split('-----BEGIN CERTIFICATE-----', 1)[1].lstrip().split('-----END CERTIFICATE-----')[0] - """ - To-do: Posting the key, cert, certList might need modification - based on how AAF distributes the files. + logging.debug("cert ok") + + if key and cert and certList: + post_content(key, cert, certList, 0) + else: + logging.debug("Exiting. Key, cert or key are missing") + return - """ - post_content(key, cert, certList, count) except Exception as e: - logging.error("Error occurred while processing the file %s : %s", file,e) + logging.error("Error occurred while processing the file: %s", e) -def lookforfiles(): - count = 0 - for file in os.listdir(Path): - if (file.endswith(('.p12', '.jks'))): - if os.path.exists(Path + '/' + cadi_file): - cert_password = get_cadi_password() - logging.debug("Extracting contents from the file %s", file) - extract_content(Path + '/' + file, cert_password, count) - count += 1 - else: - logging.error("Cadi password file %s not present under cert directory", cadi_file) - exit() - if count > 0: + +def look_for_jks_files(): + if all([os.path.isfile(f) for f in jks_files]): + extract_content() cleanup() else: - logging.debug("No jks/p12 files found under cert directory %s", Path) + logging.debug("Some of the files are missing") + return def readCertProperties(): + ''' + This function searches for manually copied zip file + containing certificates. This is required as part + of backward compatibility. + If not foud, it searches for jks certificates. + ''' connected = makeHealthcheckCall(headers, timePassed) if connected: @@ -285,9 +320,10 @@ def readCertProperties(): count += 1 del zipFileList[:] else: - logging.debug("No zipfiles present under cert directory") + logging.debug("No zipfiles present in folder " + Path) + + logging.info("Looking for jks files in folder " + Path) + look_for_jks_files() - logging.info("Looking for jks/p12 files under cert directory") - lookforfiles() -readCertProperties() +readCertProperties() \ No newline at end of file -- 2.16.6