########################################################################
# (c) by Michael Stroeder, michael@stroeder.com
########################################################################
########################################################################
# This simple script generates an LDIF file containing all CA certs
########################################################################
import sys, string, os, getopt, types, shutil
def findoption(options,paramname):
    """Look up *paramname* among the (option, value) pairs getopt returned.

    The body is missing from this listing.  Callers below test the result
    against () and take element [1] as the option's value, so presumably it
    returns the matching (option, value) pair, or () when absent -- confirm.
    """
def PrintUsage(ErrorMsg='',ErrorCode=1):
    """Write the usage text, then an 'Error: ...' line, to stderr.

    ErrorMsg:  text written after the usage message.  In the lines visible
               here it is written unconditionally, so a call without a
               message still produces an 'Error: ' line.
    ErrorCode: not referenced in the visible lines; presumably handed to
               sys.exit() in a line missing from this listing -- confirm.

    NOTE(review): the listing skips lines inside the usage text below, so the
    option list shown is incomplete (the --crl option accepted by getopt is
    not described in what survives), and the second %s consumed by the
    format tuple sits in one of the missing lines.
    """
    # Last path component of argv[0], used in the banner (Python 2 string module).
    script_name = string.split(sys.argv[0],os.sep)[-1]
    # The continuation lines of this triple-quoted literal are string content
    # and stay at column 0.
    sys.stderr.write("""*** %s *** (C) by Michael Stroeder, 1999
Print out this message
Pathname of OpenSSL configuration file.
Default: /etc/openssl/openssl.cnf
Specify directory containing the pyCA modules
Default: /usr/local/pyca/pylib
Pathname of LDIF file for output
--dntemplate=[Python dict string]
A Python string used as template for building LDAP
Distinguished Names E.g. cn=%%(CN)s,ou=TestCA,o=My company,c=DE
""" % (script_name,script_name))
    # Written even when ErrorMsg is empty (see docstring).
    sys.stderr.write('Error: %s\n' % ErrorMsg)
# ---------------------------------------------------------------------------
# Main script (module-level code).  NOTE(review): this listing has lost all
# indentation and is missing many lines -- the try:/else:/except: lines that
# open the blocks below, the pickle load(f) and f.close(), the initialisation
# of ca_dn_dict, and whatever follows the fatal warnings (sys.exit?).  The
# comments below describe only what the surviving lines show.
# ---------------------------------------------------------------------------
script_name=sys.argv[0]
# Option parsing: one short option (-h) plus the long options listed here.
# The try: wrapping this call is not in the listing.
options,args=getopt.getopt(sys.argv[1:],'h',['help','config=','pycalib=','out=','dntemplate=','crl'])
# Python 2 except syntax; the handler body (presumably a PrintUsage call) is missing here.
except getopt.error,e:
# findoption() yields () for an absent option, so != () means "given".
if findoption(options,'-h')!=() or findoption(options,'--help')!=():
# NOTE(review): script_name is passed as ErrorMsg, so the help output ends with
# 'Error: <script path>'.  PrintUsage() with no argument looks like the intent -- confirm.
PrintUsage(script_name)
# OpenSSL config path: --config, else $OPENSSL_CONF, else the built-in default.
# (The else: line between the two assignments is missing from the listing.)
if findoption(options,'--config')!=():
opensslcnfname = findoption(options,'--config')[1]
opensslcnfname = os.environ.get('OPENSSL_CONF','/etc/openssl/openssl.cnf')
if not os.path.isfile(opensslcnfname):
PrintUsage('Config file %s not found.' % (opensslcnfname))
# pyCA module directory: --pycalib, else $PYCALIB, else the built-in default.
if findoption(options,'--pycalib')!=():
pycalib = findoption(options,'--pycalib')[1]
pycalib = os.environ.get('PYCALIB','/usr/local/pyca/pylib')
if not os.path.exists(pycalib) or not os.path.isdir(pycalib):
PrintUsage('Module directory %s does not exist or is no directory.' % (pycalib))
# The directory is appended to the import path.  It comes from the command line
# or an environment variable, so whatever modules it holds are imported and run
# as the invoking user: keep it writable only by the CA operator.
sys.path.append(pycalib)
# pyCA modules (the try: line above and the except ImportError: line below are missing).
import openssl, charset, ldif, ldapbase
PrintUsage('Required pyCA modules not found in directory %s!' % (pycalib))
# Read the configuration file
if os.path.isfile('%s.pickle' % (opensslcnfname)):
# Try to read OpenSSL's config file from a pickled copy
f=open('%s.pickle' % (opensslcnfname),'rb')
# first try to use the faster cPickle module
from cPickle import load
# (except ImportError: line missing)
from pickle import load
# NOTE(review): the load(f) call and f.close() are not in the listing.  Unpickling
# executes whatever the file encodes, so the .pickle cache is only as trustworthy
# as the permissions on the directory holding the config file: it must not be
# writable by anyone other than the CA operator.
# Parse OpenSSL's config file from source
opensslcnf=openssl.cnf.OpenSSLConfigClass(opensslcnfname)
# --crl flag; not referenced again in the visible lines (possibly in a missing one).
create_crls = findoption(options,'--crl')!=()
# The [pyca] config section supplies the OpenSSL binary path.
pyca_section = opensslcnf.data.get('pyca',{})
openssl.bin_filename = pyca_section.get('OpenSSLExec','/usr/local/ssl/bin/openssl')
if not os.path.isfile(openssl.bin_filename):
# Only a warning is visible; whether the script exits here is not shown.
sys.stderr.write('Did not find OpenSSL executable %s.\n' % (openssl.bin_filename))
# Output: the --out file (never closed in the visible lines) or stdout.
if findoption(options,'--out')!=():
ldiffile = open(findoption(options,'--out')[1],'w')
ldiffile = sys.stdout
# DN template, %(key)s-substituted with the certificate subject's attributes.
if findoption(options,'--dntemplate')!=():
dntemplate = findoption(options,'--dntemplate')[1]
dntemplate = r'cn=%(CN)s'
# One LDIF entry per [ca] section of the config.
ca_names = opensslcnf.sectionkeys.get('ca',[])
# NOTE(review): ca_dn_dict is used below but its initialisation is missing from the listing.
for ca_name in ca_names:
ca = opensslcnf.getcadata(ca_name)
if os.path.isfile(ca.certificate):
cacert = openssl.cert.X509CertificateClass(ca.certificate)
# Build the DN from the subject; judging by the helper names the text is
# converted T.61 -> ISO -> UTF-8.  If subject is a mapping, a template key it
# lacks raises KeyError -- no handler is visible here.
ca_dn = charset.iso2utf(charset.t612iso(dntemplate % (cacert.subject)))
# Two CAs mapping to the same DN: warn, then the later one overwrites the entry.
if ca_dn_dict.has_key(ca_dn):
sys.stderr.write('Warning: DN of %s conflicts with %s.\n' % (ca_name,ca_dn_dict[ca_dn]))
ca_dn_dict[ca_dn]=ca_name
# Emit the entry only if the DN matches the pyCA DN regex.
if ldapbase.dn_regex.match(ca_dn):
ca_entry = {'objectclass':['top','certificationAuthority']}
# DER-encoded certificate.
ca_entry['cACertificate;binary'] = [cacert.readcertfile('der')]
# The same DER CRL is stored under both the CRL and the ARL attribute.
if os.path.isfile(ca.crl):
cacrl = openssl.cert.CRLClass(ca.crl)
ca_entry['certificateRevocationList;binary'] = [cacrl.readcertfile('der')]
ca_entry['authorityRevocationList;binary'] = [cacrl.readcertfile('der')]
sys.stderr.write('Warning: CRL file %s not found.\n' % (ca.crl))
# Assigned but never read in the visible lines (likewise the *_binary assignments below).
certificateRevocationList_binary=''
# The third argument presumably names the attributes to base64-encode;
# authorityRevocationList;binary is set above but is not in that list -- verify.
ldiffile.write(ldif.CreateLDIF(ca_dn,ca_entry,['cACertificate;binary','certificateRevocationList;binary']))
sys.stderr.write('Warning: DN "%s" is not a valid DN.\nCheck parameter --dntemplate="%s".\n' % (ca_dn,dntemplate))
cACertificate_binary=''
sys.stderr.write('Warning: CA certificate file %s not found.\n' % (ca.certificate))
cACertificate_binary=''