Commit 3e90e6c8 authored by Pavel Spirek

Merge branch 'master' of gitlab.labs.nic.cz:labs/jetconf

parents bd566e8d 4823a559
......@@ -18,20 +18,77 @@ Python 3. Main features:
* Support for NACM_
Requirements
=============
*JetConf* requires Python 3.5 or newer::
$ sudo apt-get install python3
$ sudo apt-get install python3-pip
These requirements should be installed by running *Instalation*
::
colorlog==2.10.0
h2==3.0.1
hpack==2.3.0
hyperframe==5.0.0
pyaml==16.12.2
pytz==2016.10
PyXB==1.2.5
PyYAML==3.12
yangson==1.3.16
Installation
============
*JetConf* can be installed by PyPI:
::
python -m pip install jetconf
$ python3 -m pip install jetconf
Running
============
Running *JetConf*
::
$ jetconf -c <path_to_config_file.yaml>
For development purposes, *JetConf* can also be started directly
from Git repository with run.py script:
::
$ ./run.py -c <path_to_config_file.yaml>
Example configuration (template)
============
In the 'data' folder, there is an example template for
configuring paths, certificates etc.
::
example-config.yaml
In this configuration file, you have to modify all paths to match
your actual file locations.
Note that *JetConf* requires Python 3.5.
Links
=====
* `Git repository`_
* `Documentation`_
.. _RESTCONF: https://tools.ietf.org/html/draft-ietf-netconf-restconf-18
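Review bot: the RST underline for the new "Example configuration (template)" heading is only 12 characters (`============`) under a 32-character title; docutils reports "Title underline too short" for that, so the README will not render cleanly on GitLab or PyPI. Extend it to at least the title width, as the `Requirements` and `Installation` headings already do (the shorter `Running` title over the same 12-character underline is fine). Two smaller points in the same hunk: "Instalation" in the sentence introducing the pinned package list should read "Installation", and the Python 3.5 requirement is now stated twice, once under Requirements and again as the note after the example configuration; one of the two can go.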
......
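Review bot: this region replaces the test CA certificate and, right after it, also carries an RSA private key in the clear, presumably the `ca.key` that `gen_client_cert.sh` and `gen_server_cert.sh` below pass as `-CAkey`. Anyone holding the repository can therefore issue a client certificate whose `emailAddress` maps to any Jetconf username the server recognises, which is exactly the "private key is publicly known" situation the README warning in this commit describes. The replacement itself is an improvement on the visible fields: the old CA certificate was signed with sha1WithRSA and its validity ended on 2017-11-30, while the new one uses sha256WithRSA and runs from 2018-02-07 to 2028-02-05 (decoded from the validity fields of the two PEM blocks). To keep the test-only nature unmistakable at the point of use, consider naming the files `test-ca.*` or keeping them under a test-data directory, and stating in the operator docs that a deployment must generate its own CA and never run with this one.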
......
......@@ -6,5 +6,5 @@ pyaml==16.12.2
pytz==2016.10
PyXB==1.2.5
PyYAML==3.12
yangson==1.3.16
yangson==1.3.26
-e .
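Review bot: `yangson` is bumped from 1.3.16 to 1.3.26 here, but the README hunk above still pins `yangson==1.3.16` in its own copy of this list, so the two will drift; either drop the duplicated list from the README or have it refer readers to `requirements.txt`. The added `-e .` line also means `pip install -r requirements.txt` installs the checkout itself in editable mode, which is convenient for development but surprises anyone who only wanted the dependencies; a separate `requirements-dev.txt` would keep the two intents apart.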
Generating a basic client SSL certificate for testing purposes:
The SSL certificates can be generated using the 'openssl' utility. To partially
automate this task, the 'gen_client_cert.sh' script is provided. This will
issue a new client certificate using the 'CA.pem' as a certification authority.
Note: such certificates are of course not considered trustworthy by common
web browsers and operating systems, they are only suitable for testing.
You can just run the script as follows:
./gen_client_cert.sh <output_filename>
Steps 2 and 3 (creating CSR and signing it) are the only ones that require
a user interaction.
2. Creating CSR:
When requested to enter certificate fields like Country Name or Locality Name,
you can enter any values you want or just use defaults by simply pressing
ENTER key. The only fileld that matters is the 'Email Address', which will be
used as the username by Jetconf server.
Do not enter any 'Challenge password'.
3. Signing CSR:
Enter the following password for test CA private key: ahoj
Now you should have the following files:
output_filename.pem - the client certificate
output_filename.key - the client private key
output_filename_curl.pem - the combination of previous 2 files containing both
certificate and key. Some utilities like CURL expect the client certificate
to be in this combined form.
Generating a basic client SSL certificate for testing purposes
--------------------------------------------------------------------------------
The SSL certificates can be generated using the 'openssl' utility. To automate
this task, the 'gen_client_cert.sh' script is provided. This will issue a new
client certificate using the 'CA.pem' as the certification authority.
Note: such certificates are of course not considered trustworthy by common web
browsers and operating systems, they are only suitable for testing.
To generate a client certificate, just run the provided script as follows:
./gen_client_cert.sh <username>
The issued certificate will have the "emailAddress" DN in the form of
username@mail.cz. This will be used as the username by Jetconf server.
The following files will be generated:
username.pem - the client certificate
username.key - the client private key
username_curl.pem - the concateration of previous 2 files. Some utilities, like
CURL, expect the client certificate in this form.
username.pfx - certificate and private key in PKCS#12 format. Required for
importing into web browsers (Chrome, Firefox, ...).
Generating a server SSL certificate for testing purposes
--------------------------------------------------------------------------------
To generate a new server certificate for Jetconf, which will be in the correct
form and accepted even by the more pedantic web browsers like Chrome, just run
the provided gen_server_cert.sh script in the following way:
./gen_server_cert.sh <out_file_suffix> <domain/ip>
or:
./gen_server_cert.sh <out_file_suffix> <domain/ip> <server_key>
The first form will generate a new server private key, while the second one
lets you to pass the private key file as an argument.
I.e.
./gen_server_cert.sh example example.com
will create a certificate "server_example.crt" for example.com domain with new
private key.
The script will autodetect if the certificate is being issued for a domain
name or an IP address, and sets the appropriate SAN value.
If you want this certificate to be recognized as valid by your web browser,
the issuing CA's certificate needs to be imported to your browser.
WARNING: It is strongly recommended not to import the provided CA's
certificate (ca.pem) to your production browser, as it's private key is
publicly known. If you do so, someone could perform a MITM attack to
any connection with an SSL-protected website.
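Review bot: the new client-certificate section lists `username.pfx` for browser import but omits that its import password is the username itself (the script below creates it with `-password pass:$1`), which is the first thing a user importing into Chrome or Firefox will be asked for; add one line stating it. Wording fixes in the added text: "concateration" should be "concatenation", "lets you to pass" should be "lets you pass", "it's private key" should be "its private key", and "perform a MITM attack to any connection" should be "on any connection". The warning about importing the provided `ca.pem` into a production browser is the right call and worth keeping prominent, since the corresponding private key is versioned in this same commit.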
......@@ -4,16 +4,21 @@ if [ "$1" = "" ]; then
exit 1
fi
echo "\n1. Generating private key:"
echo -e "\n1. Generating private key:"
openssl genrsa -out $1.key 2048
echo "\n2. Generating CSR:"
openssl req -new -key $1.key -out $1.req
echo -e "\n2. Generating CSR:"
openssl req -new -key $1.key -out $1.req -subj "/CN=Test/emailAddress=$1@mail.cz"
echo "\n3. Signing CSR with test CA's key:"
openssl x509 -req -in $1.req -CA ca.pem -CAkey ca.key -days 365 -out $1.pem
echo -e "\n3. Signing CSR with test CA's key:"
openssl x509 -req -in $1.req -CAcreateserial -CA ca.pem -CAkey ca.key -days 3650 -out $1.pem
rm $1.req
echo "\n4. Creating combined $1_curl.pem file containing both certificate and key (for curl etc.):"
echo -e "\n4. Creating $1_curl.pem (concaterated certificate and key for curl etc.):"
cat $1.pem > $1_curl.pem
cat $1.key >> $1_curl.pem
echo -e "\n5. Creating .pfx for web browsers (password: $1):"
openssl pkcs12 -export -out $1.pfx -inkey $1.key -in $1.pem -password pass:$1
echo -e "\nDone"
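Review bot: `$1` is expanded unquoted in every `openssl` call in this hunk (`-out $1.key`, `-subj "/CN=Test/emailAddress=$1@mail.cz"` is the only quoted use), so a username containing whitespace or glob characters splits the command line; quote it as `"$1"` throughout, and since the value ends up in the certificate's `emailAddress`, rejecting anything that is not a plain local-part up front would be reasonable. The new step 5 passes the PKCS#12 password on the command line via `-password pass:$1`, which exposes it to other local users through `ps` and leaves it in shell history; the password equals the username so it offers no real protection anyway, which is acceptable for a test helper but should be said explicitly in the echo line ("password: $1" does that, good). The switch from `echo "\n..."` to `echo -e "\n..."` makes the script depend on bash's `echo`; the shebang is outside this hunk, so confirm it is `#!/bin/bash` and not `#!/bin/sh`, where dash prints the `-e` literally. Finally, `-days 365` becoming `-days 3650` is fine for a test CA but worth a comment so nobody mistakes these for production lifetimes.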
#!/bin/bash
if [ $# -ne 2 ] && [ $# -ne 3 ]; then
echo "Usage:"
echo " $0 <out_file_suffix> <domain/ip>"
echo "or:"
echo " $0 <out_file_suffix> <domain/ip> <server_key>"
echo "I.e. $0 example example.com will create file server_example.crt"
echo "with new private key."
exit 1
fi
# Generate server private key if not passed from the command line
if [ $# -eq 2 ]; then
KEY_FILE=server_$1.key
echo -e "\nGenerating new private key:"
openssl genrsa -out $KEY_FILE 2048
else
KEY_FILE=$3
fi
CSR_CNF_FILE=/tmp/srv.csr.cnf
V3EXT_FILE=/tmp/srv.v3ext
# Prepare temporary configuration file
cat << EOF > $CSR_CNF_FILE
[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
[dn]
CN = $2
EOF
# Prepare temporary v3-extensions file
cat << EOF > $V3EXT_FILE
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
EOF
# Test if certificate is being issued for domain or IP and set a correct SAN
if [[ $2 =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
echo "IP.1 = $2" >> $V3EXT_FILE
else
echo "DNS.1 = $2" >> $V3EXT_FILE
fi
echo -e "\n1. Generating CSR:"
openssl req -new -key $KEY_FILE -out server_$1.csr -sha256 -config $CSR_CNF_FILE
echo -e "\n2. Signing CSR with test CA's key:"
openssl x509 -req -in server_$1.csr -CAcreateserial -CA ca.pem -CAkey ca.key -days 3650 -sha256 -extfile $V3EXT_FILE -out server_$1.crt
rm -f server_$1.csr $CSR_CNF_FILE $V3EXT_FILE
echo -e "\nDone"
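Review bot: the temporary files use fixed, predictable names in a world-writable directory (`CSR_CNF_FILE=/tmp/srv.csr.cnf`, `V3EXT_FILE=/tmp/srv.v3ext`), and the script overwrites them with `cat << EOF > ...` and appends with `>>`; another local user who pre-creates or symlinks those paths can redirect the write, and because the CA signs whatever extensions end up in `$V3EXT_FILE`, the `basicConstraints`, `keyUsage` or SAN values could be swapped between the write and the `openssl x509 -req ... -extfile` step. Use `mktemp` for both files and a `trap ... EXIT` to remove them instead of the trailing `rm -f`. Two smaller points: the SAN detection regex `^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$` only recognises IPv4, so an IPv6 literal is emitted as `DNS.1 = ...` and the certificate will not validate for that address; and for a TLS server certificate the conventional extension set is `keyUsage = digitalSignature, keyEncipherment` together with `extendedKeyUsage = serverAuth` rather than the `nonRepudiation, dataEncipherment` bits written here. `$2` is also unquoted in the `[[ ... ]]` test and the heredoc `CN = $2` line; quoting keeps a hostname with unusual characters from breaking the generated config.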