Revision 0aee8ee9 lib/client/gnt_cluster.py
b/lib/client/gnt_cluster.py | ||
672 | 672 |
ToStdout("%s %s", path, tag) |
673 | 673 |
|
674 | 674 |
|
675 |
def _ReadAndVerifyCert(cert_filename, verify_private_key=False): |
|
676 |
"""Reads and verifies an X509 certificate. |
|
677 |
|
|
678 |
@type cert_filename: string |
|
679 |
@param cert_filename: the path of the file containing the certificate to |
|
680 |
verify encoded in PEM format |
|
681 |
@type verify_private_key: bool |
|
682 |
@param verify_private_key: whether to verify the private key in addition to |
|
683 |
the public certificate |
|
684 |
@rtype: string |
|
685 |
@return: a string containing the PEM-encoded certificate. |
|
686 |
|
|
687 |
""" |
|
688 |
try: |
|
689 |
pem = utils.ReadFile(cert_filename) |
|
690 |
except IOError, err: |
|
691 |
raise errors.X509CertError(cert_filename, |
|
692 |
"Unable to read certificate: %s" % str(err)) |
|
693 |
|
|
694 |
try: |
|
695 |
OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, pem) |
|
696 |
except Exception, err: |
|
697 |
raise errors.X509CertError(cert_filename, |
|
698 |
"Unable to load certificate: %s" % str(err)) |
|
699 |
|
|
700 |
if verify_private_key: |
|
701 |
try: |
|
702 |
OpenSSL.crypto.load_privatekey(OpenSSL.crypto.FILETYPE_PEM, pem) |
|
703 |
except Exception, err: |
|
704 |
raise errors.X509CertError(cert_filename, |
|
705 |
"Unable to load private key: %s" % str(err)) |
|
706 |
|
|
707 |
return pem |
|
708 |
|
|
709 |
|
|
710 |
def _RenewCrypto(new_cluster_cert, new_rapi_cert, #pylint: disable=R0911 |
|
711 |
rapi_cert_filename, new_spice_cert, spice_cert_filename, |
|
712 |
spice_cacert_filename, new_confd_hmac_key, new_cds, |
|
713 |
cds_filename, force): |
|
675 |
def _RenewCrypto(new_cluster_cert, new_rapi_cert, rapi_cert_filename, |
|
676 |
new_confd_hmac_key, new_cds, cds_filename, |
|
677 |
force): |
|
714 | 678 |
"""Renews cluster certificates, keys and secrets. |
715 | 679 |
|
716 | 680 |
@type new_cluster_cert: bool |
... | ... | |
719 | 683 |
@param new_rapi_cert: Whether to generate a new RAPI certificate |
720 | 684 |
@type rapi_cert_filename: string |
721 | 685 |
@param rapi_cert_filename: Path to file containing new RAPI certificate |
722 |
@type new_spice_cert: bool |
|
723 |
@param new_spice_cert: Whether to generate a new SPICE certificate |
|
724 |
@type spice_cert_filename: string |
|
725 |
@param spice_cert_filename: Path to file containing new SPICE certificate |
|
726 |
@type spice_cacert_filename: string |
|
727 |
@param spice_cacert_filename: Path to file containing the certificate of the |
|
728 |
CA that signed the SPICE certificate |
|
729 | 686 |
@type new_confd_hmac_key: bool |
730 | 687 |
@param new_confd_hmac_key: Whether to generate a new HMAC key |
731 | 688 |
@type new_cds: bool |
... | ... | |
747 | 704 |
" the same time.") |
748 | 705 |
return 1 |
749 | 706 |
|
750 |
if new_spice_cert and (spice_cert_filename or spice_cacert_filename):
|
|
751 |
ToStderr("When using --new-spice-certificate, the --spice-certificate"
|
|
752 |
" and --spice-ca-certificate must not be used.")
|
|
753 |
return 1
|
|
707 |
if rapi_cert_filename:
|
|
708 |
# Read and verify new certificate
|
|
709 |
try:
|
|
710 |
rapi_cert_pem = utils.ReadFile(rapi_cert_filename)
|
|
754 | 711 |
|
755 |
if bool(spice_cacert_filename) ^ bool(spice_cert_filename): |
|
756 |
ToStderr("Both --spice-certificate and --spice-ca-certificate must be" |
|
757 |
" specified.") |
|
758 |
return 1 |
|
712 |
OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, |
|
713 |
rapi_cert_pem) |
|
714 |
except Exception, err: # pylint: disable=W0703 |
|
715 |
ToStderr("Can't load new RAPI certificate from %s: %s" % |
|
716 |
(rapi_cert_filename, str(err))) |
|
717 |
return 1 |
|
759 | 718 |
|
760 |
rapi_cert_pem, spice_cert_pem, spice_cacert_pem = (None, None, None) |
|
761 |
try: |
|
762 |
if rapi_cert_filename: |
|
763 |
rapi_cert_pem = _ReadAndVerifyCert(rapi_cert_filename, True) |
|
764 |
if spice_cert_filename: |
|
765 |
spice_cert_pem = _ReadAndVerifyCert(spice_cert_filename, True) |
|
766 |
spice_cacert_pem = _ReadAndVerifyCert(spice_cacert_filename) |
|
767 |
except errors.X509CertError, err: |
|
768 |
ToStderr("Unable to load X509 certificate from %s: %s", err[0], err[1]) |
|
769 |
return 1 |
|
719 |
try: |
|
720 |
OpenSSL.crypto.load_privatekey(OpenSSL.crypto.FILETYPE_PEM, rapi_cert_pem) |
|
721 |
except Exception, err: # pylint: disable=W0703 |
|
722 |
ToStderr("Can't load new RAPI private key from %s: %s" % |
|
723 |
(rapi_cert_filename, str(err))) |
|
724 |
return 1 |
|
725 |
|
|
726 |
else: |
|
727 |
rapi_cert_pem = None |
|
770 | 728 |
|
771 | 729 |
if cds_filename: |
772 | 730 |
try: |
... | ... | |
786 | 744 |
|
787 | 745 |
def _RenewCryptoInner(ctx): |
788 | 746 |
ctx.feedback_fn("Updating certificates and keys") |
789 |
bootstrap.GenerateClusterCrypto(new_cluster_cert, |
|
790 |
new_rapi_cert, |
|
791 |
new_spice_cert, |
|
747 |
bootstrap.GenerateClusterCrypto(new_cluster_cert, new_rapi_cert, |
|
792 | 748 |
new_confd_hmac_key, |
793 | 749 |
new_cds, |
794 | 750 |
rapi_cert_pem=rapi_cert_pem, |
795 |
spice_cert_pem=spice_cert_pem, |
|
796 |
spice_cacert_pem=spice_cacert_pem, |
|
797 | 751 |
cds=cds) |
798 | 752 |
|
799 | 753 |
files_to_copy = [] |
... | ... | |
804 | 758 |
if new_rapi_cert or rapi_cert_pem: |
805 | 759 |
files_to_copy.append(constants.RAPI_CERT_FILE) |
806 | 760 |
|
807 |
if new_spice_cert or spice_cert_pem: |
|
808 |
files_to_copy.append(constants.SPICE_CERT_FILE) |
|
809 |
files_to_copy.append(constants.SPICE_CACERT_FILE) |
|
810 |
|
|
811 | 761 |
if new_confd_hmac_key: |
812 | 762 |
files_to_copy.append(constants.CONFD_HMAC_KEY) |
813 | 763 |
|
... | ... | |
836 | 786 |
return _RenewCrypto(opts.new_cluster_cert, |
837 | 787 |
opts.new_rapi_cert, |
838 | 788 |
opts.rapi_cert, |
839 |
opts.new_spice_cert, |
|
840 |
opts.spice_cert, |
|
841 |
opts.spice_cacert, |
|
842 | 789 |
opts.new_confd_hmac_key, |
843 | 790 |
opts.new_cluster_domain_secret, |
844 | 791 |
opts.cluster_domain_secret, |
... | ... | |
1427 | 1374 |
RenewCrypto, ARGS_NONE, |
1428 | 1375 |
[NEW_CLUSTER_CERT_OPT, NEW_RAPI_CERT_OPT, RAPI_CERT_OPT, |
1429 | 1376 |
NEW_CONFD_HMAC_KEY_OPT, FORCE_OPT, |
1430 |
NEW_CLUSTER_DOMAIN_SECRET_OPT, CLUSTER_DOMAIN_SECRET_OPT, |
|
1431 |
NEW_SPICE_CERT_OPT, SPICE_CERT_OPT, SPICE_CACERT_OPT], |
|
1377 |
NEW_CLUSTER_DOMAIN_SECRET_OPT, CLUSTER_DOMAIN_SECRET_OPT], |
|
1432 | 1378 |
"[opts...]", |
1433 | 1379 |
"Renews cluster certificates, keys and secrets"), |
1434 | 1380 |
"epo": ( |
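Review bot: `_ReadAndVerifyCert` discards the object returned by `load_certificate`, so beyond PEM parsing nothing about the certificate is verified — an expired certificate, or a private key that does not belong to the certificate in the same file, is accepted here and would presumably only surface once the cluster is already using it. Keeping the parsed object and rejecting expired input is a two-line change, `cert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, pem)` followed by `if cert.has_expired(): raise errors.X509CertError(cert_filename, "Certificate has expired")`; a key/certificate match check would be worth adding too if the pyOpenSSL version in use offers one. The docstring should also state that when `verify_private_key` is set the file is expected to hold both the certificate and its private key and that the returned PEM string includes both, since `_RenewCrypto` passes it on unchanged as `rapi_cert_pem`/`spice_cert_pem`. The same gap applies to `spice_cacert_filename`: it is only parsed as a certificate and never checked to be the issuer of the SPICE certificate, which is what the `_RenewCrypto` docstring says it is.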