Revision b6267745 lib/client/gnt_cluster.py
| b/lib/client/gnt_cluster.py | ||
|---|---|---|
| 646 | 646 |
ToStdout("%s %s", path, tag)
|
| 647 | 647 |
|
| 648 | 648 |
|
| 649 |
def _RenewCrypto(new_cluster_cert, new_rapi_cert, rapi_cert_filename, |
|
| 650 |
new_confd_hmac_key, new_cds, cds_filename, |
|
| 651 |
force): |
|
| 649 |
def _ReadAndVerifyCert(cert_filename, verify_private_key=False): |
|
| 650 |
"""Reads and verifies an X509 certificate. |
|
| 651 |
|
|
| 652 |
@type cert_filename: string |
|
| 653 |
@param cert_filename: the path of the file containing the certificate to |
|
| 654 |
verify encoded in PEM format |
|
| 655 |
@type verify_private_key: bool |
|
| 656 |
@param verify_private_key: whether to verify the private key in addition to |
|
| 657 |
the public certificate |
|
| 658 |
@rtype: string |
|
| 659 |
@return: a string containing the PEM-encoded certificate. |
|
| 660 |
|
|
| 661 |
""" |
|
| 662 |
try: |
|
| 663 |
pem = utils.ReadFile(cert_filename) |
|
| 664 |
except IOError, err: |
|
| 665 |
raise errors.X509CertError(cert_filename, |
|
| 666 |
"Unable to read certificate: %s" % str(err)) |
|
| 667 |
|
|
| 668 |
try: |
|
| 669 |
OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, pem) |
|
| 670 |
except Exception, err: |
|
| 671 |
raise errors.X509CertError(cert_filename, |
|
| 672 |
"Unable to load certificate: %s" % str(err)) |
|
| 673 |
|
|
| 674 |
if verify_private_key: |
|
| 675 |
try: |
|
| 676 |
OpenSSL.crypto.load_privatekey(OpenSSL.crypto.FILETYPE_PEM, pem) |
|
| 677 |
except Exception, err: |
|
| 678 |
raise errors.X509CertError(cert_filename, |
|
| 679 |
"Unable to load private key: %s" % str(err)) |
|
| 680 |
|
|
| 681 |
return pem |
|
| 682 |
|
|
| 683 |
|
|
| 684 |
def _RenewCrypto(new_cluster_cert, new_rapi_cert, #pylint: disable=R0911 |
|
| 685 |
rapi_cert_filename, new_spice_cert, spice_cert_filename, |
|
| 686 |
spice_cacert_filename, new_confd_hmac_key, new_cds, |
|
| 687 |
cds_filename, force): |
|
| 652 | 688 |
"""Renews cluster certificates, keys and secrets. |
| 653 | 689 |
|
| 654 | 690 |
@type new_cluster_cert: bool |
| ... | ... | |
| 657 | 693 |
@param new_rapi_cert: Whether to generate a new RAPI certificate |
| 658 | 694 |
@type rapi_cert_filename: string |
| 659 | 695 |
@param rapi_cert_filename: Path to file containing new RAPI certificate |
| 696 |
@type new_spice_cert: bool |
|
| 697 |
@param new_spice_cert: Whether to generate a new SPICE certificate |
|
| 698 |
@type spice_cert_filename: string |
|
| 699 |
@param spice_cert_filename: Path to file containing new SPICE certificate |
|
| 700 |
@type spice_cacert_filename: string |
|
| 701 |
@param spice_cacert_filename: Path to file containing the certificate of the |
|
| 702 |
CA that signed the SPICE certificate |
|
| 660 | 703 |
@type new_confd_hmac_key: bool |
| 661 | 704 |
@param new_confd_hmac_key: Whether to generate a new HMAC key |
| 662 | 705 |
@type new_cds: bool |
| ... | ... | |
| 678 | 721 |
" the same time.") |
| 679 | 722 |
return 1 |
| 680 | 723 |
|
| 681 |
if rapi_cert_filename: |
|
| 682 |
# Read and verify new certificate |
|
| 683 |
try: |
|
| 684 |
rapi_cert_pem = utils.ReadFile(rapi_cert_filename) |
|
| 685 |
|
|
| 686 |
OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, |
|
| 687 |
rapi_cert_pem) |
|
| 688 |
except Exception, err: # pylint: disable=W0703 |
|
| 689 |
ToStderr("Can't load new RAPI certificate from %s: %s" %
|
|
| 690 |
(rapi_cert_filename, str(err))) |
|
| 691 |
return 1 |
|
| 724 |
if new_spice_cert and (spice_cert_filename or spice_cacert_filename): |
|
| 725 |
ToStderr("When using --new-spice-certificate, the --spice-certificate"
|
|
| 726 |
" and --spice-ca-certificate must not be used.") |
|
| 727 |
return 1 |
|
| 692 | 728 |
|
| 693 |
try: |
|
| 694 |
OpenSSL.crypto.load_privatekey(OpenSSL.crypto.FILETYPE_PEM, rapi_cert_pem) |
|
| 695 |
except Exception, err: # pylint: disable=W0703 |
|
| 696 |
ToStderr("Can't load new RAPI private key from %s: %s" %
|
|
| 697 |
(rapi_cert_filename, str(err))) |
|
| 698 |
return 1 |
|
| 729 |
if bool(spice_cacert_filename) ^ bool(spice_cert_filename): |
|
| 730 |
ToStderr("Both --spice-certificate and --spice-ca-certificate must be"
|
|
| 731 |
" specified.") |
|
| 732 |
return 1 |
|
| 699 | 733 |
|
| 700 |
else: |
|
| 701 |
rapi_cert_pem = None |
|
| 734 |
rapi_cert_pem, spice_cert_pem, spice_cacert_pem = (None, None, None) |
|
| 735 |
try: |
|
| 736 |
if rapi_cert_filename: |
|
| 737 |
rapi_cert_pem = _ReadAndVerifyCert(rapi_cert_filename, True) |
|
| 738 |
if spice_cert_filename: |
|
| 739 |
spice_cert_pem = _ReadAndVerifyCert(spice_cert_filename, True) |
|
| 740 |
spice_cacert_pem = _ReadAndVerifyCert(spice_cacert_filename) |
|
| 741 |
except errors.X509CertError, err: |
|
| 742 |
ToStderr("Unable to load X509 certificate from %s: %s", err[0], err[1])
|
|
| 743 |
return 1 |
|
| 702 | 744 |
|
| 703 | 745 |
if cds_filename: |
| 704 | 746 |
try: |
| ... | ... | |
| 718 | 760 |
|
| 719 | 761 |
def _RenewCryptoInner(ctx): |
| 720 | 762 |
ctx.feedback_fn("Updating certificates and keys")
|
| 721 |
bootstrap.GenerateClusterCrypto(new_cluster_cert, new_rapi_cert, |
|
| 763 |
bootstrap.GenerateClusterCrypto(new_cluster_cert, |
|
| 764 |
new_rapi_cert, |
|
| 765 |
new_spice_cert, |
|
| 722 | 766 |
new_confd_hmac_key, |
| 723 | 767 |
new_cds, |
| 724 | 768 |
rapi_cert_pem=rapi_cert_pem, |
| 769 |
spice_cert_pem=spice_cert_pem, |
|
| 770 |
spice_cacert_pem=spice_cacert_pem, |
|
| 725 | 771 |
cds=cds) |
| 726 | 772 |
|
| 727 | 773 |
files_to_copy = [] |
| ... | ... | |
| 732 | 778 |
if new_rapi_cert or rapi_cert_pem: |
| 733 | 779 |
files_to_copy.append(constants.RAPI_CERT_FILE) |
| 734 | 780 |
|
| 781 |
if new_spice_cert or spice_cert_pem: |
|
| 782 |
files_to_copy.append(constants.SPICE_CERT_FILE) |
|
| 783 |
files_to_copy.append(constants.SPICE_CACERT_FILE) |
|
| 784 |
|
|
| 735 | 785 |
if new_confd_hmac_key: |
| 736 | 786 |
files_to_copy.append(constants.CONFD_HMAC_KEY) |
| 737 | 787 |
|
| ... | ... | |
| 760 | 810 |
return _RenewCrypto(opts.new_cluster_cert, |
| 761 | 811 |
opts.new_rapi_cert, |
| 762 | 812 |
opts.rapi_cert, |
| 813 |
opts.new_spice_cert, |
|
| 814 |
opts.spice_cert, |
|
| 815 |
opts.spice_cacert, |
|
| 763 | 816 |
opts.new_confd_hmac_key, |
| 764 | 817 |
opts.new_cluster_domain_secret, |
| 765 | 818 |
opts.cluster_domain_secret, |
| ... | ... | |
| 1348 | 1401 |
RenewCrypto, ARGS_NONE, |
| 1349 | 1402 |
[NEW_CLUSTER_CERT_OPT, NEW_RAPI_CERT_OPT, RAPI_CERT_OPT, |
| 1350 | 1403 |
NEW_CONFD_HMAC_KEY_OPT, FORCE_OPT, |
| 1351 |
NEW_CLUSTER_DOMAIN_SECRET_OPT, CLUSTER_DOMAIN_SECRET_OPT], |
|
| 1404 |
NEW_CLUSTER_DOMAIN_SECRET_OPT, CLUSTER_DOMAIN_SECRET_OPT, |
|
| 1405 |
NEW_SPICE_CERT_OPT, SPICE_CERT_OPT, SPICE_CACERT_OPT], |
|
| 1352 | 1406 |
"[opts...]", |
| 1353 | 1407 |
"Renews cluster certificates, keys and secrets"), |
| 1354 | 1408 |
"epo": ( |
Also available in: Unified diff