1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
|
#!/usr/bin/env python3
#
# Copyright (C) 2019 Wind River Systems, Inc.
#
# SPDX-License-Identifier: GPL-2.0-only
#
import os, sys, getopt
banner = \
'''\
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!! "ip_address" field of server.info must be IP address of the server. !!
!! For more details, please refer to: !!
!! https://libvirt.org/remote.html#Remote_certificates !!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Please deploy cacert.pem to CA and server and client /etc/pki/CA/cacert.pem
Please deploy serverkey.pem to server /etc/pki/libvirt/private/serverkey.pem
Please deploy servercert.pem to server /etc/pki/libvirt/servercert.pem
Please deploy clientkey.pem to client /etc/pki/libvirt/private/clientkey.pem
Please deploy clientcert.pem to client /etc/pki/libvirt/clientcert.pem"
'''
if os.system('which certtool > /dev/null 2>&1') != 0:
print('certtool is not available. It is provided by \n\
gnutls-bin on Yocto like Linux or \n\
gnutls-bin on Debian like distribution or \n\
gnutls-utils on Redhat like distribution.')
sys.exit()
cainfo = ""
serverinfo = ""
clientinfo = ""
yes = 0
try:
opts, args = getopt.getopt(sys.argv[1:], "ha:b:c:y", ["help", "ca-info=", "server-info=", "client-info=", "yes"])
except getopt.GetoptError:
print('Usage:\n{} [-a|--ca-info] <ca.info> [-b|--server-info] <server.info> [-c|--client-info] <client.info> [-y|--yes]'.format(sys.argv[0]))
print('If ca.info or server.info or client.info is not provided, a corresponding sample file will be generated.')
sys.exit(2)
for opt, arg in opts:
if opt in ("-h", "--help"):
print('Usage:\n{} [-a|--ca-info] <ca.info> [-b|--server-info] <server.info> [-c|--client-info] <client.info> [-y|--yes]'.format(sys.argv[0]))
print('If ca.info or server.info or client.info is not provided, a corresponding sample file will be generated.\n')
print(banner)
sys.exit()
elif opt in ("-a", "--ca-info"):
cainfo = arg
elif opt in ("-b", "--server-info"):
serverinfo = arg
elif opt in ("-c", "--client-info"):
clientinfo = arg
elif opt in ("-y", "--yes"):
yes = 1
cainfodefault = \
'''cn = CA
ca
cert_signing_key
'''
serverinfodefault = \
'''organization = Organization
cn = Server
dns_name = DNS Name
ip_address = 127.0.0.1
tls_www_server
encryption_key
signing_key
'''
clientinfodefault = \
'''country = Country
state = State
locality = Locality
organization = Organization
cn = Client
tls_www_client
encryption_key
signing_key
'''
if not cainfo:
if yes == 0:
opt = input('{}\nca.info not provided by -a, the above will be used [y/n]?'.format(cainfodefault))
if opt != 'y':
exit()
cainfo = "ca.info"
with open(cainfo, mode='w') as f:
f.write(cainfodefault)
if not serverinfo:
if yes == 0:
opt = input('{}\nserver.info not provided by -b, the above will be used [y/n]?'.format(serverinfodefault))
if opt != 'y':
exit()
serverinfo = "server.info"
with open(serverinfo, mode='w') as f:
f.write(serverinfodefault)
if not clientinfo:
if yes == 0:
opt = input('{}\nclient.info not provided by -c, the above will be used [y/n]?'.format(clientinfodefault))
if opt != 'y':
sys.exit()
clientinfo = "client.info"
with open(clientinfo, mode='w') as f:
f.write(clientinfodefault)
if os.system("certtool --generate-privkey > cakey.pem") != 0:
print('ca private key failed.')
sys.exit()
if os.system("certtool --generate-self-signed --load-privkey cakey.pem --template {} --outfile cacert.pem".format(cainfo)) != 0:
print('ca cert failed.')
sys.exit()
if os.system("certtool --generate-privkey > serverkey.pem") != 0:
print('server private key failed.')
sys.exit()
if os.system("certtool --generate-certificate --load-privkey serverkey.pem --load-ca-certificate cacert.pem --load-ca-privkey cakey.pem --template {} --outfile servercert.pem".format(serverinfo)) != 0:
print('server cert failed.')
sys.exit()
if os.system("certtool --generate-privkey > clientkey.pem") != 0:
print('client private key failed.')
sys.exit()
if os.system("certtool --generate-certificate --load-privkey clientkey.pem --load-ca-certificate cacert.pem --load-ca-privkey cakey.pem --template {} --outfile clientcert.pem".format(clientinfo)) != 0:
print('client cert failed.')
sys.exit()
print(banner)
|
