mc_ssl / ssl registry

If you alter this module and want to test it, do not forget to deploy it on minion using:

salt '*' saltutil.sync_modules

Documentation of this module is available with:

salt '*' sys.doc mc_ssl
class mc_states.modules.mc_ssl.PKey

A class representing an DSA or RSA public key or key pair.

bits()

Returns the number of bits of the key :return: The number of bits of the key.

check()

Check the consistency of an RSA private key. This is the Python equivalent of OpenSSL’s RSA_check_key. :return: True if key is consistent. :raise Error: if the key is inconsistent. :raise TypeError: if the key is of a type which cannot be checked. Only RSA keys can currently be checked.

generate_key(type, bits)

Generate a key pair of the given type, with the given number of bits. This generates a key “into” the this object. :param type: The key type. :type type: TYPE_RSA or TYPE_DSA :param bits: The number of bits. :type bits: int >= 0 :raises TypeError: If type or bits isn’t of the appropriate type. :raises ValueError: If the number of bits isn’t an integer of the appropriate size. :return: None

type()

Returns the type of the key :return: The type of the key.

mc_states.modules.mc_ssl.ca_ssl_certs(domains, gen=False, as_text=False, keytype=None, **kwargs)

Wrapper to ssl_certs to also return the cacert information Return a triple (cert, key, ca) if ca is none: ca==’‘

mc_states.modules.mc_ssl.domain_match(domain, cert_domain, wildcard_match=False)

Test if a domain exactly match other domain the other domain can be a wildcard, and this only match top level wildcards as per openssl spec

>>> from mc_states.modules.mc_ssl import domain_match
>>> domain_match('a.com', 'a.com')
True
>>> domain_match('a.a.com', '*.a.com')
True
>>> domain_match('a.a.a.com', '*.a.com')
False
>>> domain_match('aaa.a.com', '*.a.com')
True
>>> domain_match('a', '*')
False
>>> domain_match('a.a', '*.a')
False
>>> domain_match('a.com', '*.a.com')
True
>>> domain_match('a.com', '*.a.a.com')
False
mc_states.modules.mc_ssl.domain_match_wildcard(domain, wildcard_or_domain)

Test if a common name matches a wild card

>>> from mc_states.modules.mc_ssl \
...     import domain_match_wildcard as match_wildcard
>>> match_wildcard('foo.dom.net', '*.foo.dom.net')
True
>>> match_wildcard('www.foo.dom.net', '*.foo.dom.net')
True
>>> match_wildcard('foo.dom.net', 'foo.dom.net')
True
>>> match_wildcard('www.foo.dom.net', 'foo.dom.net')
True
>>> match_wildcard('dom.net', '*.dom.net')
True
>>> match_wildcard('www.dom.net', '*.dom.net')
True
>>> match_wildcard('dom.net', 'dom.net')
True
>>> match_wildcard('www.dom.net', 'dom.net')
True
mc_states.modules.mc_ssl.get_cert_infos(cn_or_cert, key=None, sinfos=None, ttl=60, gen=False, keytype=None, trusted_certs_path=None, full_certs_path=None, separate_ssl_files_path=None, full_basename=None, auth_basename=None, authr_basename=None, crt_basename=None, crt_full_basename=None, key_basename=None, bundle_basename=None, only_basename=None, trust_basename=None, public_key_basename=None, rsa_key_basename=None)

Get infos for a certificate, either by being configured by makina-states or given in parameters:

salt-call mc_ssl.get_cert_infos foo.net # configured in pillar
salt-call -- mc_ssl.get_cert_infos            /tmp/devhost5-1.crt            key='/tmp/devhost5-1.key'
salt-call mc_ssl.get_cert_infos --             '-----BEGIN CERTIFICATE-----
    XXX
    -----END CERTIFICATE-----'            key='-----BEGIN PRIVATE KEY-----
    YYY
    -----END PRIVATE KEY-----'

return a struct:

{'cn': common name,
 'altnames': defined alt names,
 'cert_data': see bellow,
 'cert': cert + chain content,
 'crt': path where the crt should be installed,
 'trust': VALUE,
 'only': VALUE,
 'bundle': VALUE,
 'full': VALUE,
 'auth': VALUE,
 'authr': VALUE,
 'unlock_key': VALUE,
 'public_key':  public_key_or_empty_string_content,
 'rsa_key': unlocked_private_key_or_key_content,
 'key': VALUE}

cert_data contains a 4th tuple with the certificate/key/chain contents:

(cert,
 key,
 chain_or_empty_string)
mc_states.modules.mc_ssl.get_configured_cert(domain, gen=False, selfsigned=True, ttl=60, data=None, as_text=False, keytype=None)

Return any configured ssl cert for domain or the wildward domain matching the precise domain. It will prefer to use any real signed certificate over a self signed certificate

mc_states.modules.mc_ssl.get_selfsigned_cert_for(domain, gen=False, keytype=None, domain_csr_data=None, as_text=False)

Generate or return certificate for domain

The certificates are stored inside a local registry

mc_states.modules.mc_ssl.load_publickey(type, buffer)

Load a public key from a buffer. :param type: The file type (one of FILETYPE_PEM, FILETYPE_ASN1). :param buffer: The buffer the key is stored in. :type buffer: A Python string object, either unicode or bytestring. :return: The PKey object. :rtype: PKey

COPIED AS IS FROM PYOPENSSL (because <0.16 does not have the method)

mc_states.modules.mc_ssl.selfsigned_last(ctuple)

Certificate tuple containing in first element the text of the PEM certificate

mc_states.modules.mc_ssl.settings()

ssl registry

country
country
st
st
l
l
o
organization
cn
common name
email
mail
certs

mapping of COMMON_NAME: (cert_text, key_text, cacert_chain_txt)

  • cert_text and cacert_chain_txt contain x509 certs, concatenated
  • chain_txt is an empty string if selfsigned or not found
  • key we will validated to be a valid private key
  • all certs will be validated to be x509 certs
mc_states.modules.mc_ssl.ssl_certs(domains, gen=False, as_text=False, keytype=None, **kw)

Maybe Generate and Return SSL certificate and key paths for domain Certicates are generated inside pillar/cloudcontroller/<minionid>. this generates a signed certificate with a generated certificate authority with the name of the current minion.

Return a xtuple (cert, key) Cert can contain multiple certs (full chain of certification)

mc_states.modules.mc_ssl.ssl_chain(common_name, cert_string)

Extract the cerfificate and auth chain for a certificate file or string containing one or multiple certificates

Return a tuble:

  • The certificate maching the common name If not found, assume the first of the given certs
  • The rest of certificates as the ssl chain authentication
mc_states.modules.mc_ssl.ssl_infos(cert_text, **kw)

Get some infos out of a PEM certificates kw can contain default values

issuer
cert issuer
subject
cert subject
mc_states.modules.mc_ssl.ssl_key(cert_string)

Extract valid ssl keys from a string or a file & return the first

mc_states.modules.mc_ssl.ssl_keys(cert_string)

Extract valid ssl keys from a string or a file