#!/usr/bin/python
# This script performs the initial configuration needed to use TLS with mosca.
# It generates the mosca key-pair
# and retrieves a signed certificate, the CA chain and the CRL from the CA.
# If the configuration has already been done, this script does nothing!
import conf
import os
import binascii
from OpenSSL import crypto
import certUtils
from time import sleep
import requests
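def generateKeys():
    """Create the mosca private key unless one already exists.

    The key is written to ``<conf.certsDir>/mosca.key`` with
    ``conf.keyLength`` bits via ``certUtils.generatePrivateKey``.

    The existence check and the write target now use the same path
    (the check previously looked at ``conf.certsDir + 'mosca.key'``,
    without the separator, so it never matched the file actually
    written). Without that fix a second run regenerates the key, which
    then no longer matches the mosca.csr / mosca.crt produced from the
    earlier key.
    """
    keyFile = conf.certsDir + "/mosca.key"
    # Never overwrite an existing key: the CSR and the CA-signed
    # certificate on disk were derived from it.
    if os.path.isfile(keyFile):
        return
    certUtils.generatePrivateKey(keyFile, conf.keyLength)
    print("mosca key-pair created")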
def generateCSR():
    """Build the mosca certificate signing request if it is not on disk yet.

    Delegates to ``certUtils.generateCSR`` with CN ``mosca``, the private
    key at ``<conf.certsDir>/mosca.key``, output file
    ``<conf.certsDir>/mosca.csr`` and the SAN DNS names ``mqtt``,
    ``mosca`` and ``localhost``. Does nothing when the CSR already exists.
    """
    csrFile = conf.certsDir + "/mosca.csr"
    if os.path.isfile(csrFile):
        return
    certUtils.generateCSR(
        CName='mosca',
        privateKeyFile=conf.certsDir + "/mosca.key",
        csrFileName=csrFile,
        dnsname=['mqtt', 'mosca', 'localhost'],
    )
def askCertSign():
    """Have the EJBCA CA sign mosca's CSR, unless mosca.crt already exists.

    Registers an EJBCA end entity named ``mosca`` with a freshly generated
    enrollment password (16 bytes from ``os.urandom``, hex encoded), then
    submits ``<conf.certsDir>/mosca.csr`` for signing and stores the
    result as ``<conf.certsDir>/mosca.crt``. Either EJBCA failure prints
    the error and terminates the process with exit status -1.
    """
    crtFile = conf.certsDir + "/mosca.crt"
    if os.path.isfile(crtFile):
        return
    # One-time enrollment password; this script does not store or print it.
    passwd = binascii.b2a_hex(os.urandom(16))
    try:
        certUtils.createEJBCAUser(conf.EJBCA_API_URL, conf.CAName,
                                  "mosca", passwd)
    except certUtils.EJBCARESTException as err:
        print("Cant create EJBCA user. Error: " + err.message)
        exit(-1)
    try:
        cert = certUtils.signCert(conf.EJBCA_API_URL,
                                  conf.certsDir + "/mosca.csr",
                                  "mosca", passwd)
    except certUtils.EJBCARESTException as err:
        print("Cant sign the CRT. EJBCA-REST return code: " + err.message)
        exit(-1)
    certUtils.saveCRT(crtFile, cert)
    print("mosca certificate signed")
def retrieveCAChain():
    """Fetch the CA certificate chain from EJBCA into ``<conf.certsDir>/ca.crt``.

    Skipped when the file already exists. A ``KeyError`` raised while
    handling the EJBCA answer is reported and terminates the process with
    exit status -1; other exceptions propagate to the caller.
    """
    caFile = conf.certsDir + "/ca.crt"
    if os.path.isfile(caFile):
        return
    try:
        rawCrt = certUtils.retrieveCAChain(conf.EJBCA_API_URL, conf.CAName)
        certUtils.saveCRT(caFile, rawCrt)
        print("CA certificates retrieved")
    except KeyError:
        # The answer did not carry the field(s) certUtils expects.
        print("Invalid answer returned from EJBCA.")
        exit(-1)
def retrieveCRL():
    """Fetch the CA's CRL from EJBCA into ``<conf.certsDir>/ca.crl``.

    Skipped when the file already exists. A malformed answer
    (``KeyError``) or a CRL that pyOpenSSL cannot decode
    (``crypto.Error``) is reported and terminates the process with exit
    status -1; other exceptions propagate to the caller.
    """
    crlFile = conf.certsDir + "/ca.crl"
    if os.path.isfile(crlFile):
        return
    try:
        rawCRL = certUtils.retrieveCACRL(conf.EJBCA_API_URL, conf.CAName)
        certUtils.saveCRL(crlFile, rawCRL)
    except KeyError:
        print("Invalid answer returned from EJBCA.")
        exit(-1)
    except crypto.Error:
        print("Could not decode retrieved CRL")
        exit(-1)
if __name__ == '__main__':
    # Provisioning steps in dependency order: CA chain, key, CSR, signed
    # certificate, CRL. Each function checks for its output file before
    # doing work, so the whole sequence is re-run from the top after a
    # connection failure.
    steps = [
        ("Retrieving CA Chain", retrieveCAChain),
        ("Generating keys", generateKeys),
        ("Generating CSR", generateCSR),
        ("Asking certification signature", askCertSign),
        ("Retrieving CRL", retrieveCRL),
    ]
    done = False
    while not done:
        try:
            for label, step in steps:
                print(label)
                step()
            done = True
        except requests.exceptions.ConnectionError:
            # Only connection errors are retried, with no upper bound on
            # the number of attempts; other failures exit inside the step
            # or propagate.
            print("Cant connect to EJBCA server at "
                  + conf.EJBCA_API_URL + " for initial configuration")
            print("Chances are the server is not ready yet."
                  " Will retry in 30sec")
            sleep(30)
    exit(0)