Preparing for usage in setup agent cli command.
refs #7423
featureenablecommand.cpp featuredisablecommand.cpp featurelistcommand.cpp featureutility.cpp
objectlistcommand.cpp
pkinewcacommand.cpp pkinewcertcommand.cpp pkisigncsrcommand.cpp pkirequestcommand.cpp pkisavecertcommand.cpp pkiticketcommand.cpp
+ pkiutility.cpp
repositoryobjectcommand.cpp
variablegetcommand.cpp variablelistcommand.cpp
)
******************************************************************************/
#include "cli/pkinewcacommand.hpp"
+#include "cli/pkiutility.hpp"
#include "base/logger.hpp"
-#include "base/application.hpp"
-#include "base/tlsutility.hpp"
-#include <fstream>
using namespace icinga;
*/
int PKINewCACommand::Run(const boost::program_options::variables_map& vm, const std::vector<std::string>& ap) const
{
- String cadir = Application::GetLocalStateDir() + "/lib/icinga2/ca";
-
- if (Utility::PathExists(cadir)) {
- Log(LogCritical, "base")
- << "CA directory '" << cadir << "' already exists.";
- return 1;
- }
-
- if (!Utility::MkDirP(cadir, 0700)) {
- Log(LogCritical, "base")
- << "Could not create CA directory '" << cadir << "'.";
- return 1;
- }
-
- MakeX509CSR("Icinga CA", cadir + "/ca.key", String(), cadir + "/ca.crt", true);
-
- String serialpath = cadir + "/serial.txt";
-
- Log(LogInformation, "cli")
- << "Initializing serial file in '" << serialpath << "'.";
-
- std::ofstream fp;
- fp.open(serialpath.CStr());
- fp << "01";
- fp.close();
-
- if (fp.fail()) {
- Log(LogCritical, "cli")
- << "Could not create serial file '" << serialpath << "'";
- return 1;
- }
-
- return 0;
+ return PkiUtility::NewCa();
}
******************************************************************************/
#include "cli/pkinewcertcommand.hpp"
+#include "cli/pkiutility.hpp"
#include "base/logger.hpp"
-#include "base/tlsutility.hpp"
using namespace icinga;
namespace po = boost::program_options;
if (vm.count("certfile"))
certfile = vm["certfile"].as<std::string>();
- MakeX509CSR(vm["cn"].as<std::string>(), vm["keyfile"].as<std::string>(), csrfile, certfile);
-
- return 0;
+ return PkiUtility::NewCert(vm["cn"].as<std::string>(), vm["keyfile"].as<std::string>(), csrfile, certfile);
}
******************************************************************************/
#include "cli/pkirequestcommand.hpp"
-#include "remote/jsonrpc.hpp"
+#include "cli/pkiutility.hpp"
#include "base/logger.hpp"
-#include "base/tlsutility.hpp"
-#include "base/tlsstream.hpp"
-#include "base/tcpsocket.hpp"
-#include "base/utility.hpp"
-#include "base/application.hpp"
-#include <fstream>
+#include <iostream>
using namespace icinga;
namespace po = boost::program_options;
}
if (!vm.count("keyfile")) {
- Log(LogCritical, "cli", "Key file path (--keyfile) must be specified.");
+ Log(LogCritical, "cli", "Key input file path (--keyfile) must be specified.");
return 1;
}
if (!vm.count("certfile")) {
- Log(LogCritical, "cli", "Certificate file path (--certfile) must be specified.");
+ Log(LogCritical, "cli", "Certificate output file path (--certfile) must be specified.");
return 1;
}
if (!vm.count("cafile")) {
- Log(LogCritical, "cli", "CA certificate file path (--cafile) must be specified.");
+ Log(LogCritical, "cli", "CA certificate output file path (--cafile) must be specified.");
return 1;
}
if (!vm.count("trustedfile")) {
- Log(LogCritical, "cli", "Trusted certificate file path (--trustedfile) must be specified.");
+ Log(LogCritical, "cli", "Trusted certificate input file path (--trustedfile) must be specified.");
return 1;
}
return 1;
}
- TcpSocket::Ptr client = make_shared<TcpSocket>();
-
String port = "5665";
if (vm.count("port"))
port = vm["port"].as<std::string>();
- client->Connect(vm["host"].as<std::string>(), port);
-
- String certfile = vm["certfile"].as<std::string>();
-
- shared_ptr<SSL_CTX> sslContext = MakeSSLContext(certfile, vm["keyfile"].as<std::string>());
-
- TlsStream::Ptr stream = make_shared<TlsStream>(client, RoleClient, sslContext);
-
- stream->Handshake();
-
- shared_ptr<X509> peerCert = stream->GetPeerCertificate();
- shared_ptr<X509> trustedCert = GetX509Certificate(vm["trustedfile"].as<std::string>());
-
- if (CertificateToString(peerCert) != CertificateToString(trustedCert)) {
- Log(LogCritical, "cli", "Peer certificate does not match trusted certificate.");
- return 1;
- }
-
- Dictionary::Ptr request = make_shared<Dictionary>();
-
- String msgid = Utility::NewUniqueID();
-
- request->Set("jsonrpc", "2.0");
- request->Set("id", msgid);
- request->Set("method", "pki::RequestCertificate");
-
- Dictionary::Ptr params = make_shared<Dictionary>();
- params->Set("ticket", String(vm["ticket"].as<std::string>()));
-
- request->Set("params", params);
-
- JsonRpc::SendMessage(stream, request);
-
- Dictionary::Ptr response;
-
- for (;;) {
- response = JsonRpc::ReadMessage(stream);
-
- if (response->Get("id") != msgid)
- continue;
-
- break;
- }
-
- Dictionary::Ptr result = response->Get("result");
-
- if (result->Contains("error")) {
- Log(LogCritical, "cli", result->Get("error"));
- return 1;
- }
-
- String cafile = vm["cafile"].as<std::string>();
-
- std::ofstream fpcert;
- fpcert.open(certfile.CStr());
- fpcert << result->Get("cert");
- fpcert.close();
-
- if (fpcert.fail()) {
- Log(LogCritical, "cli")
- << "Could not write certificate to file '" << certfile << "'.";
- return 1;
- }
-
- std::ofstream fpca;
- fpca.open(cafile.CStr());
- fpca << result->Get("ca");
- fpca.close();
-
- if (fpca.fail()) {
- Log(LogCritical, "cli")
- << "Could not open CA certificate file '" << cafile << "' for writing.";
- return 1;
- }
-
- return 0;
+ return PkiUtility::RequestCertificate(vm["host"].as<std::string>(), port, vm["keyfile"].as<std::string>(),
+ vm["certfile"].as<std::string>(), vm["cafile"].as<std::string>(), vm["trustedfile"].as<std::string>(),
+ vm["ticket"].as<std::string>());
}
******************************************************************************/
#include "cli/pkisavecertcommand.hpp"
-#include "remote/jsonrpc.hpp"
+#include "cli/pkiutility.hpp"
#include "base/logger.hpp"
-#include "base/tlsutility.hpp"
-#include "base/tlsstream.hpp"
-#include "base/tcpsocket.hpp"
-#include "base/utility.hpp"
-#include "base/application.hpp"
-#include <fstream>
using namespace icinga;
namespace po = boost::program_options;
}
if (!vm.count("keyfile")) {
- Log(LogCritical, "cli", "Key file path (--keyfile) must be specified.");
+ Log(LogCritical, "cli", "Key input file path (--keyfile) must be specified.");
return 1;
}
if (!vm.count("certfile")) {
- Log(LogCritical, "cli", "Certificate file path (--certfile) must be specified.");
+ Log(LogCritical, "cli", "Certificate input file path (--certfile) must be specified.");
return 1;
}
if (!vm.count("trustedfile")) {
- Log(LogCritical, "cli", "Trusted certificate file path (--trustedfile) must be specified.");
+ Log(LogCritical, "cli", "Trusted certificate output file path (--trustedfile) must be specified.");
return 1;
}
- TcpSocket::Ptr client = make_shared<TcpSocket>();
-
String port = "5665";
if (vm.count("port"))
port = vm["port"].as<std::string>();
- client->Connect(vm["host"].as<std::string>(), port);
-
- shared_ptr<SSL_CTX> sslContext = MakeSSLContext(vm["certfile"].as<std::string>(), vm["keyfile"].as<std::string>());
-
- TlsStream::Ptr stream = make_shared<TlsStream>(client, RoleClient, sslContext);
-
- try {
- stream->Handshake();
- } catch (...) {
-
- }
-
- shared_ptr<X509> cert = stream->GetPeerCertificate();
-
- String trustedfile = vm["trustedfile"].as<std::string>();
-
- std::ofstream fpcert;
- fpcert.open(trustedfile.CStr());
- fpcert << CertificateToString(cert);
- fpcert.close();
-
- if (fpcert.fail()) {
- Log(LogCritical, "cli")
- << "Could not write certificate to file '" << trustedfile << "'.";
- return 1;
- }
-
- return 0;
+ return PkiUtility::SaveCert(vm["host"].as<std::string>(), port, vm["keyfile"].as<std::string>(), vm["certfile"].as<std::string>(), vm["trustedfile"].as<std::string>());
}
******************************************************************************/
#include "cli/pkisigncsrcommand.hpp"
+#include "cli/pkiutility.hpp"
#include "base/logger.hpp"
-#include "base/tlsutility.hpp"
-#include "base/application.hpp"
-#include <fstream>
using namespace icinga;
namespace po = boost::program_options;
return 1;
}
- std::stringstream msgbuf;
- char errbuf[120];
-
- InitializeOpenSSL();
-
- String csrfile = vm["csrfile"].as<std::string>();
-
- BIO *csrbio = BIO_new_file(csrfile.CStr(), "r");
- X509_REQ *req = PEM_read_bio_X509_REQ(csrbio, NULL, NULL, NULL);
-
- if (!req) {
- Log(LogCritical, "SSL")
- << "Could not read X509 certificate request from '" << csrfile << "': " << ERR_peek_error() << ", \"" << ERR_error_string(ERR_peek_error(), errbuf) << "\"";
- return 1;
- }
-
- BIO_free(csrbio);
-
- shared_ptr<X509> cert = CreateCertIcingaCA(X509_REQ_get_pubkey(req), X509_REQ_get_subject_name(req));
-
- X509_REQ_free(req);
-
- String certfile = vm["certfile"].as<std::string>();
-
- std::ofstream fpcert;
- fpcert.open(certfile.CStr());
-
- if (!fpcert) {
- Log(LogCritical, "cli")
- << "Failed to open certificate file '" << certfile << "' for output";
- return 1;
- }
-
- fpcert << CertificateToString(cert);
- fpcert.close();
-
- return 0;
+ return PkiUtility::SignCsr(vm["csrfile"].as<std::string>(), vm["certfile"].as<std::string>());
}
******************************************************************************/
#include "cli/pkiticketcommand.hpp"
-#include "remote/jsonrpc.hpp"
+#include "cli/pkiutility.hpp"
#include "base/logger.hpp"
-#include "base/tlsutility.hpp"
-#include "base/tlsstream.hpp"
-#include "base/tcpsocket.hpp"
-#include "base/utility.hpp"
-#include "base/application.hpp"
#include <iostream>
using namespace icinga;
return 1;
}
- std::cout << PBKDF2_SHA1(vm["cn"].as<std::string>(), vm["salt"].as<std::string>(), 50000) << std::endl;
-
- return 0;
+ return PkiUtility::GenTicket(vm["cn"].as<std::string>(), vm["salt"].as<std::string>(), std::cout);
}
--- /dev/null
+/******************************************************************************
+ * Icinga 2 *
+ * Copyright (C) 2012-2014 Icinga Development Team (http://www.icinga.org) *
+ * *
+ * This program is free software; you can redistribute it and/or *
+ * modify it under the terms of the GNU General Public License *
+ * as published by the Free Software Foundation; either version 2 *
+ * of the License, or (at your option) any later version. *
+ * *
+ * This program is distributed in the hope that it will be useful, *
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of *
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *
+ * GNU General Public License for more details. *
+ * *
+ * You should have received a copy of the GNU General Public License *
+ * along with this program; if not, write to the Free Software Foundation *
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA. *
+ ******************************************************************************/
+
+#include "cli/pkiutility.hpp"
+#include "cli/clicommand.hpp"
+#include "base/logger.hpp"
+#include "base/application.hpp"
+#include "base/tlsutility.hpp"
+#include "base/tlsstream.hpp"
+#include "base/tcpsocket.hpp"
+#include "base/utility.hpp"
+#include "remote/jsonrpc.hpp"
+#include <fstream>
+#include <iostream>
+
+using namespace icinga;
+
+int PkiUtility::NewCa(void)
+{
+ String cadir = Application::GetLocalStateDir() + "/lib/icinga2/ca";
+
+ if (Utility::PathExists(cadir)) {
+ Log(LogCritical, "cli")
+ << "CA directory '" << cadir << "' already exists.";
+ return 1;
+ }
+
+ if (!Utility::MkDirP(cadir, 0700)) {
+ Log(LogCritical, "base")
+ << "Could not create CA directory '" << cadir << "'.";
+ return 1;
+ }
+
+ MakeX509CSR("Icinga CA", cadir + "/ca.key", String(), cadir + "/ca.crt", true);
+
+ String serialpath = cadir + "/serial.txt";
+
+ Log(LogInformation, "cli")
+ << "Initializing serial file in '" << serialpath << "'.";
+
+ std::ofstream fp;
+ fp.open(serialpath.CStr());
+ fp << "01";
+ fp.close();
+
+ if (fp.fail()) {
+ Log(LogCritical, "cli")
+ << "Could not create serial file '" << serialpath << "'";
+ return 1;
+ }
+
+ return 0;
+}
+
+int PkiUtility::NewCert(const String& cn, const String& keyfile, const String& csrfile, const String& certfile)
+{
+ try {
+ MakeX509CSR(cn, keyfile, csrfile, certfile);
+ } catch(std::exception&) {
+ return 1;
+ }
+
+ return 0;
+}
+
+int PkiUtility::SignCsr(const String& csrfile, const String& certfile)
+{
+ std::stringstream msgbuf;
+ char errbuf[120];
+
+ InitializeOpenSSL();
+
+ BIO *csrbio = BIO_new_file(csrfile.CStr(), "r");
+ X509_REQ *req = PEM_read_bio_X509_REQ(csrbio, NULL, NULL, NULL);
+
+ if (!req) {
+ Log(LogCritical, "SSL")
+ << "Could not read X509 certificate request from '" << csrfile << "': " << ERR_peek_error() << ", \"" << ERR_error_string(ERR_peek_error(), errbuf) << "\"";
+ return 1;
+ }
+
+ BIO_free(csrbio);
+
+ shared_ptr<X509> cert = CreateCertIcingaCA(X509_REQ_get_pubkey(req), X509_REQ_get_subject_name(req));
+
+ X509_REQ_free(req);
+
+ std::ofstream fpcert;
+ fpcert.open(certfile.CStr());
+
+ if (!fpcert) {
+ Log(LogCritical, "cli")
+ << "Failed to open certificate file '" << certfile << "' for output";
+ return 1;
+ }
+
+ fpcert << CertificateToString(cert);
+ fpcert.close();
+
+ return 0;
+}
+
+int PkiUtility::SaveCert(const String& host, const String& port, const String& keyfile, const String& certfile, const String& trustedfile)
+{
+ TcpSocket::Ptr client = make_shared<TcpSocket>();
+
+ client->Connect(host, port);
+
+ shared_ptr<SSL_CTX> sslContext = MakeSSLContext(certfile, keyfile);
+
+ TlsStream::Ptr stream = make_shared<TlsStream>(client, RoleClient, sslContext);
+
+ try {
+ stream->Handshake();
+ } catch (...) {
+
+ }
+
+ shared_ptr<X509> cert = stream->GetPeerCertificate();
+
+ std::ofstream fpcert;
+ fpcert.open(trustedfile.CStr());
+ fpcert << CertificateToString(cert);
+ fpcert.close();
+
+ if (fpcert.fail()) {
+ Log(LogCritical, "cli")
+ << "Could not write certificate to file '" << trustedfile << "'.";
+ return 1;
+ }
+
+ Log(LogInformation, "cli")
+ << "Writing trusted certificate to file '" << trustedfile << "'.";
+
+ return 0;
+}
+
+int PkiUtility::GenTicket(const String& cn, const String& salt, std::ostream& ticketfp)
+{
+ ticketfp << PBKDF2_SHA1(cn, salt, 50000) << "\n";
+
+ return 0;
+}
+
+int PkiUtility::RequestCertificate(const String& host, const String& port, const String& keyfile,
+ const String& certfile, const String& cafile, const String& trustedfile, const String& ticket)
+{
+ TcpSocket::Ptr client = make_shared<TcpSocket>();
+
+ client->Connect(host, port);
+
+ shared_ptr<SSL_CTX> sslContext = MakeSSLContext(certfile, keyfile);
+
+ TlsStream::Ptr stream = make_shared<TlsStream>(client, RoleClient, sslContext);
+
+ stream->Handshake();
+
+ shared_ptr<X509> peerCert = stream->GetPeerCertificate();
+ shared_ptr<X509> trustedCert = GetX509Certificate(trustedfile);
+
+ if (CertificateToString(peerCert) != CertificateToString(trustedCert)) {
+ Log(LogCritical, "cli", "Peer certificate does not match trusted certificate.");
+ return 1;
+ }
+
+ Dictionary::Ptr request = make_shared<Dictionary>();
+
+ String msgid = Utility::NewUniqueID();
+
+ request->Set("jsonrpc", "2.0");
+ request->Set("id", msgid);
+ request->Set("method", "pki::RequestCertificate");
+
+ Dictionary::Ptr params = make_shared<Dictionary>();
+ params->Set("ticket", String(ticket));
+
+ request->Set("params", params);
+
+ JsonRpc::SendMessage(stream, request);
+
+ Dictionary::Ptr response;
+
+ for (;;) {
+ response = JsonRpc::ReadMessage(stream);
+
+ if (response->Get("id") != msgid)
+ continue;
+
+ break;
+ }
+
+ Dictionary::Ptr result = response->Get("result");
+
+ if (result->Contains("error")) {
+ Log(LogCritical, "cli", result->Get("error"));
+ return 1;
+ }
+
+ std::ofstream fpcert;
+ fpcert.open(certfile.CStr());
+ fpcert << result->Get("cert");
+ fpcert.close();
+
+ if (fpcert.fail()) {
+ Log(LogCritical, "cli")
+ << "Could not write certificate to file '" << certfile << "'.";
+ return 1;
+ }
+
+ Log(LogInformation, "cli")
+ << "Writing signed certificate to file '" << certfile << "'.";
+
+ std::ofstream fpca;
+ fpca.open(cafile.CStr());
+ fpca << result->Get("ca");
+ fpca.close();
+
+ if (fpca.fail()) {
+ Log(LogCritical, "cli")
+ << "Could not open CA certificate file '" << cafile << "' for writing.";
+ return 1;
+ }
+
+ Log(LogInformation, "cli")
+ << "Writing CA certificate to file '" << certfile << "'.";
+
+ return 0;
+}
--- /dev/null
+/******************************************************************************
+ * Icinga 2 *
+ * Copyright (C) 2012-2014 Icinga Development Team (http://www.icinga.org) *
+ * *
+ * This program is free software; you can redistribute it and/or *
+ * modify it under the terms of the GNU General Public License *
+ * as published by the Free Software Foundation; either version 2 *
+ * of the License, or (at your option) any later version. *
+ * *
+ * This program is distributed in the hope that it will be useful, *
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of *
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *
+ * GNU General Public License for more details. *
+ * *
+ * You should have received a copy of the GNU General Public License *
+ * along with this program; if not, write to the Free Software Foundation *
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA. *
+ ******************************************************************************/
+
+#ifndef PKIUTILITY_H
+#define PKIUTILITY_H
+
+#include "base/i2-base.hpp"
+#include "base/dictionary.hpp"
+#include "base/string.hpp"
+
+namespace icinga
+{
+
+/**
+ * @ingroup cli
+ */
+class PkiUtility
+{
+public:
+ static int NewCa(void);
+ static int NewCert(const String& cn, const String& keyfile, const String& csrfile, const String& certfile);
+ static int SignCsr(const String& csrfile, const String& certfile);
+ static int SaveCert(const String& host, const String& port, const String& keyfile, const String& certfile, const String& trustedfile);
+ static int GenTicket(const String& cn, const String& salt, std::ostream& ticketfp);
+ static int RequestCertificate(const String& host, const String& port, const String& keyfile,
+ const String& certfile, const String& cafile, const String& trustedfile, const String& ticket);
+
+private:
+ PkiUtility(void);
+};
+
+}
+
+#endif /* PKIUTILITY_H */
projects / icinga2 / commitdiff