Verified Commit 519d4288 authored by Vojtech Myslivec's avatar Vojtech Myslivec

ca: Move cert valid days parameters to config

parent c601126c
......@@ -15,12 +15,6 @@ from .db import ca_exists_in_db, get_ca_id, get_certs, store_ca, store_cert
logger = logging.getLogger("ca")
# default certificate validity
CERT_DAYS = 60
# 25% before end of validity
VALID_DAYS = int(0.25*CERT_DAYS)
class CA:
def __init__(self, conf, db, ignore_errors=False):
cert_path = conf.get("ca", "cert")
......@@ -41,28 +35,32 @@ class CA:
if not ignore_errors:
raise
self.valid_days = conf.getint("ca", "valid_days")
self.valid_days_min = conf.getint("ca", "valid_days_min")
self.db = db
if not ca_exists_in_db(self.db, self.cert):
store_ca(self.db, self.cert)
self.id = get_ca_id(self.db, self.cert)
def get_valid_cert_matching_csr(self, identity, csr, days=VALID_DAYS):
def get_valid_cert_matching_csr(self, identity, csr):
"""
Returns certificate for the common name 'identity', that would be valid
at least for 'days' and match public key in the request 'csr'
Return certificate for the common name 'identity' matching public key
in the request 'csr' and that would be valid for at least
(preconfigured attribute) 'valid_days_min'
"""
date = datetime.datetime.utcnow() + datetime.timedelta(days=days)
date = datetime.datetime.utcnow() + datetime.timedelta(days=self.valid_days_min)
for cert in get_certs(self.db, identity, date):
if key_match(cert, csr):
return cert
return None
def issue_cert(self, csr, identity, days=CERT_DAYS):
def issue_cert(self, csr, identity):
serial_number = random_serial_number()
not_before = datetime.datetime.utcnow()
not_after = not_before + datetime.timedelta(days=days)
not_after = not_before + datetime.timedelta(days=self.valid_days)
# raise a CAError when CA cert will not be valid till not_after
self.check_cert_valid_at(not_after)
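Review bot: The two values read with `conf.getint` at the top of this hunk are stored without any range check, and the methods below rely on a relationship between them that the old module constants guaranteed (`VALID_DAYS` was derived as 25% of `CERT_DAYS`). With the values now user-supplied, a config where `valid_days_min` is not strictly smaller than `valid_days` makes `get_valid_cert_matching_csr` never find a fresh certificate, so every request would go through `issue_cert` again, and a zero or negative `valid_days` produces a certificate that is expired at issue time. I would validate once in the constructor right after the two `getint` calls, e.g. `if self.valid_days <= 0 or not 0 <= self.valid_days_min < self.valid_days:` followed by `raise ValueError("ca: valid_days must be positive and greater than valid_days_min")` (or the CAError type the comment under issue_cert refers to, if that is the module's convention). The enclosing `__init__` begins in the earlier hunk of this file and its remaining branches are outside this one.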
......
......@@ -17,6 +17,8 @@ logger = logging.getLogger("ca")
CONFIG_DEFAULT_PATH = "ca.ini"
VALID_DAYS_DEFAULT = "60"
VALID_DAYS_MIN_DEFAULT = "15"
MESSAGE_TYPE = "sentinel/certificator/checker"
AUTH_REQUEST_KEYS = (
......@@ -74,6 +76,8 @@ def prepare_config():
conf.set("ca", "cert", "")
conf.set("ca", "key", "")
conf.set("ca", "password", "")
conf.set("ca", "valid_days", VALID_DAYS_DEFAULT)
conf.set("ca", "valid_days_min", VALID_DAYS_MIN_DEFAULT)
return conf
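Review bot: The new module constants `VALID_DAYS_DEFAULT` and `VALID_DAYS_MIN_DEFAULT` in the first hunk of this file carry no comment, while the explanation that previously lived next to the old constants (`# 25% before end of validity`) is removed in the other file of this commit, so the meaning of the two numbers and why the second is a quarter of the first is no longer recorded anywhere. I would put it back above the constants, e.g. `# default certificate validity in days, and the minimum remaining validity` / `# (25% of it) below which a matching cert is no longer reused`. A short note that they are strings presumably because `ConfigParser.set` only accepts str values would also help the next reader who is tempted to make them ints.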
......