%PDF- %PDF-
Mini Shell

Mini Shell

Direktori : /lib/python2.7/site-packages/salt/modules/
Upload File :
Create Path :
Current File : //lib/python2.7/site-packages/salt/modules/tls.pyc

�
���^c@@s�dZddlmZmZmZddlZddlZddlZddlZddl	Z	ddl
Z
ddlZddlmZddl
ZddlZddlZddlmZddlmZddlmZddlmZeZeay1ddlZeZeej j!d	d
��Z"Wne#k
r:nXe	j$e%�Z&dZ'dZ(d
�Z)d�Z*dd�Z,dd�Z-d�Z.d�Z/d�Z0dd�Z1ddd�Z2ddd�Z3ddd�Z4dd�Z5edd�Z6deddd�Z7deddd�Z8d�Z9d�Z:d d!�Z;d"�Z<d#d$dd%d&d'd(ddeddd)dded*�Z=d+�Z>d#dd%d&d'd(dddddddd)ed,ed-�Z?d.d#d$dd%d&d'd(ddddd)ed/�Z@d$ddddd)deed0�	ZAd1ded2�ZBd)d3�ZCdddd4�ZDdddddd5�ZEe%d6kr�e?d7d8d9d:d%d;d&d<d=d>d(d?dd@dA�eAd7d9�eBd7d9dBdC�ndS(Du_
A salt module for SSL/TLS.
Can create a Certificate Authority (CA)
or use Self-Signed certificates.

:depends: PyOpenSSL Python module (0.10 or later, 0.14 or later for X509
    extension support)

:configuration: Add the following values in /etc/salt/minion for the CA module
    to function properly:

    .. code-block:: yaml

        ca.cert_base_path: '/etc/pki'


CLI Example #1:
Creating a CA, a server request and its signed certificate:

.. code-block:: bash

    # salt-call tls.create_ca my_little \
    days=5 \
    CN='My Little CA' \
    C=US \
    ST=Utah \
    L=Salt Lake City \
    O=Saltstack \
    emailAddress=pleasedontemail@example.com

    Created Private Key: "/etc/pki/my_little/my_little_ca_cert.key"
    Created CA "my_little_ca": "/etc/pki/my_little_ca/my_little_ca_cert.crt"

    # salt-call tls.create_csr my_little CN=www.example.com
    Created Private Key: "/etc/pki/my_little/certs/www.example.com.key
    Created CSR for "www.example.com": "/etc/pki/my_little/certs/www.example.com.csr"

    # salt-call tls.create_ca_signed_cert my_little CN=www.example.com
    Created Certificate for "www.example.com": /etc/pki/my_little/certs/www.example.com.crt"

CLI Example #2:
Creating a client request and its signed certificate

.. code-block:: bash

    # salt-call tls.create_csr my_little CN=DBReplica_No.1 cert_type=client
    Created Private Key: "/etc/pki/my_little/certs//DBReplica_No.1.key."
    Created CSR for "DBReplica_No.1": "/etc/pki/my_little/certs/DBReplica_No.1.csr."

    # salt-call tls.create_ca_signed_cert my_little CN=DBReplica_No.1
    Created Certificate for "DBReplica_No.1": "/etc/pki/my_little/certs/DBReplica_No.1.crt"

CLI Example #3:
Creating both a server and client req + cert for the same CN

.. code-block:: bash

    # salt-call tls.create_csr my_little CN=MasterDBReplica_No.2  \
        cert_type=client
    Created Private Key: "/etc/pki/my_little/certs/MasterDBReplica_No.2.key."
    Created CSR for "DBReplica_No.1": "/etc/pki/my_little/certs/MasterDBReplica_No.2.csr."

    # salt-call tls.create_ca_signed_cert my_little CN=MasterDBReplica_No.2
    Created Certificate for "DBReplica_No.1": "/etc/pki/my_little/certs/DBReplica_No.1.crt"

    # salt-call tls.create_csr my_little CN=MasterDBReplica_No.2 \
        cert_type=server
    Certificate "MasterDBReplica_No.2" already exists

    (doh!)

    # salt-call tls.create_csr my_little CN=MasterDBReplica_No.2 \
        cert_type=server type_ext=True
    Created Private Key: "/etc/pki/my_little/certs/DBReplica_No.1_client.key."
    Created CSR for "DBReplica_No.1": "/etc/pki/my_little/certs/DBReplica_No.1_client.csr."

    # salt-call tls.create_ca_signed_cert my_little CN=MasterDBReplica_No.2
    Certificate "MasterDBReplica_No.2" already exists

    (DOH!)

    # salt-call tls.create_ca_signed_cert my_little CN=MasterDBReplica_No.2 \
        cert_type=server type_ext=True
    Created Certificate for "MasterDBReplica_No.2": "/etc/pki/my_little/certs/MasterDBReplica_No.2_server.crt"


CLI Example #4:
Create a server req + cert with non-CN filename for the cert

.. code-block:: bash

    # salt-call tls.create_csr my_little CN=www.anothersometh.ing \
        cert_type=server type_ext=True
    Created Private Key: "/etc/pki/my_little/certs/www.anothersometh.ing_server.key."
    Created CSR for "DBReplica_No.1": "/etc/pki/my_little/certs/www.anothersometh.ing_server.csr."

    # salt-call tls_create_ca_signed_cert my_little CN=www.anothersometh.ing \
        cert_type=server cert_filename="something_completely_different"
    Created Certificate for "www.anothersometh.ing": /etc/pki/my_little/certs/something_completely_different.crt
i(tabsolute_importtunicode_literalstprint_functionN(tdatetime(tCommandExecutionError(tLooseVersion(tsix(trangeu__version__u0.0u
%y%m%d%H%M%SZu
%Y%m%d%H%M%SZcC@sztrfttd�krfttd�kr@tatjd�n"ttd�krbtjd�ntStatdfSdS(u@
    Only load this module if the ca config options are set
    u0.10u0.14ufYou should upgrade pyOpenSSL to at least 0.14.1 to enable the use of X509 extensions in the tls moduleu0.15ukYou should upgrade pyOpenSSL to at least 0.15.1 to enable the full use of X509 extensions in the tls moduleuQPyOpenSSL version 0.10 or later must be installed before this module can be used.N(tHAS_SSLtOpenSSL_versiont
_LooseVersiontFalsetX509_EXT_ENABLEDtlogtdebugtTrue(((s4/usr/lib/python2.7/site-packages/salt/modules/tls.pyt__virtual__�scC@s7tjtj��\}}t|�}dj||�S(uD
    Return a Unix timestamp as a string of digits
    :return:
    u{0:f}{1}(tmathtmodfttimetinttformat(tval1tval2((s4/usr/lib/python2.7/site-packages/salt/modules/tls.pyt
_microtime�scC@sN|s%tjdtdd��}n|sJtjdtdd��}n|S(u�
    Return the base path for certs from CLI or from options

    cacert_path
        absolute path to ca certificates root directory

    CLI Example:

    .. code-block:: bash

        salt '*' tls.cert_base_path
    uca.contextual_cert_base_pathu
config.optionuca.cert_base_path(t__context__tgett__salt__(tcacert_path((s4/usr/lib/python2.7/site-packages/salt/modules/tls.pytcert_base_path�s
cC@s
t|�S(u!
    Retrocompatible wrapper
    (R(R((s4/usr/lib/python2.7/site-packages/salt/modules/tls.pyt_cert_base_path�scC@s|r|td<nt�S(u�
    If wanted, store the aforementioned cacert_path in context
    to be used as the basepath for further operations

    CLI Example:

    .. code-block:: bash

        salt '*' tls.set_ca_path /etc/certs
    uca.contextual_cert_base_path(RR(R((s4/usr/lib/python2.7/site-packages/salt/modules/tls.pytset_ca_path�s
cC@sttjdjtjjjt��t	j
r<tjd�ntjd�j
d�f��d�}tjd|�td}tjd|�dj||�}tjj|�s�tj|�ntjj|�s�d	}nd
}tjjj||��}|jt|��WdQX|S(u�
    Return a serial number in hex using os.urandom() and a Unix timestamp
    in microseconds.

    ca_name
        name of the CA
    CN
        common name in the request
    t_iuhexiuHashnum: %sucachedirucachedir: %su{0}/{1}.serialuwua+N(Rtbinasciithexlifytjointsalttutilststringutilstto_bytesRRtPY3tosturandomtencodeR
Rt__opts__Rtpathtexiststmakedirstfilestfopentwritetstr(tca_namethashnumtcachedirtserial_filetmodetofile((s4/usr/lib/python2.7/site-packages/salt/modules/tls.pyt_new_serial�s$
6	
	cC@s
|jt�S(N(tstrftimettwo_digit_year_fmt(tdatetimeObj((s4/usr/lib/python2.7/site-packages/salt/modules/tls.pyt_four_digit_year_to_two_digitsc	C@s�|dkr$djt�|�}ndj|�}t|�}tt|��}t|j�d�}d}|djg|j�j	�D]\}}dj||�^q��7}|d7}||||fS(u6
    Get basic info to write out to the index.txt
    u{0}/{1}u
{0}/index.txtuXu/u{0}={1}u
N(
tNoneRRt
_read_certR>t_get_expiration_datetget_serial_numberR#tget_subjecttget_components(	R4tcerttca_dirt
index_filetexpire_datet
serial_numbertsubjecttxty((s4/usr/lib/python2.7/site-packages/salt/modules/tls.pyt_get_basic_infos	8
uVcC@s�t|�djt�|�}t|||�\}}}}dj||||�}	tjjj|d��#}
|
jtjj	j
|	��WdQXdS(u�
    write out the index.txt database file in the appropriate directory to
    track certificates

    ca_name
        name of the CA
    cert
        certificate to be recorded
    u{0}/{1}u{0}	{1}		{2}	unknown	{3}ua+N(RRRRMR$R%R0R1R2R&tto_str(R4RERtstatusRFRGRHRIRJt
index_dataR9((s4/usr/lib/python2.7/site-packages/salt/modules/tls.pyt_write_cert_to_database!s

	cC@s�t|�|s"dj|�}ndjt�||�}djt�||�}tjjj|��f}tjj	tjj
|j��}|j�dkr�t
jd|�tjjj|��}y1tjjtjj
|j��}|j�}	Wntk
rd}	nXy)tj|j�d�tj�j}
Wnttfk
rXd}
nX|j�}t|d	|	d
|
d|jd|jd
|jd|jd|jd|j d|j!dt"�
WdQXnWdQXdS(u�
    Check that the X509 version is correct
    (was incorrectly set in previous salt versions).
    This will fix the version if needed.

    ca_name
        ca authority name
    cacert_path
        absolute path to ca certificates root directory
    ca_filename
        alternative filename for the CA

        .. versionadded:: 2015.5.3


    CLI Example:

    .. code-block:: bash

        salt '*' tls.maybe_fix_ssl_version test_ca /etc/certs
    u{0}_ca_certu{0}/{1}/{2}.crtu{0}/{1}/{2}.keyiu2Regenerating wrong x509 version for certificate %siu
%Y%m%d%H%M%SZimtbitstdaystCNtCtSTtLtOtOUtemailAddresstfixmodeN(#RRRR$R%R0R1tOpenSSLtcryptotload_certificatetFILETYPE_PEMtreadtget_versionR
tinfotload_privatekeyRRt	ExceptionRtstrptimetget_notAftertutcnowRSt
ValueErrort	TypeErrorRCt	create_caRTRURVRWRXRYRZR(R4Rtca_filenametcertptca_keyptficREtfic2tkeyRRRStsubj((s4/usr/lib/python2.7/site-packages/salt/modules/tls.pytmaybe_fix_ssl_version=sV
				

	
							cC@sjt|�|s"dj|�}ndjt�||�}tjj|�rft|d|d|�tStS(ul
    Verify whether a Certificate Authority (CA) already exists

    ca_name
        name of the CA
    cacert_path
        absolute path to ca certificates root directory
    ca_filename
        alternative filename for the CA

        .. versionadded:: 2015.5.3


    CLI Example:

    .. code-block:: bash

        salt '*' tls.ca_exists test_ca /etc/certs
    u{0}_ca_certu{0}/{1}/{2}.crtRRk(	RRRR)R-R.RrRR(R4RRkRl((s4/usr/lib/python2.7/site-packages/salt/modules/tls.pyt	ca_exists�s
		cC@s
t||�S(uRetrocompatible wrapper(Rs(R4R((s4/usr/lib/python2.7/site-packages/salt/modules/tls.pyt
_ca_exists�scC@s�t|�djt�||�}tjj|�sLtdj|���nB|r�tjj	j
|��"}tjjj|j
��}WdQXn|S(u_
    Get the certificate path or content

    ca_name
        name of the CA
    as_text
        if true, return the certificate content instead of the path
    cacert_path
        absolute path to ca certificates root directory

    CLI Example:

    .. code-block:: bash

        salt '*' tls.get_ca test_ca as_text=False cacert_path=/etc/certs
    u{0}/{1}/{2}_ca_cert.crtu"Certificate does not exist for {0}N(RRRR)R-R.RhR$R%R0R1R&t
to_unicodeR`(R4tas_textRRlRn((s4/usr/lib/python2.7/site-packages/salt/modules/tls.pytget_ca�s
	$u	localhostcC@s�t|�|s|}ndjt�||�}tjj|�s[tdj|���nB|r�tjj	j
|��"}tjjj|j
��}WdQXn|S(u;
    Get the certificate path or content

    ca_name
        name of the CA
    CN
        common name of the certificate
    as_text
        if true, return the certificate content instead of the path
    cacert_path
        absolute path to certificates root directory
    cert_filename
        alternative filename for the certificate, useful when using special characters in the CN

        .. versionadded:: 2015.5.3


    CLI Example:

    .. code-block:: bash

        salt '*' tls.get_ca_signed_cert test_ca CN=localhost as_text=False cacert_path=/etc/certs
    u{0}/{1}/certs/{2}.crtu#Certificate does not exists for {0}N(RRRR)R-R.RhR$R%R0R1R&RuR`(R4RTRvRt
cert_filenameRlRn((s4/usr/lib/python2.7/site-packages/salt/modules/tls.pytget_ca_signed_cert�s
		$cC@s�t|�|s|}ndjt�||�}tjj|�s[tdj|���nB|r�tjj	j
|��"}tjjj|j
��}WdQXn|S(ui
    Get the certificate path or content

    ca_name
        name of the CA
    CN
        common name of the certificate
    as_text
        if true, return the certificate content instead of the path
    cacert_path
        absolute path to certificates root directory
    key_filename
        alternative filename for the key, useful when using special characters

        .. versionadded:: 2015.5.3

        in the CN

    CLI Example:

    .. code-block:: bash

        salt '*' tls.get_ca_signed_key                 test_ca CN=localhost                 as_text=False                 cacert_path=/etc/certs
    u{0}/{1}/certs/{2}.keyu#Certificate does not exists for {0}N(RRRR)R-R.RhR$R%R0R1R&RuR`(R4RTRvRtkey_filenametkeypRn((s4/usr/lib/python2.7/site-packages/salt/modules/tls.pytget_ca_signed_key�s 
		$cC@s�t|tj�r{yAtjjj|��&}tjj	tjj
|j��SWdQXWq�tk
rwt
jd|�dSXn't|d�s�t
jd|�dS|SdS(Nu Failed to read cert from path %suget_notAfteru"%s is not a valid cert path/object(t
isinstanceRtstring_typesR$R%R0R1R\R]R^R_R`RdR
t	exceptionR?thasattrterror(REtrfh((s4/usr/lib/python2.7/site-packages/salt/modules/tls.pyR@&s		
cC@sUt|�}|dkr0tdj|���ntjtjjj	|j
��t�S(u,
    Returns a datetime.datetime object
    u1Failed to read cert from {0}, see log for detailsN(R@R?RRRReR$R%R&RNRftfour_digit_year_fmt(REtcert_obj((s4/usr/lib/python2.7/site-packages/salt/modules/tls.pyRA9su%Y-%m-%dcC@st|�j|�S(u

    .. versionadded:: 2019.2.0

    Get a certificate's expiration date

    cert
        Full path to the certificate

    date_format
        By default this will return the expiration date in YYYY-MM-DD format,
        use this to specify a different strftime format string. Note that the
        expiration time will be in UTC.

    CLI Examples:

    .. code-block:: bash

        salt '*' tls.get_expiration_date /path/to/foo.crt
        salt '*' tls.get_expiration_date /path/to/foo.crt date_format='%d/%m/%Y'
    (RAR;(REtdate_format((s4/usr/lib/python2.7/site-packages/salt/modules/tls.pytget_expiration_dateJscC@s,d}td}|dk	r�t|tj�sN|s�idd6td6}q�q�t|tj�r�||�dkr�idd6td6}tjd�q�q�n|dk	r(t|tj�s�|r%idd6td6}q%q(t|tj�r(||�dkr%idd6td6}tjd�q%q(n|S(Nucmd.retcodeuonlyif condition is falseucommenturesultiuunless condition is true(R?RR}RR~RR
R(tonlyiftunlesstrettretcode((s4/usr/lib/python2.7/site-packages/salt/modules/tls.pyt_check_onlyif_unlessbs&
iimuUSuUtahuSalt Lake Cityu	SaltStackusha256c!C@s�t||�}|dk	rdSt|�|sAdj|�}ndjt�||�}djt�||�}|r�|
r�t|d|�r�dj|�S|
r�tjj|�r�t	dj|���ntjjdjt�|��stj
djt�|��nd}tjj|�r�tjj
j|���}y%tjjtjj|j��}Wnmtjjk
r�}tjd||�d	j|tj�jd
��}tjd|�tj||�nXWdQXn|stjj�}|jtjj|�ntjj�}|j d
�|j!t"|��||j#�_$||j#�_%||j#�_&||j#�_'|r�||j#�_(n||j#�_)|	r�|	|j#�_*n|j+d�|j,t-|�ddd�|j.|j#��|j/|�t0r�|j1tjj2dt3d�tjj2dt3d�tjj2dt4dd|�g�|j1tjj2dt4dd|�g�n|j5|tjj6j7|
��tjj8tjj|�}t3}tjj|�r�dj|tj�jd
��}tjj
j|���}tjj6j9|j��j:�}|j:�|j:�krQt4}nNtjd|�tjj
j|d��$}|j;|�tj<|d�WdQXWdQXn|r�tjj
j|d��#}|j;tjj6j=|��WdQXntjj
j|d��8}|j;tjj6j=tjj>tjj|���WdQXt?||�d jt�||�} | d!j|t�||�7} | S("u`
    Create a Certificate Authority (CA)

    ca_name
        name of the CA
    bits
        number of RSA key bits, default is 2048
    days
        number of days the CA will be valid, default is 365
    CN
        common name in the request, default is "localhost"
    C
        country, default is "US"
    ST
        state, default is "Utah"
    L
        locality, default is "Centerville", the city where SaltStack originated
    O
        organization, default is "SaltStack"
    OU
        organizational unit, default is None
    emailAddress
        email address for the CA owner, default is None
    cacert_path
        absolute path to ca certificates root directory
    ca_filename
        alternative filename for the CA

        .. versionadded:: 2015.5.3

    digest
        The message digest algorithm. Must be a string describing a digest
        algorithm supported by OpenSSL (by EVP_get_digestbyname, specifically).
        For example, "md5" or "sha1". Default: 'sha256'
    replace
        Replace this certificate even if it exists

        .. versionadded:: 2015.5.1

    Writes out a CA certificate based upon defined config values. If the file
    already exists, the function just returns assuming the CA certificate
    already exists.

    If the following values were set::

        ca.cert_base_path='/etc/pki'
        ca_name='koji'

    the resulting CA, and corresponding key, would be written in the following
    location::

        /etc/pki/koji/koji_ca_cert.crt
        /etc/pki/koji/koji_ca_cert.key

    CLI Example:

    .. code-block:: bash

        salt '*' tls.create_ca test_ca
    u{0}_ca_certu{0}/{1}/{2}.crtu{0}/{1}/{2}.keyRku-Certificate for CA named "{0}" already existsu{0} does not exists, can't fixu{0}/{1}u?Error loading existing private key %s, generating a new key: %su{0}.unloadable.{1}u%Y%m%d%H%M%Su"Saving unloadable CA ssl key in %sNiiii<tbasicConstraintssCA:TRUE, pathlen:0tkeyUsageskeyCertSign, cRLSigntsubjectKeyIdentifierthashRJtauthorityKeyIdentifiersissuer:always,keyid:alwaystissueru{0}.{1}uSaving old CA ssl key in %suwi�uwbu(Created Private Key: "{0}/{1}/{2}.key." u$Created CA "{0}": "{1}/{2}/{3}.crt."(@R�R?RRRRsR)R-R.RhR/R$R%R0R1R\R]RcR_R`tErrorR
twarningRRgR;RbtrenametPKeytgenerate_keytTYPE_RSAtX509tset_versiontset_serial_numberR:RCRURVRWRXRYRTRZtgmtime_adj_notBeforetgmtime_adj_notAfterRt
set_issuert
set_pubkeyRtadd_extensionst
X509ExtensionRRtsignR&RNtdump_privatekeyRutstripR2tchmodR'tdump_certificateRQ(!R4RRRSRTRURVRWRXRYRZR[RRktdigestR�R�treplaceRORlRmRpRoterrtbcktcat
keycontentt	write_keyRntold_keytbckftca_keytca_crtR�((s4/usr/lib/python2.7/site-packages/salt/modules/tls.pyRjxs�M
 

		
	


					!	
%		
	cC@sgtstdjt���i}|dkrCtjd�d}nytddt�|d<Wn tk
r�}tj	|�nX|ds�|ddkr�iidd	6d
6idd6d
d6d6|d<nytddt�|d<Wn tk
r	}tj	|�nX|ds%|ddkrNiidd6dd6d
6id6|d<nytddt�|d<Wn tk
r�}tj	|�nX|ds�|ddkr�iidd6dd6d
6id6|d<n||kr/y!tddj|��||<Wq/tk
r+}tj	dj||��q/Xn|d}x'|D]}||j
|||�q@W|S(uO
    Fetch X509 and CSR extension definitions from tls:extensions:
    (common|server|client) or set them to standard defaults.

    .. versionadded:: 2015.8.0

    cert_type:
        The type of certificate such as ``server`` or ``client``.

    CLI Example:

    .. code-block:: bash

        salt '*' tls.get_extensions client

    uYX509 extensions are not supported in pyOpenSSL prior to version 0.15.1. Your version: {0}uuKcert_type set to empty in tls_ca.get_extensions(); defaulting to ``server``userveru
pillar.getutls.extensions:commonucommonuCA:FALSEubasicConstraintsucsrukeyid,issuer:alwaysuauthorityKeyIdentifieruhashusubjectKeyIdentifierucertutls.extensions:serveru
serverAuthuextendedKeyUsageu!digitalSignature, keyEnciphermentukeyUsageutls.extensions:clientuclientu
clientAuthu1nonRepudiation, digitalSignature, keyEnciphermentutls.extensions:{0}uOpillar, tls:extensions:{0} not available or not operating in a salt context
{1}(RtAssertionErrorRR	R
R�RRt	NameErrorRtupdate(t	cert_typetextR�tetretvaltUse((s4/usr/lib/python2.7/site-packages/salt/modules/tls.pytget_extensions>sb
	

uservercC@s�t|
�|s"dj|�}nt|d|�sAdj|�S|s_djt�|�}ntjj|�s�tj|�n|r�dj|�nd}|
s�dj||�}
ndj||
�}|r�tjj|�r�d	j|�Stj	j
�}|jtj	j|�tj	j
�}||j�_||j�_||j�_||j�_|rw||j�_n||j�_|r�||j�_ny�t|�d
}g}xr|j�D]d\}}t|tj�r�tjjj|�}n|jtj	j tjjj|�t!|��q�WWn&t"k
rU}t#j$|�g}nX|	r�t%r�t|	tj�r�|	g}	n|jtj	j dt!dj&tjj'j(|	����q�t)d
jt*���nt%r�|j+|�n|j,|�|j-|tjjj.|��tjj/j0dj||
�d��8}|j1tjjjtj	j2tj	j3|���WdQXtjj/j0|d��8}|j1tjjjtj	j4tj	j3|���WdQXdj||
�}|dj|||
�7}|S(u,
    Create a Certificate Signing Request (CSR) for a
    particular Certificate Authority (CA)

    ca_name
        name of the CA
    bits
        number of RSA key bits, default is 2048
    CN
        common name in the request, default is "localhost"
    C
        country, default is "US"
    ST
        state, default is "Utah"
    L
        locality, default is "Centerville", the city where SaltStack originated
    O
        organization, default is "SaltStack"
        NOTE: Must the same as CA certificate or an error will be raised
    OU
        organizational unit, default is None
    emailAddress
        email address for the request, default is None
    subjectAltName
        valid subjectAltNames in full form, e.g. to add DNS entry you would call
        this function with this value:

        examples: ['DNS:somednsname.com',
                'DNS:1.2.3.4',
                'IP:1.2.3.4',
                'IP:2001:4801:7821:77:be76:4eff:fe11:e51',
                'email:me@i.like.pie.com']

    .. note::
        some libraries do not properly query IP: prefixes, instead looking
        for the given req. source with a DNS: prefix. To be thorough, you
        may want to include both DNS: and IP: entries if you are using
        subjectAltNames for destinations for your TLS connections.
        e.g.:
        requests to https://1.2.3.4 will fail from python's
        requests library w/out the second entry in the above list

    .. versionadded:: 2015.8.0

    cert_type
        Specify the general certificate type. Can be either `server` or
        `client`. Indicates the set of common extensions added to the CSR.

        .. code-block:: cfg

            server: {
               'basicConstraints': 'CA:FALSE',
               'extendedKeyUsage': 'serverAuth',
               'keyUsage': 'digitalSignature, keyEncipherment'
            }

            client: {
               'basicConstraints': 'CA:FALSE',
               'extendedKeyUsage': 'clientAuth',
               'keyUsage': 'nonRepudiation, digitalSignature, keyEncipherment'
            }

    type_ext
        boolean.  Whether or not to extend the filename with CN_[cert_type]
        This can be useful if a server and client certificate are needed for
        the same CN. Defaults to False to avoid introducing an unexpected file
        naming pattern

        The files normally named some_subject_CN.csr and some_subject_CN.key
        will then be saved

    replace
        Replace this signing request even if it exists

        .. versionadded:: 2015.5.1

    Writes out a Certificate Signing Request (CSR) If the file already
    exists, the function just returns assuming the CSR already exists.

    If the following values were set::

        ca.cert_base_path='/etc/pki'
        ca_name='koji'
        CN='test.egavas.org'

    the resulting CSR, and corresponding key, would be written in the
    following location::

        /etc/pki/koji/certs/test.egavas.org.csr
        /etc/pki/koji/certs/test.egavas.org.key

    CLI Example:

    .. code-block:: bash

        salt '*' tls.create_csr test
    u{0}_ca_certRkuFCertificate for CA named "{0}" does not exist, please create it first.u{0}/{1}/certs/u_{0}uu{0}{1}u{0}/{1}.csru(Certificate Request "{0}" already existsucsrtsubjectAltNames, uzsubjectAltName cannot be set as X509 extensions are not supported in pyOpenSSL prior to version 0.15.1. Your version: {0}.u{0}/{1}.keyuwb+Nu#Created Private Key: "{0}{1}.key." u$Created CSR for "{0}": "{1}{2}.csr."(5RRRsRR)R-R.R/R\R]R�R�R�tX509ReqRCRURVRWRXRYRTRZR�titemsR}RR~R$R%R&R'tappendR�RR�R
R�RR#tdataR+RhR	R�R�R�RNR0R1R2R�R_tdump_certificate_request(R4RRRTRURVRWRXRYRZR�RRktcsr_pathtcsr_filenameR�ttype_extR�R�tCN_exttcsr_fRptreqt
extensionstextension_addsR�tvalueR�tpriv_keytcsrR�((s4/usr/lib/python2.7/site-packages/salt/modules/tls.pyt
create_csr�s�s

	

	%	
				
utlscC@s�t|
�tjjdjt�|��sJtjdjt�|��n|sY|}n|
r�tjjdjt�||��r�dj|�Stjj	�}|j
tjj|�tjj�}|j
d�|jd�|jt|�ddd�||j�_||j�_||j�_||j�_|rR||j�_n||j�_|	ry|	|j�_n|jt|��|j|j��|j|�|j|tjj j!|��djt�||�}tjj"j#|d	��8}|j$tjj j%tjj&tjj'|���Wd
QXdjt�||�}tjj"j#|d	��8}|j$tjj j%tjj(tjj'|���Wd
QXt)||�djt�||�}|djt�||�7}|S(
u�
    Create a Self-Signed Certificate (CERT)

    tls_dir
        location appended to the ca.cert_base_path, default is 'tls'
    bits
        number of RSA key bits, default is 2048
    CN
        common name in the request, default is "localhost"
    C
        country, default is "US"
    ST
        state, default is "Utah"
    L
        locality, default is "Centerville", the city where SaltStack originated
    O
        organization, default is "SaltStack"
        NOTE: Must the same as CA certificate or an error will be raised
    OU
        organizational unit, default is None
    emailAddress
        email address for the request, default is None
    cacert_path
        absolute path to ca certificates root directory
    digest
        The message digest algorithm. Must be a string describing a digest
        algorithm supported by OpenSSL (by EVP_get_digestbyname, specifically).
        For example, "md5" or "sha1". Default: 'sha256'
    replace
        Replace this certificate even if it exists

        .. versionadded:: 2015.5.1

    Writes out a Self-Signed Certificate (CERT). If the file already
    exists, the function just returns.

    If the following values were set::

        ca.cert_base_path='/etc/pki'
        tls_dir='koji'
        CN='test.egavas.org'

    the resulting CERT, and corresponding key, would be written in the
    following location::

        /etc/pki/koji/certs/test.egavas.org.crt
        /etc/pki/koji/certs/test.egavas.org.key

    CLI Example:

    .. code-block:: bash

        salt '*' tls.create_self_signed_cert

    Passing options from the command line:

    .. code-block:: bash

        salt 'minion' tls.create_self_signed_cert CN='test.mysite.org'
    u{0}/{1}/certs/u{0}/{1}/certs/{2}.crtu Certificate "{0}" already existsiiii<u{0}/{1}/certs/{2}.keyuwb+Nu.Created Private Key: "{0}/{1}/certs/{2}.key." u-Created Certificate: "{0}/{1}/certs/{2}.crt."(*RR)R-R.RRR/R\R]R�R�R�R�R�R�R�RRCRURVRWRXRYRTRZR�R:R�R�R�R$R%R&RNR0R1R2R'R�R_R�RQ(ttls_dirRRRSRTRURVRWRXRYRZRRxR�R�RpREt
priv_key_pathR�tcrt_pathtcrtR�((s4/usr/lib/python2.7/site-packages/salt/modules/tls.pytcreate_self_signed_cert�spJ
!
	



				
		
c
C@s�i}t|�|s(dj|�}n|sFdjt�|�}n|	r~|sctjd�|S|r�dj|�}q�nd}dj||�}
|s�dj||�}n|
r
tjjtjjtjj	jdjt�||�j
d����r
d	j|�Sy�t|d
|d|�tj
jjdjt�||���(}tjjtjj|j��}Wd
QXtj
jjdjt�||���(}tjjtjj|j��}Wd
QXWn/tk
r�d|d<dj|�|d<|SXyUdj||
�}tj
jj|��(}tjjtjj|j��}Wd
QXWn/tk
r�d|d<dj|�|d<|SXg}y|j|j��Wn�tk
rwy�tjdjt��tjjj|j �}xft!tjjj"|��D]I}tjj#j$tjj#�}tjjj%||�|_&|j'|�q�WWqxt(k
rstjdjt��qxXnXtjj)�}|j*d�|j+|j,��|j-d�|j.t/|�ddd�|j0t1|��|j2|j,��|j3|j4��|j5|�|j6|tj
j7j8|��dj||�}tj
jj|d��8}|j9tj
j7j:tjj;tjj|���Wd
QXt<||�dj|||�S(u

    Create a Certificate (CERT) signed by a named Certificate Authority (CA)

    If the certificate file already exists, the function just returns assuming
    the CERT already exists.

    The CN *must* match an existing CSR generated by create_csr. If it
    does not, this method does nothing.

    ca_name
        name of the CA
    CN
        common name matching the certificate signing request
    days
        number of days certificate is valid, default is 365 (1 year)

    cacert_path
        absolute path to ca certificates root directory

    ca_filename
        alternative filename for the CA

        .. versionadded:: 2015.5.3


    cert_path
        full path to the certificates directory

    cert_filename
        alternative filename for the certificate, useful when using special
        characters in the CN. If this option is set it will override
        the certificate filename output effects of ``cert_type``.
        ``type_ext`` will be completely overridden.

        .. versionadded:: 2015.5.3


    digest
        The message digest algorithm. Must be a string describing a digest
        algorithm supported by OpenSSL (by EVP_get_digestbyname, specifically).
        For example, "md5" or "sha1". Default: 'sha256'
    replace
        Replace this certificate even if it exists

        .. versionadded:: 2015.5.1

    cert_type
        string. Either 'server' or 'client' (see create_csr() for details).

        If create_csr(type_ext=True) this function **must** be called with the
        same cert_type so it can find the CSR file.

    .. note::
        create_csr() defaults to cert_type='server'; therefore, if it was also
        called with type_ext, cert_type becomes a required argument for
        create_ca_signed_cert()

    type_ext
        bool. If set True, use ``cert_type`` as an extension to the CN when
        formatting the filename.

        e.g.: some_subject_CN_server.crt or some_subject_CN_client.crt

        This facilitates the context where both types are required for the same
        subject

        If ``cert_filename`` is `not None`, setting ``type_ext`` has no
        effect

    If the following values were set:

    .. code-block:: text

        ca.cert_base_path='/etc/pki'
        ca_name='koji'
        CN='test.egavas.org'

    the resulting signed certificate would be written in the following
    location:

    .. code-block:: text

        /etc/pki/koji/certs/test.egavas.org.crt

    CLI Example:

    .. code-block:: bash

        salt '*' tls.create_ca_signed_cert test localhost
    u{0}_ca_certu
{0}/{1}/certsu@type_ext = True but cert_type is unset. Certificate not written.u_{0}uu{0}{1}u{0}/{1}/certs/{2}.crtu/u Certificate "{0}" already existsRRku{0}/{1}/{2}.crtNu{0}/{1}/{2}.keyiuretcodeuThere is no CA named "{0}"ucommentu{0}/{1}.csru)There is no CSR that matches the CN "{0}"u|req.get_extensions() not supported in pyOpenSSL versions prior to 0.15. Processing extensions internally.  Your version: {0}u}X509 extensions are unsupported in pyOpenSSL versions prior to 0.14. Upgrade required to use extensions. Current version: {0}iiii<u{0}/{1}.crtuwb+u,Created Certificate for "{0}": "{1}/{2}.crt"(=RRRR
R�R)R-R.R#tseptsplitRrR$R%R0R1R\R]R^R_R`RctIOErrortload_certificate_requesttextendR�tAttributeErrorRbR	t_utiltlibtX509_REQ_get_extensionst_reqt_rangetsk_X509_EXTENSION_numR�t__new__tsk_X509_EXTENSION_valuet
_extensionR�RdR�R�tset_subjectRCR�R�RR�R:R�R�t
get_pubkeyR�R�R&RNR2R'R�RQ(R4RTRSRRkt	cert_pathRxR�R�R�R�R�R�R�tfhrtca_certR�R�R�textstnative_exts_objtiR�REtcert_full_pathR�((s4/usr/lib/python2.7/site-packages/salt/modules/tls.pytcreate_ca_signed_certs�e

	
				

		









uc
C@s&t|�|rBtjjdjt�||��rBdj|�SyUtjjj	djt�||���(}t
jjt
jj
|j��}WdQXWntk
r�dj|�SXy�tjjj	djt�||���(}t
jjt
jj
|j��}WdQXtjjj	djt�||���(}t
jjt
jj
|j��}WdQXWntk
rxdj|�SXt
jj�}	|	j|�|	j|g�|	j|�tjjj	djt�||�d	��/}
|
j|	jd
tjjj|���WdQXdj|t�||�S(u'
    Create a PKCS#12 browser certificate for a particular Certificate (CN)

    ca_name
        name of the CA
    CN
        common name matching the certificate signing request
    passphrase
        used to unlock the PKCS#12 certificate when loaded into the browser
    cacert_path
        absolute path to ca certificates root directory
    replace
        Replace this certificate even if it exists

        .. versionadded:: 2015.5.1

    If the following values were set::

        ca.cert_base_path='/etc/pki'
        ca_name='koji'
        CN='test.egavas.org'

    the resulting signed certificate would be written in the
    following location::

        /etc/pki/koji/certs/test.egavas.org.p12

    CLI Example:

    .. code-block:: bash

        salt '*' tls.create_pkcs12 test localhost
    u{0}/{1}/certs/{2}.p12u Certificate "{0}" already existsu{0}/{1}/{2}_ca_cert.crtNuThere is no CA named "{0}"u{0}/{1}/certs/{2}.crtu{0}/{1}/certs/{2}.keyu1There is no certificate that matches the CN "{0}"uwbt
passphraseu>Created PKCS#12 Certificate for "{0}": "{1}/{2}/certs/{3}.p12"(RR)R-R.RRR$R%R0R1R\R]R^R_R`R�RctPKCS12tset_certificatetset_ca_certificatestset_privatekeyR2texportR&R'(R4RTR�RR�R�R�RERptpkcs12R9((s4/usr/lib/python2.7/site-packages/salt/modules/tls.pyt
create_pkcs12s\"

		
				


	cC@s�d}d|kr?tjjj|��}|j�}WdQXntjjtjj|�}i}xx|j	�j
�D]d\}}t|t�r�tjj
j|�}nt|t�r�tjj
j|�}n|||<qsWi}xx|j�j
�D]d\}}t|t�r'tjj
j|�}nt|t�rNtjj
j|�}n|||<q�Witjj
j|jtjj
j|���d6|d6|d6|j�d6tjtjt|j�jt��|��d6tjtj|j�jt�|��d	6}t|d
�r�i|d<x|t|j��D]e}	yH|j|	�}
tjj
j|
j ��}t|
�j!�|d|<Wq3t"k
r�q3q3Xq3Wnd|j#di�kr^d}t$�}x�t|dd�j%d�D]c}
|
j%dd�\}}
||kr:t&j'dj(|d|
dj)|���q�|j*|
�q�Wt+|�|d<nt|d�r�yA|j,�}t|t�r�tjj
j|�}n||d<Wq�t"k
r�q�Xn|S(u:
    Return information for a particular certificate

    cert
        path to the certifiate PEM file or string

        .. versionchanged:: 2018.3.4

    digest
        what digest to use for fingerprinting

    CLI Example:

    .. code-block:: bash

        salt '*' tls.cert_info /dir/for/certs/cert.pem

    u
%Y%m%d%H%M%SZu
-----BEGINNufingerprintusubjectuissueru
serial_numberu
not_beforeu	not_afteruget_extension_countu
extensionsusubjectAltNameuDNSu
IP Addressu, u:iu9Cert {0} has an entry ({1}) which does not start with {2}u/usubject_alt_namesuget_signature_algorithmusignature_algorithm(uDNSu
IP Address(-R$R%R0R1R`R\R]R^R_t
get_issuerRDR}tbytesR&RuRCR�RNRBtcalendarttimegmRReR3t
get_notBeforetdecodet__salt_system_encoding__RfR�R�tget_extension_countt
get_extensiontget_short_nameR�R�RtsetR�R
R�RR#taddtlisttget_signature_algorithm(RER�tdate_fmtt	cert_fileR�RpR�RJR�R�R�t
valid_entriestvalid_namestnametentry((s4/usr/lib/python2.7/site-packages/salt/modules/tls.pyt	cert_infodsz			"



	$ 
c
	C@s�t|�|s"dj|�}n|s@djt�|�}ntjjdj|��rhdj|�Sy�tjjj	djt
�||���(}tjj
tjj|j��}WdQXtjjj	djt
�||���(}tjjtjj|j��}WdQXWntk
r+dj|�SXtjj�}|j||�}tjjj	|d	��#}	|	jtjjj|��WdQXd
j|�S(u
    Create an empty Certificate Revocation List.

    .. versionadded:: 2015.8.0

    ca_name
        name of the CA
    cacert_path
        absolute path to ca certificates root directory
    ca_filename
        alternative filename for the CA

        .. versionadded:: 2015.5.3

    crl_file
        full path to the CRL file

    CLI Example:

    .. code-block:: bash

        salt '*' tls.create_empty_crl ca_name='koji'                 ca_filename='ca'                 crl_file='/etc/openvpn/team1/crl.pem'
    u{0}_ca_certu{0}/{1}/crl.pemu{0}uCRL "{0}" already existsu{0}/{1}/{2}.crtNu{0}/{1}/{2}.keyuThere is no CA named "{0}"uwuCreated an empty CRL: "{0}"(RRRR)R-R.R$R%R0R1RR\R]R^R_R`RcR�tCRLR�R2R&RN(
R4RRktcrl_filetfp_R�R�tcrltcrl_texttf((s4/usr/lib/python2.7/site-packages/salt/modules/tls.pytcreate_empty_crl�s>

				
"c
C@svt|�djt�|�}|dkr=dj|�}n|dkradjt�|�}n|dkrdj|�}ny�tjjjdjt�||���(}t	j
jt	j
j|j
��}	WdQXtjjjdjt�||���(}t	j
jt	j
j|j
��}
WdQXWntk
rBdj|�SXtd	j||��}|dkrtd
j|�St|||�\}}
}}dj||�}dj|
|�}tjd
|
dtj|��}dj|
ttj��|�}i}tjjj|���}x�|D]�}tjjj|�}|j|�r�|jd�d}y'tj|t�dj|||�SWq�tk
r�d|d<dj|t�|d<|SXq ||kr td|||dt �Pq q WWdQXt	j
j!�}tjjj|���}x�|D]�}tjjj|�}|j"d�r|jd�}t	j
j#�}|j$|d�tj|dt�}|j%|j&t'��|j(|�qqWWdQX|j)|	|
�}|dkr�djt�|�}nt*j+j,|�r&d|d<dj|�|d<|Stjjj|d��#}|j-tjjj.|��WdQXdj|||�S(u�
    Revoke a certificate.

    .. versionadded:: 2015.8.0

    ca_name
        Name of the CA.

    CN
        Common name matching the certificate signing request.

    cacert_path
        Absolute path to ca certificates root directory.

    ca_filename
        Alternative filename for the CA.

    cert_path
        Path to the cert file.

    cert_filename
        Alternative filename for the certificate, useful when using special
        characters in the CN.

    crl_file
        Full path to the CRL file.

    CLI Example:

    .. code-block:: bash

        salt '*' tls.revoke_cert ca_name='koji'                 ca_filename='ca'                 crl_file='/etc/openvpn/team1/crl.pem'

    u{0}/{1}u{0}_ca_certu
{0}/{1}/certsu{0}u{0}/{1}/{2}.crtNu{0}/{1}/{2}.keyuThere is no CA named "{0}"u{0}/{1}.crtu*There is no client certificate named "{0}"u{0}	unknown	{1}u
V	{0}		{1}uR\tu\t\d{12}Z\tu
R	{0}	{1}	{2}u	iu5"{0}/{1}.crt" was already revoked, serial number: {2}iuretcodeu0Revocation date '{0}' does not matchformat '{1}'ucommentufile.replacetbackupuRiu{0}/{1}/crl.pemu'crl_file "{0}" is an existing directoryuwu6Revoked Certificate: "{0}/{1}.crt", serial number: {2}(/RRRR?RR$R%R0R1R\R]R^R_R`RcR�R@RMtretcompiletescapeR>RRgR&RutmatchR�ReR<RhRRRt
startswithtRevokedt
set_serialtset_rev_dateR;R�tadd_revokedR�R)R-tisdirR2RN(R4RTRRkR�RxRRFR	R�R�tclient_certRGRHRIRJtindex_serial_subjecttindex_v_datatindex_r_data_patterntindex_r_dataR�tlinetrevoke_dateR
tfieldstrevokedtrevoke_date_2_digitR((s4/usr/lib/python2.7/site-packages/salt/modules/tls.pytrevoke_certs�-
				

			





	


"u__main__ukojiRTutest_systemRURVRWuCentervilleRXRYRZutest_system@saltstack.orgR�utest(Ft__doc__t
__future__RRRR)RRR�tloggingRR!Rtsalt.utils.dataR$tsalt.utils.filestsalt.utils.stringutilstsalt.exceptionsRtsalt.utils.versionsRR
tsalt.extRtsalt.ext.six.movesRR�RRRRR\t__dict__RR	tImportErrort	getLoggert__name__R
R<R�RRR?RRRR:R>RMRQRrRsRtRwRyR|R@RAR�R�RjR�R�R�R�R�RR
R#(((s4/usr/lib/python2.7/site-packages/salt/modules/tls.pyt<module>es
		
		%	D# *-			�	[���`cI�


Zerion Mini Shell 1.0