Fixed certificates CN

39926c6c · Guillaume Bury · 8e0a7ede · 39926c6c · 39926c6c · 39926c6c
Commit 39926c6c authored Jul 16, 2012 by Guillaume Bury
Hide whitespace changes
Inline Side-by-side

Showing with 32 additions and 16 deletions

openvpn.py openvpn.py +0 -1

registry.py registry.py +5 -2

server/ca.crt server/ca.crt +17 -8

setup.py setup.py +5 -2

vifibnet.py vifibnet.py +5 -3

No files found.
--- a/openvpn.py
+++ b/openvpn.py
@@ -28,7 +28,6 @@ def server(ip, pipe_fd, *args, **kw):
    return openvpn(
        '--tls-server',
        '--mode', 'server',
-        '--duplicate-cn', # XXX : to be removed
        '--up', 'up-server %s/%u' % (ip, len(config.vifibnet)),
        '--client-connect', 'client-connect ' + str(pipe_fd),
        '--client-disconnect', 'client-connect ' + str(pipe_fd),

--- a/registry.py
+++ b/registry.py
@@ -6,6 +6,9 @@ from SimpleXMLRPCServer import SimpleXMLRPCServer, SimpleXMLRPCRequestHandler
 from OpenSSL import crypto
 import traceback

+# To generate server ca and key with correct serial
+# openssl req -nodes -new -x509 -key ca.key -set_serial 0x120010db80042 -days 365 -out ca.crt
+
 IPV6_V6ONLY = 26
 SOL_IPV6 = 41

@@ -148,7 +151,7 @@ class main(object):
            cert.gmtime_adj_notAfter(self.cert_duration)
            cert.set_issuer(self.ca.get_subject())
            subject = req.get_subject()
-            subject.serialNumber = "%u/%u" % (int(prefix, 2), prefix_len)
+            subject.CN = "%u/%u" % (int(prefix, 2), prefix_len)
            cert.set_subject(subject)
            cert.set_pubkey(req.get_pubkey())
            cert.sign(self.key, 'sha1')
@@ -181,7 +184,7 @@ class main(object):
        if client_ip.startswith(self.network):
            prefix = client_ip[len(self.network):]
            prefix, = self.db.execute("SELECT prefix FROM vifib WHERE prefix <= ? ORDER BY prefix DESC LIMIT 1", (prefix,)).next()
-            self.db.execute("INSERT OR REPLACE INTO peers VALUES (?,?,?,?)", (prefix, ip, port, proto))
+            self.db.execute("INSERT OR REPLACE INTO peers (prefix, ip, port, proto) VALUES (?,?,?,?)", (prefix, ip, port, proto))
            return True
        else:
            # TODO: use log + DO NOT PRINT BINARY IP

--- a/server/ca.crt
+++ b/server/ca.crt
 -----BEGIN CERTIFICATE-----
-MIIBejBkAgcBIAENuABCMA0GCSqGSIb3DQEBBQUAMAAwHhcNMTIwNzEyMTE1OTQz
-WhcNMTMwNzA0MjEyOTQ4WjAeMQswCQYDVQQGEwJGUjEPMA0GA1UEChMGVlBOIEFD
-MAgwAwYBAAMBADANBgkqhkiG9w0BAQUFAAOCAQEAFYuU4QGUcs60LlThDqQhhyN8
-ZFAaHcPROkUkHE5HNqQ1kOjApzneA7lcEV2gO6vO0qmHW5aBfUYQKGxosqiiCtaT
-SD6IltD7qMxx0dtXH0W/SSo7d0JifnZh15isjHi0jEv5Cq3NOKlX0115+HrS/uS2
-scI1ujV9PHUUJiwigb2AZ7gHZP/Ug54yYY+w6Ail85CmZ6txmZvC16obqeRmRZyv
-g7fvNEg9dmuG8Lj/eXZZTZlrRA5jv2NdWjFl09469t3rGFDFFLop+76H10qR3U/F
-Fn8h12o4qLJhIaDV0vRZh9/tg18N0BrBTkX4BET5AD3mqZ6w8xkrs4pVqHM9/A==
+MIIDDTCCAfWgAwIBAgIHASABDbgAQjANBgkqhkiG9w0BAQUFADAeMQswCQYDVQQG
+EwJGUjEPMA0GA1UEAwwGVlBOIENBMB4XDTEyMDcxNjExNTMwNVoXDTEzMDcxNjEx
+NTMwNVowHjELMAkGA1UEBhMCRlIxDzANBgNVBAMMBlZQTiBDQTCCASIwDQYJKoZI
+hvcNAQEBBQADggEPADCCAQoCggEBALMp1ojWB123yI3kxM0x75sq5W3QJ+rfg5SH
+TLvc1CbUeNQwMeJT/l2OQG7D5jyrw4wjAK43w+DKnoJ8WK8sfdrjZ5uDEmfaR9Tv
+TvyCJsIS4g9YP0ZdCNKA/7swlW/erbiDhhlOxrqUonxjU58/aLa41He/v/cEEiyh
+vymJqXaRsuDP3ov5zMOM85WxX5Uf3UySrqQ7uN82k2gEdVJfORClW6nGLzrAQUiu
+TOUBhlGZjR9FymuGi8jWIMul2wmxj/LI+B9c0mT3GFOU9Sg3HIfQQ+Ea/QoCslmT
+CXN0OPlFVhhwtMSB7fviCvUQgzLN7H+Q3nLVqza1f2XBdNE5zmkCAwEAAaNQME4w
+HQYDVR0OBBYEFKAM2cc4IXnFIZuYD1IK6MItGzSdMB8GA1UdIwQYMBaAFKAM2cc4
+IXnFIZuYD1IK6MItGzSdMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEB
+AFIqN4FoxebGAd2f60J9s60a7IExmrrGOCEL+x74XCV+4QBI4UQ27KYzGltXgBO6
+eyY2urg2b8MyCjU/U/N5iK6QhzIUw9oGY927V/6WxlMX/DzKAx9VQg2oIxDrj+tA
+TpUw9MxlhL/VBJDxuJe6tjM0zdevTVeDgQAJa0UGMTqfMDFjN53WY+ZUyI/0TXwg
+tDmEguWFuE/1O1lzZIq9Bv+5lsIsXynzshDLX8t5VGHrPQ8kBs6v7wTLfdtJyDZz
+/jLm5Us3/tUB71aMUa3+7bJEFdqtdasbhBAJAgI4hKszmZfsI9H4NHKWQ51cQKNh
+P7R0fzBg1J/ueLW5vuPCkXE=
 -----END CERTIFICATE-----
--- a/setup.py
+++ b/setup.py
@@ -10,6 +10,8 @@ def main():
            help='To only get CA form server')
    _('--db-only', action='store_true',
            help='To only get CA and setup peer db with bootstrap peer')
+    _('--no-boot', action='store_true',
+            help='Enable to skip getting bootstrap peer')
    _('--server', required=True,
            help='Address of the server delivering certifiactes')
    _('--port', required=True, type=int,
@@ -36,7 +38,6 @@ def main():
        sys.exit(0)

    # Create and initialize peers DB
-    boot_ip, boot_port, boot_proto = s.getBootstrapPeer()
    db = sqlite3.connect(os.path.join(config.dir, 'peers.db'), isolation_level=None)
    try:
        db.execute("""CREATE TABLE peers (
@@ -48,7 +49,9 @@ def main():
                   date INTEGER DEFAULT (strftime('%s', 'now')))""")
        db.execute("CREATE INDEX _peers_used ON peers(used)")
        db.execute("CREATE UNIQUE INDEX _peers_address ON peers(ip, port, proto)")
-        db.execute("INSERT INTO peers (ip, port, proto) VALUES (?,?,?)", (boot_ip, boot_port, boot_proto))
+        if not config.no_boot:
+            boot_ip, boot_port, boot_proto = s.getBootstrapPeer()
+            db.execute("INSERT INTO peers (ip, port, proto) VALUES (?,?,?)", (boot_ip, boot_port, boot_proto))
    except sqlite3.OperationalError, e:
        if e.args[0] == 'table peers already exists':
            print "Table peers already exists, leaving it as it is"

--- a/vifibnet.py
+++ b/vifibnet.py
@@ -124,17 +124,20 @@ def getConfig():
            help="Common OpenVPN options (e.g. certificates)")
    openvpn.config = config = parser.parse_args()
    log.verbose = config.verbose
+
    # Get network prefix from ca.crt
    with open(config.ca, 'r') as f:
        ca = crypto.load_certificate(crypto.FILETYPE_PEM, f.read())
        config.vifibnet = bin(ca.get_serial_number())[3:]
+
    # Get ip from cert.crt
    with open(config.cert, 'r') as f:
        cert = crypto.load_certificate(crypto.FILETYPE_PEM, f.read())
        subject = cert.get_subject()
-        prefix, prefix_len = subject.serialNumber.split('/')
+        prefix, prefix_len = subject.CN.split('/')
        config.internal_ip = ipFromPrefix(prefix, int(prefix_len))
        log.log('Intranet ip : %s' % (config.internal_ip,), 3)
+
    # Treat openvpn arguments
    if config.openvpn_args[0] == "--":
        del config.openvpn_args[0]
@@ -234,8 +237,6 @@ def main():
            stdout=os.open(os.path.join(config.log, 'vifibnet.server.log'), os.O_WRONLY | os.O_CREAT | os.O_TRUNC))
    startNewConnection(config.client_count, write_pipe)

-    peers_db.populate(10)
-
    # Timed refresh initializing
    next_refresh = time.time() + config.refresh_time

@@ -248,6 +249,7 @@ def main():
            if ready:
                handle_message(read_pipe.readline())
            if time.time() >= next_refresh:
+                peers_db.populate(10)
                refreshConnections(write_pipe)
                next_refresh = time.time() + config.refresh_time
    except KeyboardInterrupt: