golden hour
/opt/saltstack/salt/lib/python3.10/site-packages/salt/modules
⬆️ Go Up
Upload
File/Folder
Size
Actions
__init__.py
35 B
Del
OK
__pycache__
-
Del
OK
acme.py
12.74 KB
Del
OK
aix_group.py
4.12 KB
Del
OK
aix_shadow.py
1.93 KB
Del
OK
aixpkg.py
24.15 KB
Del
OK
aliases.py
5.07 KB
Del
OK
alternatives.py
5.71 KB
Del
OK
ansiblegate.py
19.51 KB
Del
OK
apache.py
12.47 KB
Del
OK
apcups.py
2.15 KB
Del
OK
apf.py
3.09 KB
Del
OK
apkpkg.py
16 KB
Del
OK
aptly.py
15.28 KB
Del
OK
aptpkg.py
116.64 KB
Del
OK
archive.py
48.63 KB
Del
OK
arista_pyeapi.py
22.06 KB
Del
OK
artifactory.py
24.78 KB
Del
OK
at.py
10.72 KB
Del
OK
at_solaris.py
8.51 KB
Del
OK
augeas_cfg.py
13.93 KB
Del
OK
aws_sqs.py
6.55 KB
Del
OK
azurearm_compute.py
20.8 KB
Del
OK
azurearm_dns.py
15.8 KB
Del
OK
azurearm_network.py
82.99 KB
Del
OK
azurearm_resource.py
35.75 KB
Del
OK
bamboohr.py
7.36 KB
Del
OK
baredoc.py
11.13 KB
Del
OK
bcache.py
28.97 KB
Del
OK
beacons.py
27.82 KB
Del
OK
bigip.py
69.11 KB
Del
OK
bluez_bluetooth.py
6.76 KB
Del
OK
boto3_elasticache.py
37.34 KB
Del
OK
boto3_elasticsearch.py
53.17 KB
Del
OK
boto3_route53.py
39.82 KB
Del
OK
boto3_sns.py
12.93 KB
Del
OK
boto_apigateway.py
61.86 KB
Del
OK
boto_asg.py
35.69 KB
Del
OK
boto_cfn.py
7.95 KB
Del
OK
boto_cloudfront.py
12.75 KB
Del
OK
boto_cloudtrail.py
14.45 KB
Del
OK
boto_cloudwatch.py
10.99 KB
Del
OK
boto_cloudwatch_event.py
9.48 KB
Del
OK
boto_cognitoidentity.py
14.63 KB
Del
OK
boto_datapipeline.py
6.94 KB
Del
OK
boto_dynamodb.py
14.98 KB
Del
OK
boto_ec2.py
79.27 KB
Del
OK
boto_efs.py
14.05 KB
Del
OK
boto_elasticache.py
23.69 KB
Del
OK
boto_elasticsearch_domain.py
15.85 KB
Del
OK
boto_elb.py
35.53 KB
Del
OK
boto_elbv2.py
10.78 KB
Del
OK
boto_iam.py
75.62 KB
Del
OK
boto_iot.py
26.2 KB
Del
OK
boto_kinesis.py
19.62 KB
Del
OK
boto_kms.py
17.29 KB
Del
OK
boto_lambda.py
35.05 KB
Del
OK
boto_rds.py
34.92 KB
Del
OK
boto_route53.py
32.55 KB
Del
OK
boto_s3.py
4.24 KB
Del
OK
boto_s3_bucket.py
31.8 KB
Del
OK
boto_secgroup.py
25.22 KB
Del
OK
boto_sns.py
7.22 KB
Del
OK
boto_sqs.py
6.43 KB
Del
OK
boto_ssm.py
3.63 KB
Del
OK
boto_vpc.py
113.08 KB
Del
OK
bower.py
5.85 KB
Del
OK
bridge.py
10.81 KB
Del
OK
bsd_shadow.py
6.25 KB
Del
OK
btrfs.py
33.66 KB
Del
OK
cabal.py
3.79 KB
Del
OK
capirca_acl.py
40.04 KB
Del
OK
cassandra_cql.py
54.16 KB
Del
OK
cassandra_mod.py
4.3 KB
Del
OK
celery.py
3.33 KB
Del
OK
ceph.py
15.82 KB
Del
OK
chassis.py
1.52 KB
Del
OK
chef.py
4.66 KB
Del
OK
chocolatey.py
41.55 KB
Del
OK
chronos.py
2.89 KB
Del
OK
chroot.py
11.73 KB
Del
OK
cimc.py
23.02 KB
Del
OK
ciscoconfparse_mod.py
14.79 KB
Del
OK
cisconso.py
3.83 KB
Del
OK
cloud.py
9.39 KB
Del
OK
cmdmod.py
163.73 KB
Del
OK
composer.py
10.31 KB
Del
OK
config.py
16.98 KB
Del
OK
consul.py
69.3 KB
Del
OK
container_resource.py
12.94 KB
Del
OK
cp.py
31.98 KB
Del
OK
cpan.py
5.54 KB
Del
OK
cron.py
28.09 KB
Del
OK
cryptdev.py
10.08 KB
Del
OK
csf.py
16.04 KB
Del
OK
cyg.py
8.32 KB
Del
OK
daemontools.py
5.41 KB
Del
OK
data.py
3.85 KB
Del
OK
datadog_api.py
7.76 KB
Del
OK
ddns.py
7.12 KB
Del
OK
deb_apache.py
7.41 KB
Del
OK
deb_postgres.py
4.18 KB
Del
OK
debconfmod.py
4.06 KB
Del
OK
debian_ip.py
64.91 KB
Del
OK
debian_service.py
6.55 KB
Del
OK
debuild_pkgbuild.py
34.68 KB
Del
OK
defaults.py
6.55 KB
Del
OK
devinfo.py
9.07 KB
Del
OK
devmap.py
627 B
Del
OK
dig.py
8.75 KB
Del
OK
disk.py
30.82 KB
Del
OK
djangomod.py
7.53 KB
Del
OK
dnsmasq.py
5.71 KB
Del
OK
dnsutil.py
11.51 KB
Del
OK
dockercompose.py
32.62 KB
Del
OK
dockermod.py
224.85 KB
Del
OK
dpkg_lowpkg.py
12.94 KB
Del
OK
drac.py
10.97 KB
Del
OK
dracr.py
38.53 KB
Del
OK
drbd.py
7.19 KB
Del
OK
dummyproxy_pkg.py
2.46 KB
Del
OK
dummyproxy_service.py
2.91 KB
Del
OK
ebuildpkg.py
38.74 KB
Del
OK
eix.py
1.58 KB
Del
OK
elasticsearch.py
51.44 KB
Del
OK
environ.py
8.96 KB
Del
OK
eselect.py
4.99 KB
Del
OK
esxcluster.py
1.66 KB
Del
OK
esxdatacenter.py
1.68 KB
Del
OK
esxi.py
2.79 KB
Del
OK
esxvm.py
1.63 KB
Del
OK
etcd_mod.py
8.56 KB
Del
OK
ethtool.py
11.12 KB
Del
OK
event.py
7.67 KB
Del
OK
extfs.py
8.78 KB
Del
OK
file.py
232.18 KB
Del
OK
firewalld.py
20.51 KB
Del
OK
freebsd_sysctl.py
4.99 KB
Del
OK
freebsd_update.py
6.19 KB
Del
OK
freebsdjail.py
7.16 KB
Del
OK
freebsdkmod.py
6.17 KB
Del
OK
freebsdpkg.py
17.04 KB
Del
OK
freebsdports.py
13.13 KB
Del
OK
freebsdservice.py
12.53 KB
Del
OK
freezer.py
10.2 KB
Del
OK
gcp_addon.py
4.07 KB
Del
OK
gem.py
10.6 KB
Del
OK
genesis.py
21.75 KB
Del
OK
gentoo_service.py
9.18 KB
Del
OK
gentoolkitmod.py
8.39 KB
Del
OK
git.py
172.01 KB
Del
OK
github.py
53.19 KB
Del
OK
glanceng.py
4.69 KB
Del
OK
glassfish.py
19.49 KB
Del
OK
glusterfs.py
19.55 KB
Del
OK
gnomedesktop.py
6.85 KB
Del
OK
google_chat.py
1.52 KB
Del
OK
gpg.py
39.09 KB
Del
OK
grafana4.py
30.27 KB
Del
OK
grains.py
21.81 KB
Del
OK
groupadd.py
11.87 KB
Del
OK
grub_legacy.py
3.08 KB
Del
OK
guestfs.py
2.37 KB
Del
OK
hadoop.py
3.76 KB
Del
OK
haproxyconn.py
10.17 KB
Del
OK
hashutil.py
6.77 KB
Del
OK
heat.py
25.25 KB
Del
OK
helm.py
39.27 KB
Del
OK
hg.py
7.16 KB
Del
OK
highstate_doc.py
22.76 KB
Del
OK
hosts.py
10.47 KB
Del
OK
http.py
3.76 KB
Del
OK
icinga2.py
4.46 KB
Del
OK
idem.py
1.75 KB
Del
OK
ifttt.py
2.28 KB
Del
OK
ilo.py
15.98 KB
Del
OK
incron.py
7.68 KB
Del
OK
influxdb08mod.py
15.07 KB
Del
OK
influxdbmod.py
16.13 KB
Del
OK
infoblox.py
17.53 KB
Del
OK
ini_manage.py
14.63 KB
Del
OK
inspectlib
-
Del
OK
inspector.py
8.19 KB
Del
OK
introspect.py
4.02 KB
Del
OK
iosconfig.py
14.78 KB
Del
OK
ipmi.py
25.47 KB
Del
OK
ipset.py
17.97 KB
Del
OK
iptables.py
57.44 KB
Del
OK
iwtools.py
3.99 KB
Del
OK
jboss7.py
20.51 KB
Del
OK
jboss7_cli.py
15.23 KB
Del
OK
jenkinsmod.py
11.9 KB
Del
OK
jinja.py
2.66 KB
Del
OK
jira_mod.py
7.07 KB
Del
OK
junos.py
73.96 KB
Del
OK
k8s.py
24.87 KB
Del
OK
kapacitor.py
5.37 KB
Del
OK
kerberos.py
5.42 KB
Del
OK
kernelpkg_linux_apt.py
6.71 KB
Del
OK
kernelpkg_linux_yum.py
7.26 KB
Del
OK
key.py
1007 B
Del
OK
keyboard.py
2.64 KB
Del
OK
keystone.py
43.14 KB
Del
OK
keystoneng.py
21.82 KB
Del
OK
keystore.py
7.18 KB
Del
OK
kmod.py
7.65 KB
Del
OK
kubeadm.py
34.64 KB
Del
OK
kubernetesmod.py
46.77 KB
Del
OK
launchctl_service.py
9.69 KB
Del
OK
layman.py
4.22 KB
Del
OK
ldap3.py
18.81 KB
Del
OK
ldapmod.py
5.9 KB
Del
OK
libcloud_compute.py
23.48 KB
Del
OK
libcloud_dns.py
9.73 KB
Del
OK
libcloud_loadbalancer.py
13.14 KB
Del
OK
libcloud_storage.py
12.16 KB
Del
OK
linux_acl.py
7.7 KB
Del
OK
linux_ip.py
5.55 KB
Del
OK
linux_lvm.py
17.86 KB
Del
OK
linux_service.py
4.64 KB
Del
OK
linux_shadow.py
12.96 KB
Del
OK
linux_sysctl.py
7.5 KB
Del
OK
localemod.py
11.84 KB
Del
OK
locate.py
2.58 KB
Del
OK
logadm.py
9.44 KB
Del
OK
logmod.py
1.25 KB
Del
OK
logrotate.py
7.72 KB
Del
OK
lvs.py
11.54 KB
Del
OK
lxc.py
147.27 KB
Del
OK
lxd.py
90.07 KB
Del
OK
mac_assistive.py
11.37 KB
Del
OK
mac_brew_pkg.py
19.91 KB
Del
OK
mac_desktop.py
2.77 KB
Del
OK
mac_group.py
6.62 KB
Del
OK
mac_keychain.py
6.39 KB
Del
OK
mac_pkgutil.py
2.84 KB
Del
OK
mac_portspkg.py
11.36 KB
Del
OK
mac_power.py
13.29 KB
Del
OK
mac_service.py
19.64 KB
Del
OK
mac_shadow.py
14.23 KB
Del
OK
mac_softwareupdate.py
14.52 KB
Del
OK
mac_sysctl.py
5.13 KB
Del
OK
mac_system.py
15.07 KB
Del
OK
mac_timezone.py
8.34 KB
Del
OK
mac_user.py
16.41 KB
Del
OK
mac_xattr.py
6.27 KB
Del
OK
macdefaults.py
2.33 KB
Del
OK
macpackage.py
6.66 KB
Del
OK
makeconf.py
17.31 KB
Del
OK
mandrill.py
6.31 KB
Del
OK
marathon.py
5.36 KB
Del
OK
match.py
13 KB
Del
OK
mattermost.py
3.4 KB
Del
OK
mdadm_raid.py
9.86 KB
Del
OK
mdata.py
3.38 KB
Del
OK
memcached.py
6.13 KB
Del
OK
mine.py
18.84 KB
Del
OK
minion.py
7.68 KB
Del
OK
mod_random.py
7.18 KB
Del
OK
modjk.py
12.48 KB
Del
OK
mongodb.py
29.75 KB
Del
OK
monit.py
5.51 KB
Del
OK
moosefs.py
3.87 KB
Del
OK
mount.py
58.44 KB
Del
OK
mssql.py
14.64 KB
Del
OK
msteams.py
2.11 KB
Del
OK
munin.py
2.4 KB
Del
OK
mysql.py
90.66 KB
Del
OK
nacl.py
9.72 KB
Del
OK
nagios.py
6.53 KB
Del
OK
nagios_rpc.py
5.09 KB
Del
OK
namecheap_domains.py
12.84 KB
Del
OK
namecheap_domains_dns.py
5.93 KB
Del
OK
namecheap_domains_ns.py
4.51 KB
Del
OK
namecheap_ssl.py
25.69 KB
Del
OK
namecheap_users.py
2.4 KB
Del
OK
napalm_bgp.py
9.72 KB
Del
OK
napalm_formula.py
11.33 KB
Del
OK
napalm_mod.py
61.37 KB
Del
OK
napalm_netacl.py
28.59 KB
Del
OK
napalm_network.py
93.22 KB
Del
OK
napalm_ntp.py
10.22 KB
Del
OK
napalm_probes.py
13.25 KB
Del
OK
napalm_route.py
5.09 KB
Del
OK
napalm_snmp.py
7.05 KB
Del
OK
napalm_users.py
6.49 KB
Del
OK
napalm_yang_mod.py
20.28 KB
Del
OK
netaddress.py
1.6 KB
Del
OK
netbox.py
32.22 KB
Del
OK
netbsd_sysctl.py
3.92 KB
Del
OK
netbsdservice.py
6.43 KB
Del
OK
netmiko_mod.py
19.61 KB
Del
OK
netscaler.py
27.02 KB
Del
OK
network.py
63.42 KB
Del
OK
neutron.py
44.92 KB
Del
OK
neutronng.py
15.02 KB
Del
OK
nexus.py
22.95 KB
Del
OK
nfs3.py
3.9 KB
Del
OK
nftables.py
33.58 KB
Del
OK
nginx.py
3.83 KB
Del
OK
nilrt_ip.py
36.18 KB
Del
OK
nix.py
8.03 KB
Del
OK
nova.py
19.6 KB
Del
OK
npm.py
10.4 KB
Del
OK
nspawn.py
41.35 KB
Del
OK
nxos.py
24.65 KB
Del
OK
nxos_api.py
14.72 KB
Del
OK
nxos_upgrade.py
14.74 KB
Del
OK
omapi.py
3.6 KB
Del
OK
openbsd_sysctl.py
3.74 KB
Del
OK
openbsdpkg.py
10.97 KB
Del
OK
openbsdrcctl_service.py
6.33 KB
Del
OK
openbsdservice.py
8.31 KB
Del
OK
openscap.py
2.81 KB
Del
OK
openstack_config.py
3.21 KB
Del
OK
openstack_mng.py
2.71 KB
Del
OK
openvswitch.py
17.19 KB
Del
OK
opkg.py
49.67 KB
Del
OK
opsgenie.py
3.29 KB
Del
OK
oracle.py
5.82 KB
Del
OK
osquery.py
24.93 KB
Del
OK
out.py
2.53 KB
Del
OK
pacmanpkg.py
31.92 KB
Del
OK
pagerduty.py
4.7 KB
Del
OK
pagerduty_util.py
13.48 KB
Del
OK
pam.py
2.01 KB
Del
OK
panos.py
61.05 KB
Del
OK
parallels.py
19.85 KB
Del
OK
parted_partition.py
21.53 KB
Del
OK
pcs.py
14.11 KB
Del
OK
pdbedit.py
10.79 KB
Del
OK
pecl.py
3.79 KB
Del
OK
peeringdb.py
8.39 KB
Del
OK
pf.py
9.51 KB
Del
OK
philips_hue.py
1.55 KB
Del
OK
pillar.py
21.37 KB
Del
OK
pip.py
53.42 KB
Del
OK
pkg_resource.py
12.3 KB
Del
OK
pkgin.py
17.29 KB
Del
OK
pkgng.py
61.07 KB
Del
OK
pkgutil.py
9.85 KB
Del
OK
portage_config.py
22.73 KB
Del
OK
postfix.py
16.24 KB
Del
OK
postgres.py
88.24 KB
Del
OK
poudriere.py
7.85 KB
Del
OK
powerpath.py
2.57 KB
Del
OK
proxy.py
11.49 KB
Del
OK
ps.py
20.89 KB
Del
OK
publish.py
10.25 KB
Del
OK
puppet.py
10.9 KB
Del
OK
purefa.py
33.59 KB
Del
OK
purefb.py
13.69 KB
Del
OK
pushbullet.py
1.88 KB
Del
OK
pushover_notify.py
3.48 KB
Del
OK
pw_group.py
4.62 KB
Del
OK
pw_user.py
12.47 KB
Del
OK
pyenv.py
6.93 KB
Del
OK
qemu_img.py
1.53 KB
Del
OK
qemu_nbd.py
3.28 KB
Del
OK
quota.py
6.43 KB
Del
OK
rabbitmq.py
38.4 KB
Del
OK
rallydev.py
6.09 KB
Del
OK
random_org.py
23.76 KB
Del
OK
rbac_solaris.py
16.05 KB
Del
OK
rbenv.py
10.75 KB
Del
OK
rdp.py
6.08 KB
Del
OK
rebootmgr.py
7.68 KB
Del
OK
redismod.py
16.36 KB
Del
OK
reg.py
16.36 KB
Del
OK
rest_pkg.py
2.26 KB
Del
OK
rest_sample_utils.py
558 B
Del
OK
rest_service.py
3.63 KB
Del
OK
restartcheck.py
24.1 KB
Del
OK
restconf.py
3.15 KB
Del
OK
ret.py
1.27 KB
Del
OK
rh_ip.py
38.55 KB
Del
OK
rh_service.py
16.61 KB
Del
OK
riak.py
5.19 KB
Del
OK
rpm_lowpkg.py
27.67 KB
Del
OK
rpmbuild_pkgbuild.py
24.53 KB
Del
OK
rsync.py
8.04 KB
Del
OK
runit.py
17.17 KB
Del
OK
rvm.py
11.1 KB
Del
OK
s3.py
9.93 KB
Del
OK
s6.py
3.62 KB
Del
OK
salt_proxy.py
4.48 KB
Del
OK
salt_version.py
4.58 KB
Del
OK
saltcheck.py
46.66 KB
Del
OK
saltcloudmod.py
954 B
Del
OK
saltutil.py
57.49 KB
Del
OK
schedule.py
50.81 KB
Del
OK
scp_mod.py
6.22 KB
Del
OK
scsi.py
2.66 KB
Del
OK
sdb.py
2.48 KB
Del
OK
seed.py
8.87 KB
Del
OK
selinux.py
24.2 KB
Del
OK
sensehat.py
7.79 KB
Del
OK
sensors.py
1.3 KB
Del
OK
serverdensity_device.py
8.1 KB
Del
OK
servicenow.py
4.36 KB
Del
OK
slack_notify.py
7.83 KB
Del
OK
slackware_service.py
6.84 KB
Del
OK
slsutil.py
19.04 KB
Del
OK
smartos_imgadm.py
12.04 KB
Del
OK
smartos_nictagadm.py
6.46 KB
Del
OK
smartos_virt.py
5.21 KB
Del
OK
smartos_vmadm.py
26.2 KB
Del
OK
smbios.py
10.05 KB
Del
OK
smf_service.py
8.52 KB
Del
OK
smtp.py
5.41 KB
Del
OK
snapper.py
27.14 KB
Del
OK
solaris_fmadm.py
11.2 KB
Del
OK
solaris_group.py
2.8 KB
Del
OK
solaris_shadow.py
7.98 KB
Del
OK
solaris_system.py
3.72 KB
Del
OK
solaris_user.py
11.06 KB
Del
OK
solarisipspkg.py
18.68 KB
Del
OK
solarispkg.py
15.4 KB
Del
OK
solr.py
45.54 KB
Del
OK
solrcloud.py
14.63 KB
Del
OK
splunk.py
8.14 KB
Del
OK
splunk_search.py
8.76 KB
Del
OK
sqlite3.py
2.54 KB
Del
OK
ssh.py
43.89 KB
Del
OK
ssh_pkg.py
1.08 KB
Del
OK
ssh_service.py
3.39 KB
Del
OK
state.py
82.34 KB
Del
OK
status.py
57.79 KB
Del
OK
statuspage.py
14.67 KB
Del
OK
supervisord.py
11.15 KB
Del
OK
suse_apache.py
2.45 KB
Del
OK
suse_ip.py
35.72 KB
Del
OK
svn.py
10.75 KB
Del
OK
swarm.py
13.5 KB
Del
OK
swift.py
5.53 KB
Del
OK
sysbench.py
6.62 KB
Del
OK
sysfs.py
6.61 KB
Del
OK
syslog_ng.py
31.52 KB
Del
OK
sysmod.py
22.59 KB
Del
OK
sysrc.py
3.38 KB
Del
OK
system.py
19.28 KB
Del
OK
system_profiler.py
3.54 KB
Del
OK
systemd_service.py
46.29 KB
Del
OK
telegram.py
3.28 KB
Del
OK
telemetry.py
12.87 KB
Del
OK
temp.py
831 B
Del
OK
test.py
15.4 KB
Del
OK
test_virtual.py
237 B
Del
OK
testinframod.py
9.92 KB
Del
OK
textfsm_mod.py
16.22 KB
Del
OK
timezone.py
19.98 KB
Del
OK
tls.py
58.63 KB
Del
OK
tomcat.py
18.59 KB
Del
OK
trafficserver.py
10.44 KB
Del
OK
transactional_update.py
35.83 KB
Del
OK
travisci.py
2.05 KB
Del
OK
tuned.py
2.34 KB
Del
OK
twilio_notify.py
2.95 KB
Del
OK
udev.py
3.72 KB
Del
OK
upstart_service.py
16.92 KB
Del
OK
uptime.py
3.23 KB
Del
OK
useradd.py
22.63 KB
Del
OK
uwsgi.py
996 B
Del
OK
vagrant.py
20.4 KB
Del
OK
varnish.py
3.08 KB
Del
OK
vault.py
15.61 KB
Del
OK
vbox_guest.py
10.55 KB
Del
OK
vboxmanage.py
14.71 KB
Del
OK
vcenter.py
1.61 KB
Del
OK
victorops.py
6.54 KB
Del
OK
virt.py
287.71 KB
Del
OK
virtualenv_mod.py
15.09 KB
Del
OK
vmctl.py
9.56 KB
Del
OK
vsphere.py
380.41 KB
Del
OK
webutil.py
3.66 KB
Del
OK
win_auditpol.py
4.74 KB
Del
OK
win_autoruns.py
2.29 KB
Del
OK
win_certutil.py
4.55 KB
Del
OK
win_dacl.py
32.27 KB
Del
OK
win_disk.py
1.8 KB
Del
OK
win_dism.py
20.7 KB
Del
OK
win_dns_client.py
4.19 KB
Del
OK
win_dsc.py
27.54 KB
Del
OK
win_event.py
22.32 KB
Del
OK
win_file.py
64.39 KB
Del
OK
win_firewall.py
20.15 KB
Del
OK
win_groupadd.py
11.27 KB
Del
OK
win_iis.py
68.78 KB
Del
OK
win_ip.py
11.43 KB
Del
OK
win_lgpo.py
491.76 KB
Del
OK
win_lgpo_reg.py
17.9 KB
Del
OK
win_license.py
2.72 KB
Del
OK
win_network.py
13.9 KB
Del
OK
win_ntp.py
1.8 KB
Del
OK
win_path.py
11.12 KB
Del
OK
win_pkg.py
86.43 KB
Del
OK
win_pki.py
15.8 KB
Del
OK
win_powercfg.py
9.85 KB
Del
OK
win_psget.py
8.97 KB
Del
OK
win_servermanager.py
14.21 KB
Del
OK
win_service.py
32.96 KB
Del
OK
win_shadow.py
3.03 KB
Del
OK
win_shortcut.py
16.49 KB
Del
OK
win_smtp_server.py
17.67 KB
Del
OK
win_snmp.py
13.38 KB
Del
OK
win_status.py
16.94 KB
Del
OK
win_system.py
40.61 KB
Del
OK
win_task.py
79.17 KB
Del
OK
win_timezone.py
13.3 KB
Del
OK
win_useradd.py
27.39 KB
Del
OK
win_wua.py
38.29 KB
Del
OK
win_wusa.py
5.88 KB
Del
OK
winrepo.py
6.09 KB
Del
OK
wordpress.py
4.71 KB
Del
OK
x509.py
63.1 KB
Del
OK
x509_v2.py
74.15 KB
Del
OK
xapi_virt.py
24.07 KB
Del
OK
xbpspkg.py
15.84 KB
Del
OK
xfs.py
15.35 KB
Del
OK
xml.py
2.14 KB
Del
OK
xmpp.py
5.28 KB
Del
OK
yaml.py
1.94 KB
Del
OK
yumpkg.py
116.5 KB
Del
OK
zabbix.py
97.55 KB
Del
OK
zcbuildout.py
28.16 KB
Del
OK
zenoss.py
5.64 KB
Del
OK
zfs.py
34.44 KB
Del
OK
zk_concurrency.py
11.16 KB
Del
OK
znc.py
2.26 KB
Del
OK
zoneadm.py
15.05 KB
Del
OK
zonecfg.py
21.85 KB
Del
OK
zookeeper.py
14.72 KB
Del
OK
zpool.py
44.02 KB
Del
OK
zypperpkg.py
94.87 KB
Del
OK
Edit: x509.py
""" Manage X509 certificates .. versionadded:: 2015.8.0 :depends: M2Crypto .. deprecated:: 3006.0 .. warning:: This module has been deprecated and will be removed in Salt 3009 (Potassium). Please migrate to the replacement modules. For breaking changes between both versions, you can refer to the :ref:`x509_v2 execution module docs <x509-setup>`. They will become the default ``x509`` modules in Salt 3008 (Argon). You can explicitly switch to the new modules before that release by setting ``features: {x509_v2: true}`` in your minion configuration. """ import ast import ctypes import datetime import glob import hashlib import logging import os import random import re import sys import tempfile import salt.exceptions import salt.utils.data import salt.utils.files import salt.utils.path import salt.utils.platform import salt.utils.stringutils import salt.utils.versions from salt.state import STATE_INTERNAL_KEYWORDS as _STATE_INTERNAL_KEYWORDS from salt.utils.odict import OrderedDict try: import M2Crypto HAS_M2 = True except ImportError: HAS_M2 = False try: import OpenSSL HAS_OPENSSL = True except ImportError: HAS_OPENSSL = False __virtualname__ = "x509" log = logging.getLogger(__name__) EXT_NAME_MAPPINGS = OrderedDict( [ ("basicConstraints", "X509v3 Basic Constraints"), ("keyUsage", "X509v3 Key Usage"), ("extendedKeyUsage", "X509v3 Extended Key Usage"), ("subjectKeyIdentifier", "X509v3 Subject Key Identifier"), ("authorityKeyIdentifier", "X509v3 Authority Key Identifier"), ("issuserAltName", "X509v3 Issuer Alternative Name"), ("authorityInfoAccess", "X509v3 Authority Info Access"), ("subjectAltName", "X509v3 Subject Alternative Name"), ("crlDistributionPoints", "X509v3 CRL Distribution Points"), ("issuingDistributionPoint", "X509v3 Issuing Distribution Point"), ("certificatePolicies", "X509v3 Certificate Policies"), ("policyConstraints", "X509v3 Policy Constraints"), ("inhibitAnyPolicy", "X509v3 Inhibit Any Policy"), ("nameConstraints", "X509v3 Name Constraints"), ("noCheck", "X509v3 OCSP No Check"), ("nsComment", "Netscape Comment"), ("nsCertType", "Netscape Certificate Type"), ] ) CERT_DEFAULTS = { "days_valid": 365, "version": 3, "serial_bits": 64, "algorithm": "sha256", } def __virtual__(): """ only load this module if m2crypto is available """ # salt.features appears to not be setup when invoked via peer publishing if __opts__.get("features", {}).get("x509_v2"): return (False, "Superseded, using x509_v2") if HAS_M2: salt.utils.versions.warn_until( "Potassium", "The x509 modules are deprecated. Please migrate to the replacement " "modules (x509_v2). They are the default from Salt 3008 (Argon) onwards.", ) return __virtualname__ else: return (False, "Could not load x509 module, m2crypto unavailable") class _Ctx(ctypes.Structure): """ This is part of an ugly hack to fix an ancient bug in M2Crypto https://bugzilla.osafoundation.org/show_bug.cgi?id=7530#c13 """ _fields_ = [ ("flags", ctypes.c_int), ("issuer_cert", ctypes.c_void_p), ("subject_cert", ctypes.c_void_p), ("subject_req", ctypes.c_void_p), ("crl", ctypes.c_void_p), ("db_meth", ctypes.c_void_p), ("db", ctypes.c_void_p), ] def _fix_ctx(m2_ctx, issuer=None): """ This is part of an ugly hack to fix an ancient bug in M2Crypto https://bugzilla.osafoundation.org/show_bug.cgi?id=7530#c13 """ ctx = _Ctx.from_address(int(m2_ctx)) ctx.flags = 0 ctx.subject_cert = None ctx.subject_req = None ctx.crl = None if issuer is None: ctx.issuer_cert = None else: ctx.issuer_cert = int(issuer.x509) def _new_extension(name, value, critical=0, issuer=None, _pyfree=1): """ Create new X509_Extension, this is required because M2Crypto doesn't support getting the publickeyidentifier from the issuer to create the authoritykeyidentifier extension. """ if name == "subjectKeyIdentifier" and value.strip("0123456789abcdefABCDEF:") != "": raise salt.exceptions.SaltInvocationError("value must be precomputed hash") # ensure name and value are bytes name = salt.utils.stringutils.to_str(name) value = salt.utils.stringutils.to_str(value) try: ctx = M2Crypto.m2.x509v3_set_nconf() _fix_ctx(ctx, issuer) if ctx is None: raise MemoryError("Not enough memory when creating a new X509 extension") x509_ext_ptr = M2Crypto.m2.x509v3_ext_conf(None, ctx, name, value) lhash = None except AttributeError: lhash = M2Crypto.m2.x509v3_lhash() ctx = M2Crypto.m2.x509v3_set_conf_lhash(lhash) # ctx not zeroed _fix_ctx(ctx, issuer) x509_ext_ptr = M2Crypto.m2.x509v3_ext_conf(lhash, ctx, name, value) # ctx,lhash freed if x509_ext_ptr is None: raise M2Crypto.X509.X509Error( "Cannot create X509_Extension with name '{}' and value '{}'".format( name, value ) ) x509_ext = M2Crypto.X509.X509_Extension(x509_ext_ptr, _pyfree) x509_ext.set_critical(critical) return x509_ext # The next four functions are more hacks because M2Crypto doesn't support # getting Extensions from CSRs. # https://github.com/martinpaljak/M2Crypto/issues/63 def _parse_openssl_req(csr_filename): """ Parses openssl command line output, this is a workaround for M2Crypto's inability to get them from CSR objects. """ if not salt.utils.path.which("openssl"): raise salt.exceptions.SaltInvocationError("openssl binary not found in path") cmd = "openssl req -text -noout -in {}".format(csr_filename) output = __salt__["cmd.run_stdout"](cmd) output = re.sub(r": rsaEncryption", ":", output) output = re.sub(r"[0-9a-f]{2}:", "", output) return salt.utils.data.decode(salt.utils.yaml.safe_load(output)) def _get_csr_extensions(csr): """ Returns a list of dicts containing the name, value and critical value of any extension contained in a csr object. """ ret = OrderedDict() csrtempfile = tempfile.NamedTemporaryFile(delete=True) csrtempfile.write(csr.as_pem()) csrtempfile.flush() csryaml = _parse_openssl_req(csrtempfile.name) csrtempfile.close() if csryaml and "Requested Extensions" in csryaml["Certificate Request"]["Data"]: csrexts = csryaml["Certificate Request"]["Data"]["Requested Extensions"] if not csrexts: return ret for short_name, long_name in EXT_NAME_MAPPINGS.items(): if csrexts and long_name in csrexts: ret[short_name] = csrexts[long_name] return ret # None of python libraries read CRLs. Again have to hack it with the openssl CLI def _parse_openssl_crl(crl_filename): """ Parses openssl command line output, this is a workaround for M2Crypto's inability to get them from CSR objects. """ if not salt.utils.path.which("openssl"): raise salt.exceptions.SaltInvocationError("openssl binary not found in path") cmd = "openssl crl -text -noout -in {}".format(crl_filename) output = __salt__["cmd.run_stdout"](cmd) crl = {} for line in output.split("\n"): line = line.strip() if line.startswith("Version "): crl["Version"] = line.replace("Version ", "") if line.startswith("Signature Algorithm: "): crl["Signature Algorithm"] = line.replace("Signature Algorithm: ", "") if line.startswith("Issuer: "): line = line.replace("Issuer: ", "") subject = {} for sub_entry in line.split("/"): if "=" in sub_entry: sub_entry = sub_entry.split("=") subject[sub_entry[0]] = sub_entry[1] crl["Issuer"] = subject if line.startswith("Last Update: "): crl["Last Update"] = line.replace("Last Update: ", "") last_update = datetime.datetime.strptime( crl["Last Update"], "%b %d %H:%M:%S %Y %Z" ) crl["Last Update"] = last_update.strftime("%Y-%m-%d %H:%M:%S") if line.startswith("Next Update: "): crl["Next Update"] = line.replace("Next Update: ", "") next_update = datetime.datetime.strptime( crl["Next Update"], "%b %d %H:%M:%S %Y %Z" ) crl["Next Update"] = next_update.strftime("%Y-%m-%d %H:%M:%S") if line.startswith("Revoked Certificates:"): break if "No Revoked Certificates." in output: crl["Revoked Certificates"] = [] return crl output = output.split("Revoked Certificates:")[1] output = output.split("Signature Algorithm:")[0] rev = [] for revoked in output.split("Serial Number: "): if not revoked.strip(): continue rev_sn = revoked.split("\n")[0].strip() revoked = rev_sn + ":\n" + "\n".join(revoked.split("\n")[1:]) rev_yaml = salt.utils.data.decode(salt.utils.yaml.safe_load(revoked)) for rev_values in rev_yaml.values(): if "Revocation Date" in rev_values: rev_date = datetime.datetime.strptime( rev_values["Revocation Date"], "%b %d %H:%M:%S %Y %Z" ) rev_values["Revocation Date"] = rev_date.strftime("%Y-%m-%d %H:%M:%S") rev.append(rev_yaml) crl["Revoked Certificates"] = rev return crl def _get_signing_policy(name): policies = __salt__["pillar.get"]("x509_signing_policies", None) if policies: signing_policy = policies.get(name) if signing_policy: return signing_policy return __salt__["config.get"]("x509_signing_policies", {}).get(name) def _pretty_hex(hex_str): """ Nicely formats hex strings """ if len(hex_str) % 2 != 0: hex_str = "0" + hex_str return ":".join([hex_str[i : i + 2] for i in range(0, len(hex_str), 2)]).upper() def _dec2hex(decval): """ Converts decimal values to nicely formatted hex strings """ return _pretty_hex("{:X}".format(decval)) def _isfile(path): """ A wrapper around os.path.isfile that ignores ValueError exceptions which can be raised if the input to isfile is too long. """ try: return os.path.isfile(path) except ValueError: pass return False def _text_or_file(input_): """ Determines if input is a path to a file, or a string with the content to be parsed. """ if _isfile(input_): with salt.utils.files.fopen(input_) as fp_: return salt.utils.stringutils.to_str(fp_.read()) else: return salt.utils.stringutils.to_str(input_) def _parse_subject(subject): """ Returns a dict containing all values in an X509 Subject """ ret = OrderedDict() nids = [] ret_list = [] for nid_name, nid_num in subject.nid.items(): if nid_num in nids: continue try: val = getattr(subject, nid_name) if val: ret_list.append((nid_num, nid_name, val)) nids.append(nid_num) except TypeError as err: log.trace("Missing attribute '%s'. Error: %s", nid_name, err) for nid_num, nid_name, val in sorted(ret_list): ret[nid_name] = val return ret def _get_certificate_obj(cert): """ Returns a certificate object based on PEM text. """ if isinstance(cert, M2Crypto.X509.X509): return cert text = _text_or_file(cert) text = get_pem_entry(text, pem_type="CERTIFICATE") return M2Crypto.X509.load_cert_string(text) def _get_private_key_obj(private_key, passphrase=None): """ Returns a private key object based on PEM text. """ private_key = _text_or_file(private_key) private_key = get_pem_entry(private_key, pem_type="(?:RSA )?PRIVATE KEY") rsaprivkey = M2Crypto.RSA.load_key_string( private_key, callback=_passphrase_callback(passphrase) ) evpprivkey = M2Crypto.EVP.PKey() evpprivkey.assign_rsa(rsaprivkey) return evpprivkey def _passphrase_callback(passphrase): """ Returns a callback function used to supply a passphrase for private keys """ def f(*args): return salt.utils.stringutils.to_bytes(passphrase) return f def _get_request_obj(csr): """ Returns a CSR object based on PEM text. """ text = _text_or_file(csr) text = get_pem_entry(text, pem_type="CERTIFICATE REQUEST") return M2Crypto.X509.load_request_string(text) def _get_pubkey_hash(cert): """ Returns the sha1 hash of the modulus of a public key in a cert Used for generating subject key identifiers """ sha_hash = hashlib.sha1(cert.get_pubkey().get_modulus()).hexdigest() return _pretty_hex(sha_hash) def _keygen_callback(): """ Replacement keygen callback function which silences the output sent to stdout by the default keygen function """ return def _make_regex(pem_type): """ Dynamically generate a regex to match pem_type """ return re.compile( r"\s*(?P<pem_header>-----BEGIN {0}-----)\s+" r"(?:(?P<proc_type>Proc-Type: 4,ENCRYPTED)\s*)?" r"(?:(?P<dek_info>DEK-Info:" r" (?:DES-[3A-Z\-]+,[0-9A-F]{{16}}|[0-9A-Z\-]+,[0-9A-F]{{32}}))\s*)?" r"(?P<pem_body>.+?)\s+(?P<pem_footer>" r"-----END {0}-----)\s*".format(pem_type), re.DOTALL, ) def _valid_pem(pem, pem_type=None): pem_type = "[0-9A-Z ]+" if pem_type is None else pem_type _dregex = _make_regex(pem_type) for _match in _dregex.finditer(pem): if _match: return _match return None def _match_minions(test, minion): if "@" in test: match = __salt__["publish.publish"](tgt=minion, fun="match.compound", arg=test) return match.get(minion, False) else: return __salt__["match.glob"](test, minion) def get_pem_entry(text, pem_type=None): """ Returns a properly formatted PEM string from the input text fixing any whitespace or line-break issues text: Text containing the X509 PEM entry to be returned or path to a file containing the text. pem_type: If specified, this function will only return a pem of a certain type, for example 'CERTIFICATE' or 'CERTIFICATE REQUEST'. CLI Example: .. code-block:: bash salt '*' x509.get_pem_entry "-----BEGIN CERTIFICATE REQUEST-----MIICyzCC Ar8CAQI...-----END CERTIFICATE REQUEST" """ text = _text_or_file(text) # Replace encoded newlines text = text.replace("\\n", "\n") if ( len(text.splitlines()) == 1 and text.startswith("-----") and text.endswith("-----") ): # mine.get returns the PEM on a single line, we fix this pem_fixed = [] pem_temp = text while pem_temp: if pem_temp.startswith("-----"): # Grab ----(.*)---- blocks pem_fixed.append(pem_temp[: pem_temp.index("-----", 5) + 5]) pem_temp = pem_temp[pem_temp.index("-----", 5) + 5 :] else: # grab base64 chunks if pem_temp[:64].count("-") == 0: pem_fixed.append(pem_temp[:64]) pem_temp = pem_temp[64:] else: pem_fixed.append(pem_temp[: pem_temp.index("-")]) pem_temp = pem_temp[pem_temp.index("-") :] text = "\n".join(pem_fixed) errmsg = "PEM text not valid:\n{}".format(text) if pem_type: errmsg = "PEM does not contain a single entry of type {}:\n{}".format( pem_type, text ) _match = _valid_pem(text, pem_type) if not _match: raise salt.exceptions.SaltInvocationError(errmsg) _match_dict = _match.groupdict() pem_header = _match_dict["pem_header"] proc_type = _match_dict["proc_type"] dek_info = _match_dict["dek_info"] pem_footer = _match_dict["pem_footer"] pem_body = _match_dict["pem_body"] # Remove all whitespace from body pem_body = "".join(pem_body.split()) # Generate correctly formatted pem ret = pem_header + "\n" if proc_type: ret += proc_type + "\n" if dek_info: ret += dek_info + "\n" + "\n" for i in range(0, len(pem_body), 64): ret += pem_body[i : i + 64] + "\n" ret += pem_footer + "\n" return salt.utils.stringutils.to_bytes(ret, encoding="ascii") def get_pem_entries(glob_path): """ Returns a dict containing PEM entries in files matching a glob glob_path: A path to certificates to be read and returned. CLI Example: .. code-block:: bash salt '*' x509.get_pem_entries "/etc/pki/*.crt" """ ret = {} for path in glob.glob(glob_path): if os.path.isfile(path): try: ret[path] = get_pem_entry(text=path) except ValueError: pass return ret def read_certificate(certificate): """ Returns a dict containing details of a certificate. Input can be a PEM string or file path. certificate: The certificate to be read. Can be a path to a certificate file, or a string containing the PEM formatted text of the certificate. CLI Example: .. code-block:: bash salt '*' x509.read_certificate /etc/pki/mycert.crt """ cert = _get_certificate_obj(certificate) ret = { # X509 Version 3 has a value of 2 in the field. # Version 2 has a value of 1. # https://tools.ietf.org/html/rfc5280#section-4.1.2.1 "Version": cert.get_version() + 1, # Get size returns in bytes. The world thinks of key sizes in bits. "Key Size": cert.get_pubkey().size() * 8, "Serial Number": _dec2hex(cert.get_serial_number()), "SHA-256 Finger Print": _pretty_hex(cert.get_fingerprint(md="sha256")), "SHA1 Finger Print": _pretty_hex(cert.get_fingerprint(md="sha1")), "Subject": _parse_subject(cert.get_subject()), "Subject Hash": _dec2hex(cert.get_subject().as_hash()), "Issuer": _parse_subject(cert.get_issuer()), "Issuer Hash": _dec2hex(cert.get_issuer().as_hash()), "Not Before": cert.get_not_before() .get_datetime() .strftime("%Y-%m-%d %H:%M:%S"), "Not After": cert.get_not_after().get_datetime().strftime("%Y-%m-%d %H:%M:%S"), "Public Key": get_public_key(cert), } if __opts__["fips_mode"] is False: ret["MD5 Finger Print"] = _pretty_hex(cert.get_fingerprint(md="md5")) exts = OrderedDict() for ext_index in range(0, cert.get_ext_count()): ext = cert.get_ext_at(ext_index) name = ext.get_name() val = ext.get_value() if ext.get_critical(): val = "critical " + val exts[name] = val if exts: ret["X509v3 Extensions"] = exts return ret def read_certificates(glob_path): """ Returns a dict containing details of all certificates matching a glob glob_path: A path to certificates to be read and returned. CLI Example: .. code-block:: bash salt '*' x509.read_certificates "/etc/pki/*.crt" """ ret = {} for path in glob.glob(glob_path): if os.path.isfile(path): try: ret[path] = read_certificate(certificate=path) except ValueError: pass return ret def read_csr(csr): """ Returns a dict containing details of a certificate request. :depends: - OpenSSL command line tool csr: A path or PEM encoded string containing the CSR to read. CLI Example: .. code-block:: bash salt '*' x509.read_csr /etc/pki/mycert.csr """ csr = _get_request_obj(csr) ret = { # X509 Version 3 has a value of 2 in the field. # Version 2 has a value of 1. # https://tools.ietf.org/html/rfc5280#section-4.1.2.1 "Version": csr.get_version() + 1, # Get size returns in bytes. The world thinks of key sizes in bits. "Subject": _parse_subject(csr.get_subject()), "Subject Hash": _dec2hex(csr.get_subject().as_hash()), "Public Key Hash": hashlib.sha1(csr.get_pubkey().get_modulus()).hexdigest(), } ret["X509v3 Extensions"] = _get_csr_extensions(csr) return ret def read_crl(crl): """ Returns a dict containing details of a certificate revocation list. Input can be a PEM string or file path. :depends: - OpenSSL command line tool crl: A path or PEM encoded string containing the CRL to read. CLI Example: .. code-block:: bash salt '*' x509.read_crl /etc/pki/mycrl.crl """ text = _text_or_file(crl) text = get_pem_entry(text, pem_type="X509 CRL") crltempfile = tempfile.NamedTemporaryFile(delete=True) crltempfile.write(salt.utils.stringutils.to_bytes(text, encoding="ascii")) crltempfile.flush() crlparsed = _parse_openssl_crl(crltempfile.name) crltempfile.close() return crlparsed def get_public_key(key, passphrase=None, asObj=False): """ Returns a string containing the public key in PEM format. key: A path or PEM encoded string containing a CSR, Certificate or Private Key from which a public key can be retrieved. CLI Example: .. code-block:: bash salt '*' x509.get_public_key /etc/pki/mycert.cer """ if isinstance(key, M2Crypto.X509.X509): rsa = key.get_pubkey().get_rsa() text = b"" else: text = _text_or_file(key) text = get_pem_entry(text) if text.startswith(b"-----BEGIN PUBLIC KEY-----"): if not asObj: return text bio = M2Crypto.BIO.MemoryBuffer() bio.write(text) rsa = M2Crypto.RSA.load_pub_key_bio(bio) bio = M2Crypto.BIO.MemoryBuffer() if text.startswith(b"-----BEGIN CERTIFICATE-----"): cert = M2Crypto.X509.load_cert_string(text) rsa = cert.get_pubkey().get_rsa() if text.startswith(b"-----BEGIN CERTIFICATE REQUEST-----"): csr = M2Crypto.X509.load_request_string(text) rsa = csr.get_pubkey().get_rsa() if text.startswith(b"-----BEGIN PRIVATE KEY-----") or text.startswith( b"-----BEGIN RSA PRIVATE KEY-----" ): rsa = M2Crypto.RSA.load_key_string( text, callback=_passphrase_callback(passphrase) ) if asObj: evppubkey = M2Crypto.EVP.PKey() evppubkey.assign_rsa(rsa) return evppubkey rsa.save_pub_key_bio(bio) return bio.read_all() def get_private_key_size(private_key, passphrase=None): """ Returns the bit length of a private key in PEM format. private_key: A path or PEM encoded string containing a private key. CLI Example: .. code-block:: bash salt '*' x509.get_private_key_size /etc/pki/mycert.key """ return _get_private_key_obj(private_key, passphrase).size() * 8 def write_pem(text, path, overwrite=True, pem_type=None): """ Writes out a PEM string fixing any formatting or whitespace issues before writing. text: PEM string input to be written out. path: Path of the file to write the PEM out to. overwrite: If ``True`` (default), write_pem will overwrite the entire PEM file. Set False to preserve existing private keys and dh params that may exist in the PEM file. pem_type: The PEM type to be saved, for example ``CERTIFICATE`` or ``PUBLIC KEY``. Adding this will allow the function to take input that may contain multiple PEM types. CLI Example: .. code-block:: bash salt '*' x509.write_pem "-----BEGIN CERTIFICATE-----MIIGMzCCBBugA..." path=/etc/pki/mycert.crt """ text = get_pem_entry(text, pem_type=pem_type) with salt.utils.files.set_umask(0o077): _dhparams = "" _private_key = "" if ( pem_type and pem_type == "CERTIFICATE" and os.path.isfile(path) and not overwrite ): _filecontents = _text_or_file(path) try: _dhparams = get_pem_entry(_filecontents, "DH PARAMETERS") except salt.exceptions.SaltInvocationError as err: log.debug("Error when getting DH PARAMETERS: %s", err) log.trace(err, exc_info=err) try: _private_key = get_pem_entry(_filecontents, "(?:RSA )?PRIVATE KEY") except salt.exceptions.SaltInvocationError as err: log.debug("Error when getting PRIVATE KEY: %s", err) log.trace(err, exc_info=err) with salt.utils.files.fopen(path, "w") as _fp: if pem_type and pem_type == "CERTIFICATE" and _private_key: _fp.write(salt.utils.stringutils.to_str(_private_key)) _fp.write(salt.utils.stringutils.to_str(text)) if pem_type and pem_type == "CERTIFICATE" and _dhparams: _fp.write(salt.utils.stringutils.to_str(_dhparams)) return "PEM written to {}".format(path) def create_private_key( path=None, text=False, bits=2048, passphrase=None, cipher="aes_128_cbc", verbose=True, ): """ Creates a private key in PEM format. path: The path to write the file to, either ``path`` or ``text`` are required. text: If ``True``, return the PEM text without writing to a file. Default ``False``. bits: Length of the private key in bits. Default 2048 passphrase: Passphrase for encrypting the private key cipher: Cipher for encrypting the private key. Has no effect if passphrase is None. verbose: Provide visual feedback on stdout. Default True .. versionadded:: 2016.11.0 CLI Example: .. code-block:: bash salt '*' x509.create_private_key path=/etc/pki/mykey.key """ if not path and not text: raise salt.exceptions.SaltInvocationError( "Either path or text must be specified." ) if path and text: raise salt.exceptions.SaltInvocationError( "Either path or text must be specified, not both." ) if verbose: _callback_func = M2Crypto.RSA.keygen_callback else: _callback_func = _keygen_callback rsa = M2Crypto.RSA.gen_key(bits, M2Crypto.m2.RSA_F4, _callback_func) bio = M2Crypto.BIO.MemoryBuffer() if passphrase is None: cipher = None rsa.save_key_bio(bio, cipher=cipher, callback=_passphrase_callback(passphrase)) if path: return write_pem( text=bio.read_all(), path=path, pem_type="(?:RSA )?PRIVATE KEY" ) else: return salt.utils.stringutils.to_str(bio.read_all()) def create_crl( path=None, text=False, signing_private_key=None, signing_private_key_passphrase=None, signing_cert=None, revoked=None, include_expired=False, days_valid=100, digest="", ): r""" Create a CRL :depends: - PyOpenSSL Python module path: Path to write the CRL to. text: If ``True``, return the PEM text without writing to a file. Default ``False``. signing_private_key: A path or string of the private key in PEM format that will be used to sign the CRL. This is required. signing_private_key_passphrase: Passphrase to decrypt the private key. signing_cert: A certificate matching the private key that will be used to sign the CRL. This is required. revoked: A list of dicts containing all the certificates to revoke. Each dict represents one certificate. A dict must contain either the key ``serial_number`` with the value of the serial number to revoke, or ``certificate`` with either the PEM encoded text of the certificate, or a path to the certificate to revoke. The dict can optionally contain the ``revocation_date`` key. If this key is omitted the revocation date will be set to now. If should be a string in the format "%Y-%m-%d %H:%M:%S". The dict can also optionally contain the ``not_after`` key. This is redundant if the ``certificate`` key is included. If the ``Certificate`` key is not included, this can be used for the logic behind the ``include_expired`` parameter. If should be a string in the format "%Y-%m-%d %H:%M:%S". The dict can also optionally contain the ``reason`` key. This is the reason code for the revocation. Available choices are ``unspecified``, ``keyCompromise``, ``CACompromise``, ``affiliationChanged``, ``superseded``, ``cessationOfOperation`` and ``certificateHold``. include_expired: Include expired certificates in the CRL. Default is ``False``. days_valid: The number of days that the CRL should be valid. This sets the Next Update field in the CRL. digest: The digest to use for signing the CRL. This has no effect on versions of pyOpenSSL less than 0.14 .. note At this time the pyOpenSSL library does not allow choosing a signing algorithm for CRLs See https://github.com/pyca/pyopenssl/issues/159 CLI Example: .. code-block:: bash salt '*' x509.create_crl path=/etc/pki/mykey.key \ signing_private_key=/etc/pki/ca.key \ signing_cert=/etc/pki/ca.crt \ revoked="{'compromized-web-key': {'certificate': '/etc/pki/certs/www1.crt', 'revocation_date': '2015-03-01 00:00:00'}}" """ # pyOpenSSL is required for dealing with CSLs. Importing inside these # functions because Client operations like creating CRLs shouldn't require # pyOpenSSL Note due to current limitations in pyOpenSSL it is impossible # to specify a digest For signing the CRL. This will hopefully be fixed # soon: https://github.com/pyca/pyopenssl/pull/161 if not HAS_OPENSSL: raise salt.exceptions.SaltInvocationError( "Could not load OpenSSL module, OpenSSL unavailable" ) crl = OpenSSL.crypto.CRL() if revoked is None: revoked = [] for rev_item in revoked: if "certificate" in rev_item: rev_cert = read_certificate(rev_item["certificate"]) rev_item["serial_number"] = rev_cert["Serial Number"] rev_item["not_after"] = rev_cert["Not After"] serial_number = rev_item["serial_number"].replace(":", "") # OpenSSL bindings requires this to be a non-unicode string serial_number = salt.utils.stringutils.to_bytes(serial_number) if "not_after" in rev_item and not include_expired: not_after = datetime.datetime.strptime( rev_item["not_after"], "%Y-%m-%d %H:%M:%S" ) if datetime.datetime.now() > not_after: continue if "revocation_date" not in rev_item: rev_item["revocation_date"] = datetime.datetime.now().strftime( "%Y-%m-%d %H:%M:%S" ) rev_date = datetime.datetime.strptime( rev_item["revocation_date"], "%Y-%m-%d %H:%M:%S" ) rev_date = rev_date.strftime("%Y%m%d%H%M%SZ") rev_date = salt.utils.stringutils.to_bytes(rev_date) rev = OpenSSL.crypto.Revoked() rev.set_serial(salt.utils.stringutils.to_bytes(serial_number)) rev.set_rev_date(salt.utils.stringutils.to_bytes(rev_date)) if "reason" in rev_item: # Same here for OpenSSL bindings and non-unicode strings reason = salt.utils.stringutils.to_bytes(rev_item["reason"]) rev.set_reason(reason) crl.add_revoked(rev) signing_cert = _text_or_file(signing_cert) cert = OpenSSL.crypto.load_certificate( OpenSSL.crypto.FILETYPE_PEM, get_pem_entry(signing_cert, pem_type="CERTIFICATE") ) signing_private_key = _get_private_key_obj( signing_private_key, passphrase=signing_private_key_passphrase ).as_pem(cipher=None) key = OpenSSL.crypto.load_privatekey( OpenSSL.crypto.FILETYPE_PEM, get_pem_entry(signing_private_key) ) export_kwargs = { "cert": cert, "key": key, "type": OpenSSL.crypto.FILETYPE_PEM, "days": days_valid, } if digest: export_kwargs["digest"] = salt.utils.stringutils.to_bytes(digest) else: log.warning("No digest specified. The default md5 digest will be used.") try: crltext = crl.export(**export_kwargs) except (TypeError, ValueError): log.warning( "Error signing crl with specified digest. Are you using " "pyopenssl 0.15 or newer? The default md5 digest will be used." ) export_kwargs.pop("digest", None) crltext = crl.export(**export_kwargs) if text: return crltext return write_pem(text=crltext, path=path, pem_type="X509 CRL") def sign_remote_certificate(argdic, **kwargs): """ Request a certificate to be remotely signed according to a signing policy. argdic: A dict containing all the arguments to be passed into the create_certificate function. This will become kwargs when passed to create_certificate. kwargs: kwargs delivered from publish.publish CLI Example: .. code-block:: bash salt '*' x509.sign_remote_certificate argdic="{'public_key': '/etc/pki/www.key', 'signing_policy': 'www'}" __pub_id='www1' """ if "signing_policy" not in argdic: return "signing_policy must be specified" if not isinstance(argdic, dict): argdic = ast.literal_eval(argdic) signing_policy = {} if "signing_policy" in argdic: signing_policy = _get_signing_policy(argdic["signing_policy"]) if not signing_policy: return "Signing policy {} does not exist.".format(argdic["signing_policy"]) if isinstance(signing_policy, list): dict_ = {} for item in signing_policy: dict_.update(item) signing_policy = dict_ if "minions" in signing_policy: if "__pub_id" not in kwargs: return "minion sending this request could not be identified" if not _match_minions(signing_policy["minions"], kwargs["__pub_id"]): return "{} not permitted to use signing policy {}".format( kwargs["__pub_id"], argdic["signing_policy"] ) try: return create_certificate(path=None, text=True, **argdic) except Exception as except_: # pylint: disable=broad-except return str(except_) def get_signing_policy(signing_policy_name): """ Returns the details of a names signing policy, including the text of the public key that will be used to sign it. Does not return the private key. CLI Example: .. code-block:: bash salt '*' x509.get_signing_policy www """ signing_policy = _get_signing_policy(signing_policy_name) if not signing_policy: return "Signing policy {} does not exist.".format(signing_policy_name) if isinstance(signing_policy, list): dict_ = {} for item in signing_policy: dict_.update(item) signing_policy = dict_ try: del signing_policy["signing_private_key"] except KeyError: pass try: signing_policy["signing_cert"] = get_pem_entry( signing_policy["signing_cert"], "CERTIFICATE" ) except KeyError: pass return signing_policy def create_certificate(path=None, text=False, overwrite=True, ca_server=None, **kwargs): """ Create an X509 certificate. path: Path to write the certificate to. text: If ``True``, return the PEM text without writing to a file. Default ``False``. overwrite: If ``True`` (default), create_certificate will overwrite the entire PEM file. Set False to preserve existing private keys and dh params that may exist in the PEM file. kwargs: Any of the properties below can be included as additional keyword arguments. ca_server: Request a remotely signed certificate from ca_server. For this to work, a ``signing_policy`` must be specified, and that same policy must be configured on the ca_server. See ``signing_policy`` for details. Also, the salt master must permit peers to call the ``sign_remote_certificate`` function. Example: /etc/salt/master.d/peer.conf .. code-block:: yaml peer: .*: - x509.sign_remote_certificate subject properties: Any of the values below can be included to set subject properties Any other subject properties supported by OpenSSL should also work. C: 2 letter Country code CN: Certificate common name, typically the FQDN. Email: Email address GN: Given Name L: Locality O: Organization OU: Organization Unit SN: SurName ST: State or Province signing_private_key: A path or string of the private key in PEM format that will be used to sign this certificate. If neither ``signing_cert``, ``public_key``, or ``csr`` are included, it will be assumed that this is a self-signed certificate, and the public key matching ``signing_private_key`` will be used to create the certificate. signing_private_key_passphrase: Passphrase used to decrypt the signing_private_key. signing_cert: A certificate matching the private key that will be used to sign this certificate. This is used to populate the issuer values in the resulting certificate. Do not include this value for self-signed certificates. public_key: The public key to be included in this certificate. This can be sourced from a public key, certificate, CSR or private key. If a private key is used, the matching public key from the private key will be generated before any processing is done. This means you can request a certificate from a remote CA using a private key file as your public_key and only the public key will be sent across the network to the CA. If neither ``public_key`` or ``csr`` are specified, it will be assumed that this is a self-signed certificate, and the public key derived from ``signing_private_key`` will be used. Specify either ``public_key`` or ``csr``, not both. Because you can input a CSR as a public key or as a CSR, it is important to understand the difference. If you import a CSR as a public key, only the public key will be added to the certificate, subject or extension information in the CSR will be lost. public_key_passphrase: If the public key is supplied as a private key, this is the passphrase used to decrypt it. csr: A file or PEM string containing a certificate signing request. This will be used to supply the subject, extensions and public key of a certificate. Any subject or extensions specified explicitly will overwrite any in the CSR. basicConstraints: X509v3 Basic Constraints extension. extensions: The following arguments set X509v3 Extension values. If the value starts with ``critical``, the extension will be marked as critical. Some special extensions are ``subjectKeyIdentifier`` and ``authorityKeyIdentifier``. ``subjectKeyIdentifier`` can be an explicit value or it can be the special string ``hash``. ``hash`` will set the subjectKeyIdentifier equal to the SHA1 hash of the modulus of the public key in this certificate. Note that this is not the exact same hashing method used by OpenSSL when using the hash value. ``authorityKeyIdentifier`` Use values acceptable to the openssl CLI tools. This will automatically populate ``authorityKeyIdentifier`` with the ``subjectKeyIdentifier`` of ``signing_cert``. If this is a self-signed cert these values will be the same. basicConstraints: X509v3 Basic Constraints keyUsage: X509v3 Key Usage extendedKeyUsage: X509v3 Extended Key Usage subjectKeyIdentifier: X509v3 Subject Key Identifier issuerAltName: X509v3 Issuer Alternative Name subjectAltName: X509v3 Subject Alternative Name crlDistributionPoints: X509v3 CRL Distribution Points issuingDistributionPoint: X509v3 Issuing Distribution Point certificatePolicies: X509v3 Certificate Policies policyConstraints: X509v3 Policy Constraints inhibitAnyPolicy: X509v3 Inhibit Any Policy nameConstraints: X509v3 Name Constraints noCheck: X509v3 OCSP No Check nsComment: Netscape Comment nsCertType: Netscape Certificate Type days_valid: The number of days this certificate should be valid. This sets the ``notAfter`` property of the certificate. Defaults to 365. version: The version of the X509 certificate. Defaults to 3. This is automatically converted to the version value, so ``version=3`` sets the certificate version field to 0x2. serial_number: The serial number to assign to this certificate. If omitted a random serial number of size ``serial_bits`` is generated. serial_bits: The number of bits to use when randomly generating a serial number. Defaults to 64. algorithm: The hashing algorithm to be used for signing this certificate. Defaults to sha256. copypath: An additional path to copy the resulting certificate to. Can be used to maintain a copy of all certificates issued for revocation purposes. prepend_cn: If set to True, the CN and a dash will be prepended to the copypath's filename. Example: /etc/pki/issued_certs/www.example.com-DE:CA:FB:AD:00:00:00:00.crt signing_policy: A signing policy that should be used to create this certificate. Signing policies should be defined in the minion configuration, or in a minion pillar. It should be a YAML formatted list of arguments which will override any arguments passed to this function. If the ``minions`` key is included in the signing policy, only minions matching that pattern (see match.glob and match.compound) will be permitted to remotely request certificates from that policy. In order to ``match.compound`` to work salt master must peers permit peers to call it. Example: /etc/salt/master.d/peer.conf .. code-block:: yaml peer: .*: - match.compound Example: .. code-block:: yaml x509_signing_policies: www: - minions: 'www*' - signing_private_key: /etc/pki/ca.key - signing_cert: /etc/pki/ca.crt - C: US - ST: Utah - L: Salt Lake City - basicConstraints: "critical CA:false" - keyUsage: "critical cRLSign, keyCertSign" - subjectKeyIdentifier: hash - authorityKeyIdentifier: keyid,issuer:always - days_valid: 90 - copypath: /etc/pki/issued_certs/ The above signing policy can be invoked with ``signing_policy=www`` not_before: Initial validity date for the certificate. This date must be specified in the format '%Y-%m-%d %H:%M:%S'. .. versionadded:: 3001 not_after: Final validity date for the certificate. This date must be specified in the format '%Y-%m-%d %H:%M:%S'. .. versionadded:: 3001 CLI Example: .. code-block:: bash salt '*' x509.create_certificate path=/etc/pki/myca.crt signing_private_key='/etc/pki/myca.key' csr='/etc/pki/myca.csr'} """ if ( not path and not text and ("testrun" not in kwargs or kwargs["testrun"] is False) ): raise salt.exceptions.SaltInvocationError( "Either path or text must be specified." ) if path and text: raise salt.exceptions.SaltInvocationError( "Either path or text must be specified, not both." ) if "public_key_passphrase" not in kwargs: kwargs["public_key_passphrase"] = None if ca_server: if "signing_policy" not in kwargs: raise salt.exceptions.SaltInvocationError( "signing_policy must be specified" "if requesting remote certificate from ca_server {}.".format(ca_server) ) if "csr" in kwargs: kwargs["csr"] = salt.utils.stringutils.to_str( get_pem_entry(kwargs["csr"], pem_type="CERTIFICATE REQUEST") ).replace("\n", "") if "public_key" in kwargs: # Strip newlines to make passing through as cli functions easier kwargs["public_key"] = salt.utils.stringutils.to_str( get_public_key( kwargs["public_key"], passphrase=kwargs["public_key_passphrase"] ) ).replace("\n", "") # Remove system entries in kwargs # Including listen_in and prerequired because they are not included # in STATE_INTERNAL_KEYWORDS # for salt 2014.7.2 for ignore in list(_STATE_INTERNAL_KEYWORDS) + [ "listen_in", "prerequired", "__prerequired__", ]: kwargs.pop(ignore, None) # TODO: Make timeout configurable in 3000 certs = __salt__["publish.publish"]( tgt=ca_server, fun="x509.sign_remote_certificate", arg=salt.utils.data.decode_dict(kwargs, to_str=True), timeout=30, ) if not any(certs): raise salt.exceptions.SaltInvocationError( "ca_server did not respond" " salt master must permit peers to" " call the sign_remote_certificate function." ) cert_txt = certs[ca_server] if isinstance(cert_txt, str): if not _valid_pem(cert_txt, "CERTIFICATE"): raise salt.exceptions.SaltInvocationError(cert_txt) if path: return write_pem( text=cert_txt, overwrite=overwrite, path=path, pem_type="CERTIFICATE" ) else: return cert_txt signing_policy = {} if "signing_policy" in kwargs: signing_policy = _get_signing_policy(kwargs["signing_policy"]) if isinstance(signing_policy, list): dict_ = {} for item in signing_policy: dict_.update(item) signing_policy = dict_ # Overwrite any arguments in kwargs with signing_policy kwargs.update(signing_policy) for prop, default in CERT_DEFAULTS.items(): if prop not in kwargs: kwargs[prop] = default cert = M2Crypto.X509.X509() # X509 Version 3 has a value of 2 in the field. # Version 2 has a value of 1. # https://tools.ietf.org/html/rfc5280#section-4.1.2.1 cert.set_version(kwargs["version"] - 1) # Random serial number if not specified if "serial_number" not in kwargs: kwargs["serial_number"] = _dec2hex(random.getrandbits(kwargs["serial_bits"])) serial_number = int(kwargs["serial_number"].replace(":", ""), 16) # With Python3 we occasionally end up with an INT that is greater than a C # long max_value. This causes an overflow error due to a bug in M2Crypto. # See issue: https://gitlab.com/m2crypto/m2crypto/issues/232 # Remove this after M2Crypto fixes the bug. if salt.utils.platform.is_windows(): INT_MAX = 2147483647 if serial_number >= INT_MAX: serial_number -= int(serial_number / INT_MAX) * INT_MAX else: if serial_number >= sys.maxsize: serial_number -= int(serial_number / sys.maxsize) * sys.maxsize cert.set_serial_number(serial_number) # Handle not_before and not_after dates for custom certificate validity fmt = "%Y-%m-%d %H:%M:%S" if "not_before" in kwargs: try: time = datetime.datetime.strptime(kwargs["not_before"], fmt) except: raise salt.exceptions.SaltInvocationError( "not_before: {} is not in required format {}".format( kwargs["not_before"], fmt ) ) # If we do not set an explicit timezone to this naive datetime object, # the M2Crypto code will assume it is from the local machine timezone # and will try to adjust the time shift. time = time.replace(tzinfo=M2Crypto.ASN1.UTC) asn1_not_before = M2Crypto.ASN1.ASN1_UTCTIME() asn1_not_before.set_datetime(time) cert.set_not_before(asn1_not_before) if "not_after" in kwargs: try: time = datetime.datetime.strptime(kwargs["not_after"], fmt) except: raise salt.exceptions.SaltInvocationError( "not_after: {} is not in required format {}".format( kwargs["not_after"], fmt ) ) # Forcing the datetime to have an explicit tzinfo here as well. time = time.replace(tzinfo=M2Crypto.ASN1.UTC) asn1_not_after = M2Crypto.ASN1.ASN1_UTCTIME() asn1_not_after.set_datetime(time) cert.set_not_after(asn1_not_after) # Set validity dates # if no 'not_before' or 'not_after' dates are setup, both of the following # dates will be the date of today. then the days_valid offset makes sense. not_before = M2Crypto.m2.x509_get_not_before(cert.x509) not_after = M2Crypto.m2.x509_get_not_after(cert.x509) # Only process the dynamic dates if start and end are not specified. if "not_before" not in kwargs: M2Crypto.m2.x509_gmtime_adj(not_before, 0) if "not_after" not in kwargs: valid_seconds = 60 * 60 * 24 * kwargs["days_valid"] # 60s * 60m * 24 * days M2Crypto.m2.x509_gmtime_adj(not_after, valid_seconds) # If neither public_key or csr are included, this cert is self-signed if "public_key" not in kwargs and "csr" not in kwargs: kwargs["public_key"] = kwargs["signing_private_key"] if "signing_private_key_passphrase" in kwargs: kwargs["public_key_passphrase"] = kwargs["signing_private_key_passphrase"] csrexts = {} if "csr" in kwargs: kwargs["public_key"] = kwargs["csr"] csr = _get_request_obj(kwargs["csr"]) cert.set_subject(csr.get_subject()) csrexts = read_csr(kwargs["csr"])["X509v3 Extensions"] cert.set_pubkey( get_public_key( kwargs["public_key"], passphrase=kwargs["public_key_passphrase"], asObj=True ) ) subject = cert.get_subject() for entry in sorted(subject.nid): if entry in kwargs: setattr(subject, entry, kwargs[entry]) if "signing_cert" in kwargs: signing_cert = _get_certificate_obj(kwargs["signing_cert"]) else: signing_cert = cert cert.set_issuer(signing_cert.get_subject()) for extname, extlongname in EXT_NAME_MAPPINGS.items(): if ( extname in kwargs or extlongname in kwargs or extname in csrexts or extlongname in csrexts ) is False: continue # Use explicitly set values first, fall back to CSR values. extval = ( kwargs.get(extname) or kwargs.get(extlongname) or csrexts.get(extname) or csrexts.get(extlongname) ) critical = False if extval.startswith("critical "): critical = True extval = extval[9:] if extname == "subjectKeyIdentifier" and "hash" in extval: extval = extval.replace("hash", _get_pubkey_hash(cert)) issuer = None if extname == "authorityKeyIdentifier": issuer = signing_cert if extname == "subjectAltName": extval = extval.replace("IP Address", "IP") ext = _new_extension( name=extname, value=extval, critical=critical, issuer=issuer ) if not ext.x509_ext: log.info("Invalid X509v3 Extension. %s: %s", extname, extval) continue cert.add_ext(ext) if "signing_private_key_passphrase" not in kwargs: kwargs["signing_private_key_passphrase"] = None if not verify_private_key( private_key=kwargs["signing_private_key"], passphrase=kwargs["signing_private_key_passphrase"], public_key=signing_cert, ): raise salt.exceptions.SaltInvocationError( "signing_private_key: {} does no match signing_cert: {}".format( kwargs["signing_private_key"], kwargs.get("signing_cert", "") ) ) cert.sign( _get_private_key_obj( kwargs["signing_private_key"], passphrase=kwargs["signing_private_key_passphrase"], ), kwargs["algorithm"], ) if not verify_signature(cert, signing_pub_key=signing_cert): raise salt.exceptions.SaltInvocationError( "failed to verify certificate signature" ) if "testrun" in kwargs and kwargs["testrun"] is True: cert_props = read_certificate(cert) cert_props["Issuer Public Key"] = get_public_key( kwargs["signing_private_key"], passphrase=kwargs["signing_private_key_passphrase"], ) return cert_props if "copypath" in kwargs: if "prepend_cn" in kwargs and kwargs["prepend_cn"] is True: prepend = str(kwargs["CN"]) + "-" else: prepend = "" write_pem( text=cert.as_pem(), path=os.path.join( kwargs["copypath"], prepend + kwargs["serial_number"] + ".crt" ), pem_type="CERTIFICATE", ) if path: return write_pem( text=cert.as_pem(), overwrite=overwrite, path=path, pem_type="CERTIFICATE" ) else: return salt.utils.stringutils.to_str(cert.as_pem()) def create_csr(path=None, text=False, **kwargs): """ Create a certificate signing request. path: Path to write the certificate to. text: If ``True``, return the PEM text without writing to a file. Default ``False``. algorithm: The hashing algorithm to be used for signing this request. Defaults to sha256. kwargs: The subject, extension and version arguments from :mod:`x509.create_certificate <salt.modules.x509.create_certificate>` can be used. CLI Example: .. code-block:: bash salt '*' x509.create_csr path=/etc/pki/myca.csr public_key='/etc/pki/myca.key' CN='My Cert' """ if not path and not text: raise salt.exceptions.SaltInvocationError( "Either path or text must be specified." ) if path and text: raise salt.exceptions.SaltInvocationError( "Either path or text must be specified, not both." ) csr = M2Crypto.X509.Request() subject = csr.get_subject() for prop, default in CERT_DEFAULTS.items(): if prop not in kwargs: kwargs[prop] = default csr.set_version(kwargs["version"] - 1) if "private_key" not in kwargs and "public_key" in kwargs: kwargs["private_key"] = kwargs["public_key"] log.warning( "OpenSSL no longer allows working with non-signed CSRs. " "A private_key must be specified. Attempting to use public_key " "as private_key" ) if "private_key" not in kwargs: raise salt.exceptions.SaltInvocationError("private_key is required") if "public_key" not in kwargs: kwargs["public_key"] = kwargs["private_key"] if "private_key_passphrase" not in kwargs: kwargs["private_key_passphrase"] = None if "public_key_passphrase" not in kwargs: kwargs["public_key_passphrase"] = None if kwargs["public_key_passphrase"] and not kwargs["private_key_passphrase"]: kwargs["private_key_passphrase"] = kwargs["public_key_passphrase"] if kwargs["private_key_passphrase"] and not kwargs["public_key_passphrase"]: kwargs["public_key_passphrase"] = kwargs["private_key_passphrase"] csr.set_pubkey( get_public_key( kwargs["public_key"], passphrase=kwargs["public_key_passphrase"], asObj=True ) ) for entry in sorted(subject.nid): if entry in kwargs: setattr(subject, entry, kwargs[entry]) extstack = M2Crypto.X509.X509_Extension_Stack() for extname, extlongname in EXT_NAME_MAPPINGS.items(): if extname not in kwargs and extlongname not in kwargs: continue extval = kwargs[extname] or kwargs[extlongname] critical = False if extval.startswith("critical "): critical = True extval = extval[9:] if extname == "subjectKeyIdentifier" and "hash" in extval: extval = extval.replace("hash", _get_pubkey_hash(csr)) if extname == "subjectAltName": extval = extval.replace("IP Address", "IP") if extname == "authorityKeyIdentifier": continue issuer = None ext = _new_extension( name=extname, value=extval, critical=critical, issuer=issuer ) if not ext.x509_ext: log.info("Invalid X509v3 Extension. %s: %s", extname, extval) continue extstack.push(ext) csr.add_extensions(extstack) csr.sign( _get_private_key_obj( kwargs["private_key"], passphrase=kwargs["private_key_passphrase"] ), kwargs["algorithm"], ) if path: return write_pem(text=csr.as_pem(), path=path, pem_type="CERTIFICATE REQUEST") else: return csr.as_pem() def verify_private_key(private_key, public_key, passphrase=None): """ Verify that 'private_key' matches 'public_key' private_key: The private key to verify, can be a string or path to a private key in PEM format. public_key: The public key to verify, can be a string or path to a PEM formatted certificate, CSR, or another private key. passphrase: Passphrase to decrypt the private key. CLI Example: .. code-block:: bash salt '*' x509.verify_private_key private_key=/etc/pki/myca.key \\ public_key=/etc/pki/myca.crt """ return bool(get_public_key(private_key, passphrase) == get_public_key(public_key)) def verify_signature( certificate, signing_pub_key=None, signing_pub_key_passphrase=None ): """ Verify that ``certificate`` has been signed by ``signing_pub_key`` certificate: The certificate to verify. Can be a path or string containing a PEM formatted certificate. signing_pub_key: The public key to verify, can be a string or path to a PEM formatted certificate, CSR, or private key. signing_pub_key_passphrase: Passphrase to the signing_pub_key if it is an encrypted private key. CLI Example: .. code-block:: bash salt '*' x509.verify_signature /etc/pki/mycert.pem \\ signing_pub_key=/etc/pki/myca.crt """ cert = _get_certificate_obj(certificate) if signing_pub_key: signing_pub_key = get_public_key( signing_pub_key, passphrase=signing_pub_key_passphrase, asObj=True ) return bool(cert.verify(pkey=signing_pub_key) == 1) def verify_crl(crl, cert): """ Validate a CRL against a certificate. Parses openssl command line output, this is a workaround for M2Crypto's inability to get them from CSR objects. crl: The CRL to verify cert: The certificate to verify the CRL against CLI Example: .. code-block:: bash salt '*' x509.verify_crl crl=/etc/pki/myca.crl cert=/etc/pki/myca.crt """ if not salt.utils.path.which("openssl"): raise salt.exceptions.SaltInvocationError("openssl binary not found in path") crltext = _text_or_file(crl) crltext = get_pem_entry(crltext, pem_type="X509 CRL") crltempfile = tempfile.NamedTemporaryFile(delete=True) crltempfile.write(salt.utils.stringutils.to_bytes(crltext, encoding="ascii")) crltempfile.flush() certtext = _text_or_file(cert) certtext = get_pem_entry(certtext, pem_type="CERTIFICATE") certtempfile = tempfile.NamedTemporaryFile(delete=True) certtempfile.write(salt.utils.stringutils.to_bytes(certtext, encoding="ascii")) certtempfile.flush() cmd = "openssl crl -noout -in {} -CAfile {}".format( crltempfile.name, certtempfile.name ) output = __salt__["cmd.run_stderr"](cmd) crltempfile.close() certtempfile.close() return "verify OK" in output def expired(certificate): """ Returns a dict containing limited details of a certificate and whether the certificate has expired. .. versionadded:: 2016.11.0 certificate: The certificate to be read. Can be a path to a certificate file, or a string containing the PEM formatted text of the certificate. CLI Example: .. code-block:: bash salt '*' x509.expired "/etc/pki/mycert.crt" """ ret = {} if os.path.isfile(certificate): try: ret["path"] = certificate cert = _get_certificate_obj(certificate) _now = datetime.datetime.utcnow() _expiration_date = cert.get_not_after().get_datetime() ret["cn"] = _parse_subject(cert.get_subject())["CN"] if _expiration_date.strftime("%Y-%m-%d %H:%M:%S") <= _now.strftime( "%Y-%m-%d %H:%M:%S" ): ret["expired"] = True else: ret["expired"] = False except ValueError: pass return ret def will_expire(certificate, days): """ Returns a dict containing details of a certificate and whether the certificate will expire in the specified number of days. Input can be a PEM string or file path. .. versionadded:: 2016.11.0 certificate: The certificate to be read. Can be a path to a certificate file, or a string containing the PEM formatted text of the certificate. CLI Example: .. code-block:: bash salt '*' x509.will_expire "/etc/pki/mycert.crt" days=30 """ ret = {} if os.path.isfile(certificate): try: ret["path"] = certificate ret["check_days"] = days cert = _get_certificate_obj(certificate) _check_time = datetime.datetime.utcnow() + datetime.timedelta(days=days) _expiration_date = cert.get_not_after().get_datetime() ret["cn"] = _parse_subject(cert.get_subject())["CN"] if _expiration_date.strftime("%Y-%m-%d %H:%M:%S") <= _check_time.strftime( "%Y-%m-%d %H:%M:%S" ): ret["will_expire"] = True else: ret["will_expire"] = False except ValueError: pass return ret
Save