authorLinus Nordberg <linus@nordu.net>2015-06-04 16:58:41 +0200
committerLinus Nordberg <linus@nordu.net>2015-06-04 16:58:41 +0200
commit228aae4427925c7f62f19b96ea009f448fd68b97 (patch)
treec9d388cbac6d5819f36f36c9f42ecbdf44969632 /mklog.py
parentb4ec3393fa5012baed85ba045f9a625495a8579d (diff)
Make mklog.py (more) idempotent.
One should be able to add hosts to $logname.cfg and run again, with the correct result.
Diffstat (limited to 'mklog.py')
-rwxr-xr-xmklog.py37
1 files changed, 22 insertions, 15 deletions
diff --git a/mklog.py b/mklog.py
index 26df433..f8f3510 100755
--- a/mklog.py
+++ b/mklog.py
@@ -18,24 +18,26 @@ def run_openssl(args):
return False
def make_eckey(name):
+ privkey = '%s-private.pem' % name
+ pubkey = '%s.pem' % name
+
+ if os.access(privkey, os.R_OK) and os.access(pubkey, os.R_OK):
+ return True
print "creating EC key \"%s\"" % name
- privkey_filename = '%s-private.pem' % name
- pubkey_filename = '%s.pem' % name
ecparam_args = ['ecparam', '-name', 'prime256v1', '-genkey', '-noout',
- '-out', privkey_filename]
+ '-out', privkey]
if not run_openssl(ecparam_args):
return False
- os.chmod(privkey_filename, stat.S_IRUSR)
+ os.chmod(privkey, stat.S_IRUSR | stat.S_IWUSR)
- ec_args = ['ec', '-in', privkey_filename, '-pubout', '-out', pubkey_filename]
+ ec_args = ['ec', '-in', privkey, '-pubout', '-out', pubkey]
if not run_openssl(ec_args):
return False
- os.chmod(pubkey_filename, stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)
return True
-def make_ca(logname, cakey_filename, cacert_filename):
+def make_ca(logname, cakey, cacert):
os.makedirs('./demoCA/newcerts', 0700)
f = open('./demoCA/index.txt', 'w')
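Review bot: The new early return in make_eckey only fires when both files are readable, so when `<name>-private.pem` exists but `<name>.pem` is missing or unreadable the code falls through to `ecparam -genkey -out privkey` and silently replaces the existing private key — and with the chmod now granting S_IWUSR the overwrite succeeds where 0400 used to make it fail — invalidating anything derived from the old key. The guard should branch on the private key alone and only re-derive the public half when that is all that is missing, as below. Separately, `os.makedirs('./demoCA/newcerts', 0700)` at the top of make_ca (context at the end of this hunk) still raises on a second run, so make_ca is not idempotent either. Note also that openssl writes the private key with umask-derived permissions before the os.chmod runs; setting `os.umask(077)` at script start would close that window (pre-existing, not introduced here).
```python
def make_eckey(name):
    privkey = '%s-private.pem' % name
    pubkey = '%s.pem' % name

    if os.access(privkey, os.R_OK):
        if os.access(pubkey, os.R_OK):
            return True
        # private key exists: only re-derive the public half, never regenerate it
    else:
        print "creating EC key \"%s\"" % name
        ecparam_args = ['ecparam', '-name', 'prime256v1', '-genkey', '-noout',
                        '-out', privkey]
        if not run_openssl(ecparam_args):
            return False
        os.chmod(privkey, stat.S_IRUSR | stat.S_IWUSR)
    ec_args = ['ec', '-in', privkey, '-pubout', '-out', pubkey]
    # … unchanged: run_openssl(ec_args) and return …
```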
@@ -56,14 +58,14 @@ def make_ca(logname, cakey_filename, cacert_filename):
f.close()
subject = '/countryName=II/stateOrProvinceName=internets/organizationName=%s/commonName=ca' % logname
- req_args = ['req', '-newkey', 'rsa:2048', '-keyout', cakey_filename, '-out',
+ req_args = ['req', '-newkey', 'rsa:2048', '-keyout', cakey, '-out',
'req.csr', '-nodes', '-subj', subject, '-config', 'caconfig.txt']
if not run_openssl(req_args):
return False
- os.chmod(cakey_filename, stat.S_IRUSR)
+ os.chmod(cakey, stat.S_IRUSR)
- ca_args = ['ca', '-in', 'req.csr', '-selfsign', '-keyfile', cakey_filename,
- '-out', cacert_filename, '-batch']
+ ca_args = ['ca', '-in', 'req.csr', '-selfsign', '-keyfile', cakey,
+ '-out', cacert, '-batch']
if not run_openssl(ca_args):
return False
@@ -87,10 +89,10 @@ def make_certs(logname, nodenames):
cert = './%s.pem' % nodename
subject = '/countryName=II/stateOrProvinceName=internets/organizationName=%s/CN=%s' % (logname, nodename)
- print "creating cert for node %s" % nodename
-
if os.access(key, os.R_OK) and os.access(cert, os.R_OK):
continue
+ print "creating cert for node %s" % nodename
+
req_args = ['req', '-new', '-newkey', 'rsa:2048', '-keyout', key,
'-out', csr, '-nodes', '-subj', subject]
if not run_openssl(req_args):
@@ -115,9 +117,14 @@ def make_authkeys(nodenames):
for nodename in nodenames:
if not make_eckey(nodename):
return False
- shutil.move('%s-private.pem' % nodename, '../nodes/%s/' % nodename)
+ dst = '../nodes/%s/%s-private.pem' % (nodename, nodename)
+ if os.access(dst, os.F_OK) and not os.access(dst, os.W_OK):
+ os.chmod(dst, stat.S_IWUSR)
+ shutil.move('%s-private.pem' % nodename, dst)
for nodename in nodenames:
- shutil.copytree('.', '../nodes/%s/publickeys' % nodename)
+ dst = '../nodes/%s/publickeys' % nodename
+ shutil.rmtree(dst, ignore_errors=True)
+ shutil.copytree('.', dst)
os.chdir('..')
return True
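Review bot: The first loop in make_authkeys appears to rotate every node's private key on each run rather than preserve it: make_eckey's early return looks for `<name>-private.pem` in the working directory, but that file was moved to `../nodes/<name>/` by the previous run, so on re-run only the public half is found, a fresh key is generated, and the `os.chmod`/`shutil.move` added here overwrite the deployed key instead of skipping it — the opposite of what the commit message describes for existing hosts. Skipping nodes whose key is already deployed (and whose public half is still in the working directory) avoids this, as below. The `os.chmod(dst, stat.S_IWUSR)` is also only relevant for a cross-filesystem move — a same-filesystem rename replaces the target regardless of its mode — and it briefly leaves the deployed key at 0200; if kept, `stat.S_IRUSR | stat.S_IWUSR` would be the safer mode.
```python
for nodename in nodenames:
    dst = '../nodes/%s/%s-private.pem' % (nodename, nodename)
    if os.access(dst, os.R_OK) and os.access('%s.pem' % nodename, os.R_OK):
        continue  # key already deployed for this node; do not rotate it
    if not make_eckey(nodename):
        return False
    shutil.move('%s-private.pem' % nodename, dst)
# … unchanged: publickeys copytree loop, chdir, return …
```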