meta

2014-05-14 11:57:11 +02:00 · 2014-05-14 11:57:11 +02:00 · d385853186
commit d385853186
parent edd42dfd76
48 changed files with 1344 additions and 488 deletions
--- a/oml/node/cert.py
+++ b/oml/node/cert.py
@ -0,0 +1,42 @@
+# -*- coding: utf-8 -*-
+# vi:si:et:sw=4:sts=4:ts=4
+
+import os
+import hashlib
+import OpenSSL
+import settings
+
+def get_fingerprint():
+    with open(settings.ssl_cert_path) as fd:
+        data = fd.read()
+    cert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, data)
+    return hashlib.sha1(OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_ASN1, cert)).hexdigest()
+
+def generate_ssl():
+    key = OpenSSL.crypto.PKey()
+    key.generate_key(OpenSSL.crypto.TYPE_RSA, 2048)
+    with open(settings.ssl_key_path, 'wb') as fd:
+        os.chmod(settings.ssl_key_path, 0600)
+        fd.write(OpenSSL.crypto.dump_privatekey(OpenSSL.crypto.FILETYPE_PEM, key))
+        os.chmod(settings.ssl_key_path, 0400)
+
+    ca = OpenSSL.crypto.X509()
+    ca.set_version(2)
+    ca.set_serial_number(1)
+    ca.get_subject().CN = settings.USER_ID
+    ca.gmtime_adj_notBefore(0)
+    ca.gmtime_adj_notAfter(24 * 60 * 60)
+    ca.set_issuer(ca.get_subject())
+    ca.set_pubkey(key)
+    ca.add_extensions([
+      OpenSSL.crypto.X509Extension("basicConstraints", True, "CA:TRUE, pathlen:0"),
+      OpenSSL.crypto.X509Extension("nsCertType", True, "sslCA"),
+      OpenSSL.crypto.X509Extension("extendedKeyUsage", True,
+        "serverAuth,clientAuth,emailProtection,timeStamping,msCodeInd,msCodeCom,msCTLSign,msSGC,msEFS,nsSGC"),
+      OpenSSL.crypto.X509Extension("keyUsage", False, "keyCertSign, cRLSign"),
+      OpenSSL.crypto.X509Extension("subjectKeyIdentifier", False, "hash", subject=ca),
+    ])
+    ca.sign(key, "sha1")
+    with open(settings.ssl_cert_path, 'wb') as fd:
+        fd.write(OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_PEM, ca))
+    return get_fingerprint()
--- a/oml/node/gencert.py
+++ b/oml/node/gencert.py
@ -1,25 +0,0 @@
-import OpenSSL
-
-key = OpenSSL.crypto.PKey()
-key.generate_key(OpenSSL.crypto.TYPE_RSA, 2048)
-
-ca = OpenSSL.crypto.X509()
-ca.set_version(2)
-ca.set_serial_number(1)
-ca.get_subject().CN = "put_ed25519_key_here"
-ca.gmtime_adj_notBefore(0)
-ca.gmtime_adj_notAfter(24 * 60 * 60)
-ca.set_issuer(ca.get_subject())
-ca.set_pubkey(key)
-ca.add_extensions([
-  OpenSSL.crypto.X509Extension("basicConstraints", True,
-                               "CA:TRUE, pathlen:0"),
-  OpenSSL.crypto.X509Extension("keyUsage", True,
-                               "keyCertSign, cRLSign"),
-  OpenSSL.crypto.X509Extension("subjectKeyIdentifier", False, "hash",
-                               subject=ca),
-  OpenSSL.crypto.X509Extension("authorityKeyIdentifier", False, "keyid:always",issuer=ca)
-  ])
-ca.sign(key, "sha1")
-open("MyCertificate.crt.bin", "wb").write(OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_ASN1, ca))
-
--- a/oml/node/server.py
+++ b/oml/node/server.py
@ -19,6 +19,7 @@ import user
 import json
 from ed25519_utils import valid
 import api
+import cert

 class NodeHandler(tornado.web.RequestHandler):

@ -53,9 +54,10 @@ class NodeHandler(tornado.web.RequestHandler):
                    }
                else:
                    with self.app.app_context():
+                        u = user.models.User.get(key)
                        if action in (
                            'requestPeering', 'acceptPeering', 'rejectPeering', 'removePeering'
-                        ) or user.models.User.get(key):
+                        ) or (u and u.peered):
                            content = getattr(api, 'api_' + action)(self.app, key, *args)
                        else:
                            print 'PEER', key, 'IS UNKNOWN SEND 403'
@ -103,14 +105,22 @@ class ShareHandler(tornado.web.RequestHandler):


 def start(app):
-    http_server = tornado.web.Application([
+    application = tornado.web.Application([
        (r"/get/(.*)", ShareHandler, dict(app=app)),
        (r".*", NodeHandler, dict(app=app)),
    ])
+    if not os.path.exists(settings.ssl_cert_path):
+        settings.server['cert'] = cert.generate_ssl()
+
+    http_server = tornado.httpserver.HTTPServer(application, ssl_options={
+        "certfile": settings.ssl_cert_path,
+        "keyfile": settings.ssl_key_path
+    })
    http_server.listen(settings.server['node_port'], settings.server['node_address'])
    host = utils.get_public_ipv6()
    state.online = directory.put(settings.sk, {
        'host': host,
-        'port': settings.server['node_port']
+        'port': settings.server['node_port'],
+        'cert': settings.server['cert']
    })
    return http_server