Add serial number handling

2014-03-21 14:30:23 +00:00 · 2014-03-21 14:30:23 +00:00 · 76e4f0418d
parent e8f5e8eca0
commit 76e4f0418d
4 changed files with 18 additions and 2 deletions
--- a/.gitignore
+++ b/.gitignore
@ -4,3 +4,5 @@ config.yaml
 ephemeral_ca.egg-info
 .venv
 *.sw[op]
+certs/*.crt
+CA/serial
--- a/certs/.empty
+++ b/certs/.empty
--- a/config.yaml.sample
+++ b/config.yaml.sample
@ -1,5 +1,7 @@
 ca_cert: "CA/root-ca.crt"
 ca_key: "CA/root-ca-unwrapped.key"
+serial_file: "CA/serial"
+certs_directory: "certs"
 valid_hours: 24
 signing_hash: "sha1"

--- a/ephemeral_ca/init.py
+++ b/ephemeral_ca/init.py
@ -4,6 +4,8 @@ FlaskCA
 """

 import M2Crypto
+import fcntl
+import os
 import sys
 import time
 import uuid
@ -28,6 +30,14 @@ def sign(csr,encoding):
    if encoding != 'pem':
        return False

+    with open(CONFIG['serial_file'], 'a+') as f:
+        f.seek(0)
+        fcntl.lockf(f, fcntl.LOCK_EX)
+        serial = int(f.read() or "1")
+        f.seek(0)
+        f.truncate(0)
+        f.write(str(serial+1))
+
    ca = M2Crypto.X509.load_cert(CONFIG["ca_cert"])
    key = M2Crypto.EVP.load_key(CONFIG["ca_key"])
    req = M2Crypto.X509.load_request_string(csr.encode('ascii'))
@ -47,11 +57,13 @@ def sign(csr,encoding):
    new_cert.set_pubkey(pkey=req.get_pubkey())
    new_cert.set_subject(req.get_subject())
    new_cert.set_issuer(ca.get_subject())
-    new_cert.set_serial_number(31337)
+    new_cert.set_serial_number(serial)

    new_cert.sign(key, CONFIG['signing_hash'])

-    new_cert.save("temp-" + str(uuid.uuid1()) + '.crt')
+    new_cert.save(os.path.join(
+        CONFIG['certs_directory'],
+        '%06i-%s.crt' % (serial, new_cert.get_fingerprint(CONFIG['signing_hash']))))

    return new_cert.as_pem()