From 243ccc9eda77a243f224fd69b9aec86164c7ce65 Mon Sep 17 00:00:00 2001 From: Chris Allan Date: Wed, 12 Oct 2022 10:34:01 +0000 Subject: [PATCH 01/12] Depend on a version of cryptography that ships universal2 wheels --- setup.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/setup.py b/setup.py index 868c2c1..96259bd 100755 --- a/setup.py +++ b/setup.py @@ -18,7 +18,10 @@ url="https://github.com/ome/omero-certificates", packages=["omero_certificates", "omero.plugins"], setup_requires=["setuptools_scm"], - install_requires=["omero-py>=5.6.0"], + install_requires=[ + "omero-py>=5.6.0", + "cryptography>=36.0.0", + ], use_scm_version={"write_to": "omero_certificates/_version.py"}, classifiers=[ "Environment :: Console", From 11251101e9fdab24375b376dbe25e00466a80cd5 Mon Sep 17 00:00:00 2001 From: Chris Allan Date: Wed, 12 Oct 2022 10:51:19 +0000 Subject: [PATCH 02/12] Port `openssl genrsa` to use cryptography --- omero_certificates/certificates.py | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/omero_certificates/certificates.py b/omero_certificates/certificates.py index ae27dc1..67ff532 100644 --- a/omero_certificates/certificates.py +++ b/omero_certificates/certificates.py @@ -7,6 +7,12 @@ import logging import os import subprocess +from cryptography.hazmat.primitives.asymmetric import rsa +from cryptography.hazmat.primitives.serialization import ( + Encoding, + NoEncryption, + PrivateFormat, +) from omero.config import ConfigXml log = logging.getLogger(__name__) 
@@ -78,7 +84,16 @@ def create_certificates(omerodir): log.info("Using existing key: %s", keypath) else: log.info("Creating self-signed CA key: %s", keypath) - run_openssl(["genrsa", "-out", keypath, "2048"]) + # Do what `openssl genrsa -out ` would do + rsa_private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048) + with open(keypath, "wb") as pem_openssl_key: + pem_openssl_key.write( + rsa_private_key.private_bytes( + Encoding.PEM, + PrivateFormat.TraditionalOpenSSL, # Essentially PKCS#1 + NoEncryption(), + ) + ) created_files.append(keypath) # Self-signed certificate From 3e09e95a21c7d6e7b0a704079bebc67b876037f1 Mon Sep 17 00:00:00 2001 From: Chris Allan Date: Wed, 12 Oct 2022 13:58:51 +0000 Subject: [PATCH 03/12] Port `openssl req -x509` to use cryptography Note that this commit also changes the format of `omero.certificates.owner` from the OpenSSL command line `/` separated format to RFC 4514 (which supercedes RFC 2253) `,` separated format. As this plugin saves the owner in OMERO server configuration the upgrade user experience will have to be considered in a follow up commit. --- omero_certificates/certificates.py | 43 +++++++++++++++++------------- tests/unit/test_certificates.py | 6 ++--- 2 files changed, 28 insertions(+), 21 deletions(-) diff --git a/omero_certificates/certificates.py b/omero_certificates/certificates.py index 67ff532..3b2e7e6 100644 --- a/omero_certificates/certificates.py +++ b/omero_certificates/certificates.py @@ -7,7 +7,11 @@ import logging import os import subprocess +from datetime import datetime, timedelta +from cryptography import x509 +from cryptography.hazmat.primitives import serialization from cryptography.hazmat.primitives.asymmetric import rsa +from cryptography.hazmat.primitives.hashes import SHA256 from cryptography.hazmat.primitives.serialization import ( Encoding, NoEncryption, 
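Review bot: The new `with open(keypath, "wb") as pem_openssl_key:` creates the PEM private key with whatever the process umask allows, whereas the `openssl genrsa -out` it replaces creates its output 0600 on POSIX as far as I recall, so this port most likely loosens the key file's permissions on a typical umask-022 server to world-readable. Create the file with an explicit mode instead: `fd = os.open(keypath, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)` followed by `with os.fdopen(fd, "wb") as pem_openssl_key:`; `os` is already imported by this module. The `else:` branch only runs when the file does not yet exist, so the mode passed to O_CREAT really applies. create_certificates starts and ends outside this hunk.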
@@ -36,7 +40,7 @@ def set_if_empty(cfgkey, default): os.path.join(cfgdict.get("omero.data.dir", "/OMERO"), "certs"), ) set_if_empty("omero.certificates.commonname", "localhost") - set_if_empty("omero.certificates.owner", "/L=OMERO/O=OMERO.server") + set_if_empty("omero.certificates.owner", "L=OMERO,O=OMERO.server") set_if_empty("omero.certificates.key", "server.key") set_if_empty("omero.glacier2.IceSSL.CertFile", "server.p12") set_if_empty("omero.glacier2.IceSSL.CAs", "server.pem") @@ -63,7 +67,7 @@ def create_certificates(omerodir): cn = cfgmap["omero.certificates.commonname"] owner = cfgmap["omero.certificates.owner"] - days = "365" + days = 365 pkcs12path = os.path.join(certdir, cfgmap["omero.glacier2.IceSSL.CertFile"]) keypath = os.path.join(certdir, cfgmap["omero.certificates.key"]) certpath = os.path.join(certdir, cfgmap["omero.glacier2.IceSSL.CAs"]) @@ -82,6 +86,11 @@ def create_certificates(omerodir): # Private key if os.path.exists(keypath): log.info("Using existing key: %s", keypath) + with open(keypath, "rb") as pem_openssl_key: + rsa_private_key = serialization.load_pem_private_key( + pem_openssl_key.read(), + password=None, + ) else: log.info("Creating self-signed CA key: %s", keypath) # Do what `openssl genrsa -out ` would do 
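Review bot: The new `serialization.load_pem_private_key(..., password=None)` in the `@@ -82,6 +86,11 @@` hunk raises a bare TypeError if an operator has dropped a passphrase-protected key in as server.key, and it also returns an EC or Ed25519 key unchanged although the variable is named `rsa_private_key` and the later `.sign(..., SHA256())` is written for RSA (Ed25519 rejects a hash algorithm, as far as I recall). Wrapping the load, e.g. `except (TypeError, ValueError) as e: raise ValueError(f"Unable to load private key {keypath}: {e}") from e`, turns the traceback into an actionable message, and an `isinstance(rsa_private_key, rsa.RSAPrivateKey)` check keeps the contract the name promises. The key is read in full before use, so a zero-byte file also lands in the same ValueError path. create_certificates starts and ends outside this hunk.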
@@ -98,23 +107,21 @@ def create_certificates(omerodir): # Self-signed certificate log.info("Creating self-signed certificate: %s", certpath) - run_openssl( - [ - "req", - "-new", - "-x509", - "-subj", - "{}/CN={}".format(owner, cn), - "-days", - days, - "-key", - keypath, - "-out", - certpath, - "-extensions", - "v3_ca", - ] + # Do what `openssl req -x509 ...` would do + utcnow = datetime.utcnow() + subject = issuer = x509.Name.from_rfc4514_string("{},CN={}".format(owner, cn)) + cert = ( + x509.CertificateBuilder() + .subject_name(subject) + .issuer_name(issuer) + .not_valid_before(utcnow) + .not_valid_after(utcnow + timedelta(days=days)) + .public_key(rsa_private_key.public_key()) + .serial_number(x509.random_serial_number()) + .sign(rsa_private_key, SHA256()) ) + with open(certpath, "wb") as pem_cert: + pem_cert.write(cert.public_bytes(Encoding.PEM)) created_files.append(certpath) # PKCS12 format diff --git a/tests/unit/test_certificates.py b/tests/unit/test_certificates.py index 19c80a4..8b45b60 100644 --- a/tests/unit/test_certificates.py +++ b/tests/unit/test_certificates.py @@ -31,7 +31,7 @@ def test_config_from_empty(self, tmpdir): "omero.glacier2.IceSSL.Protocols": "TLS1_0,TLS1_1,TLS1_2", "omero.certificates.commonname": "localhost", "omero.certificates.key": "server.key", - "omero.certificates.owner": "/L=OMERO/O=OMERO.server", + "omero.certificates.owner": "L=OMERO,O=OMERO.server", } def test_config_keep_existing(self, tmpdir): @@ -89,8 +89,8 @@ def test_create_certificates(self, tmpdir): ) out = out.decode().splitlines() for line in ( - "subject=L = OMERO, O = OMERO.server, CN = localhost", - "issuer=L = OMERO, O = OMERO.server, CN = localhost", + "subject=CN = localhost, O = OMERO.server, L = OMERO", + "issuer=CN = localhost, O = OMERO.server, L = OMERO", "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----", "-----BEGIN ENCRYPTED PRIVATE KEY-----", From 6ec9f057b4f2c6c0b09fb40b921d7b03a430c812 Mon Sep 17 00:00:00 2001 
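Review bot: The CertificateBuilder chain in the `@@ -98,23 +107,21 @@` hunk adds no extensions, so the port drops what `-extensions v3_ca` put into the old certificate (with the stock openssl.cnf: a critical basicConstraints CA:TRUE plus subject and authority key identifiers), and like the original it carries no subjectAltName, which hostname-verifying TLS clients require because they ignore the CN. The same file is configured as `omero.glacier2.IceSSL.CAs`, so the CA:TRUE constraint presumably matters to clients that validate against it; the SAN is a new improvement rather than a regression, and `x509.IPAddress` rather than `x509.DNSName` is the right type if commonname can be an IP address. The `-days`/`-key`/`-out` semantics are otherwise preserved. create_certificates starts and ends outside this hunk.
```python
    # Do what `openssl req -x509 ... -extensions v3_ca` would do
    utcnow = datetime.utcnow()
    subject = issuer = x509.Name.from_rfc4514_string("{},CN={}".format(owner, cn))
    public_key = rsa_private_key.public_key()
    cert = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .not_valid_before(utcnow)
        .not_valid_after(utcnow + timedelta(days=days))
        .public_key(public_key)
        .serial_number(x509.random_serial_number())
        # v3_ca equivalent: critical CA:TRUE plus key identifiers (self-signed, so AKI == SKI)
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .add_extension(x509.SubjectKeyIdentifier.from_public_key(public_key), critical=False)
        .add_extension(
            x509.AuthorityKeyIdentifier.from_issuer_public_key(public_key), critical=False
        )
        # Hostname verifiers ignore the CN; use x509.IPAddress if commonname is an IP
        .add_extension(x509.SubjectAlternativeName([x509.DNSName(cn)]), critical=False)
        .sign(rsa_private_key, SHA256())
    )
    # … unchanged: write certpath, created_files.append(certpath) …
```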
From: Chris Allan Date: Wed, 12 Oct 2022 13:59:34 +0000 Subject: [PATCH 04/12] Port `openssl pkcs12` to use cryptography --- omero_certificates/certificates.py | 29 +++++++++++++---------------- 1 file changed, 13 insertions(+), 16 deletions(-) diff --git a/omero_certificates/certificates.py b/omero_certificates/certificates.py index 3b2e7e6..73cd462 100644 --- a/omero_certificates/certificates.py +++ b/omero_certificates/certificates.py @@ -13,9 +13,11 @@ from cryptography.hazmat.primitives.asymmetric import rsa from cryptography.hazmat.primitives.hashes import SHA256 from cryptography.hazmat.primitives.serialization import ( + BestAvailableEncryption, Encoding, NoEncryption, PrivateFormat, + pkcs12, ) from omero.config import ConfigXml @@ -126,22 +128,17 @@ def create_certificates(omerodir): # PKCS12 format log.info("Creating PKCS12 bundle: %s", pkcs12path) - run_openssl( - [ - "pkcs12", - "-export", - "-out", - pkcs12path, - "-inkey", - keypath, - "-in", - certpath, - "-name", - "server", - "-password", - "pass:{}".format(password), - ] - ) + # Do what `openssl pkcs12 ...` would do + with open(pkcs12path, "wb") as p12: + p12.write( + pkcs12.serialize_key_and_certificates( + b"server", + rsa_private_key, + cert, + None, + BestAvailableEncryption(password.encode("utf-8")), + ) + ) created_files.append(pkcs12path) return "certificates created: " + " ".join(created_files) From 0a40d93e5127622c22348adb050d3978aa94c97f Mon Sep 17 00:00:00 2001 From: Chris Allan Date: Wed, 12 Oct 2022 12:52:48 +0000 Subject: [PATCH 05/12] Remove use of OpenSSL command line tools from the plugin --- omero_certificates/certificates.py | 16 +--------------- 1 file changed, 1 insertion(+), 15 deletions(-) diff --git a/omero_certificates/certificates.py b/omero_certificates/certificates.py index 73cd462..2d328d1 100644 --- a/omero_certificates/certificates.py +++ b/omero_certificates/certificates.py 
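Review bot: The bundle written at `with open(pkcs12path, "wb") as p12:` contains the private key, yet it is created with the default umask; the `openssl pkcs12 -export -out` it replaces creates the file 0600 on POSIX as far as I recall. Use `fd = os.open(pkcs12path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)` with `with os.fdopen(fd, "wb") as p12:`, and since this file is rewritten on every run, an `os.chmod(pkcs12path, 0o600)` after the write also tightens a pre-existing bundle. The password-based encryption only protects the key as well as `omero.glacier2.IceSSL.Password` is strong, and that value is read from the OMERO configuration the same code has access to, so file permissions are the control that actually matters here. create_certificates starts outside this hunk.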
@@ -1,12 +1,11 @@ #!/usr/bin/env python # -*- coding: utf-8 -*- """ -Wrap openssl to manage self-signed certificates +Wrap cryptography to manage self-signed certificates """ import logging import os -import subprocess from datetime import datetime, timedelta from cryptography import x509 from cryptography.hazmat.primitives import serialization @@ -57,12 +56,6 @@ def set_if_empty(cfgkey, default): return cfgdict -def run_openssl(args): - command = ["openssl"] + args - log.info("Executing: %s", " ".join(command)) - subprocess.run(command) - - def create_certificates(omerodir): cfgmap = update_config(omerodir) certdir = cfgmap["omero.glacier2.IceSSL.DefaultDir"] @@ -75,13 +68,6 @@ def create_certificates(omerodir): certpath = os.path.join(certdir, cfgmap["omero.glacier2.IceSSL.CAs"]) password = cfgmap["omero.glacier2.IceSSL.Password"] - try: - run_openssl(["version"]) - except subprocess.CalledProcessError as e: - msg = "openssl version failed, is it installed?" - log.fatal("%s: %s", msg, e) - raise - os.makedirs(certdir, exist_ok=True) created_files = [] From 7eb1bda532ef00824aec51218839a317604ebb3c Mon Sep 17 00:00:00 2001 From: Chris Allan Date: Wed, 12 Oct 2022 15:30:49 +0000 Subject: [PATCH 06/12] Remove use of OpenSSL command line tools from test cases --- tests/unit/test_certificates.py | 49 +++++++++++++++++---------------- 1 file changed, 26 insertions(+), 23 deletions(-) diff --git a/tests/unit/test_certificates.py b/tests/unit/test_certificates.py index 8b45b60..c9568b4 100644 --- a/tests/unit/test_certificates.py +++ b/tests/unit/test_certificates.py @@ -1,6 +1,12 @@ import os -import subprocess +from cryptography import x509 +from cryptography.hazmat.primitives.asymmetric.rsa import RSAPrivateKey +from cryptography.hazmat.primitives.serialization.pkcs12 import ( + PKCS12Certificate, + load_pkcs12, +) +from cryptography.x509.oid import NameOID from omero.config import ConfigXml from omero_certificates.certificates import create_certificates, update_config 
@@ -75,25 +81,22 @@ def test_create_certificates(self, tmpdir): for filename in ("server.key", "server.p12", "server.pem"): assert os.path.isfile(os.path.join(datadir, "certs", filename)) - out = subprocess.check_output( - [ - "openssl", - "pkcs12", - "-in", - os.path.join(datadir, "certs", "server.p12"), - "-passin", - "pass:secret", - "-passout", - "pass:secret", - ] - ) - out = out.decode().splitlines() - for line in ( - "subject=CN = localhost, O = OMERO.server, L = OMERO", - "issuer=CN = localhost, O = OMERO.server, L = OMERO", - "-----BEGIN CERTIFICATE-----", - "-----END CERTIFICATE-----", - "-----BEGIN ENCRYPTED PRIVATE KEY-----", - "-----END ENCRYPTED PRIVATE KEY-----", - ): - assert line in out + with open(os.path.join(datadir, "certs", "server.p12"), "rb") as f: + p12 = load_pkcs12(f.read(), b"secret") + assert p12.key + assert isinstance(p12.key, RSAPrivateKey) + assert p12.key.key_size == 2048 + + assert p12.cert + assert isinstance(p12.cert, PKCS12Certificate) + certificate = p12.cert.certificate + assert certificate + assert isinstance(certificate, x509.Certificate) + subject = certificate.subject + assert len(subject) == 3 + (cn,) = subject.get_attributes_for_oid(NameOID.COMMON_NAME) + assert cn.value == "localhost" + (l,) = subject.get_attributes_for_oid(NameOID.LOCALITY_NAME) + assert l.value == "OMERO" + (o,) = subject.get_attributes_for_oid(NameOID.ORGANIZATION_NAME) + assert o.value == "OMERO.server" From 9ef9399a21119909e5cc15c031d91bfee8c8eaac Mon Sep 17 00:00:00 2001 From: Chris Allan Date: Wed, 12 Oct 2022 15:34:28 +0000 Subject: [PATCH 07/12] Remove references to OpenSSL command line tools from README --- README.md | 15 +-------------- 1 file changed, 1 insertion(+), 14 deletions(-) diff --git a/README.md b/README.md index c1f3794..c6146b4 100644 --- a/README.md +++ b/README.md 
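Review bot: The new assertions check that the bundle holds a 2048-bit RSA key and a certificate with the expected subject, but not that the two belong together or that the certificate is currently valid, which are exactly the things the port to cryptography could have broken without any of these asserts noticing. Add `assert certificate.public_key().public_numbers() == p12.key.public_key().public_numbers()` and `assert certificate.not_valid_before <= datetime.utcnow() <= certificate.not_valid_after` (needs `from datetime import datetime`). The local `l` on the locality line is flagged by flake8 E741 as an ambiguous name; `loc` reads better. test_create_certificates starts outside this hunk.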
@@ -10,13 +10,11 @@ If you prefer to configure OMERO manually see the examples in these documents: ## Installation -Install `openssl` if it's not already on your system. -Then activate your OMERO.server virtualenv and run: +Activate your OMERO.server virtualenv and run: ``` pip install omero-certificates ``` - ## Usage Set the `OMERODIR` environment variable to the location of OMERO.server. @@ -26,11 +24,6 @@ Run: omero certificates ``` ``` -OpenSSL 1.1.1d 10 Sep 2019 -Generating RSA private key, 2048 bit long modulus (2 primes) -.+++++ -.............................+++++ -e is 65537 (0x010001) certificates created: /OMERO/certs/server.key /OMERO/certs/server.pem /OMERO/certs/server.p12 ``` to update your OMERO.server configuration and to generate or update your self-signed certificates. @@ -47,12 +40,6 @@ The original values can be found on https://docs.openmicroscopy.org/omero/5.6.0/ Certificates will be stored under `{omero.data.dir}/certs` by default. Set `omero.glacier2.IceSSL.DefaultDir` to change this. -If you see a warning message such as -``` -Can't load ./.rnd into RNG -``` -it should be safe to ignore. - For full information see the output of: ``` omero certificates --help From 284619a998270a487c747f6a6724cb3d058f9a0b Mon Sep 17 00:00:00 2001 From: Chris Allan Date: Wed, 12 Oct 2022 16:07:34 +0000 Subject: [PATCH 08/12] Better UX for OpenSSL command line DN strings --- README.md | 12 ++++++++++++ omero_certificates/certificates.py | 9 ++++++++- 2 files changed, 20 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index c6146b4..f0c10ca 100644 --- a/README.md +++ b/README.md 
@@ -45,6 +45,18 @@ For full information see the output of: omero certificates --help ``` +## Upgrading + +Since version 0.3.0 this plugin uses portable RFC 4514 (supercedes RFC 2253) formatted strings for the `omero.certificates.owner` configuration option. If you have ran `omero certificates` before you may have OpenSSL command line formatted strings in your configuration that need to be updated before you can run `omero certificates` again. In most cases this means taking a string such as `/L=OMERO/O=OMERO.server` and reformatting it to `L=OMERO,O=OMERO.server`; remove the leading `/` and replace separator `/`'s with `,`'s. + +You can see the RFC 4514 compatible string for the `Issuer` and `Subject` of your existing certificate by running: +``` +openssl x509 -in /path/to/cert.pem -text -nameopt rfc2253 +``` + +You can review the RFC in full for more specific details: +- https://tools.ietf.org/html/rfc4514.html + ## Developer notes This project uses [setuptools-scm](https://pypi.org/project/setuptools-scm/). diff --git a/omero_certificates/certificates.py b/omero_certificates/certificates.py index 2d328d1..35a9950 100644 --- a/omero_certificates/certificates.py +++ b/omero_certificates/certificates.py @@ -97,7 +97,14 @@ def create_certificates(omerodir): log.info("Creating self-signed certificate: %s", certpath) # Do what `openssl req -x509 ...` would do utcnow = datetime.utcnow() - subject = issuer = x509.Name.from_rfc4514_string("{},CN={}".format(owner, cn)) + try: + subject = issuer = x509.Name.from_rfc4514_string("{},CN={}".format(owner, cn)) + except ValueError: + return ( + f"'omero.certificates.owner' configuration setting '{owner}' not a " + "valid RFC 4514 string! Are you upgrading? See " + "https://pypi.org/project/omero-certificates/ for help." + ) cert = ( x509.CertificateBuilder() .subject_name(subject) From 050c3c98c32ea3d9d4cc805dc9e0494c1770d554 Mon Sep 17 00:00:00 2001 
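Review bot: In the new `try` block `cn` is still interpolated unescaped into the RFC 4514 string, so a commonname containing `,`, `+` or `=` is parsed as extra RDNs or rejected with the upgrade hint, even though it has nothing to do with upgrading. Let the library escape it: `cn_rdn = x509.NameAttribute(x509.NameOID.COMMON_NAME, cn).rfc4514_string()` and then `x509.Name.from_rfc4514_string("{},{}".format(owner, cn_rdn))`. Separately, the `except ValueError` branch returns the error text as the function's normal result, so a caller that only checks for a string (presumably the CLI plugin) prints a success-shaped message while no files were created; raising with that message, or at least logging it at error level, would make the failure visible to scripts that inspect the exit status. create_certificates starts and ends outside this hunk.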
From: Chris Allan Date: Fri, 14 Oct 2022 09:12:13 +0000 Subject: [PATCH 09/12] OpenSSL < 3.0.0, macOS security framework and Windows compat --- omero_certificates/certificates.py | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/omero_certificates/certificates.py b/omero_certificates/certificates.py index 35a9950..5cc1319 100644 --- a/omero_certificates/certificates.py +++ b/omero_certificates/certificates.py @@ -10,9 +10,8 @@ from cryptography import x509 from cryptography.hazmat.primitives import serialization from cryptography.hazmat.primitives.asymmetric import rsa -from cryptography.hazmat.primitives.hashes import SHA256 +from cryptography.hazmat.primitives.hashes import SHA256, SHA1 from cryptography.hazmat.primitives.serialization import ( - BestAvailableEncryption, Encoding, NoEncryption, PrivateFormat, @@ -123,13 +122,22 @@ def create_certificates(omerodir): log.info("Creating PKCS12 bundle: %s", pkcs12path) # Do what `openssl pkcs12 ...` would do with open(pkcs12path, "wb") as p12: + # Maintain compatibility with OpenSSL < 3.0.0, the macOS security + # framework and Windows. + encryption = ( + PrivateFormat.PKCS12.encryption_builder() + .kdf_rounds(50000) + .key_cert_algorithm(pkcs12.PBES.PBESv1SHA1And3KeyTripleDESCBC) + .hmac_hash(SHA1()) + .build(password.encode("utf-8")) + ) p12.write( pkcs12.serialize_key_and_certificates( b"server", rsa_private_key, cert, None, - BestAvailableEncryption(password.encode("utf-8")), + encryption, ) ) created_files.append(pkcs12path) From 019bbe9c290830b197b619e38d7621ac9b17fea6 Mon Sep 17 00:00:00 2001 From: Chris Allan Date: Fri, 14 Oct 2022 12:10:41 +0000 Subject: [PATCH 10/12] Add compatibility mode --- README.md | 2 +- omero_certificates/certificates.py | 7 ++++ tests/unit/test_certificates.py | 60 +++++++++++++++++++++--------- 3 files changed, 50 insertions(+), 19 deletions(-) diff --git a/README.md b/README.md index f0c10ca..e6b1b8b 100644 --- a/README.md +++ b/README.md 
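Review bot: The new `encryption_builder()` chain replaces the PBES2/AES-256 profile that `BestAvailableEncryption` emitted with PBES1 3DES-CBC, a SHA-1 MAC and 50000 KDF rounds for every installation, not only on the platforms the comment names, so the at-rest protection of the private key in server.p12 is weakened for everyone. If the interoperability need is real, consider making the legacy profile opt-in (or at least documenting it in the README) so operators on a current OpenSSL 3 stack are not silently downgraded. At minimum expand the comment to state what was traded away, e.g. `# Legacy PBES1 3DES/SHA-1 profile: weaker than the PBES2/AES default, but the only one OpenSSL < 3, the macOS security framework and Windows all accept.` create_certificates ends outside this hunk.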
@@ -47,7 +47,7 @@ omero certificates --help ## Upgrading -Since version 0.3.0 this plugin uses portable RFC 4514 (supercedes RFC 2253) formatted strings for the `omero.certificates.owner` configuration option. If you have ran `omero certificates` before you may have OpenSSL command line formatted strings in your configuration that need to be updated before you can run `omero certificates` again. In most cases this means taking a string such as `/L=OMERO/O=OMERO.server` and reformatting it to `L=OMERO,O=OMERO.server`; remove the leading `/` and replace separator `/`'s with `,`'s. +Since version 0.3.0 this plugin uses portable RFC 4514 (supercedes RFC 2253) formatted strings for the `omero.certificates.owner` configuration option. If you have ran `omero certificates` before you may have OpenSSL command line formatted strings in your configuration that should be updated before you can run `omero certificates` again. In most cases this means taking a string such as `/L=OMERO/O=OMERO.server` and reformatting it to `L=OMERO,O=OMERO.server`; remove the leading `/` and replace separator `/`'s with `,`'s. You can see the RFC 4514 compatible string for the `Issuer` and `Subject` of your existing certificate by running: ``` diff --git a/omero_certificates/certificates.py b/omero_certificates/certificates.py index 5cc1319..bdeb66a 100644 --- a/omero_certificates/certificates.py +++ b/omero_certificates/certificates.py @@ -6,6 +6,7 @@ import logging import os +import re from datetime import datetime, timedelta from cryptography import x509 from cryptography.hazmat.primitives import serialization 
@@ -97,6 +98,12 @@ def create_certificates(omerodir): # Do what `openssl req -x509 ...` would do utcnow = datetime.utcnow() try: + if owner.startswith("/"): + log.warn( + f"'omero.certificates.owner' configuration setting '{owner}' not a " + "valid RFC 4514 string! Attempting to convert." + ) + owner = re.sub(r"\s*/\s*", r",", owner.lstrip("/")) subject = issuer = x509.Name.from_rfc4514_string("{},CN={}".format(owner, cn)) except ValueError: return ( diff --git a/tests/unit/test_certificates.py b/tests/unit/test_certificates.py index c9568b4..15e203b 100644 --- a/tests/unit/test_certificates.py +++ b/tests/unit/test_certificates.py @@ -64,6 +64,26 @@ def test_config_keep_existing(self, tmpdir): "omero.certificates.owner": "/L=universe/O=42", } + def assert_pkcs12(self, f): + p12 = load_pkcs12(f.read(), b"secret") + assert p12.key + assert isinstance(p12.key, RSAPrivateKey) + assert p12.key.key_size == 2048 + + assert p12.cert + assert isinstance(p12.cert, PKCS12Certificate) + certificate = p12.cert.certificate + assert certificate + assert isinstance(certificate, x509.Certificate) + subject = certificate.subject + assert len(subject) == 3 + (cn,) = subject.get_attributes_for_oid(NameOID.COMMON_NAME) + assert cn.value == "localhost" + (l,) = subject.get_attributes_for_oid(NameOID.LOCALITY_NAME) + assert l.value == "OMERO" + (o,) = subject.get_attributes_for_oid(NameOID.ORGANIZATION_NAME) + assert o.value == "OMERO.server" + def test_create_certificates(self, tmpdir): (tmpdir / "etc" / "grid").ensure(dir=True) omerodir = str(tmpdir) 
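Review bot: `log.warn` on the new warning line is a deprecated alias of `log.warning` (it emits a DeprecationWarning), so it should read `log.warning(...)`; using the lazy `%s` style the rest of this module already uses, `log.warning("'omero.certificates.owner' configuration setting '%s' not a valid RFC 4514 string! Attempting to convert.", owner)`, also avoids formatting the message when it is filtered out. Because the converted value is not written back to the configuration, the warning will presumably repeat on every run, and any attribute value that legitimately contains `/` is split wrongly by the `re.sub`, though the old OpenSSL syntax had the same ambiguity. The `try` now wraps both the conversion and the parse, so either failure reaches the same upgrade message. create_certificates starts and ends outside this hunk.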
@@ -82,21 +102,25 @@ def test_create_certificates(self, tmpdir): assert os.path.isfile(os.path.join(datadir, "certs", filename)) with open(os.path.join(datadir, "certs", "server.p12"), "rb") as f: - p12 = load_pkcs12(f.read(), b"secret") - assert p12.key - assert isinstance(p12.key, RSAPrivateKey) - assert p12.key.key_size == 2048 - - assert p12.cert - assert isinstance(p12.cert, PKCS12Certificate) - certificate = p12.cert.certificate - assert certificate - assert isinstance(certificate, x509.Certificate) - subject = certificate.subject - assert len(subject) == 3 - (cn,) = subject.get_attributes_for_oid(NameOID.COMMON_NAME) - assert cn.value == "localhost" - (l,) = subject.get_attributes_for_oid(NameOID.LOCALITY_NAME) - assert l.value == "OMERO" - (o,) = subject.get_attributes_for_oid(NameOID.ORGANIZATION_NAME) - assert o.value == "OMERO.server" + self.assert_pkcs12(f) + + def test_create_certificates_from_existing_0_2_0(self, tmpdir): + (tmpdir / "etc" / "grid").ensure(dir=True) + omerodir = str(tmpdir) + datadir = str(tmpdir / "OMERO") + configxml = ConfigXml(os.path.join(omerodir, "etc", "grid", "config.xml")) + configxml["omero.data.dir"] = datadir + configxml["omero.certificates.owner"] = "/L=OMERO/O=OMERO.server" + configxml.close() + + m = create_certificates(omerodir) + assert m.startswith("certificates created: ") + + cfg = get_config(omerodir) + assert cfg["omero.glacier2.IceSSL.DefaultDir"] == os.path.join(datadir, "certs") + + for filename in ("server.key", "server.p12", "server.pem"): + assert os.path.isfile(os.path.join(datadir, "certs", filename)) + + with open(os.path.join(datadir, "certs", "server.p12"), "rb") as f: + self.assert_pkcs12(f) From 1825d9957a60f4068eac2111296def63cb7b9a86 Mon Sep 17 00:00:00 2001 From: Chris Allan Date: Fri, 16 Dec 2022 09:28:22 +0000 Subject: [PATCH 11/12] Formatting --- README.md | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index e6b1b8b..2e37816 100644 
--- a/README.md +++ b/README.md @@ -47,9 +47,17 @@ omero certificates --help ## Upgrading -Since version 0.3.0 this plugin uses portable RFC 4514 (supercedes RFC 2253) formatted strings for the `omero.certificates.owner` configuration option. If you have ran `omero certificates` before you may have OpenSSL command line formatted strings in your configuration that should be updated before you can run `omero certificates` again. In most cases this means taking a string such as `/L=OMERO/O=OMERO.server` and reformatting it to `L=OMERO,O=OMERO.server`; remove the leading `/` and replace separator `/`'s with `,`'s. - -You can see the RFC 4514 compatible string for the `Issuer` and `Subject` of your existing certificate by running: +Since version 0.3.0 this plugin uses portable RFC 4514 (supercedes RFC 2253) +formatted strings for the `omero.certificates.owner` configuration option. If +you have ran `omero certificates` before you may have OpenSSL command line +formatted strings in your configuration that should be updated before you can +run `omero certificates` again. In most cases this means taking a string such +as `/L=OMERO/O=OMERO.server` and reformatting it to +`L=OMERO,O=OMERO.server`; remove the leading `/` and replace separator `/`'s +with `,`'s. + +You can see the RFC 4514 compatible string for the `Issuer` and `Subject` +of your existing certificate by running: ``` openssl x509 -in /path/to/cert.pem -text -nameopt rfc2253 ``` From afd2a8efbaca995b397db3313f90752da0e75b4e Mon Sep 17 00:00:00 2001 From: Chris Allan Date: Fri, 16 Dec 2022 09:29:12 +0000 Subject: [PATCH 12/12] Update to cryptography>=38.0.0 as suggested --- setup.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup.py b/setup.py index 96259bd..7b7859b 100755 --- a/setup.py +++ b/setup.py 
@@ -20,7 +20,7 @@ setup_requires=["setuptools_scm"], install_requires=[ "omero-py>=5.6.0", - "cryptography>=36.0.0", + "cryptography>=38.0.0", ], use_scm_version={"write_to": "omero_certificates/_version.py"}, classifiers=[