mirror of
https://github.com/xcat2/confluent.git
synced 2025-10-23 23:45:40 +00:00
Refresh getcsr and installcert to handle latest firmware. Also add ability to have pre-existing CSR, and trust the SAN on the way through. If this becomes more properly a feature, then would likely impose a SAN on certs, similar to the SSH principals, rather than deferring to the CSR to get it right.
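"""Ask an XCC management controller for a certificate signing request (CSR).

The controller is first probed for a Redfish CertificateService.  When one is
present its GenerateCSR action is used; otherwise the script falls back to the
XCC web API.  In both cases the CSR is saved to the ``outcsr`` path.

Credentials are read from the XCCUSER and XCCPASS environment variables.
"""
import argparse
import io
import gzip
import pyghmi.redfish.command as cmd
import os
import sys

ap = argparse.ArgumentParser(description='Certificate Generate')
ap.add_argument('xcc', help='XCC address')
ap.add_argument('--country', help='Two Letter Country')
ap.add_argument('--state', help='State or Province')
ap.add_argument('--city', help='City or Locality')
ap.add_argument('--org', help='Organization name')
ap.add_argument('--name', help='Common/Host Name')
ap.add_argument('outcsr', help='CSR filename to save')
args = ap.parse_args()

# Fail with a readable message instead of a KeyError traceback when the
# credentials were not exported.
missing = [var for var in ('XCCUSER', 'XCCPASS') if var not in os.environ]
if missing:
    sys.exit('Missing environment variable(s): ' + ', '.join(missing))

# SECURITY: the callback below returns True for every input, so whatever
# certificate the endpoint presents is accepted.  The session is therefore
# not authenticated, and XCCUSER/XCCPASS are sent to whichever host answers
# at args.xcc.  That fits a first-time bootstrap of a controller that still
# carries a factory certificate on a trusted management network; once a
# certificate has been installed, swap in a callback that compares the
# presented certificate with a known fingerprint.
# NOTE(review): presumably x is the peer certificate; confirm against pyghmi.
c = cmd.Command(args.xcc, os.environ['XCCUSER'], os.environ['XCCPASS'],
                verifycallback=lambda x: True)

# NOTE(review): the branch nesting here was reconstructed from a listing that
# had lost its indentation; the legacy path is taken to be the else of
# "if cs".  Confirm against the upstream file.
overview = c._do_web_request('/redfish/v1/')
cs = overview.get('CertificateService', {}).get('@odata.id', None)
if cs:
    csinfo = c._do_web_request(cs)
    gcsr = csinfo.get('Actions', {}).get(
        '#CertificateService.GenerateCSR', {}).get('target', None)
    if not gcsr:
        # Previously this case ended silently with exit status 0 and no CSR.
        sys.exit('CertificateService does not advertise a GenerateCSR action')
    #https://n241-bmc/redfish/v1/Managers/1/NetworkProtocol HTTPS
    #/redfish/v1/Managers/1/NetworkProtocol/HTTPS/Certificates
    #/redfish/v1/CertificateService/CertificateLocations
    csrargs = {
        'City': args.city,
        'State': args.state,
        'Organization': args.org,
        'Country': args.country,
        'CommonName': args.name,
        'KeyPairAlgorithm': 'TPM_ALG_ECDH',
        'KeyCurveId': 'TPM_ECC_NIST_P384',
        'CertificateCollection': {
            '@odata.id':
                '/redfish/v1/Managers/1/NetworkProtocol/HTTPS/Certificates'},
    }

    csrinfo = c._do_web_request(gcsr, csrargs)
    if 'CSRString' not in csrinfo:
        # Same silent-success gap as above: report it and exit non-zero.
        sys.exit('GenerateCSR response did not contain a CSRString')
    with open(args.outcsr, 'w') as csrout:
        csrout.write(csrinfo['CSRString'])
    sys.exit(0)
else:
    # No Redfish CertificateService: use the XCC web API instead.
    params = [
        '0',  # 'serviceType'
        args.country,
        args.state,
        args.city,
        args.org,
        args.name,
    ] + [''] * 9  # nine trailing fields are sent empty
    # Options left off the command line are None, which str.join() rejects;
    # send them as empty fields like the trailing placeholders.
    # NOTE(review): the fields are comma-joined, so a comma inside a value
    # (e.g. in --org) would shift every later field; confirm whether the
    # firmware supports any escaping.
    fields = ['' if value is None else value for value in params]

    wc = c.oem.wc
    # The responses of the first two calls are not inspected, as before.
    wc.grab_json_response_with_status(
        '/api/function', {'Sec_GenKeyAndCSR': ','.join(fields)})
    wc.grab_json_response_with_status('/api/dataset', {'CSR_Format': '1'})
    rsp, status = wc.grab_json_response_with_status(
        '/api/function', {'Sec_DownloadCSRANDCert': '0,4,0'})
    try:
        filename = rsp['FileName']
    except (KeyError, TypeError):
        sys.exit('XCC did not return a CSR download name '
                 '(status {0})'.format(status))
    wc.request('GET', '/download/{0}'.format(filename))
    download = wc.getresponse()
    csr = download.read()
    if download.getheader('Content-Encoding', None) == 'gzip':
        csr = gzip.GzipFile(fileobj=io.BytesIO(csr)).read()
    # The body is bytes, and print() of bytes emits a b'...' repr that is not
    # a usable CSR; save it to the requested file as the Redfish path does.
    with open(args.outcsr, 'wb') as csrout:
        csrout.write(csr)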