#!/usr/bin/env python3
import argparse
import os
import requests
try:
import redfish
except ModuleNotFoundError:
raise Exception("Please run pip install redfish to run this script.")
try:
from OpenSSL import crypto
except ImportError:
raise Exception("Please run pip install pyOpenSSL to run this script.")
# Script to generate a certificates for a CA, server, and client
# allowing for client authentication using mTLS certificates.
# This can then be used to test mTLS client authentication for Redfish
# and webUI. Note that this requires the pyOpenSSL library to function.
# TODO: Use EC keys rather than RSA keys.
def generateCACert(serial):
# CA key
key = crypto.PKey()
key.generate_key(crypto.TYPE_RSA, 2048)
# CA cert
cert = crypto.X509()
cert.set_serial_number(serial)
cert.set_version(2)
cert.set_pubkey(key)
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(10 * 365 * 24 * 60 * 60)
caCertSubject = cert.get_subject()
caCertSubject.countryName = "US"
caCertSubject.stateOrProvinceName = "California"
caCertSubject.localityName = "San Francisco"
caCertSubject.organizationName = "OpenBMC"
caCertSubject.organizationalUnitName = "bmcweb"
caCertSubject.commonName = "Test CA"
cert.set_issuer(caCertSubject)
cert.add_extensions(
[
crypto.X509Extension(
b"basicConstraints", True, b"CA:TRUE, pathlen:0"
),
crypto.X509Extension(b"keyUsage", True, b"keyCertSign, cRLSign"),
crypto.X509Extension(
b"subjectKeyIdentifier", False, b"hash", subject=cert
),
]
)
cert.add_extensions(
[
crypto.X509Extension(
b"authorityKeyIdentifier", False, b"keyid:always", issuer=cert
)
]
)
# sign CA cert with CA key
cert.sign(key, "sha256")
return key, cert
def generateCert(commonName, extensions, caKey, caCert, serial):
# key
key = crypto.PKey()
key.generate_key(crypto.TYPE_RSA, 2048)
# cert
cert = crypto.X509()
serial
cert.set_serial_number(serial)
cert.set_version(2)
cert.set_pubkey(key)
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(365 * 24 * 60 * 60)
certSubject = cert.get_subject()
certSubject.countryName = "US"
certSubject.stateOrProvinceName = "California"
certSubject.localityName = "San Francisco"
certSubject.organizationName = "OpenBMC"
certSubject.organizationalUnitName = "bmcweb"
certSubject.commonName = commonName
cert.set_issuer(caCert.get_issuer())
cert.add_extensions(extensions)
cert.add_extensions(
[
crypto.X509Extension(
b"authorityKeyIdentifier", False, b"keyid", issuer=caCert
)
]
)
cert.sign(caKey, "sha256")
return key, cert
def main():
parser = argparse.ArgumentParser()
parser.add_argument("--host", help="Host to connect to", required=True)
parser.add_argument(
"--username", help="Username to connect with", default="root"
)
parser.add_argument(
"--password",
help="Password for user in order to install certs over Redfish.",
default="0penBmc",
)
args = parser.parse_args()
host = args.host
username = args.username
password = args.password
if username == "root" and password == "0penBMC":
print(
"""Note: Using default username 'root' and default password
'0penBmc'. Use --username and --password flags to change these,
respectively."""
)
serial = 1000
try:
print("Making certs directory.")
os.mkdir("certs")
except OSError as error:
if error.errno == 17:
print("certs directory already exists. Skipping...")
else:
print(error)
caKey, caCert = generateCACert(serial)
serial += 1
caKeyDump = crypto.dump_privatekey(crypto.FILETYPE_PEM, caKey)
caCertDump = crypto.dump_certificate(crypto.FILETYPE_PEM, caCert)
with open("certs/CA-cert.pem", "wb") as f:
f.write(caCertDump)
print("CA cert generated.")
with open("certs/CA-key.pem", "wb") as f:
f.write(caKeyDump)
print("CA key generated.")
clientExtensions = [
crypto.X509Extension(
b"keyUsage",
True,
b"""digitalSignature,
keyAgreement""",
),
crypto.X509Extension(b"extendedKeyUsage", True, b"clientAuth"),
]
clientKey, clientCert = generateCert(
username, clientExtensions, caKey, caCert, serial
)
serial += 1
clientKeyDump = crypto.dump_privatekey(crypto.FILETYPE_PEM, clientKey)
clientCertDump = crypto.dump_certificate(crypto.FILETYPE_PEM, clientCert)
with open("certs/client-key.pem", "wb") as f:
f.write(clientKeyDump)
print("Client key generated.")
with open("certs/client-cert.pem", "wb") as f:
f.write(clientCertDump)
print("Client cert generated.")
serverExtensions = [
crypto.X509Extension(
b"keyUsage",
True,
b"""digitalSignature,
keyAgreement""",
),
crypto.X509Extension(b"extendedKeyUsage", True, b"serverAuth"),
]
serverKey, serverCert = generateCert(
host, serverExtensions, caKey, caCert, serial
)
serial += 1
serverKeyDump = crypto.dump_privatekey(crypto.FILETYPE_PEM, serverKey)
serverCertDump = crypto.dump_certificate(crypto.FILETYPE_PEM, serverCert)
with open("certs/server-key.pem", "wb") as f:
f.write(serverKeyDump)
print("Server key generated.")
with open("certs/server-cert.pem", "wb") as f:
f.write(serverCertDump)
print("Server cert generated.")
caCertJSON = {}
caCertJSON["CertificateString"] = caCertDump.decode()
caCertJSON["CertificateType"] = "PEM"
caCertPath = "/redfish/v1/Managers/bmc/Truststore/Certificates"
replaceCertPath = "/redfish/v1/CertificateService/Actions/"
replaceCertPath += "CertificateService.ReplaceCertificate"
print("Attempting to install CA certificate to BMC.")
redfishObject = redfish.redfish_client(
base_url="https://" + host,
username=username,
password=password,
default_prefix="/redfish/v1",
)
redfishObject.login(auth="session")
response = redfishObject.post(caCertPath, body=caCertJSON)
if response.status == 500:
print(
"An existing CA certificate is likely already installed."
" Replacing..."
)
caCertificateUri = {}
caCertificateUri["@odata.id"] = caCertPath + "/1"
caCertJSON["CertificateUri"] = caCertificateUri
response = redfishObject.post(replaceCertPath, body=caCertJSON)
if response.status == 200:
print("Successfully replaced existing CA certificate.")
else:
raise Exception(
"Could not install or replace CA certificate."
"Please check if a certificate is already installed. If a"
"certificate is already installed, try performing a factory"
"restore to clear such settings."
)
elif response.status == 200:
print("Successfully installed CA certificate.")
else:
raise Exception("Could not install certificate: " + response.read)
serverCertJSON = {}
serverCertJSON["CertificateString"] = (
serverKeyDump.decode() + serverCertDump.decode()
)
serverCertificateUri = {}
serverCertificateUri[
"@odata.id"
] = "/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/1"
serverCertJSON["CertificateUri"] = serverCertificateUri
serverCertJSON["CertificateType"] = "PEM"
print("Replacing server certificate...")
response = redfishObject.post(replaceCertPath, body=serverCertJSON)
if response.status == 200:
print("Successfully replaced server certificate.")
else:
raise Exception("Could not replace certificate: " + response.read)
tlsPatchJSON = {"Oem": {"OpenBMC": {"AuthMethods": {"TLS": True}}}}
print("Ensuring TLS authentication is enabled.")
response = redfishObject.patch(
"/redfish/v1/AccountService", body=tlsPatchJSON
)
if response.status == 200:
print("Successfully enabled TLS authentication.")
else:
raise Exception("Could not enable TLS auth: " + response.read)
redfishObject.logout()
print("Testing redfish TLS authentication with generated certs.")
response = requests.get(
"https://" + host + "/redfish/v1/SessionService/Sessions",
verify=False,
cert=("certs/client-cert.pem", "certs/client-key.pem"),
)
response.raise_for_status()
print("Redfish TLS authentication success!")
print("Generating p12 cert file for browser authentication.")
pkcs12Cert = crypto.PKCS12()
pkcs12Cert.set_certificate(clientCert)
pkcs12Cert.set_privatekey(clientKey)
pkcs12Cert.set_ca_certificates([caCert])
pkcs12Cert.set_friendlyname(bytes(username, encoding="utf-8"))
with open("certs/client.p12", "wb") as f:
f.write(pkcs12Cert.export())
print(
"Client p12 cert file generated and stored in"
"./certs/client.p12."
)
print(
"Copy this file to a system with a browser and install the"
"cert into the browser."
)
print(
"You will then be able to test redfish and webui"
"authentication using this certificate."
)
print(
"Note: this p12 file was generated without a password, so it"
"can be imported easily."
)
main()