snapshot

mtik_cert_pusher/cert_pusher.py

@@ -0,0 +1,57 @@
+#!python3
+# dlitz 2025-2026
+
+import tempfile
+import os
+
+from cryptography import x509
+from cryptography.hazmat.primitives.hashes import SHA256
+from cryptography.hazmat.primitives.serialization import (
+    BestAvailableEncryption,
+    KeySerializationEncryption,
+    PrivateFormat,
+    load_pem_private_key,
+    load_pem_public_key,
+    pkcs12,
+)
+
+from .cert_util import split_certs
+from .routeros_ssh import RouterOS_SSH
+from .ssl_util import SSLUtil
+
+
+class MTCertPusher:
+
+    temporary_directory = "/dev/shm"
+
+    def __init__(self, ssl_util: SSLUtil, ros_ssh: RouterOS_SSH):
+        self.ssl_util = ssl_util
+        self.ros = ros_ssh
+        self.tempdir = tempfile.TemporaryDirectory(dir=self.temporary_directory)
+
+    def __del__(self):
+        self.close()
+
+    def close(self):
+        try:
+            tempdir = self.tempdir
+        except AttributeError:
+            pass
+        else:
+            self.tempdir.cleanup()
+            del self.tempdir
+
+    def generate_random_pkcs12_passphrase(self):
+        return os.urandom(64).hex()
+
+    def install_key_and_certificates(
+        self, key: str, cert: str, chain: str | None = None
+    ):
+        private_key_obj = load_pem_private_key(key.encode())
+        cert_obj = x509.load_pem_x509_certificate(cert.encode())
+        if cert_obj.public_key() != private_key_obj.public_key():
+            raise ValueError("certificate does not match private key")
+
+        passphrase = self.generate_random_pkcs12_passphrase()
+        p12 = self.ssl_util.create_pkcs12_from_key_and_certificates(key=key, cert=cert, passphrase=passphrase)
+