use unified interface for generating OCSP keys

Author: mathiasertl

ca/ca/settings.py

@@ -112,7 +112,7 @@
 
 # Make this unique, and don't share it with anybody.
 SECRET_KEY = ""
-SECRET_KEY_FILE = None
+SECRET_KEY_FILE = ""
 
 MIDDLEWARE = [
     "django.middleware.security.SecurityMiddleware",

ca/ca/settings_utils.py

@@ -180,12 +180,13 @@ class ProjectSettingsModelMixin:
         "This setting has no effect if you define the ``LOGGING`` setting."
     )
     STORAGES: dict[str, dict[str, Any]] = Field(default_factory=dict)
-    SECRET_KEY_FILE: str | None = Field(
-        default=None,
+    SECRET_KEY_FILE: str = Field(
+        default="",
         description="A path to a file that stores Django's `SECRET_KEY "
         "<https://docs.djangoproject.com/en/dev/ref/settings/#std:setting-SECRET_KEY>`_. The setting is only "
         "used if no ``SECRET_KEY`` is defined.",
         examples=["/var/lib/django-ca/certs/ca/shared/secret_key"],
+        json_schema_extra={"default_explanation": "Not set."},
     )
     USE_TZ: bool
 

ca/django_ca/celery/messages.py

@@ -46,6 +46,7 @@ class UseCertificateAuthoritiesTaskArgs(CeleryMessageModel):
 
     @model_validator(mode="after")
     def validate_exclude(self) -> Self:
+        """Validator to make sure that not both `serials` and `exclude` is set."""
         if self.serials and self.exclude:
             raise ValueError("Message cannot contain both serials and excluded serials.")
         return self

ca/django_ca/management/base.py

@@ -14,11 +14,8 @@
 """Command subclasses and argparse helpers for django-ca."""
 
 import abc
-import argparse
-import typing
-from collections.abc import Callable
 from datetime import UTC, datetime, timedelta
-from typing import Any
+from typing import TYPE_CHECKING, Any, ClassVar
 
 from cryptography import x509
 from cryptography.x509.oid import AuthorityInformationAccessOID
@@ -44,7 +41,8 @@
     ConfigurableExtensionType,
 )
 
-if typing.TYPE_CHECKING:
+if TYPE_CHECKING:
+    from celery.local import Proxy  # celery.local is defined in our stubs
     from django_stubs_ext import StrOrPromise
 
 
@@ -381,7 +379,7 @@ class BaseSignCertCommand(UsePrivateKeyMixin, BaseSignCommand, metaclass=abc.ABC
     """Base class for commands signing certificates (sign_cert, resign_cert)."""
 
     add_extensions_help = ""  # concrete classes should set this
-    subject_help: typing.ClassVar[str]  # concrete classes should set this
+    subject_help: ClassVar[str]  # concrete classes should set this
 
     def add_base_args(self, parser: CommandParser, no_default_ca: bool = False) -> ArgumentGroup:
         """Add common arguments for signing certificates."""
@@ -584,10 +582,10 @@ class GenerateCommandBase(UsePrivateKeyMixin, BaseCommand):
     """Base class for commands to generate CRLs and OCSP keys."""
 
     what: str
-    single_task: Callable[..., Any]
-    multiple_task: Callable[..., Any]
+    single_task: "Proxy[[UseCertificateAuthorityTaskArgs], Any]"
+    multiple_task: "Proxy[[UseCertificateAuthoritiesTaskArgs], Any]"
 
-    def add_arguments(self, parser: argparse.ArgumentParser) -> None:
+    def add_arguments(self, parser: CommandParser) -> None:
         parser.add_argument(
             "serials",
             metavar="SERIAL",
@@ -614,14 +612,23 @@ def handle(self, serials: list[str], exclude: list[str], force: bool, **options:
             raise CommandError("Cannot name serials and exclude list at the same time.")
 
         if len(serials) == 1:
-            ca, key_backend_options = self.get_key_backend_options(serials[0], options)
-
-            data = UseCertificateAuthorityTaskArgs(
-                serial=ca.serial,
-                force=force,
-                key_backend_options=key_backend_options.model_dump(mode="json", exclude_unset=True),
-            )
-            run_task(self.single_task, data)
+            try:
+                ca, key_backend_options = self.get_key_backend_options(serials[0], options)
+
+                single_data = UseCertificateAuthorityTaskArgs(
+                    serial=ca.serial,
+                    force=force,
+                    key_backend_options=key_backend_options.model_dump(mode="json", exclude_unset=True),
+                )
+
+                run_task(self.single_task, single_data)
+            except Exception as ex:
+                # Exceptions only happen if Celery is not used or the connection to the broker fails
+                raise CommandError(ex) from ex
         else:
-            data = UseCertificateAuthoritiesTaskArgs(serials=serials, exclude=exclude, force=force)
-            run_task(self.multiple_task, data)
+            multiple_data = UseCertificateAuthoritiesTaskArgs(serials=serials, exclude=exclude, force=force)
+            try:
+                run_task(self.multiple_task, multiple_data)
+            except Exception as ex:  # pragma: no cover  # does not usually happen
+                # Exceptions only happen if Celery is not used or the connection to the broker fails
+                raise CommandError(ex) from ex

ca/django_ca/management/commands/cache_crls.py

@@ -26,11 +26,11 @@
 class Command(GenerateCrlsCommand):  # noqa: D101
     help = "(Deprecated) Cache CRLs. Use generate_crls instead."
 
-    def handle(self, serials: list[str], **options: Any) -> None:
+    def handle(self, serials: list[str], exclude: list[str], force: bool, **options: Any) -> None:
         self.stderr.write(
             self.style.WARNING(
                 "Warning: This command is deprecated. Please use generate_crls instead. "
                 "This alias will be removed in django_ca~=3.2.0."
             )
         )
-        super().handle(serials, **options)
+        super().handle(serials, exclude=exclude, force=force, **options)

ca/django_ca/management/commands/generate_ocsp_keys.py

@@ -16,81 +16,14 @@
 .. seealso:: https://docs.djangoproject.com/en/dev/howto/custom-management-commands/
 """
 
-from collections.abc import Iterable
-from typing import Any
+from django_ca.management.base import GenerateCommandBase
+from django_ca.tasks import generate_ocsp_key, generate_ocsp_keys
 
-from pydantic import ValidationError
 
-from django.core.management.base import CommandError, CommandParser
-
-from django_ca.celery import run_task
-from django_ca.celery.messages import UseCertificateAuthorityTaskArgs
-from django_ca.conf import model_settings
-from django_ca.management.base import BaseCommand
-from django_ca.management.mixins import UsePrivateKeyMixin
-from django_ca.models import CertificateAuthority
-from django_ca.tasks import generate_ocsp_key
-from django_ca.utils import add_colons
-
-
-class Command(UsePrivateKeyMixin, BaseCommand):
+class Command(GenerateCommandBase):
     """Implement the :command:`manage.py generate_ocsp_keys` command."""
 
     help = "Generate OCSP keys."
-
-    def add_arguments(self, parser: CommandParser) -> None:
-        parser.add_argument(
-            "serials",
-            metavar="SERIAL",
-            nargs="*",
-            help="Generate OCSP keys only for the given CA. If omitted, generate keys for all CAs.",
-        )
-
-        parser.add_argument(
-            "--force",
-            action="store_true",
-            default=False,
-            help="Force regeneration of OCSP responder certificates.",
-        )
-        parser.add_argument("--quiet", action="store_true", default=False, help="Do not output warnings.")
-        self.add_use_private_key_arguments(parser)
-
-    def handle(self, serials: Iterable[str], quiet: bool, force: bool, **options: Any) -> None:
-        if not serials:
-            serials = CertificateAuthority.objects.all().order_by("serial").values_list("serial", flat=True)
-
-        if "ocsp" not in model_settings.CA_PROFILES:
-            raise CommandError("ocsp: Undefined profile.")
-
-        errors = 0
-        for serial in serials:
-            serial = serial.replace(":", "").strip().upper()
-            hr_serial = add_colons(serial)
-            try:
-                ca: CertificateAuthority = CertificateAuthority.objects.get(serial=serial)
-            except CertificateAuthority.DoesNotExist:
-                self.stderr.write(self.style.ERROR(f"{hr_serial}: Unknown CA."))
-                continue
-
-            try:
-                key_backend_options = ca.key_backend.get_use_private_key_options(ca, options)
-            except ValidationError as ex:
-                self.validation_error_to_command_error(ex)
-            except Exception as ex:  # pragma: no cover  # pylint: disable=broad-exception-caught
-                if quiet is False:
-                    self.stderr.write(self.style.WARNING(f"{hr_serial}: {ex}"))
-                continue
-
-            try:
-                message = UseCertificateAuthorityTaskArgs(
-                    serial=serial,
-                    key_backend_options=key_backend_options.model_dump(mode="json", exclude_unset=True),
-                    force=force,
-                )
-                run_task(generate_ocsp_key, message)
-            except Exception as ex:  # pylint: disable=broad-exception-caught
-                self.stderr.write(f"{serial}: {ex}")
-                errors += 1
-
-        if errors:
-            raise CommandError(f"Generation of {errors} OCSP key(s) failed.")
+    what = "OCSP keys"
+    single_task = generate_ocsp_key
+    multiple_task = generate_ocsp_keys

ca/django_ca/management/mixins.py

@@ -674,9 +674,10 @@ def get_signing_options(
 
         return key_backend_options, algorithm
 
-    def get_key_backend_options(
+    def get_key_backend_options(  # type: ignore[return]  # b/c of validation_error_to_command_error
         self, serial: str, options: dict[str, Any]
     ) -> tuple[CertificateAuthority, BaseModel]:
+        """Get CA and key backend options for the given input data."""
         serial = sanitize_serial(serial)
         hr_serial = add_colons(serial)
         try:
@@ -687,6 +688,6 @@ def get_key_backend_options(
         try:
             return ca, ca.key_backend.get_use_private_key_options(ca, options)
         except ValidationError as ex:
-            self.validation_error_to_command_error(ex)
-        except Exception as ex:  # pragma: no cover  # pylint: disable=broad-exception-caught
+            self.validation_error_to_command_error(ex)  # type: ignore[attr-defined]
+        except Exception as ex:  # pragma: no cover
             raise CommandError(str(ex)) from ex

ca/django_ca/tasks.py

@@ -126,7 +126,7 @@ def generate_crls(data: UseCertificateAuthoritiesTaskArgs | None = None) -> None
             # NOTE: When using Celery, an exception will only be raised here if task.delay() itself raises an
             # exception, e.g. if the connection to the broker fails. Without celery, exceptions in
             # `generate_crl()` are raised here directly.
-            log.exception("Error caching CRL for %s", serial)
+            log.exception("Error generating CRL for %s", serial)
 
 
 @shared_task(base=DjangoCaTask)

ca/django_ca/tests/commands/test_generate_crls.py

@@ -95,4 +95,4 @@ def test_deprecated_cmd_name(usable_root: CertificateAuthority) -> None:
 def test_with_serial_and_exclude() -> None:
     """Test passing both an explicit serial and an exclusion (makes no sense)."""
     with assert_command_error(r"^Cannot name serials and exclude list at the same time\.$"):
-        cmd("generate_crls", serials=["abc"], exclude=["def"])
+        cmd("generate_crls", ["abc"], exclude=["def"])

ca/django_ca/tests/commands/test_generate_ocsp_keys.py

@@ -13,7 +13,6 @@
 
 """Test the generate_ocsp_keys management command."""
 
-import io
 import typing
 from collections.abc import Iterable
 from datetime import UTC, datetime, timedelta
@@ -143,32 +142,28 @@ def test_with_celery(settings: SettingsWrapper, usable_root: CertificateAuthorit
     assert_no_key(usable_root.serial)
 
 
-def test_without_serial(
-    settings: SettingsWrapper, root: CertificateAuthority, ec: CertificateAuthority
-) -> None:
+def test_without_serial(settings: SettingsWrapper) -> None:
     """Test for all CAs."""
     settings.CA_USE_CELERY = True
-    kwargs = {"key_backend_options": {"password": None}, "force": False}
     with mock_celery_task(
-        "django_ca.tasks.generate_ocsp_key",
-        (mock.call(tuple(), {"data": {"serial": root.serial, **kwargs}})),
-        (mock.call(tuple(), {"data": {"serial": ec.serial, **kwargs}})),
+        "django_ca.tasks.generate_ocsp_keys",
+        (mock.call(tuple(), {"data": {"serials": [], "exclude": [], "force": False}})),
     ):
         cmd("generate_ocsp_keys")
 
 
 @pytest.mark.django_db
-def test_wrong_serial() -> None:
-    """Try passing an unknown CA."""
-    generate_ocsp_keys("ZZZZZ", stderr="0Z:ZZ:ZZ: Unknown CA.\n", no_color=True)
+def test_unknown_serial() -> None:
+    """Try passing an invalid CA."""
+    with assert_command_error(r"^0A:BC: Unknown CA\.$"):
+        generate_ocsp_keys("abc")
 
 
-def test_no_ocsp_profile(settings: SettingsWrapper, root: CertificateAuthority) -> None:
-    """Try when there is no OCSP profile."""
-    settings.CA_PROFILES = {"ocsp": None}
-    with assert_command_error(r"^ocsp: Undefined profile\.$"):
-        generate_ocsp_keys(root.serial)
-    assert_no_key(root.serial)
+@pytest.mark.django_db
+def test_invalid_serial() -> None:
+    """Try passing an invalid CA."""
+    with assert_command_error(r"^ZZZZZ: Serial has invalid characters$"):
+        generate_ocsp_keys("ZZZZZ")
 
 
 def test_deprecated_command_name(usable_root: CertificateAuthority) -> None:
@@ -185,10 +180,8 @@ def test_deprecated_command_name(usable_root: CertificateAuthority) -> None:
 @pytest.mark.usefixtures("tmpcadir")
 def test_without_private_key(root: CertificateAuthority) -> None:
     """Try regenerating the OCSP key when no CA private key is available."""
-    stderr_buffer = io.StringIO()
-    with assert_command_error(r"Generation of 1 OCSP key\(s\) failed\."):
-        cmd("generate_ocsp_keys", root.serial, stderr=stderr_buffer)
-    assert "No such file or directory" in stderr_buffer.getvalue()
+    with assert_command_error(r"No such file or directory"):
+        cmd("generate_ocsp_keys", root.serial)
 
 
 def test_model_validation_error(root: CertificateAuthority) -> None: