Projektarbeit-MYP/backend/ssl/ssl_fix.py


#!/usr/bin/env python3
"""
SSL Fix Tool für MYP Platform - ERR_SSL_KEY_USAGE_INCOMPATIBLE Lösung
Behebt Browser-SSL-Kompatibilitätsprobleme durch Neugenerierung korrekter Zertifikate
"""
import os
import subprocess
import shutil
from pathlib import Path
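def create_browser_compatible_ssl():
    """Regenerate the self-signed TLS key and certificate under ``./ssl``.

    Writes a temporary OpenSSL config, backs up any existing ``cert.pem`` /
    ``key.pem``, generates a 2048-bit RSA key and a 365-day self-signed
    certificate, sets file permissions and prints the result of a text-based
    check of the certificate extensions.

    The new key overwrites ``key.pem`` before the certificate is created, so
    after a failure the ``*_backup_<pid>.pem`` files are the matching pair.

    Returns:
        bool: True when key and certificate were generated, False on any
        error (the error message is printed).
    """
    print("🔧 SSL BROWSER-KOMPATIBILITÄTS-FIX")
    print("=" * 50)

    # Output goes to ./ssl relative to the current working directory,
    # not relative to this script's location.
    app_dir = Path.cwd()
    ssl_dir = app_dir / "ssl"
    ssl_dir.mkdir(exist_ok=True)

    cert_path = ssl_dir / "cert.pem"
    key_path = ssl_dir / "key.pem"
    config_path = ssl_dir / "openssl_fix.conf"
    valid_days = 365

    print(f"📁 SSL-Verzeichnis: {ssl_dir}")

    # NOTE(review): the SAN list below contains the wildcard
    # *.de040.corpintra.net and the address 0.0.0.0. Every client that trusts
    # this self-signed certificate accepts it for all hosts under that domain,
    # so a copied key.pem is valid far beyond this one service. Narrow the
    # list to the names the service is actually reached by.
    # NOTE(review): keyAgreement and clientAuth are not needed for an RSA
    # server certificate; digitalSignature and keyEncipherment are the usages
    # relevant to ERR_SSL_KEY_USAGE_INCOMPATIBLE.
    openssl_config = """[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = DE
ST = Baden-Wuerttemberg
L = Stuttgart
O = Mercedes-Benz AG
OU = MYP Druckerverwaltung
CN = m040tbaraspi001
[v3_req]
# Basic Constraints - KRITISCH für Browser
basicConstraints = critical, CA:FALSE
# Key Usage - KRITISCH für Browser-Kompatibilität
keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement
# Extended Key Usage - TLS Server Authentication
extendedKeyUsage = critical, serverAuth, clientAuth
# Subject Alternative Names - Alle Domains/IPs
subjectAltName = critical, @alt_names
# Netscape Legacy-Kompatibilität
nsCertType = server
# Identifikations-Kommentar
nsComment = "MYP SSL Fix - ERR_SSL_KEY_USAGE_INCOMPATIBLE Lösung"
[alt_names]
DNS.1 = localhost
DNS.2 = *.localhost
DNS.3 = m040tbaraspi001
DNS.4 = m040tbaraspi001.local
DNS.5 = m040tbaraspi001.de040.corpintra.net
DNS.6 = *.de040.corpintra.net
IP.1 = 127.0.0.1
IP.2 = ::1
IP.3 = 0.0.0.0
"""

    # Restrictive umask for everything created from here on, so the private
    # key is never readable by other users between its creation by openssl
    # and the chmod further down. Restored in the finally block.
    previous_umask = os.umask(0o077)
    try:
        # Explicit encoding: the config contains non-ASCII text and must not
        # depend on the locale's default encoding.
        with open(config_path, "w", encoding="utf-8") as f:
            f.write(openssl_config)
        print("📝 OpenSSL-Konfiguration erstellt")

        # Back up whichever of the two files exist. They are checked
        # separately so a missing key next to an existing certificate does
        # not abort the whole run.
        backup_cert = ssl_dir / f"cert_backup_{os.getpid()}.pem"
        backup_key = ssl_dir / f"key_backup_{os.getpid()}.pem"
        if cert_path.exists():
            shutil.copy2(cert_path, backup_cert)
            print(f"💾 Backup erstellt: {backup_cert}")
        if key_path.exists():
            shutil.copy2(key_path, backup_key)
            # copy2 carries over the source mode; make sure the key copy is
            # owner-only even if the old key was not.
            os.chmod(backup_key, 0o600)
            print(f"💾 Backup erstellt: {backup_key}")

        print("🔑 Generiere Private Key...")
        key_cmd = [
            "openssl", "genrsa",
            "-out", str(key_path),
            "2048",
        ]
        result = subprocess.run(key_cmd, capture_output=True, text=True)
        if result.returncode != 0:
            raise RuntimeError(f"Private Key Generierung fehlgeschlagen: {result.stderr}")
        print("✅ Private Key generiert")

        print("📜 Generiere browser-kompatibles Zertifikat...")
        cert_cmd = [
            "openssl", "req",
            "-new", "-x509",
            "-key", str(key_path),
            "-out", str(cert_path),
            "-days", str(valid_days),
            "-config", str(config_path),
            "-extensions", "v3_req",
            "-sha256",
        ]
        result = subprocess.run(cert_cmd, capture_output=True, text=True)
        if result.returncode != 0:
            raise RuntimeError(f"Zertifikat-Generierung fehlgeschlagen: {result.stderr}")
        print("✅ Browser-kompatibles Zertifikat generiert")

        os.chmod(key_path, 0o600)   # owner read/write only
        os.chmod(cert_path, 0o644)  # certificate is public, world-readable
        print("🔒 Berechtigungen gesetzt")

        # Validation: dump the certificate as text and look for the
        # extension names browsers require.
        print("🔍 Validiere Zertifikat...")
        check_cmd = ["openssl", "x509", "-in", str(cert_path), "-noout", "-text"]
        result = subprocess.run(check_cmd, capture_output=True, text=True)
        if result.returncode == 0:
            cert_text = result.stdout
            checks = {
                "Digital Signature": "Digital Signature" in cert_text,
                "Key Encipherment": "Key Encipherment" in cert_text,
                "TLS Web Server Authentication": "TLS Web Server Authentication" in cert_text,
                "Subject Alternative Name": "Subject Alternative Name" in cert_text,
                "CA:FALSE": "CA:FALSE" in cert_text,
                "SHA-256": "sha256WithRSAEncryption" in cert_text,
            }
            print("\n📋 BROWSER-KOMPATIBILITÄTS-PRÜFUNG:")
            for check_name, passed in checks.items():
                # Show pass/fail per check; with empty markers the two
                # outcomes were indistinguishable in the output.
                status = "✅" if passed else "❌"
                print(f" {status} {check_name}")
            if all(checks.values()):
                print("\n🎉 ALLE BROWSER-KOMPATIBILITÄTS-CHECKS BESTANDEN!")
            else:
                print("\n⚠️ Einige Checks fehlgeschlagen - Zertifikat kann trotzdem funktionieren")
        else:
            # Do not skip silently when the certificate cannot be inspected.
            print(f"\n⚠️ Zertifikat konnte nicht geprüft werden: {result.stderr}")

        print("\n📊 ERGEBNIS:")
        print(f" 📄 Zertifikat: {cert_path}")
        print(f" 🔑 Private Key: {key_path}")
        print(f" 📅 Gültig bis: {valid_days} Tage")
        print("\n🌐 NÄCHSTE SCHRITTE:")
        print(" 1. Browser-Cache leeren (Strg+Shift+Del)")
        print(" 2. MYP-Anwendung neu starten")
        print(" 3. https://localhost:5000 aufrufen")
        print(" 4. Bei SSL-Warnung: 'Erweitert' → 'Weiter zu localhost (unsicher)'")
        return True
    except Exception as e:
        print(f"❌ FEHLER: {e}")
        return False
    finally:
        # Remove the temporary config on success and on failure alike, and
        # give the process its original umask back.
        config_path.unlink(missing_ok=True)
        os.umask(previous_umask)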
def check_openssl():
    """Report whether the ``openssl`` command-line tool can be executed.

    Runs ``openssl version`` and prints the outcome.

    Returns:
        bool: True when the command ran and exited with status 0, False when
        it exited non-zero or the executable was not found.
    """
    try:
        probe = subprocess.run(["openssl", "version"], capture_output=True, text=True)
    except FileNotFoundError:
        # No executable named "openssl" could be found to run.
        print("❌ OpenSSL nicht installiert")
        print("💡 Installiere mit: sudo apt install openssl")
        return False

    if probe.returncode != 0:
        print("❌ OpenSSL nicht verfügbar")
        return False

    print(f"✅ OpenSSL verfügbar: {probe.stdout.strip()}")
    return True
def main():
    """Check for OpenSSL, then regenerate the key and certificate.

    Returns:
        bool: False when OpenSSL is unavailable or regeneration failed,
        True when the certificate was regenerated.
    """
    for banner_line in (
        "🔧 MYP SSL BROWSER-KOMPATIBILITÄTS-FIX",
        "Löst ERR_SSL_KEY_USAGE_INCOMPATIBLE Fehler",
        "=" * 60,
    ):
        print(banner_line)

    # Nothing below can work without the openssl binary.
    if not check_openssl():
        return False

    success = create_browser_compatible_ssl()
    if not success:
        print("\n❌ SSL-Fix fehlgeschlagen!")
        print("📞 Prüfe COMMON_ERRORS.md für weitere Hilfe.")
        return success

    print("\n✅ SSL-Fix erfolgreich abgeschlossen!")
    print("🌐 Browser-Fehler ERR_SSL_KEY_USAGE_INCOMPATIBLE sollte behoben sein.")
    return success
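if __name__ == "__main__":
    # Turn main()'s boolean result into the process exit status, so a failed
    # certificate regeneration is visible to shells and deployment scripts
    # instead of always exiting with 0.
    raise SystemExit(0 if main() else 1)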