authorChris St. Pierre <chris.a.st.pierre@gmail.com>2012-08-27 13:42:25 -0400
committerChris St. Pierre <chris.a.st.pierre@gmail.com>2012-08-27 13:46:10 -0400
commitf0a75666bfe2d101ac5b99534680047b47ec1224 (patch)
tree016b38b7392efafb27917cc78d70178fce30a86d
parent1a2a418564caa38ab662f9468f180e688009ab8a (diff)
SSLCA: added root_ca option to verify certs against either intermediate or root CA
-rw-r--r--src/lib/Server/Plugins/SSLCA.py18
1 files changed, 13 insertions, 5 deletions
diff --git a/src/lib/Server/Plugins/SSLCA.py b/src/lib/Server/Plugins/SSLCA.py
index dc0aea6d3..fc2579e09 100644
--- a/src/lib/Server/Plugins/SSLCA.py
+++ b/src/lib/Server/Plugins/SSLCA.py
@@ -186,12 +186,20 @@ class SSLCA(Bcfg2.Server.Plugin.GroupSpool):
check that a certificate validates against the ca cert,
and that it has not expired.
"""
- chaincert = \
- self.CAs[self.cert_specs[entry.get('name')]['ca']].get('chaincert')
+ ca = self.CAs[self.cert_specs[entry.get('name')]['ca']]
+ chaincert = ca.get('chaincert')
cert = self.data + filename
- res = Popen(["openssl", "verify", "-untrusted", chaincert, "-purpose",
- "sslserver", cert],
- stdout=PIPE, stderr=STDOUT).stdout.read()
+ cmd = ["openssl", "verify"]
+ is_root = ca.get('root_ca', "false").lower() == 'true'
+ if is_root:
+ cmd.append("-CAfile")
+ else:
+ # verifying based on an intermediate cert
+ cmd.extend(["-purpose", "sslserver", "-untrusted"])
+ cmd.extend([chaincert, cert])
+ self.debug_log("SSLCA: Verifying %s against CA: %s" %
+ (entry.get("name"), " ".join(cmd)))
+ res = Popen(cmd, stdout=PIPE, stderr=STDOUT).stdout.read()
if res == cert + ": OK\n":
self.debug_log("SSLCA: %s verified successfully against CA" %
entry.get("name"))
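Review bot: The `root_ca` branch drops the `-purpose sslserver` check that the intermediate branch keeps, so a certificate whose key usage or extended key usage does not fit a TLS server will still verify as OK when the configured CA is a root; only the trust-anchor flag should differ between the two branches, e.g. `cmd = ["openssl", "verify", "-purpose", "sslserver"]` followed by `cmd.append("-CAfile")` / `cmd.append("-untrusted")`. Note also that `openssl verify -CAfile` still consults the system default trust store in addition to the given file, so a certificate chaining to any distribution root would also pass; if the intent is to trust only the configured CA, the default store would need to be disabled (support for that varies by OpenSSL version, so it should be confirmed against the target platform). The enclosing method's signature lies outside the hunk, so it is unclear whether callers rely on the purpose check being enforced for every CA type.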