authorAlexander Sulfrian <asulfrian@zedat.fu-berlin.de>2022-02-14 18:54:34 +0100
committerAlexander Sulfrian <asulfrian@zedat.fu-berlin.de>2022-02-14 18:54:34 +0100
commit2b76cffe73889c33c4770f6ca821bb226d5ff3ac (patch)
treee867cf054f4f729dbd01c1893a614928334ac610
parenta675ab70d1444c13a8c39eab977fdea8e9d6cd94 (diff)
SSLCA: Verify all certs
Verify self-signed certificates too, so that the certificate is recreated if it has expired.
-rw-r--r--src/lib/Bcfg2/Server/Plugins/Cfg/CfgSSLCACertCreator.py20
1 files changed, 11 insertions, 9 deletions
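diff --git a/src/lib/Bcfg2/Server/Plugins/Cfg/CfgSSLCACertCreator.py b/src/lib/Bcfg2/Server/Plugins/Cfg/CfgSSLCACertCreator.py
index 698203a87..288c86d74 100644
--- a/src/lib/Bcfg2/Server/Plugins/Cfg/CfgSSLCACertCreator.py
+++ b/src/lib/Bcfg2/Server/Plugins/Cfg/CfgSSLCACertCreator.py
@@ -171,10 +171,7 @@ class CfgSSLCACertCreator(XMLCfgCreator, CfgVerifier):
 os.fdopen(fd, 'w').write(data)
 cert = self.XMLMatch(metadata).find("Cert")
 try:
- if cert.get('self_sign', 'false') != 'true':
- ca = self.get_ca(cert.get('ca', 'default'))
- if ca.get('chaincert'):
- self.verify_cert_against_ca(fname, entry, metadata)
+ self.verify_cert_against_ca(fname, entry, metadata)
 self.verify_cert_against_key(fname,
 self._get_keyfile(cert, metadata))
 finally:
@@ -218,12 +215,17 @@ class CfgSSLCACertCreator(XMLCfgCreator, CfgVerifier):
 and that it has not expired.
 """
 cert = self.XMLMatch(metadata).find("Cert")
- ca = self.get_ca(cert.get("ca", "default"))
- chaincert = ca.get('chaincert')
 cmd = ["openssl", "verify"]
- if not ca.get('root_ca', False):
- cmd.append("-partial_chain")
- cmd.extend(["-trusted", chaincert, filename])
+ trusted = filename
+ if cert.get('self_sign', 'false') != 'true':
+ ca = self.get_ca(cert.get("ca", "default"))
+ chaincert = ca.get('chaincert')
+ if chaincert is not None:
+ trusted = chaincert
+ if not ca.get('root_ca', False):
+ cmd.append("-partial_chain")
+ cmd.extend(["-trusted", trusted, filename])
+
 self.debug_log("Cfg: Verifying %s against CA" % entry.get("name"))
 result = self.cmd.run(cmd)
 if result.stdout == filename + ": OK\n":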
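Review bot: When the entry is not self-signed but the configured CA has no `chaincert`, `trusted` keeps its initial value `filename`, so a CA-issued certificate is verified with itself as the trust anchor; the first hunk used to skip verification in exactly that case, whereas now the check either says nothing about issuance (with `-partial_chain`) or, for a CA with `root_ca` set, presumably fails because no chain to a self-signed anchor can be built. Make that fallback explicit rather than silent, e.g. inside the `if chaincert is not None:` branch's `else:` add `self.debug_log("Cfg: CA %s has no chaincert, verifying %s against itself" % (cert.get("ca", "default"), entry.get("name")))`, or restore the old skip for that case. The method docstring ending at `and that it has not expired.` still describes only a CA check; add a sentence stating that self-signed certificates (and certificates whose CA has no chaincert) are verified against themselves so that an expired one is recreated. Both verify_cert_against_ca and the caller in the first hunk begin outside their hunks.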