authorAlexander Sulfrian <asulfrian@zedat.fu-berlin.de>2022-01-16 03:34:12 +0100
committerAlexander Sulfrian <asulfrian@zedat.fu-berlin.de>2022-01-16 03:34:12 +0100
commitf99adfc3e26dc4e49da79399f97c1cd1765068c8 (patch)
tree33e961787b39115657b3bd5e0f401f19c4fdf131
parent8605cd3d0cb4d549cb8b43de945d447f6d82892a (diff)
SSLCA: Fix certificate validation
We should favour "-trusted" over "-CAfile" because it will skip the system-wide CAs and ensure that the certificate is really validated against the specified CA. For validation against an intermediate certificate, only an additional "-partial_chain" is required. With "-untrusted" we previously only added an untrusted intermediate certificate and validated the cert against the default system-wide installed CAs.
-rw-r--r--src/lib/Bcfg2/Server/Plugins/Cfg/CfgSSLCACertCreator.py11
1 files changed, 4 insertions, 7 deletions
diff --git a/src/lib/Bcfg2/Server/Plugins/Cfg/CfgSSLCACertCreator.py b/src/lib/Bcfg2/Server/Plugins/Cfg/CfgSSLCACertCreator.py
index 92fcc4cd8..b9ced6682 100644
--- a/src/lib/Bcfg2/Server/Plugins/Cfg/CfgSSLCACertCreator.py
+++ b/src/lib/Bcfg2/Server/Plugins/Cfg/CfgSSLCACertCreator.py
@@ -216,15 +216,12 @@ class CfgSSLCACertCreator(XMLCfgCreator, CfgVerifier):
chaincert = ca.get('chaincert')
cmd = ["openssl", "verify"]
is_root = ca.get('root_ca', "false").lower() == 'true'
- if is_root:
- cmd.append("-CAfile")
- else:
- # verifying based on an intermediate cert
- cmd.extend(["-purpose", "sslserver", "-untrusted"])
- cmd.extend([chaincert, filename])
+ if not is_root:
+ cmd.append("-partial_chain")
+ cmd.extend(["-trusted", chaincert, filename])
self.debug_log("Cfg: Verifying %s against CA" % entry.get("name"))
result = self.cmd.run(cmd)
- if result.stdout == cert + ": OK\n":
+ if result.stdout == filename + ": OK\n":
self.debug_log("Cfg: %s verified successfully against CA" %
entry.get("name"))
else:
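Review bot: Removing `-untrusted` on the intermediate branch also removes `-purpose sslserver`, so the new `openssl verify` command no longer checks the certificate's keyUsage / extendedKeyUsage against the TLS-server purpose, and the commit message does not mention that change. If the purpose check is still wanted it can stay on the same branch as before: `cmd.extend(["-purpose", "sslserver", "-partial_chain"])`. The `-partial_chain` + `-trusted chaincert` combination deliberately makes the intermediate in `chaincert` the trust anchor, so nothing above it is validated; that trade-off deserves a one-line comment such as `# intermediate CA: chaincert itself is the trust anchor, its issuer is not checked`. The enclosing method starts before this hunk and its `else:` branch continues past it.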