authorGraham Hagger <ghagger@wgen.net>2011-01-26 16:40:02 -0500
committerGraham Hagger <ghagger@ghagger-lnx.wgenhq.net>2011-01-26 16:40:38 -0500
commitbbc27db7def9b8b1243f54f59339cc83f57ccf0e (patch)
treebabf7c259f5f040dc81af4406e999a3fb582893e
parent1419c2fd37a418974290351533748253ca38fbf2 (diff)
downloadbcfg2-bbc27db7def9b8b1243f54f59339cc83f57ccf0e.tar.gz
bcfg2-bbc27db7def9b8b1243f54f59339cc83f57ccf0e.tar.bz2
bcfg2-bbc27db7def9b8b1243f54f59339cc83f57ccf0e.zip
added verification of cert against key, and ensured plugins entries get updated correctly if cert is requested before key, thus key was getting genned, then cert, then key again because the plugin didn't know it already had the key - doh
-rw-r--r--src/lib/Server/Plugins/SSLCA.py29
1 files changed, 27 insertions, 2 deletions
diff --git a/src/lib/Server/Plugins/SSLCA.py b/src/lib/Server/Plugins/SSLCA.py
index 4125cd498..1c9e1b59d 100644
--- a/src/lib/Server/Plugins/SSLCA.py
+++ b/src/lib/Server/Plugins/SSLCA.py
@@ -104,6 +104,8 @@ class SSLCA(Bcfg2.Server.Plugin.GroupSpool):
key = self.build_key(filename, entry, metadata)
open(self.data + filename, 'w').write(key)
entry.text = key
+ self.entries[filename] = self.__child__("%s%s" % (self.data, filename))
+ self.entries[filename].HandleEvent()
else:
entry.text = self.entries[filename].data
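Review bot: The two added lines re-register the freshly written key as a child entry and call HandleEvent() on it, which reads back a file that the preceding context line wrote through an unreferenced `open(self.data + filename, 'w').write(key)`; that write is only flushed because CPython closes the temporary file object straight away, so the read-back should not depend on it — write the key through a file object that is explicitly closed before HandleEvent() runs. The same two lines are added again in the second hunk after the cert is written; a small helper such as `def _register_entry(self, filename): self.entries[filename] = self.__child__("%s%s" % (self.data, filename)); self.entries[filename].HandleEvent()` would keep both call sites in step. Whether HandleEvent() is meant to be called without an event argument cannot be checked from this hunk, since the child class is defined elsewhere.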
@@ -144,14 +146,22 @@ class SSLCA(Bcfg2.Server.Plugin.GroupSpool):
self.core.Bind(e, metadata)
# check if we have a valid hostfile
- if filename in self.entries.keys() and self.verify_cert(filename, entry):
+ if filename in self.entries.keys() and self.verify_cert(filename, key_filename, entry):
entry.text = self.entries[filename].data
else:
cert = self.build_cert(key_filename, entry, metadata)
open(self.data + filename, 'w').write(cert)
+ self.entries[filename] = self.__child__("%s%s" % (self.data, filename))
+ self.entries[filename].HandleEvent()
entry.text = cert
- def verify_cert(self, filename, entry):
+ def verify_cert(self, filename, key_filename, entry):
+ if self.verify_cert_against_ca(filename, entry):
+ if self.verify_cert_against_key(filename, key_filename):
+ return True
+ return False
+
+ def verify_cert_against_ca(self, filename, entry):
"""
check that a certificate validates against the ca cert,
and that it has not expired.
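Review bot: The new verify_cert on the `def verify_cert(self, filename, key_filename, entry)` line has no docstring, and its nested if/if/return True/return False reduces to one expression with the same short-circuit behaviour: `return (self.verify_cert_against_ca(filename, entry) and self.verify_cert_against_key(filename, key_filename))`. A one-line docstring saying that a stored cert is reused only when it both validates against the CA and matches the key on disk would also explain why key_filename was added to the call on the `if filename in self.entries.keys()` line. The body of verify_cert_against_ca continues outside this hunk.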
@@ -164,6 +174,21 @@ class SSLCA(Bcfg2.Server.Plugin.GroupSpool):
return True
return False
+ def verify_cert_against_key(self, filename, key_filename):
+ """
+ check that a certificate validates against its private key.
+ """
+ cert = self.data + filename
+ key = self.data + key_filename
+ cmd = "openssl x509 -noout -modulus -in %s | openssl md5" % cert
+ cert_md5 = Popen(cmd, shell=True, stdout=PIPE, stderr=STDOUT).stdout.read()
+ cmd = "openssl rsa -noout -modulus -in %s | openssl md5" % key
+ key_md5 = Popen(cmd, shell=True, stdout=PIPE, stderr=STDOUT).stdout.read()
+ if cert_md5 == key_md5:
+ return True
+ return False
+
+
def build_cert(self, key_filename, entry, metadata):
"""
creates a new certificate according to the specification
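Review bot: verify_cert_against_key runs two shell pipelines built by string interpolation with `shell=True`, and because `stderr=STDOUT` it compares whatever both pipelines print rather than two moduli; if openssl cannot be executed, or both invocations fail with the same message, the two outputs are identical error text and the method returns True, so a key that does not belong to the cert is accepted. Passing argument lists to Popen without a shell, checking both return codes and comparing the `-modulus` output directly fixes the failure-open case and drops the md5 step, which adds nothing since the moduli themselves can be compared. The two blank `+` lines before build_cert leave a double gap between methods where one would match the surrounding class. Whether Popen and PIPE are imported at the top of the file is not visible here, though the added lines already rely on them.
```python
    def verify_cert_against_key(self, filename, key_filename):
        """
        check that a certificate validates against its private key.

        Returns True only when both openssl calls succeed and the
        RSA moduli they print are equal.
        """
        cert = self.data + filename
        key = self.data + key_filename
        # no shell: the paths are passed as arguments, and a failed
        # invocation is reported as a mismatch instead of as two
        # identical error strings
        cert_proc = Popen(["openssl", "x509", "-noout", "-modulus", "-in", cert],
                          stdout=PIPE, stderr=PIPE)
        cert_modulus = cert_proc.communicate()[0]
        key_proc = Popen(["openssl", "rsa", "-noout", "-modulus", "-in", key],
                         stdout=PIPE, stderr=PIPE)
        key_modulus = key_proc.communicate()[0]
        if cert_proc.returncode != 0 or key_proc.returncode != 0:
            return False
        return cert_modulus.strip() == key_modulus.strip()
```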