authorGraham Hagger <ghagger@dmc259.mc.wgenhq.net>2010-11-03 11:00:53 -0400
committerGraham Hagger <ghagger@dmc259.mc.wgenhq.net>2010-11-03 11:00:53 -0400
commite0208c832fa922cf3958f58f023bd13d053ff879 (patch)
tree1a248726367967dae7c5133d2a5473c2a89da7bc
parent6bbd4d6797d763777188d3984808f1ff692b2376 (diff)
downloadbcfg2-e0208c832fa922cf3958f58f023bd13d053ff879.tar.gz
bcfg2-e0208c832fa922cf3958f58f023bd13d053ff879.tar.bz2
bcfg2-e0208c832fa922cf3958f58f023bd13d053ff879.zip
added verification of existing certs
-rw-r--r--src/lib/Server/Plugins/SSLCA.py13
1 files changed, 9 insertions, 4 deletions
diff --git a/src/lib/Server/Plugins/SSLCA.py b/src/lib/Server/Plugins/SSLCA.py
index 823bf7fa0..a961e744a 100644
--- a/src/lib/Server/Plugins/SSLCA.py
+++ b/src/lib/Server/Plugins/SSLCA.py
@@ -154,20 +154,25 @@ class SSLCA(Bcfg2.Server.Plugin.GroupSpool):
self.core.Bind(e, metadata)
# check if we have a valid hostfile
- if filename in self.entries.keys() and self.verify_cert():
+ if filename in self.entries.keys() and self.verify_cert(filename, entry):
entry.text = self.entries[filename].data
else:
cert = self.build_cert(entry, metadata)
open(self.data + filename, 'w').write(cert)
entry.text = cert
- def verify_cert(self):
+ def verify_cert(self, filename, entry):
"""
check that a certificate validates against the ca cert,
and that it has not expired.
"""
- # TODO: verify key validates and has not expired
- # possibly also ensure no less than x days until expiry
+ chaincert = self.CAs[self.cert_specs[entry.get('name')]['ca']].get('chaincert')
+ cert = "".join([self.data, '/', filename])
+ cmd = "openssl verify -CAfile %s %s" % (chaincert, cert)
+ proc = Popen(cmd, shell=True)
+ proc.communicate()
+ if proc.returncode != 0:
+ return False
return True
def build_cert(self, entry, metadata):
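Review bot: The new `verify_cert` body runs `openssl verify` through `Popen(cmd, shell=True)` with `chaincert` and `cert` interpolated into the command string, so a path containing whitespace or shell metacharacters (both values come from the plugin configuration and the entry name) either breaks the command or is interpreted by the shell; pass an argument list instead, `proc = Popen(['openssl', 'verify', '-CAfile', chaincert, cert])`, which also makes the `cmd` string unnecessary. The path built on the `cert = "".join([self.data, '/', filename])` line differs from the one the caller writes with `open(self.data + filename, 'w')` earlier in the hunk, so depending on whether `self.data` ends with a slash and `filename` starts with one, the verifier may check a different file from the one just written; both sites should compute the path with the same expression. `.get('chaincert')` returns `None` when the CA has no chaincert configured, which silently becomes `-CAfile None`, a failed verify and a freshly built certificate on every bind, so a missing chaincert should probably be reported rather than treated as an invalid certificate. Since the result rests on `proc.returncode` alone, it is worth confirming that the installed `openssl verify` signals a validation failure through a non-zero exit status rather than only printing an error line, and because nothing captures `stdout`/`stderr` the verify output lands on the server's own stdout; the removed TODO about a minimum number of days until expiry is not implemented by this check, which only validates against the current time.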