author | Chris St. Pierre <chris.a.st.pierre@gmail.com> | 2012-08-27 13:42:25 -0400 |
committer | Chris St. Pierre <chris.a.st.pierre@gmail.com> | 2012-08-27 13:42:25 -0400 |
commit | fde8bdfdfbe77e1bcd714b45dc443dcd9eb7cb7c (patch) | |
tree | fa591a12d046d60b2f0e6d9c7d092f360c529143 /src/lib/Bcfg2/Server | |
parent | 63567693a838316e1323eb96c8e6f698fdf63418 (diff) | |
SSLCA: added root_ca option to verify certs against either intermediate or root CA
Diffstat (limited to 'src/lib/Bcfg2/Server')
-rw-r--r-- | src/lib/Bcfg2/Server/Plugins/SSLCA.py | 18 |
1 files changed, 13 insertions, 5 deletions
diff --git a/src/lib/Bcfg2/Server/Plugins/SSLCA.py b/src/lib/Bcfg2/Server/Plugins/SSLCA.py
index 9d1c51a08..a1a278da0 100644
--- a/src/lib/Bcfg2/Server/Plugins/SSLCA.py
+++ b/src/lib/Bcfg2/Server/Plugins/SSLCA.py
@@ -184,12 +184,20 @@ class SSLCA(Bcfg2.Server.Plugin.GroupSpool):
 check that a certificate validates against the ca cert, and that
 it has not expired.
 """
- chaincert = \
- self.CAs[self.cert_specs[entry.get('name')]['ca']].get('chaincert')
+ ca = self.CAs[self.cert_specs[entry.get('name')]['ca']]
+ chaincert = ca.get('chaincert')
 cert = self.data + filename
- res = Popen(["openssl", "verify", "-untrusted", chaincert, "-purpose", "sslserver", cert],
- stdout=PIPE, stderr=STDOUT).stdout.read()
+ cmd = ["openssl", "verify"]
+ is_root = ca.get('root_ca', "false").lower() == 'true'
+ if is_root:
+ cmd.append("-CAfile")
+ else:
+ # verifying based on an intermediate cert
+ cmd.extend(["-purpose", "sslserver", "-untrusted"])
+ cmd.extend([chaincert, cert])
+ self.debug_log("SSLCA: Verifying %s against CA: %s" %
+ (entry.get("name"), " ".join(cmd)))
+ res = Popen(cmd, stdout=PIPE, stderr=STDOUT).stdout.read()
 if res == cert + ": OK\n":
 self.debug_log("SSLCA: %s verified successfully against CA" %
 entry.get("name")) |
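Review bot: The `-purpose sslserver` check is now applied only on the intermediate branch, so a certificate verified against a CA marked `root_ca` no longer gets the purpose/key-usage validation the old command always performed; seeding the command with `cmd = ["openssl", "verify", "-purpose", "sslserver"]` and appending only `"-CAfile"` or `"-untrusted"` in the two branches keeps the check on both paths. The spawned process is never waited on (`.stdout.read()` only), so its exit status is discarded; the comparison against `cert + ": OK\n"` still fails closed, but recording `proc.returncode` after `proc.wait()` would let an invocation error (for example an unreadable chaincert path) be logged distinctly from a genuine verification failure. The `root_ca` flag is recognised only as the literal string `true`; if this value comes through ConfigParser, operators may expect `getboolean` semantics (`yes`/`on`/`1`), which is worth either supporting or documenting next to the option. The enclosing method starts before this hunk.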