-rw-r--r--src/lib/Server/Plugins/SSLCA.py18
1 files changed, 13 insertions, 5 deletions
diff --git a/src/lib/Server/Plugins/SSLCA.py b/src/lib/Server/Plugins/SSLCA.py
index dc0aea6d3..fc2579e09 100644
--- a/src/lib/Server/Plugins/SSLCA.py
+++ b/src/lib/Server/Plugins/SSLCA.py
@@ -186,12 +186,20 @@ class SSLCA(Bcfg2.Server.Plugin.GroupSpool):
check that a certificate validates against the ca cert,
and that it has not expired.
"""
- chaincert = \
- self.CAs[self.cert_specs[entry.get('name')]['ca']].get('chaincert')
+ ca = self.CAs[self.cert_specs[entry.get('name')]['ca']]
+ chaincert = ca.get('chaincert')
cert = self.data + filename
- res = Popen(["openssl", "verify", "-untrusted", chaincert, "-purpose",
- "sslserver", cert],
- stdout=PIPE, stderr=STDOUT).stdout.read()
+ cmd = ["openssl", "verify"]
+ is_root = ca.get('root_ca', "false").lower() == 'true'
+ if is_root:
+ cmd.append("-CAfile")
+ else:
+ # verifying based on an intermediate cert
+ cmd.extend(["-purpose", "sslserver", "-untrusted"])
+ cmd.extend([chaincert, cert])
+ self.debug_log("SSLCA: Verifying %s against CA: %s" %
+ (entry.get("name"), " ".join(cmd)))
+ res = Popen(cmd, stdout=PIPE, stderr=STDOUT).stdout.read()
if res == cert + ": OK\n":
self.debug_log("SSLCA: %s verified successfully against CA" %
entry.get("name"))
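Review bot: In the non-root branch (the `cmd.extend(["-purpose", "sslserver", "-untrusted"])` line) the configured chain certificate is passed to `openssl verify` only as `-untrusted`, so it is never treated as a trust anchor; the verification still succeeds or fails based on whatever root is in openssl's default trust store, and the check does not pin the certificate to the CA named in `cert_specs`. That is the pre-existing behaviour, but now that the branch is explicit it deserves a comment making the reliance visible, e.g. `# intermediate CA: chaincert is untrusted input only; the trust anchor must come from openssl's default CA store`. A related point: if the CA entry has no `chaincert` key, `ca.get('chaincert')` yields `None` and `cmd.extend([chaincert, cert])` hands `None` to `Popen`, which raises a `TypeError` rather than a clear configuration error; a guard such as `if chaincert is None: raise ValueError("SSLCA: CA %s has no chaincert" % ...)` before building the command would be clearer. The enclosing method's `def` line and its remainder lie outside this hunk.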