From 2b76cffe73889c33c4770f6ca821bb226d5ff3ac Mon Sep 17 00:00:00 2001
From: Alexander Sulfrian
Date: Mon, 14 Feb 2022 18:54:34 +0100
Subject: SSLCA: Verify all certs

Even verify self signed certificates to recreate the certificate if it is
expired.
---
 .../Bcfg2/Server/Plugins/Cfg/CfgSSLCACertCreator.py | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)

diff --git a/src/lib/Bcfg2/Server/Plugins/Cfg/CfgSSLCACertCreator.py b/src/lib/Bcfg2/Server/Plugins/Cfg/CfgSSLCACertCreator.py
index 698203a87..288c86d74 100644
--- a/src/lib/Bcfg2/Server/Plugins/Cfg/CfgSSLCACertCreator.py
+++ b/src/lib/Bcfg2/Server/Plugins/Cfg/CfgSSLCACertCreator.py
@@ -171,10 +171,7 @@ class CfgSSLCACertCreator(XMLCfgCreator, CfgVerifier):
         os.fdopen(fd, 'w').write(data)
         cert = self.XMLMatch(metadata).find("Cert")
         try:
-            if cert.get('self_sign', 'false') != 'true':
-                ca = self.get_ca(cert.get('ca', 'default'))
-                if ca.get('chaincert'):
-                    self.verify_cert_against_ca(fname, entry, metadata)
+            self.verify_cert_against_ca(fname, entry, metadata)
             self.verify_cert_against_key(fname,
                                          self._get_keyfile(cert, metadata))
         finally:
@@ -218,12 +215,17 @@ class CfgSSLCACertCreator(XMLCfgCreator, CfgVerifier):
         and that it has not expired.
         """
         cert = self.XMLMatch(metadata).find("Cert")
-        ca = self.get_ca(cert.get("ca", "default"))
-        chaincert = ca.get('chaincert')
         cmd = ["openssl", "verify"]
-        if not ca.get('root_ca', False):
-            cmd.append("-partial_chain")
-        cmd.extend(["-trusted", chaincert, filename])
+        trusted = filename
+        if cert.get('self_sign', 'false') != 'true':
+            ca = self.get_ca(cert.get("ca", "default"))
+            chaincert = ca.get('chaincert')
+            if chaincert is not None:
+                trusted = chaincert
+            if not ca.get('root_ca', False):
+                cmd.append("-partial_chain")
+        cmd.extend(["-trusted", trusted, filename])
+
         self.debug_log("Cfg: Verifying %s against CA" % entry.get("name"))
         result = self.cmd.run(cmd)
         if result.stdout == filename + ": OK\n":
-- 
cgit v1.2.3-1-g7c22
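Review bot: In the second hunk, when the Cert is not self-signed but its CA has no `chaincert`, `trusted` stays `filename`, so the certificate is handed to `openssl verify -trusted` as its own trust anchor; with `-partial_chain` appended (any CA without `root_ca`) that presumably passes on expiry alone with no chain check, and without it (`root_ca` set) it presumably fails on every run and the cert would be regenerated each time. The removed code skipped CA verification entirely in that combination, so the new fallback should be explicit rather than silent, e.g. `if chaincert is None: self.debug_log("Cfg: CA %s has no chaincert, checking %s for expiry only" % (cert.get("ca", "default"), entry.get("name")))` placed before the `-partial_chain` branch, or keep skipping the `-partial_chain` flag and the CA check for that case as before. The `is not None` test also differs from the former truthiness check, so an empty `chaincert` value now reaches the command line as `-trusted ''`. The enclosing method starts and ends outside the hunk.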