From f99adfc3e26dc4e49da79399f97c1cd1765068c8 Mon Sep 17 00:00:00 2001 From: Alexander Sulfrian Date: Sun, 16 Jan 2022 03:34:12 +0100 Subject: SSLCA: Fix certificate validation We should favour "-trusted" over "-CAfile" because it will skip the system-wide CAs and ensure that the certificate is relay validated against the specified CA. For validation against an intermediate certificate, only an additional "-partial_chain" is required. With "-untrusted" we previously added an unstrusted intermediate certificate only and validated the cert against default system wide installed CAs. --- src/lib/Bcfg2/Server/Plugins/Cfg/CfgSSLCACertCreator.py | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/src/lib/Bcfg2/Server/Plugins/Cfg/CfgSSLCACertCreator.py b/src/lib/Bcfg2/Server/Plugins/Cfg/CfgSSLCACertCreator.py index 92fcc4cd8..b9ced6682 100644 --- a/src/lib/Bcfg2/Server/Plugins/Cfg/CfgSSLCACertCreator.py +++ b/src/lib/Bcfg2/Server/Plugins/Cfg/CfgSSLCACertCreator.py @@ -216,15 +216,12 @@ class CfgSSLCACertCreator(XMLCfgCreator, CfgVerifier): chaincert = ca.get('chaincert') cmd = ["openssl", "verify"] is_root = ca.get('root_ca', "false").lower() == 'true' - if is_root: - cmd.append("-CAfile") - else: - # verifying based on an intermediate cert - cmd.extend(["-purpose", "sslserver", "-untrusted"]) - cmd.extend([chaincert, filename]) + if not is_root: + cmd.append("-partial_chain") + cmd.extend(["-trusted", chaincert, filename]) self.debug_log("Cfg: Verifying %s against CA" % entry.get("name")) result = self.cmd.run(cmd) - if result.stdout == cert + ": OK\n": + if result.stdout == filename + ": OK\n": self.debug_log("Cfg: %s verified successfully against CA" % entry.get("name")) else: -- cgit v1.2.3-1-g7c22