From 3d10ec2113ab4df5e93419a83129f5820cfa2644 Mon Sep 17 00:00:00 2001
From: Graham Hagger
Date: Fri, 5 Nov 2010 14:17:30 -0400
Subject: Fixed verification of preexisting certificates
---
 src/lib/Server/Plugins/SSLCA.py | 34 +++++++++++-----------------------
 1 file changed, 11 insertions(+), 23 deletions(-)
diff --git a/src/lib/Server/Plugins/SSLCA.py b/src/lib/Server/Plugins/SSLCA.py
index a961e744a..a9986d284 100644
--- a/src/lib/Server/Plugins/SSLCA.py
+++ b/src/lib/Server/Plugins/SSLCA.py
@@ -1,23 +1,12 @@
-"""
-Notes:
-
-1. Put these notes in real docs!!!
-2. dir structure for CA's must be correct
-3. for subjectAltNames to work, openssl.conf must have copy_extensions on
-"""
-
-
 import Bcfg2.Server.Plugin
 import Bcfg2.Options
 import lxml.etree
 import posixpath
 import tempfile
 import os
-from subprocess import Popen, PIPE
+from subprocess import Popen, PIPE, STDOUT
 from ConfigParser import ConfigParser
-import pdb
-
 
 class SSLCA(Bcfg2.Server.Plugin.GroupSpool):
 """
 The SSLCA generator handles the creation and
@@ -157,7 +146,7 @@ class SSLCA(Bcfg2.Server.Plugin.GroupSpool):
 if filename in self.entries.keys() and self.verify_cert(filename, entry):
 entry.text = self.entries[filename].data
 else:
- cert = self.build_cert(entry, metadata)
+ cert = self.build_cert(key_filename, entry, metadata)
 open(self.data + filename, 'w').write(cert)
 entry.text = cert
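Review bot: The deleted header notes were the only place recording that the CA's openssl.conf needs `copy_extensions` enabled for subjectAltName entries to be carried into the issued certificate, and the new file top replaces them with nothing, so that operational requirement is now undocumented. If it still holds (it is stated only in the removed text, so cannot be confirmed from this hunk), a short module docstring should carry it, e.g. `"""SSLCA: issues and verifies host certificates from a locally configured CA. subjectAltName handling requires copy_extensions to be enabled in the CA's openssl.conf."""`. Dropping `import pdb` is the right call.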
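Review bot: The reuse branch at `if filename in self.entries.keys() and self.verify_cert(filename, entry)` keeps a cached certificate on the strength of `verify_cert` alone, which receives only the certificate name; `key_filename`, now handed to `build_cert`, is never compared against the cached cert, so a certificate left over from a regenerated or replaced key still passes and is served until it expires or fails chain validation. Consider passing `key_filename` into `verify_cert` as well and rejecting a cert whose public key does not match the key file (for RSA keys, comparing `openssl x509 -noout -modulus` with `openssl rsa -noout -modulus` output is sufficient). Separately, `open(self.data + filename, 'w').write(cert)` leaves the file handle to be closed by refcounting; `with open(self.data + filename, 'w') as fh: fh.write(cert)` is the idiomatic form. The enclosing method starts and ends outside the hunk, and `key_filename` must be bound earlier in it for the new call to work.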
@@ -167,20 +156,19 @@ class SSLCA(Bcfg2.Server.Plugin.GroupSpool):
 and that it has not expired.
 """
 chaincert = self.CAs[self.cert_specs[entry.get('name')]['ca']].get('chaincert')
- cert = "".join([self.data, '/', filename])
+ cert = self.data + filename
 cmd = "openssl verify -CAfile %s %s" % (chaincert, cert)
- proc = Popen(cmd, shell=True)
- proc.communicate()
- if proc.returncode != 0:
- return False
- return True
+ res = Popen(cmd, shell=True, stdout=PIPE, stderr=STDOUT).stdout.read()
+ if res == cert + ": OK\n"
+ return True
+ return False
 
- def build_cert(self, entry, metadata):
+ def build_cert(self, key_filename, entry, metadata):
 """
 creates a new certificate according to the specification
 """
 req_config = self.build_req_config(entry, metadata)
- req = self.build_request(req_config, entry)
+ req = self.build_request(key_filename, req_config, entry)
 ca = self.cert_specs[entry.get('name')]['ca']
 ca_config = self.CAs[ca]['config']
 days = self.cert_specs[entry.get('name')]['days']
@@ -236,13 +224,13 @@ class SSLCA(Bcfg2.Server.Plugin.GroupSpool):
 conffile.close()
 return conffile.name
 
- def build_request(self, req_config, entry):
+ def build_request(self, key_filename, req_config, entry):
 """
 creates the certificate request
 """
 req = tempfile.mkstemp()[1]
- key = self.cert_specs[entry.get('name')]['key']
 days = self.cert_specs[entry.get('name')]['days']
+ key = self.data + key_filename
 cmd = "openssl req -new -config %s -days %s -key %s -text -out %s" % (req_config, days, key, req)
 res = Popen(cmd, shell=True, stdout=PIPE).stdout.read()
 return req
-- 
cgit v1.2.3-1-g7c22
From a1a0321602585314375d0577516fb012e27f2c59 Mon Sep 17 00:00:00 2001
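Review bot: `verify_cert` still assembles its command as a string and runs it with `shell=True`, so `chaincert` and `cert` go through the shell; both come from server-side configuration rather than client input, but a path containing a space or shell metacharacter silently fails verification and forces a rebuild. The argument-list form removes the shell from the picture: `proc = Popen(['openssl', 'verify', '-CAfile', chaincert, cert], stdout=PIPE, stderr=STDOUT)` followed by `res = proc.communicate()[0]`. `chaincert` is also taken via `.get('chaincert')` and so may be `None` for a CA without a chain configured, in which case the command becomes `-CAfile None`, verification never succeeds and the certificate is reissued on every run; an explicit check (log and return `False`, or raise) before the call would make that misconfiguration visible. The exact-output comparison that replaces the exit-status test deserves a one-line comment explaining why, e.g. `# match the "<path>: OK" line rather than the exit status, which is not reliable across openssl versions`, since the motivation is otherwise lost.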
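Review bot: `build_request` never checks whether `openssl req` succeeded — `res` captures stdout and is then discarded, and the exit status is ignored — so if the key at `self.data + key_filename` is missing or unreadable the temp file is returned empty and `build_cert` proceeds to sign it. Capture the process and fail loudly: `proc = Popen(['openssl', 'req', '-new', '-config', req_config, '-days', str(days), '-key', key, '-text', '-out', req], stdout=PIPE, stderr=STDOUT)`, `out = proc.communicate()[0]`, `if proc.returncode != 0: raise Bcfg2.Server.Plugin.PluginExecutionError(out)` (or whatever error type callers of `build_cert` handle; that is outside the hunk). `tempfile.mkstemp()[1]` also drops the open descriptor returned in position 0, leaking one fd per request; `fd, req = tempfile.mkstemp()` then `os.close(fd)` fixes it with the `os` module already imported. The list form above also removes the `shell=True` string interpolation of paths.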
From: root
Date: Fri, 5 Nov 2010 17:25:10 -0400
Subject: fixed needless syntax error bug i checked int ealier. Also ensured that the hostname gets added to any subjectAltNames so that the cert will work for the hostname as well as aliases
---
 src/lib/Server/Plugins/SSLCA.py | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/lib/Server/Plugins/SSLCA.py b/src/lib/Server/Plugins/SSLCA.py
index a9986d284..0dc448e69 100644
--- a/src/lib/Server/Plugins/SSLCA.py
+++ b/src/lib/Server/Plugins/SSLCA.py
@@ -159,7 +159,7 @@ class SSLCA(Bcfg2.Server.Plugin.GroupSpool):
 cert = self.data + filename
 cmd = "openssl verify -CAfile %s %s" % (chaincert, cert)
 res = Popen(cmd, shell=True, stdout=PIPE, stderr=STDOUT).stdout.read()
- if res == cert + ": OK\n"
+ if res == cert + ": OK\n":
 return True
 return False
@@ -213,8 +213,10 @@ class SSLCA(Bcfg2.Server.Plugin.GroupSpool):
 for key in defaults[section]:
 cp.set(section, key, defaults[section][key])
 x = 1
- for alias in metadata.aliases:
- cp.set('alt_names', 'DNS.'+str(x), alias)
+ altnames = list(metadata.aliases)
+ altnames.append(metadata.hostname)
+ for altname in altnames:
+ cp.set('alt_names', 'DNS.'+str(x), altname)
 x += 1
 for item in ['C', 'L', 'ST', 'O', 'OU', 'emailAddress']:
 if self.cert_specs[entry.get('name')][item]:
-- 
cgit v1.2.3-1-g7c22
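Review bot: `altnames.append(metadata.hostname)` adds the hostname unconditionally, so a client whose hostname also appears in `metadata.aliases` gets the same name written twice as consecutive `DNS.n` keys in the `alt_names` section; most clients tolerate duplicate SANs, but it is untidy and some validators may reject it. Guard the append with `if metadata.hostname not in altnames:` on the line before it. The enclosing method starts and ends outside the hunk, so it cannot be confirmed here that `alt_names` is always present as a section in `cp` (if it is not, `cp.set` raises `NoSectionError`); a comment above the loop noting that the section is expected to come from `defaults` would help the next reader.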