From bbc27db7def9b8b1243f54f59339cc83f57ccf0e Mon Sep 17 00:00:00 2001
From: Graham Hagger
Date: Wed, 26 Jan 2011 16:40:02 -0500
Subject: added verification of cert against key, and ensured plugins entries get updated correctly if cert is requested before key, thus key was getting genned, then cert, then key again because the plugin didnt know it already had the key - doh
---
 src/lib/Server/Plugins/SSLCA.py | 29 +++++++++++++++++++++++++++--
 1 file changed, 27 insertions(+), 2 deletions(-)
diff --git a/src/lib/Server/Plugins/SSLCA.py b/src/lib/Server/Plugins/SSLCA.py
index 4125cd498..1c9e1b59d 100644
--- a/src/lib/Server/Plugins/SSLCA.py
+++ b/src/lib/Server/Plugins/SSLCA.py
@@ -104,6 +104,8 @@ class SSLCA(Bcfg2.Server.Plugin.GroupSpool):
             key = self.build_key(filename, entry, metadata)
             open(self.data + filename, 'w').write(key)
             entry.text = key
+            self.entries[filename] = self.__child__("%s%s" % (self.data, filename))
+            self.entries[filename].HandleEvent()
         else:
             entry.text = self.entries[filename].data
@@ -144,14 +146,22 @@ class SSLCA(Bcfg2.Server.Plugin.GroupSpool):
             self.core.Bind(e, metadata)
         # check if we have a valid hostfile
-        if filename in self.entries.keys() and self.verify_cert(filename, entry):
+        if filename in self.entries.keys() and self.verify_cert(filename, key_filename, entry):
             entry.text = self.entries[filename].data
         else:
             cert = self.build_cert(key_filename, entry, metadata)
             open(self.data + filename, 'w').write(cert)
+            self.entries[filename] = self.__child__("%s%s" % (self.data, filename))
+            self.entries[filename].HandleEvent()
             entry.text = cert
-    def verify_cert(self, filename, entry):
+    def verify_cert(self, filename, key_filename, entry):
+        if self.verify_cert_against_ca(filename, entry):
+            if self.verify_cert_against_key(filename, key_filename):
+                return True
+        return False
+
+    def verify_cert_against_ca(self, filename, entry):
         """
         check that a certificate validates against the ca cert,
         and that it has not expired.
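Review bot: The HandleEvent() call added after `entry.text = key` makes the new entry re-read the key file that `open(self.data + filename, 'w').write(key)` on the line above wrote without an explicit close, so whether the bytes are on disk when HandleEvent runs depends on the interpreter closing the temporary handle immediately; write the key with `with open(self.data + filename, 'w') as keyfile:` / `    keyfile.write(key)` before registering the entry. The same open() creates the private key under whatever umask the server process runs with, so unless that umask is restrictive the key is readable by every local user; creating it via `os.open(path, os.O_WRONLY | os.O_CREAT, 0o600)` (if os is imported) pins the mode before any key bytes land. The enclosing method starts before this hunk, and whether `__child__`/HandleEvent read the file synchronously is not visible here.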
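Review bot: The new verify_cert has no docstring and its nested ifs obscure that it is a plain conjunction of the two checks; `return (self.verify_cert_against_ca(filename, entry) and self.verify_cert_against_key(filename, key_filename))` under a docstring such as `"""check that an existing cert is CA-signed, unexpired, and matches its private key."""` says the same in one line. The `and` keeps the short-circuit the nested form has, so the key comparison still only runs when the CA check passed. `key_filename` is read by the changed `if` line but defined before the hunk, and the enclosing bind method starts outside it.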
@@ -164,6 +174,21 @@ class SSLCA(Bcfg2.Server.Plugin.GroupSpool):
             return True
         return False
+    def verify_cert_against_key(self, filename, key_filename):
+        """
+        check that a certificate validates against its private key.
+        """
+        cert = self.data + filename
+        key = self.data + key_filename
+        cmd = "openssl x509 -noout -modulus -in %s | openssl md5" % cert
+        cert_md5 = Popen(cmd, shell=True, stdout=PIPE, stderr=STDOUT).stdout.read()
+        cmd = "openssl rsa -noout -modulus -in %s | openssl md5" % key
+        key_md5 = Popen(cmd, shell=True, stdout=PIPE, stderr=STDOUT).stdout.read()
+        if cert_md5 == key_md5:
+            return True
+        return False
+
+
     def build_cert(self, key_filename, entry, metadata):
         """
         creates a new certificate according to the specification
-- 
cgit v1.2.3-1-g7c22
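Review bot: verify_cert_against_key interpolates `cert` and `key` into `shell=True` command strings; both paths are `self.data` plus a filename that, per the commit message and the bind code above, is derived per host (the derivation itself is outside the hunk), so any shell metacharacter in a path component is executed by the server's shell. The comparison is also unsound on failure: neither pipeline's exit status is checked, and when both `openssl x509` and `openssl rsa` fail the same way (openssl missing from PATH, for example, which the shell reports identically on both sides), `openssl md5` hashes an empty stdin for each and the two outputs compare equal, so the method returns True for a cert/key pair it never inspected. Pass argv lists with no shell, check each return code, and compare the `Modulus=` lines directly — the md5 step adds nothing to an equality test. Note `openssl rsa` only loads RSA keys, so a non-RSA key will fail this check and trigger a regeneration on every bind; build_cert continues past the end of the hunk.
```python
    def verify_cert_against_key(self, filename, key_filename):
        """
        check that a certificate's public modulus matches its private key.
        """
        cert = self.data + filename
        key = self.data + key_filename
        # argv lists, not a shell string: the paths embed per-host names
        cert_proc = Popen(["openssl", "x509", "-noout", "-modulus", "-in", cert],
                          stdout=PIPE, stderr=PIPE)
        cert_mod = cert_proc.communicate()[0]
        key_proc = Popen(["openssl", "rsa", "-noout", "-modulus", "-in", key],
                         stdout=PIPE, stderr=PIPE)
        key_mod = key_proc.communicate()[0]
        # a failed load must never compare equal to another failed load
        if cert_proc.returncode != 0 or key_proc.returncode != 0:
            return False
        return cert_mod.strip() == key_mod.strip()
```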