From f0a75666bfe2d101ac5b99534680047b47ec1224 Mon Sep 17 00:00:00 2001
From: "Chris St. Pierre"
Date: Mon, 27 Aug 2012 13:42:25 -0400
Subject: SSLCA: added root_ca option to verify certs against either intermediate or root CA

---
 src/lib/Server/Plugins/SSLCA.py | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

diff --git a/src/lib/Server/Plugins/SSLCA.py b/src/lib/Server/Plugins/SSLCA.py
index dc0aea6d3..fc2579e09 100644
--- a/src/lib/Server/Plugins/SSLCA.py
+++ b/src/lib/Server/Plugins/SSLCA.py
@@ -186,12 +186,20 @@ class SSLCA(Bcfg2.Server.Plugin.GroupSpool):
         check that a certificate validates against the ca cert, and
         that it has not expired.
         """
-        chaincert = \
-            self.CAs[self.cert_specs[entry.get('name')]['ca']].get('chaincert')
+        ca = self.CAs[self.cert_specs[entry.get('name')]['ca']]
+        chaincert = ca.get('chaincert')
         cert = self.data + filename
-        res = Popen(["openssl", "verify", "-untrusted", chaincert, "-purpose",
-                     "sslserver", cert],
-                    stdout=PIPE, stderr=STDOUT).stdout.read()
+        cmd = ["openssl", "verify"]
+        is_root = ca.get('root_ca', "false").lower() == 'true'
+        if is_root:
+            cmd.append("-CAfile")
+        else:
+            # verifying based on an intermediate cert
+            cmd.extend(["-purpose", "sslserver", "-untrusted"])
+        cmd.extend([chaincert, cert])
+        self.debug_log("SSLCA: Verifying %s against CA: %s" %
+                       (entry.get("name"), " ".join(cmd)))
+        res = Popen(cmd, stdout=PIPE, stderr=STDOUT).stdout.read()
         if res == cert + ": OK\n":
             self.debug_log("SSLCA: %s verified successfully against CA" %
                            entry.get("name"))
-- 
cgit v1.2.3-1-g7c22
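Review bot: The new `root_ca` branch drops the `-purpose sslserver` check that the intermediate branch (and the removed code) still applies, so a certificate verified against a root CA is accepted even if its extensions do not permit use as a TLS server certificate; the purpose check is independent of which trust anchor is used and belongs in both paths. Start the command with `cmd = ["openssl", "verify", "-purpose", "sslserver"]` and reduce the else branch to `cmd.append("-untrusted")`, keeping only the `-CAfile` / `-untrusted` choice conditional. It is also worth a comment on the intermediate branch noting that `-untrusted` alone leaves chain building to openssl's default trust store, e.g. `# chaincert is untrusted input to chain building; the root must be in the default store`, since the two branches now have different trust-anchor semantics. The enclosing method starts before the hunk and its handling of the non-OK result continues after it.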