summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSol Jerome <sol.jerome@gmail.com>2010-11-07 13:45:24 -0600
committerSol Jerome <sol.jerome@gmail.com>2010-11-07 13:45:24 -0600
commit6f022514f774c1f85050a4e7ea6cdf9e2f0fed1c (patch)
tree30150b707908e6e1e3e6b026e70f551cdbec6a9a
parent6c0dea0a84ac71bdd4692b86bc1e62ec44223f5e (diff)
parenta1a0321602585314375d0577516fb012e27f2c59 (diff)
downloadbcfg2-6f022514f774c1f85050a4e7ea6cdf9e2f0fed1c.tar.gz
bcfg2-6f022514f774c1f85050a4e7ea6cdf9e2f0fed1c.tar.bz2
bcfg2-6f022514f774c1f85050a4e7ea6cdf9e2f0fed1c.zip
Merge branch 'master' of http://github.com/gdhagger/bcfg2 into gdhagger-master
-rw-r--r--src/lib/Server/Plugins/SSLCA.py40
1 files changed, 15 insertions, 25 deletions
diff --git a/src/lib/Server/Plugins/SSLCA.py b/src/lib/Server/Plugins/SSLCA.py
index a961e744a..0dc448e69 100644
--- a/src/lib/Server/Plugins/SSLCA.py
+++ b/src/lib/Server/Plugins/SSLCA.py
@@ -1,23 +1,12 @@
-"""
-Notes:
-
-1. Put these notes in real docs!!!
-2. dir structure for CA's must be correct
-3. for subjectAltNames to work, openssl.conf must have copy_extensions on
-"""
-
-
import Bcfg2.Server.Plugin
import Bcfg2.Options
import lxml.etree
import posixpath
import tempfile
import os
-from subprocess import Popen, PIPE
+from subprocess import Popen, PIPE, STDOUT
from ConfigParser import ConfigParser
-import pdb
-
class SSLCA(Bcfg2.Server.Plugin.GroupSpool):
"""
The SSLCA generator handles the creation and
@@ -157,7 +146,7 @@ class SSLCA(Bcfg2.Server.Plugin.GroupSpool):
if filename in self.entries.keys() and self.verify_cert(filename, entry):
entry.text = self.entries[filename].data
else:
- cert = self.build_cert(entry, metadata)
+ cert = self.build_cert(key_filename, entry, metadata)
open(self.data + filename, 'w').write(cert)
entry.text = cert
@@ -167,20 +156,19 @@ class SSLCA(Bcfg2.Server.Plugin.GroupSpool):
and that it has not expired.
"""
chaincert = self.CAs[self.cert_specs[entry.get('name')]['ca']].get('chaincert')
- cert = "".join([self.data, '/', filename])
+ cert = self.data + filename
cmd = "openssl verify -CAfile %s %s" % (chaincert, cert)
- proc = Popen(cmd, shell=True)
- proc.communicate()
- if proc.returncode != 0:
- return False
- return True
+ res = Popen(cmd, shell=True, stdout=PIPE, stderr=STDOUT).stdout.read()
+ if res == cert + ": OK\n":
+ return True
+ return False
- def build_cert(self, entry, metadata):
+ def build_cert(self, key_filename, entry, metadata):
"""
creates a new certificate according to the specification
"""
req_config = self.build_req_config(entry, metadata)
- req = self.build_request(req_config, entry)
+ req = self.build_request(key_filename, req_config, entry)
ca = self.cert_specs[entry.get('name')]['ca']
ca_config = self.CAs[ca]['config']
days = self.cert_specs[entry.get('name')]['days']
@@ -225,8 +213,10 @@ class SSLCA(Bcfg2.Server.Plugin.GroupSpool):
for key in defaults[section]:
cp.set(section, key, defaults[section][key])
x = 1
- for alias in metadata.aliases:
- cp.set('alt_names', 'DNS.'+str(x), alias)
+ altnames = list(metadata.aliases)
+ altnames.append(metadata.hostname)
+ for altname in altnames:
+ cp.set('alt_names', 'DNS.'+str(x), altname)
x += 1
for item in ['C', 'L', 'ST', 'O', 'OU', 'emailAddress']:
if self.cert_specs[entry.get('name')][item]:
@@ -236,13 +226,13 @@ class SSLCA(Bcfg2.Server.Plugin.GroupSpool):
conffile.close()
return conffile.name
- def build_request(self, req_config, entry):
+ def build_request(self, key_filename, req_config, entry):
"""
creates the certificate request
"""
req = tempfile.mkstemp()[1]
- key = self.cert_specs[entry.get('name')]['key']
days = self.cert_specs[entry.get('name')]['days']
+ key = self.data + key_filename
cmd = "openssl req -new -config %s -days %s -key %s -text -out %s" % (req_config, days, key, req)
res = Popen(cmd, shell=True, stdout=PIPE).stdout.read()
return req