summaryrefslogtreecommitdiffstats
path: root/src/lib/Server
diff options
context:
space:
mode:
authorGraham Hagger <ghagger@wgen.net>2011-01-26 16:40:02 -0500
committerGraham Hagger <ghagger@ghagger-lnx.wgenhq.net>2011-01-26 16:40:38 -0500
commitbbc27db7def9b8b1243f54f59339cc83f57ccf0e (patch)
treebabf7c259f5f040dc81af4406e999a3fb582893e /src/lib/Server
parent1419c2fd37a418974290351533748253ca38fbf2 (diff)
downloadbcfg2-bbc27db7def9b8b1243f54f59339cc83f57ccf0e.tar.gz
bcfg2-bbc27db7def9b8b1243f54f59339cc83f57ccf0e.tar.bz2
bcfg2-bbc27db7def9b8b1243f54f59339cc83f57ccf0e.zip
added verification of cert against key, and ensured plugins entries get updated correctly if cert is requested before key, thus key was getting genned, then cert, then key again because the plugin didnt know it already had the key - doh
Diffstat (limited to 'src/lib/Server')
-rw-r--r--src/lib/Server/Plugins/SSLCA.py29
1 files changed, 27 insertions, 2 deletions
diff --git a/src/lib/Server/Plugins/SSLCA.py b/src/lib/Server/Plugins/SSLCA.py
index 4125cd498..1c9e1b59d 100644
--- a/src/lib/Server/Plugins/SSLCA.py
+++ b/src/lib/Server/Plugins/SSLCA.py
@@ -104,6 +104,8 @@ class SSLCA(Bcfg2.Server.Plugin.GroupSpool):
key = self.build_key(filename, entry, metadata)
open(self.data + filename, 'w').write(key)
entry.text = key
+ self.entries[filename] = self.__child__("%s%s" % (self.data, filename))
+ self.entries[filename].HandleEvent()
else:
entry.text = self.entries[filename].data
@@ -144,14 +146,22 @@ class SSLCA(Bcfg2.Server.Plugin.GroupSpool):
self.core.Bind(e, metadata)
# check if we have a valid hostfile
- if filename in self.entries.keys() and self.verify_cert(filename, entry):
+ if filename in self.entries.keys() and self.verify_cert(filename, key_filename, entry):
entry.text = self.entries[filename].data
else:
cert = self.build_cert(key_filename, entry, metadata)
open(self.data + filename, 'w').write(cert)
+ self.entries[filename] = self.__child__("%s%s" % (self.data, filename))
+ self.entries[filename].HandleEvent()
entry.text = cert
- def verify_cert(self, filename, entry):
+ def verify_cert(self, filename, key_filename, entry):
+ if self.verify_cert_against_ca(filename, entry):
+ if self.verify_cert_against_key(filename, key_filename):
+ return True
+ return False
+
+ def verify_cert_against_ca(self, filename, entry):
"""
check that a certificate validates against the ca cert,
and that it has not expired.
@@ -164,6 +174,21 @@ class SSLCA(Bcfg2.Server.Plugin.GroupSpool):
return True
return False
+ def verify_cert_against_key(self, filename, key_filename):
+ """
+ check that a certificate validates against its private key.
+ """
+ cert = self.data + filename
+ key = self.data + key_filename
+ cmd = "openssl x509 -noout -modulus -in %s | openssl md5" % cert
+ cert_md5 = Popen(cmd, shell=True, stdout=PIPE, stderr=STDOUT).stdout.read()
+ cmd = "openssl rsa -noout -modulus -in %s | openssl md5" % key
+ key_md5 = Popen(cmd, shell=True, stdout=PIPE, stderr=STDOUT).stdout.read()
+ if cert_md5 == key_md5:
+ return True
+ return False
+
+
def build_cert(self, key_filename, entry, metadata):
"""
creates a new certificate according to the specification