summaryrefslogtreecommitdiffstats
path: root/src/lib
diff options
context:
space:
mode:
authorGraham Hagger <ghagger@dmc259.mc.wgenhq.net>2010-11-05 14:17:30 -0400
committerGraham Hagger <ghagger@dmc259.mc.wgenhq.net>2010-11-05 14:17:30 -0400
commit3d10ec2113ab4df5e93419a83129f5820cfa2644 (patch)
treeaf503e29c8b6fd75fd57a33e14d7db1a2d3aaaaf /src/lib
parente2b894cc01bb3a10fa950112f49a12ba1b09a63d (diff)
downloadbcfg2-3d10ec2113ab4df5e93419a83129f5820cfa2644.tar.gz
bcfg2-3d10ec2113ab4df5e93419a83129f5820cfa2644.tar.bz2
bcfg2-3d10ec2113ab4df5e93419a83129f5820cfa2644.zip
Fixed verification of preexisting certificates
Diffstat (limited to 'src/lib')
-rw-r--r--src/lib/Server/Plugins/SSLCA.py34
1 files changed, 11 insertions, 23 deletions
diff --git a/src/lib/Server/Plugins/SSLCA.py b/src/lib/Server/Plugins/SSLCA.py
index a961e744a..a9986d284 100644
--- a/src/lib/Server/Plugins/SSLCA.py
+++ b/src/lib/Server/Plugins/SSLCA.py
@@ -1,23 +1,12 @@
-"""
-Notes:
-
-1. Put these notes in real docs!!!
-2. dir structure for CA's must be correct
-3. for subjectAltNames to work, openssl.conf must have copy_extensions on
-"""
-
-
import Bcfg2.Server.Plugin
import Bcfg2.Options
import lxml.etree
import posixpath
import tempfile
import os
-from subprocess import Popen, PIPE
+from subprocess import Popen, PIPE, STDOUT
from ConfigParser import ConfigParser
-import pdb
-
class SSLCA(Bcfg2.Server.Plugin.GroupSpool):
"""
The SSLCA generator handles the creation and
@@ -157,7 +146,7 @@ class SSLCA(Bcfg2.Server.Plugin.GroupSpool):
if filename in self.entries.keys() and self.verify_cert(filename, entry):
entry.text = self.entries[filename].data
else:
- cert = self.build_cert(entry, metadata)
+ cert = self.build_cert(key_filename, entry, metadata)
open(self.data + filename, 'w').write(cert)
entry.text = cert
@@ -167,20 +156,19 @@ class SSLCA(Bcfg2.Server.Plugin.GroupSpool):
and that it has not expired.
"""
chaincert = self.CAs[self.cert_specs[entry.get('name')]['ca']].get('chaincert')
- cert = "".join([self.data, '/', filename])
+ cert = self.data + filename
cmd = "openssl verify -CAfile %s %s" % (chaincert, cert)
- proc = Popen(cmd, shell=True)
- proc.communicate()
- if proc.returncode != 0:
- return False
- return True
+ res = Popen(cmd, shell=True, stdout=PIPE, stderr=STDOUT).stdout.read()
+ if res == cert + ": OK\n"
+ return True
+ return False
- def build_cert(self, entry, metadata):
+ def build_cert(self, key_filename, entry, metadata):
"""
creates a new certificate according to the specification
"""
req_config = self.build_req_config(entry, metadata)
- req = self.build_request(req_config, entry)
+ req = self.build_request(key_filename, req_config, entry)
ca = self.cert_specs[entry.get('name')]['ca']
ca_config = self.CAs[ca]['config']
days = self.cert_specs[entry.get('name')]['days']
@@ -236,13 +224,13 @@ class SSLCA(Bcfg2.Server.Plugin.GroupSpool):
conffile.close()
return conffile.name
- def build_request(self, req_config, entry):
+ def build_request(self, key_filename, req_config, entry):
"""
creates the certificate request
"""
req = tempfile.mkstemp()[1]
- key = self.cert_specs[entry.get('name')]['key']
days = self.cert_specs[entry.get('name')]['days']
+ key = self.data + key_filename
cmd = "openssl req -new -config %s -days %s -key %s -text -out %s" % (req_config, days, key, req)
res = Popen(cmd, shell=True, stdout=PIPE).stdout.read()
return req