author | Graham Hagger <ghagger@dmc259.mc.wgenhq.net> | 2010-11-03 11:00:53 -0400 |
---|---|---|
committer | Graham Hagger <ghagger@dmc259.mc.wgenhq.net> | 2010-11-03 11:00:53 -0400 |
commit | e0208c832fa922cf3958f58f023bd13d053ff879 (patch) | |
tree | 1a248726367967dae7c5133d2a5473c2a89da7bc /src/lib | |
parent | 6bbd4d6797d763777188d3984808f1ff692b2376 (diff) | |
download | bcfg2-e0208c832fa922cf3958f58f023bd13d053ff879.tar.gz bcfg2-e0208c832fa922cf3958f58f023bd13d053ff879.tar.bz2 bcfg2-e0208c832fa922cf3958f58f023bd13d053ff879.zip |
added verification of existing certs
Diffstat (limited to 'src/lib')
-rw-r--r-- | src/lib/Server/Plugins/SSLCA.py | 13 |
1 files changed, 9 insertions, 4 deletions
diff --git a/src/lib/Server/Plugins/SSLCA.py b/src/lib/Server/Plugins/SSLCA.py
index 823bf7fa0..a961e744a 100644
--- a/src/lib/Server/Plugins/SSLCA.py
+++ b/src/lib/Server/Plugins/SSLCA.py
@@ -154,20 +154,25 @@ class SSLCA(Bcfg2.Server.Plugin.GroupSpool):
self.core.Bind(e, metadata)
# check if we have a valid hostfile
- if filename in self.entries.keys() and self.verify_cert():
+ if filename in self.entries.keys() and self.verify_cert(filename, entry):
entry.text = self.entries[filename].data
else:
cert = self.build_cert(entry, metadata)
open(self.data + filename, 'w').write(cert)
entry.text = cert
- def verify_cert(self):
+ def verify_cert(self, filename, entry):
"""
check that a certificate validates against the ca cert, and that it has not expired.
"""
- # TODO: verify key validates and has not expired
- # possibly also ensure no less than x days until expiry
+ chaincert = self.CAs[self.cert_specs[entry.get('name')]['ca']].get('chaincert')
+ cert = "".join([self.data, '/', filename])
+ cmd = "openssl verify -CAfile %s %s" % (chaincert, cert)
+ proc = Popen(cmd, shell=True)
+ proc.communicate()
+ if proc.returncode != 0:
+ return False
return True
def build_cert(self, entry, metadata): |
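Review bot: The verdict in the new `verify_cert` rests solely on `proc.returncode` from `openssl verify`, but the `openssl verify` builds of that era (before 1.0.2, as far as I recall) exit 0 even when the chain does not validate — a non-zero status is reserved for usage and file-open errors — so an expired or foreign certificate already sitting in `self.data` would be re-served instead of rebuilt; the reliable signal is the exact `<cert>: OK` line on stdout, which is never printed on a failed chain. The command is also assembled as a shell string from `chaincert` and `filename`, which from what is visible come from the CA config and the entry name (presumably carrying client hostnames), so an argv list removes the quoting question and lets the output be captured in the same step. I would replace the three `cmd`/`Popen`/`communicate` lines with `proc = Popen(['openssl', 'verify', '-CAfile', chaincert, cert], stdout=PIPE, stderr=STDOUT)`, `output = proc.communicate()[0]` and `return proc.returncode == 0 and output == cert + ": OK\n"`, importing `PIPE`/`STDOUT` from `subprocess` if the module does not already. Separately, `.get('chaincert')` yields `None` when the CA section lacks that key, which silently becomes `-CAfile None` and a perpetual rebuild on every bind; raising or logging there would surface the misconfiguration. The method that calls `verify_cert` begins before this hunk.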