diff options
author | Alexander Sulfrian <asulfrian@zedat.fu-berlin.de> | 2022-01-16 03:34:12 +0100 |
---|---|---|
committer | Alexander Sulfrian <asulfrian@zedat.fu-berlin.de> | 2022-01-16 03:34:12 +0100 |
commit | f99adfc3e26dc4e49da79399f97c1cd1765068c8 (patch) | |
tree | 33e961787b39115657b3bd5e0f401f19c4fdf131 /src | |
parent | 8605cd3d0cb4d549cb8b43de945d447f6d82892a (diff) | |
download | bcfg2-f99adfc3e26dc4e49da79399f97c1cd1765068c8.tar.gz bcfg2-f99adfc3e26dc4e49da79399f97c1cd1765068c8.tar.bz2 bcfg2-f99adfc3e26dc4e49da79399f97c1cd1765068c8.zip |
SSLCA: Fix certificate validation
We should favour "-trusted" over "-CAfile" because it will skip the system-wide
CAs and ensure that the certificate is relay validated against the specified
CA.
For validation against an intermediate certificate, only an additional
"-partial_chain" is required. With "-untrusted" we previously added an
unstrusted intermediate certificate only and validated the cert against default
system wide installed CAs.
Diffstat (limited to 'src')
-rw-r--r-- | src/lib/Bcfg2/Server/Plugins/Cfg/CfgSSLCACertCreator.py | 11 |
1 files changed, 4 insertions, 7 deletions
diff --git a/src/lib/Bcfg2/Server/Plugins/Cfg/CfgSSLCACertCreator.py b/src/lib/Bcfg2/Server/Plugins/Cfg/CfgSSLCACertCreator.py index 92fcc4cd8..b9ced6682 100644 --- a/src/lib/Bcfg2/Server/Plugins/Cfg/CfgSSLCACertCreator.py +++ b/src/lib/Bcfg2/Server/Plugins/Cfg/CfgSSLCACertCreator.py @@ -216,15 +216,12 @@ class CfgSSLCACertCreator(XMLCfgCreator, CfgVerifier): chaincert = ca.get('chaincert') cmd = ["openssl", "verify"] is_root = ca.get('root_ca', "false").lower() == 'true' - if is_root: - cmd.append("-CAfile") - else: - # verifying based on an intermediate cert - cmd.extend(["-purpose", "sslserver", "-untrusted"]) - cmd.extend([chaincert, filename]) + if not is_root: + cmd.append("-partial_chain") + cmd.extend(["-trusted", chaincert, filename]) self.debug_log("Cfg: Verifying %s against CA" % entry.get("name")) result = self.cmd.run(cmd) - if result.stdout == cert + ": OK\n": + if result.stdout == filename + ": OK\n": self.debug_log("Cfg: %s verified successfully against CA" % entry.get("name")) else: |