Diffstat (limited to 'src/lib/Server/Plugins/SSLCA.py')
-rw-r--r--src/lib/Server/Plugins/SSLCA.py13
1 files changed, 9 insertions, 4 deletions
diff --git a/src/lib/Server/Plugins/SSLCA.py b/src/lib/Server/Plugins/SSLCA.py
index 823bf7fa0..a961e744a 100644
--- a/src/lib/Server/Plugins/SSLCA.py
+++ b/src/lib/Server/Plugins/SSLCA.py
@@ -154,20 +154,25 @@ class SSLCA(Bcfg2.Server.Plugin.GroupSpool):
self.core.Bind(e, metadata)
# check if we have a valid hostfile
- if filename in self.entries.keys() and self.verify_cert():
+ if filename in self.entries.keys() and self.verify_cert(filename, entry):
entry.text = self.entries[filename].data
else:
cert = self.build_cert(entry, metadata)
open(self.data + filename, 'w').write(cert)
entry.text = cert
- def verify_cert(self):
+ def verify_cert(self, filename, entry):
"""
check that a certificate validates against the ca cert,
and that it has not expired.
"""
- # TODO: verify key validates and has not expired
- # possibly also ensure no less than x days until expiry
+ chaincert = self.CAs[self.cert_specs[entry.get('name')]['ca']].get('chaincert')
+ cert = "".join([self.data, '/', filename])
+ cmd = "openssl verify -CAfile %s %s" % (chaincert, cert)
+ proc = Popen(cmd, shell=True)
+ proc.communicate()
+ if proc.returncode != 0:
+ return False
return True
def build_cert(self, entry, metadata):
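Review bot: The new `verify_cert` builds a shell command string from `chaincert` and `filename` and runs it with `shell=True`, so any shell metacharacter in the requested entry name (or in the configured CA chain path) is interpreted by the shell instead of being handed to openssl as an argument; the list form avoids that entirely, `proc = Popen(["openssl", "verify", "-CAfile", chaincert, cert], stdout=PIPE, stderr=PIPE)`, and capturing the streams also keeps openssl's verify output off the server's own stdout (this assumes `PIPE` is imported alongside `Popen`; the import block is outside the hunk). Separately, the path being verified, `"".join([self.data, '/', filename])`, is assembled differently from the path written a few lines earlier by `open(self.data + filename, 'w')`, so unless `filename` already begins with `/` the verify step checks a different file than the one the rebuild branch writes — use one expression (e.g. `os.path.join(self.data, filename)`) in both places. The method containing the `self.core.Bind` call starts before the hunk, and `build_cert`'s body continues past it.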