author | Ade Lee <alee@redhat.com> | 2016-04-22 15:31:43 -0400 |
---|---|---|
committer | Ade Lee <alee@redhat.com> | 2016-05-02 14:45:51 -0400 |
commit | 29cee52cfeb4b6c1b10f6ef4b4bdf91bffe0de7c (patch) | |
tree | 5f9de9505347ae2de42f44bc1a3e3b93dd363beb /base/server/python/pki/server/deployment/pkihelper.py | |
parent | 5546024b33054181a60d91c6ec6f635c567c2ea8 (diff) | |
Add validity check for the signing certificate in pkispawn
When either an existing CA or external CA installation is
performed, use the pki-server cert validation tool to check
the signing certificate and chain.
Ticket #2043
Diffstat (limited to 'base/server/python/pki/server/deployment/pkihelper.py')
-rw-r--r-- | base/server/python/pki/server/deployment/pkihelper.py | 32 |
1 files changed, 32 insertions, 0 deletions
diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py
index f01f6f69f..2898d7fe0 100644
--- a/base/server/python/pki/server/deployment/pkihelper.py
+++ b/base/server/python/pki/server/deployment/pkihelper.py
@@ -4592,6 +4592,34 @@ class ConfigClient:
 return cert
+class SystemCertificateVerifier:
+ """ Verifies system certificates for a subsystem"""
+
+ def __init__(self, instance=None, subsystem=None):
+ self.instance = instance
+ self.subsystem = subsystem
+
+ def verify_certificate(self, cert_id=None):
+ cmd = ['pki-server', 'subsystem-cert-validate',
+ '-i', self.instance.name,
+ self.subsystem]
+ if cert_id is not None:
+ cmd.append(cert_id)
+ try:
+ subprocess.check_output(
+ cmd,
+ stderr=subprocess.STDOUT)
+ except subprocess.CalledProcessError as e:
+ config.pki_log.error(
+ "pki subsystem-cert-validate return code: " + str(e.returncode),
+ extra=config.PKI_INDENTATION_LEVEL_2
+ )
+ config.pki_log.error(
+ e.output,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ raise
+
+
 class PKIDeployer:
 """Holds the global dictionaries and the utility objects"""
@@ -4660,3 +4688,7 @@ class PKIDeployer:
 os.chmod(
 new_descriptor,
 config.PKI_DEPLOYMENT_DEFAULT_FILE_PERMISSIONS)
+
+ @staticmethod
+ def create_system_cert_verifier(instance=None, subsystem=None):
+ return SystemCertificateVerifier(instance, subsystem) |
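Review bot: `verify_certificate` dereferences `self.instance.name` and puts `self.subsystem` straight into the argument list, yet `__init__` and the `create_system_cert_verifier` factory in the second hunk both default these to `None`. A verifier built with the defaults therefore fails with an unrelated AttributeError (or an error from subprocess) rather than a clear message. Because this check gates the signing certificate, either make both parameters required or guard at the top of the method, e.g. `if self.instance is None or self.subsystem is None: raise ValueError("instance and subsystem are required")`. The method also needs a docstring stating that it returns nothing on success and re-raises `subprocess.CalledProcessError` when validation fails, so callers do not wrap it in a broad `except` and continue the install. The logged text reads `pki subsystem-cert-validate` while the command actually run is `pki-server subsystem-cert-validate`, and the two should match to keep log triage unambiguous.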