authorAde Lee <alee@redhat.com>2016-04-22 15:31:43 -0400
committerAde Lee <alee@redhat.com>2016-05-02 14:45:51 -0400
commit29cee52cfeb4b6c1b10f6ef4b4bdf91bffe0de7c (patch)
tree5f9de9505347ae2de42f44bc1a3e3b93dd363beb /base/server/python/pki/server/deployment/pkihelper.py
parent5546024b33054181a60d91c6ec6f635c567c2ea8 (diff)
Add validity check for the signing certificate in pkispawn
When either an existing CA or external CA installation is performed, use the pki-server cert validation tool to check the signing certificate and chain. Ticket #2043
Diffstat (limited to 'base/server/python/pki/server/deployment/pkihelper.py')
-rw-r--r--base/server/python/pki/server/deployment/pkihelper.py32
1 files changed, 32 insertions, 0 deletions
diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py
index f01f6f69f..2898d7fe0 100644
--- a/base/server/python/pki/server/deployment/pkihelper.py
+++ b/base/server/python/pki/server/deployment/pkihelper.py
@@ -4592,6 +4592,34 @@ class ConfigClient:
return cert
+class SystemCertificateVerifier:
+ """ Verifies system certificates for a subsystem"""
+
+ def __init__(self, instance=None, subsystem=None):
+ self.instance = instance
+ self.subsystem = subsystem
+
+ def verify_certificate(self, cert_id=None):
+ cmd = ['pki-server', 'subsystem-cert-validate',
+ '-i', self.instance.name,
+ self.subsystem]
+ if cert_id is not None:
+ cmd.append(cert_id)
+ try:
+ subprocess.check_output(
+ cmd,
+ stderr=subprocess.STDOUT)
+ except subprocess.CalledProcessError as e:
+ config.pki_log.error(
+ "pki subsystem-cert-validate return code: " + str(e.returncode),
+ extra=config.PKI_INDENTATION_LEVEL_2
+ )
+ config.pki_log.error(
+ e.output,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ raise
+
+
class PKIDeployer:
"""Holds the global dictionaries and the utility objects"""
@@ -4660,3 +4688,7 @@ class PKIDeployer:
os.chmod(
new_descriptor,
config.PKI_DEPLOYMENT_DEFAULT_FILE_PERMISSIONS)
+
+ @staticmethod
+ def create_system_cert_verifier(instance=None, subsystem=None):
+ return SystemCertificateVerifier(instance, subsystem)