summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJohn Eckersberg <jeckersb@redhat.com>2009-04-14 09:16:23 -0400
committerAdrian Likins <alikins@redhat.com>2009-04-14 11:29:06 -0400
commit4575d4c9942579a235eb7b46a726ddcd557a2edd (patch)
tree45b80d4b7968da3935d4d2d9f5c07aa45e365914
parentfc94644e28f0af3ce765ec3f87138b264125dee0 (diff)
downloadcertmaster-master.zip
certmaster-master.tar.gz
certmaster-master.tar.xz
Do not accept certificates that do not match our key.HEADmaster
Usually this happens when a host is re-provisioned and you forget to run certmaster-ca --clean afterwards to remove the old cert on the certmaster. Instead of accepting the cert and throwing a key-mismatch exception, we log a useful hint to the log and to stderr.
-rw-r--r--certmaster/certs.py15
-rw-r--r--certmaster/utils.py7
2 files changed, 22 insertions, 0 deletions
diff --git a/certmaster/certs.py b/certmaster/certs.py
index 3d8d991..8a1db3a 100644
--- a/certmaster/certs.py
+++ b/certmaster/certs.py
@@ -137,3 +137,18 @@ def create_slave_certificate(csr, cakey, cacert, cadir, slave_cert_file=None):
destfo.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
destfo.close()
return cert
+
+def check_cert_key_match(cert, key):
+ if not isinstance(cert, crypto.X509Type):
+ cert = crypto.load_certificate(crypto.FILETYPE_PEM, cert)
+ if not isinstance(key, crypto.PKeyType):
+ key = crypto.load_privatekey(crypto.FILETYPE_PEM, key)
+
+ from OpenSSL import SSL
+ context = SSL.Context(SSL.SSLv3_METHOD)
+ try:
+ context.use_certificate(cert)
+ context.use_privatekey(key)
+ return True
+ except:
+ return False
diff --git a/certmaster/utils.py b/certmaster/utils.py
index 76d5b4d..773b0eb 100644
--- a/certmaster/utils.py
+++ b/certmaster/utils.py
@@ -179,6 +179,13 @@ def create_minion_keys():
if result:
# print "DEBUG: recieved certificate from certmaster"
log.debug("received certificate from certmaster %s, storing to %s" % (master_uri, cert_file))
+ if not keypair:
+ keypair = certs.retrieve_key_from_file(key_file)
+ valid = certs.check_cert_key_match(cert_string, keypair)
+ if not valid:
+ log.info("certificate does not match key (run certmaster-ca --clean first?)")
+ sys.stderr.write("certificate does not match key (run certmaster-ca --clean first?)\n")
+ return
cert_fd = os.open(cert_file, os.O_RDWR|os.O_CREAT, 0644)
os.write(cert_fd, cert_string)
os.close(cert_fd)