authorJohn Eckersberg <jeckersb@redhat.com>2009-04-14 09:16:23 -0400
committerAdrian Likins <alikins@redhat.com>2009-04-14 11:29:06 -0400
commit4575d4c9942579a235eb7b46a726ddcd557a2edd (patch)
tree45b80d4b7968da3935d4d2d9f5c07aa45e365914 /certmaster/certs.py
parentfc94644e28f0af3ce765ec3f87138b264125dee0 (diff)
Do not accept certificates that do not match our key.HEADmaster
Usually this happens when a host is re-provisioned and you forget to run certmaster-ca --clean afterwards to remove the old cert on the certmaster. Instead of accepting the cert and throwing a key-mismatch exception, we log a useful hint to the log and to stderr.
Diffstat (limited to 'certmaster/certs.py')
-rw-r--r--certmaster/certs.py15
1 files changed, 15 insertions, 0 deletions
diff --git a/certmaster/certs.py b/certmaster/certs.py
index 3d8d991..8a1db3a 100644
--- a/certmaster/certs.py
+++ b/certmaster/certs.py
@@ -137,3 +137,18 @@ def create_slave_certificate(csr, cakey, cacert, cadir, slave_cert_file=None):
destfo.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
destfo.close()
return cert
+
+def check_cert_key_match(cert, key):
+ if not isinstance(cert, crypto.X509Type):
+ cert = crypto.load_certificate(crypto.FILETYPE_PEM, cert)
+ if not isinstance(key, crypto.PKeyType):
+ key = crypto.load_privatekey(crypto.FILETYPE_PEM, key)
+
+ from OpenSSL import SSL
+ context = SSL.Context(SSL.SSLv3_METHOD)
+ try:
+ context.use_certificate(cert)
+ context.use_privatekey(key)
+ return True
+ except:
+ return False
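Review bot: The bare `except:` at the end of the new check_cert_key_match turns every failure inside the try into a silent False — including KeyboardInterrupt and any unexpected error from use_certificate — so a broken environment is reported to the caller as a key mismatch; narrow it to `except SSL.Error:`, and consider calling `context.check_privatekey()` after the two use_* calls, which is the explicit pyOpenSSL API for this comparison rather than relying on use_privatekey failing as a side effect. The context is built with `SSL.SSLv3_METHOD` purely to run the comparison, and OpenSSL builds that disable SSLv3 may reject that method, so `SSL.TLSv1_METHOD` would be a more durable choice since no connection is ever made. A docstring stating that cert and key may be either PEM text or already-loaded X509/PKey objects and that True is returned only when the private key corresponds to the certificate would help callers, because the two isinstance branches make that dual contract easy to miss.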