9717eb0e
Commit
9717eb0e
authored
Feb 05, 2015
by
Julien Muchembled
re6stnet: verify certificate with CA at startup
parent
7977404a
Showing
2 changed files
with
16 additions
and
3 deletions
+16
-3
re6st/x509.py
re6st/x509.py
+16
-2
re6stnet
re6stnet
+0
-1
re6st/x509.py
...
@@ -77,8 +77,7 @@ class Cert(object):
...
@@ -77,8 +77,7 @@ class Cert(object):
self
.
key
=
crypto
.
load_privatekey
(
crypto
.
FILETYPE_PEM
,
f
.
read
())
self
.
key
=
crypto
.
load_privatekey
(
crypto
.
FILETYPE_PEM
,
f
.
read
())
if
cert
:
if
cert
:
with
open
(
cert
)
as
f
:
with
open
(
cert
)
as
f
:
cert
=
f
.
read
()
self
.
cert
=
self
.
loadVerify
(
f
.
read
())
self
.
cert
=
crypto
.
load_certificate
(
crypto
.
FILETYPE_PEM
,
cert
)
@
property
@
property
def
prefix
(
self
):
def
prefix
(
self
):
...
@@ -103,6 +102,21 @@ class Cert(object):
...
@@ -103,6 +102,21 @@ class Cert(object):
"CA Certificate"
,
registry
.
getCa
)
"CA Certificate"
,
registry
.
getCa
)
return
min
(
next_renew
,
ca_renew
)
return
min
(
next_renew
,
ca_renew
)
def
loadVerify
(
self
,
cert
,
strict
=
False
):
try
:
r
=
crypto
.
load_certificate
(
crypto
.
FILETYPE_PEM
,
cert
)
except
crypto
.
Error
:
raise
VerifyError
(
None
,
None
,
'unable to load certificate'
)
p
=
openssl
(
'verify'
,
'-CAfile'
,
self
.
ca_path
)
out
,
err
=
p
.
communicate
(
cert
)
if
p
.
returncode
or
strict
:
for
x
in
out
.
splitlines
():
if
x
.
startswith
(
'error '
):
x
,
msg
=
x
.
split
(
':'
,
1
)
_
,
code
,
_
,
depth
,
_
=
x
.
split
(
None
,
4
)
raise
VerifyError
(
int
(
code
),
int
(
depth
),
msg
)
return
r
def
verify
(
self
,
sign
,
data
):
def
verify
(
self
,
sign
,
data
):
crypto
.
verify
(
self
.
ca
,
sign
,
data
,
'sha1'
)
crypto
.
verify
(
self
.
ca
,
sign
,
data
,
'sha1'
)
...
...
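Review bot: In the new `loadVerify`, a non-zero `p.returncode` is silently ignored whenever stdout has no line starting with `'error '` (for example when the openssl CLI reports the failure on stderr, which is captured into `err` but never read), so the method falls through to `return r` and hands back a certificate that did not verify. After the `for` loop add `if p.returncode: raise VerifyError(None, None, err or out)` so an unparsed failure still rejects the certificate. The unpacking `_, code, _, depth, _ = x.split(None, 4)` assumes the `error N at M depth lookup:msg` output format of the openssl CLI, which is version-specific; a short comment naming that assumption, and a docstring such as `"""Load a PEM certificate and verify it against self.ca_path; raise VerifyError(code, depth, msg) on failure."""`, would make the contract explicit. `openssl`, `VerifyError` and `self.ca_path` are defined outside this hunk, and the first hunk's `__init__` call `self.cert = self.loadVerify(f.read())` inherits the same gap.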
re6stnet
...
@@ -129,7 +129,6 @@ def main():
...
@@ -129,7 +129,6 @@ def main():
config
=
getConfig
()
config
=
getConfig
()
cert
=
x509
.
Cert
(
config
.
ca
,
config
.
key
,
config
.
cert
)
cert
=
x509
.
Cert
(
config
.
ca
,
config
.
key
,
config
.
cert
)
config
.
openvpn_args
+=
cert
.
openvpn_args
config
.
openvpn_args
+=
cert
.
openvpn_args
# TODO: verify certificates (should we moved to M2Crypto ?)
if
config
.
test
:
if
config
.
test
:
sys
.
exit
(
eval
(
config
.
test
,
None
,
config
.
__dict__
))
sys
.
exit
(
eval
(
config
.
test
,
None
,
config
.
__dict__
))
...
...
Julien Muchembled
@jm
·
Jan 11, 2019
Owner
This broke certificate renewal during the grace period.
This broke certificate renewal during the grace period.