Commit 9717eb0e authored by Julien Muchembled's avatar Julien Muchembled

re6stnet: verify certificate with CA at startup

parent 7977404a
......@@ -77,8 +77,7 @@ class Cert(object):
self.key = crypto.load_privatekey(crypto.FILETYPE_PEM, f.read())
if cert:
with open(cert) as f:
cert = f.read()
self.cert = crypto.load_certificate(crypto.FILETYPE_PEM, cert)
self.cert = self.loadVerify(f.read())
@property
def prefix(self):
......@@ -103,6 +102,21 @@ class Cert(object):
"CA Certificate", registry.getCa)
return min(next_renew, ca_renew)
def loadVerify(self, cert, strict=False):
try:
r = crypto.load_certificate(crypto.FILETYPE_PEM, cert)
except crypto.Error:
raise VerifyError(None, None, 'unable to load certificate')
p = openssl('verify', '-CAfile', self.ca_path)
out, err = p.communicate(cert)
if p.returncode or strict:
for x in out.splitlines():
if x.startswith('error '):
x, msg = x.split(':', 1)
_, code, _, depth, _ = x.split(None, 4)
raise VerifyError(int(code), int(depth), msg)
return r
def verify(self, sign, data):
crypto.verify(self.ca, sign, data, 'sha1')
......
......@@ -129,7 +129,6 @@ def main():
config = getConfig()
cert = x509.Cert(config.ca, config.key, config.cert)
config.openvpn_args += cert.openvpn_args
# TODO: verify certificates (should we moved to M2Crypto ?)
if config.test:
sys.exit(eval(config.test, None, config.__dict__))
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment