From 9717eb0e3fe29a68424a03d0ee4e8dc0fdd0d680 Mon Sep 17 00:00:00 2001
From: Julien Muchembled
Date: Thu, 5 Feb 2015 15:37:56 +0100
Subject: [PATCH] re6stnet: verify certificate with CA at startup
---
 re6st/x509.py | 18 ++++++++++++++++--
 re6stnet | 1 -
 2 files changed, 16 insertions(+), 3 deletions(-)
diff --git a/re6st/x509.py b/re6st/x509.py
index cce03fa..aaccb01 100644
--- a/re6st/x509.py
+++ b/re6st/x509.py
@@ -77,8 +77,7 @@ class Cert(object):
 self.key = crypto.load_privatekey(crypto.FILETYPE_PEM, f.read())
 if cert:
 with open(cert) as f:
- cert = f.read()
- self.cert = crypto.load_certificate(crypto.FILETYPE_PEM, cert)
+ self.cert = self.loadVerify(f.read())
 @property
 def prefix(self):
@@ -103,6 +102,21 @@ class Cert(object):
 "CA Certificate", registry.getCa)
 return min(next_renew, ca_renew)
+ def loadVerify(self, cert, strict=False):
+ try:
+ r = crypto.load_certificate(crypto.FILETYPE_PEM, cert)
+ except crypto.Error:
+ raise VerifyError(None, None, 'unable to load certificate')
+ p = openssl('verify', '-CAfile', self.ca_path)
+ out, err = p.communicate(cert)
+ if p.returncode or strict:
+ for x in out.splitlines():
+ if x.startswith('error '):
+ x, msg = x.split(':', 1)
+ _, code, _, depth, _ = x.split(None, 4)
+ raise VerifyError(int(code), int(depth), msg)
+ return r
+
 def verify(self, sign, data):
 crypto.verify(self.ca, sign, data, 'sha1')
diff --git a/re6stnet b/re6stnet
index e1f2fdd..f3a2701 100755
--- a/re6stnet
+++ b/re6stnet
@@ -129,7 +129,6 @@ def main():
 config = getConfig()
 cert = x509.Cert(config.ca, config.key, config.cert)
 config.openvpn_args += cert.openvpn_args
- # TODO: verify certificates (should we moved to M2Crypto ?)
 if config.test:
 sys.exit(eval(config.test, None, config.__dict__))
--
2.25.1
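Review bot: loadVerify fails open when `openssl verify` exits non-zero without printing an `error …` line to stdout — for instance when the binary or `self.ca_path` cannot be read, or when the diagnostic lands in `err`, which is captured but never inspected — because the `for` loop finds nothing to raise and execution falls through to `return r` with the unverified certificate accepted. Add a guard after the loop, `if p.returncode: raise VerifyError(None, None, err.strip() or 'openssl verify failed')`, so that any failure of the external verifier is fatal rather than silently ignored. Relatedly, `openssl verify` invoked with only `-CAfile` is presumed to also consult the default system CA directory, which would let a certificate chaining to any publicly trusted CA pass; if that holds for the targeted OpenSSL builds, pin the check with `-no-CApath` (or an empty `-CApath`) so only the re6st CA is trusted. The Cert class body continues outside this hunk.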