re6stnet: verify certificate with CA at startup

re6st/x509.py

@@ -77,8 +77,7 @@ class Cert(object):
             self.key = crypto.load_privatekey(crypto.FILETYPE_PEM, f.read())
         if cert:
             with open(cert) as f:
-                cert = f.read()
-            self.cert = crypto.load_certificate(crypto.FILETYPE_PEM, cert)
+                self.cert = self.loadVerify(f.read())
 
     @property
     def prefix(self):
@@ -103,6 +102,21 @@ class Cert(object):
               "CA Certificate", registry.getCa)
         return min(next_renew, ca_renew)
 
+    def loadVerify(self, cert, strict=False):
+        try:
+            r = crypto.load_certificate(crypto.FILETYPE_PEM, cert)
+        except crypto.Error:
+            raise VerifyError(None, None, 'unable to load certificate')
+        p = openssl('verify', '-CAfile', self.ca_path)
+        out, err = p.communicate(cert)
+        if p.returncode or strict:
+            for x in out.splitlines():
+                if x.startswith('error '):
+                    x, msg = x.split(':', 1)
+                    _, code, _, depth, _ = x.split(None, 4)
+                    raise VerifyError(int(code), int(depth), msg)
+        return r
+
     def verify(self, sign, data):
         crypto.verify(self.ca, sign, data, 'sha1')
 

re6stnet

@@ -129,7 +129,6 @@ def main():
     config = getConfig()
     cert = x509.Cert(config.ca, config.key, config.cert)
     config.openvpn_args += cert.openvpn_args
-    # TODO: verify certificates (should we moved to M2Crypto ?)
 
     if config.test:
         sys.exit(eval(config.test, None, config.__dict__))

[Julien Muchembled]

This broke certificate renewal during the grace period.