Commit 9717eb0e authored by Julien Muchembled's avatar Julien Muchembled

re6stnet: verify certificate with CA at startup

parent 7977404a
......@@ -77,8 +77,7 @@ class Cert(object):
self.key = crypto.load_privatekey(crypto.FILETYPE_PEM,
if cert:
with open(cert) as f:
cert =
self.cert = crypto.load_certificate(crypto.FILETYPE_PEM, cert)
self.cert = self.loadVerify(
def prefix(self):
......@@ -103,6 +102,21 @@ class Cert(object):
"CA Certificate", registry.getCa)
return min(next_renew, ca_renew)
def loadVerify(self, cert, strict=False):
r = crypto.load_certificate(crypto.FILETYPE_PEM, cert)
except crypto.Error:
raise VerifyError(None, None, 'unable to load certificate')
p = openssl('verify', '-CAfile', self.ca_path)
out, err = p.communicate(cert)
if p.returncode or strict:
for x in out.splitlines():
if x.startswith('error '):
x, msg = x.split(':', 1)
_, code, _, depth, _ = x.split(None, 4)
raise VerifyError(int(code), int(depth), msg)
return r
def verify(self, sign, data):
crypto.verify(, sign, data, 'sha1')
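Review bot: loadVerify fails open when `openssl verify` exits non-zero but prints no line beginning with `error ` — the loop under `if p.returncode or strict:` then finds nothing to raise and the method still returns the loaded certificate, while the stderr captured into `err` by `p.communicate(cert)` is never consulted. I would end that branch with an unconditional failure after the `for` loop, e.g. `if p.returncode: raise VerifyError(None, None, err.strip() or out.strip() or 'openssl verify failed')`. The `strict` parameter also deserves a short comment stating why output errors are parsed even on a zero exit status; presumably it works around openssl releases whose verify subcommand does not report failure through its exit code, but the hunk does not say so. As rendered the hunk has lost its markers and indentation (the `try:` preceding the `crypto.load_certificate` call is not shown), so the exact nesting is inferred, and the following `verify` method continues outside the hunk.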
......@@ -129,7 +129,6 @@ def main():
config = getConfig()
cert = x509.Cert(, config.key, config.cert)
config.openvpn_args += cert.openvpn_args
# TODO: verify certificates (should we moved to M2Crypto ?)
if config.test:
sys.exit(eval(config.test, None, config.__dict__))