Commit ad7c3f64 authored by Julien Muchembled's avatar Julien Muchembled

certificate_authority: fix temporary file leak when checking certificates

parent 6b51f873
......@@ -156,47 +156,15 @@ class Request(Recipe):
return path_list
def _checkCertificateKeyConsistency(self, key, certificate, ca=""):
def _checkCertificateKeyConsistency(self, key, certificate):
openssl_binary = self.options.get('openssl-binary', 'openssl')
tmpdir = tempfile.mkdtemp()
with open(tmpdir + "/ca", "w") as f:
f.write(ca)
with open(tmpdir + "/key", "w") as f:
f.write(key)
with open(tmpdir + "/cert", "w") as f:
f.write(certificate)
try:
# Simple test if the user/certificates are readable and don't raise
popenCommunicate([openssl_binary, 'x509', '-noout', '-text', '-in', tmpdir + "/cert"])
popenCommunicate([openssl_binary, 'rsa', '-noout', '-text', '-in', tmpdir + "/key"])
# Get md5 to check if the key and certificate matches
modulus_cert = popenCommunicate([openssl_binary, 'x509', '-noout', '-modulus', '-in', tmpdir + "/cert"])
modulus_key = popenCommunicate([openssl_binary, 'rsa', '-noout', '-modulus', '-in', tmpdir + "/key"])
md5sum_cert = popenCommunicate([openssl_binary, 'md5'], modulus_cert)
md5sum_key = popenCommunicate([openssl_binary, 'md5'], modulus_key)
if md5sum_cert != md5sum_key:
raise ValueError("The key and certificate provided don't patch each other. Please check your parameters")
except:
try:
file_list = [tmpdir + "/ca", tmpdir + "/key", tmpdir + "/cert"]
for f in file_list:
if os.path.exists(f):
os.unlink(f)
if os.path.exists(tmpdir):
os.rmdir(tmpdir)
except:
# do not raise during cleanup
pass
raise
else:
pass
# Simple test if the user/certificates are readable and don't raise
popenCommunicate((openssl_binary, 'x509', '-noout', '-text'), certificate)
popenCommunicate((openssl_binary, 'rsa', '-noout', '-text'), key)
# Check if the key and certificate match
modulus_cert = popenCommunicate((openssl_binary, 'x509', '-noout', '-modulus'), certificate)
modulus_key = popenCommunicate((openssl_binary, 'rsa', '-noout', '-modulus'), key)
if modulus_cert != modulus_key:
raise ValueError("The key and certificate provided don't patch each other. Please check your parameters")
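Review bot: The mismatch error on the last added line is misspelled — it says the key and certificate "don't patch each other", which will confuse operators reading the buildout log; `raise ValueError("The key and certificate provided don't match each other. Please check your parameters")`. Feeding the PEM data to openssl on stdin instead of writing it to a temp directory also keeps the private key off disk, which is an improvement worth a comment such as `# Key material is passed on stdin so it never touches the filesystem`. Note that the new signature drops the `ca=""` parameter; any caller still passing `ca` will now fail with a TypeError, so the call sites (not visible here) should be checked. The modulus comparison via `openssl rsa -modulus` only works for RSA keys, so if this recipe can ever be handed an EC key the check will reject a valid pair — comparing `openssl pkey -pubout` against `openssl x509 -noout -pubkey` would cover both, if that matters here. The method appears to end with this `raise`, but nothing after the hunk is visible to confirm that.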