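def validate_cert(self, cert):
    """
    Confirm that a `cert` is verifiably signed with CA from config.

    The certificate is checked against the "truststore_for_transport"
    truststore for this object's ``self.domain``. Nothing is returned on
    success.

    Raises:
        CertificateInvalid: if ``certificate.verify_certificate`` raises for
            any reason. The original error is passed along as the argument.
    """
    _log.debug("client.validate_cert")
    try:
        certificate.verify_certificate("truststore_for_transport", cert, domain=self.domain)
    # `except X as name` is accepted by Python 2.6+ and Python 3; the older
    # `except (X), name` spelling is a syntax error on Python 3.
    except Exception as err:
        # Fail closed: any error during verification, not only a bad
        # signature, is reported to the caller as an invalid certificate.
        _log.error("verification failed:%s" % err)
        raise CertificateInvalid(err)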
Beispiel #2
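 def validate_cert(self, cert):
     """
     Confirm that a `cert` is verifiably signed with CA from config.

     The certificate is checked against the "truststore_for_transport"
     truststore for this object's ``self.domain``. Nothing is returned on
     success.

     Raises:
         CertificateInvalid: if ``certificate.verify_certificate`` raises for
             any reason. The original error is passed along as the argument.
     """
     _log.debug("client.validate_cert")
     try:
         certificate.verify_certificate("truststore_for_transport",
                                        cert,
                                        domain=self.domain)
     # `except X as name` is accepted by Python 2.6+ and Python 3; the older
     # `except (X), name` spelling is a syntax error on Python 3.
     except Exception as err:
         # Fail closed: any error during verification, not only a bad
         # signature, is reported to the caller as an invalid certificate.
         _log.error("verification failed:%s" % err)
         raise CertificateInvalid(err)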
Beispiel #3
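 def _check_authz_certificate_cb(self,
                                 key,
                                 value,
                                 authz_list_key=None,
                                 authz_list=None):
     """Register node attributes for external authorization.

     Storage callback. ``value[0]`` is taken as the candidate authorization
     server's certificate. It is verified against the transport truststore,
     and its CN is then checked for the "authzserver" marker. If the check
     passes, ``self.register_node_external()`` is called; otherwise the
     search continues through ``self._register_node_cb`` with
     ``authz_list_key`` and ``authz_list``.

     A missing or empty ``value`` is treated like a certificate that did not
     pass the CN check, so the node never registers with a server whose
     certificate could not be inspected.

     Raises:
         Exception: whatever ``certificate.verify_certificate`` raised, after
             it has been logged.
     """
     # FIXME: should this include certificate exchange?
     _log.debug("_check_authz_certificate_cb"
                "\n\tkey={}"
                "\n\tvalue={}".format(key, value))
     certstr = None
     if value:
         certstr = value[0]
         try:
             # Only the success or failure of verification matters here;
             # the returned certificate object is not used.
             certificate.verify_certificate(
                 certificate.TRUSTSTORE_TRANSPORT, certstr)
         except Exception as err:
             _log.error(
                 "Failed to verify the authorization servers certificate from storage, err={}"
                 .format(err))
             raise
     else:
         # Without this branch `certstr` would be unbound below and the
         # callback would die with UnboundLocalError instead of moving on.
         _log.error(
             "No certificate found in storage for the authorization server, key={}"
             .format(key))
     # NOTE(review): this is a substring match, so any CN that merely contains
     # "authzserver" is accepted. Confirm the CA's naming policy makes that
     # sufficient, or compare against an exact or anchored name instead.
     if not value or "authzserver" not in certificate.cert_CN(certstr):
         _log.error(
             "The runtime IS NOT certified by the CA as an authorization server, let's try another one."
         )
         self._register_node_cb(key=authz_list_key, value=authz_list)
     else:
         _log.info(
             "The runtime IS certified by the CA as an authorization server"
         )
         self.register_node_external()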
Beispiel #4
 def verify_certificate(self, cert_str, type):
     """Verify `cert_str` and return the result of the verification.

     Delegates to ``certificate.verify_certificate``, passing `type` as its
     first argument (presumably the truststore selector; confirm against the
     certificate module) and this object's ``security_dir``.

     Any exception from the verification is logged and re-raised unchanged,
     so a failed verification never yields a return value.
     """
     try:
         return certificate.verify_certificate(
             type, cert_str, security_dir=self.security_dir)
     except Exception as failure:
         _log.error("Failed to verify certificate, err={}".format(failure))
         raise
Beispiel #5
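 def _check_auth_certificate_cb(self, key, value, auth_list_key=None, auth_list=None):
     """Check certificate of authentication server.

     Storage callback. ``value[0]`` is taken as the candidate authentication
     server's certificate. It is verified against the transport truststore,
     and its CN is then checked for the "authserver" marker. If the check
     fails, the candidate is removed from ``auth_list_key`` and ``auth_list``
     and the search continues through ``self._find_auth_server_cb``.

     A missing or empty ``value`` is treated like a certificate that did not
     pass the CN check, so a server whose certificate could not be inspected
     is never accepted.

     Raises:
         Exception: whatever ``certificate.verify_certificate`` raised, after
             it has been logged.
     """
     _log.debug("_check_auth_certificate_cb"
                "\n\tkey={}"
                "\n\tvalue={}".format(key, value))
     certstr = None
     if value:
         certstr = value[0]
         try:
             # Only the success or failure of verification matters here;
             # the returned certificate object is not used.
             certificate.verify_certificate(certificate.TRUSTSTORE_TRANSPORT, certstr)
         except Exception as err:
             _log.error("Failed to verify the authentication servers certificate from storage, err={}".format(err))
             raise
     else:
         # Without this branch `certstr` would be unbound below and the
         # callback would die with UnboundLocalError instead of moving on.
         _log.error("No certificate found in storage for the authentication server, key={}".format(key))
     # NOTE(review): this is a substring match, so any CN that merely contains
     # "authserver" is accepted. Confirm the CA's naming policy makes that
     # sufficient, or compare against an exact or anchored name instead.
     if not value or "authserver" not in certificate.cert_CN(certstr):
         _log.error("The runtime IS NOT certified by the CA as an authentication server, let's try another one.")
         # NOTE(review): both lists default to None, so this path assumes the
         # caller always supplies them. Confirm at the call sites.
         auth_list_key.remove(key)
         auth_list.remove(value)
         self._find_auth_server_cb(key=auth_list_key, value=auth_list)
     else:
         _log.info("The runtime IS certified by the CA as an authentication server")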