def verify_entry(self, entry, metadata, data):
    """ Feed ``data`` to the external verifier command and fail closed.

    ``self.cmd`` is handed to ``self.exc.run`` with ``data`` as its
    ``inputdata``.  ``entry`` and ``metadata`` are accepted but not
    used here.

    Raises CfgVerificationError when the run reports failure (carrying
    ``result.error``) or when running the command raises OSError
    (carrying that exception).  Returns None on success.
    """
    # NOTE(review): whether self.exc.run goes through a shell is not
    # visible from this method -- confirm self.cmd is an argv list.
    try:
        outcome = self.exc.run(self.cmd, inputdata=data)
        if outcome.success:
            return
        raise CfgVerificationError(outcome.error)
    except OSError:
        # sys.exc_info() keeps the syntax usable on old interpreters
        launch_error = sys.exc_info()[1]
        raise CfgVerificationError(launch_error)
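def verify_entry(self, entry, metadata, data):
    """ Pipe ``data`` to the external verifier and require exit status 0.

    ``self.cmd`` is started with Popen (no ``shell=True``), ``data`` is
    written to its stdin, and its stderr is captured.  ``entry`` and
    ``metadata`` are accepted but not used here.

    Raises CfgVerificationError with the captured stderr when the
    command exits non-zero, and with an "Error running external command
    verifier" message when the command could not be started or talked
    to.  Returns None on success.
    """
    try:
        proc = Popen(self.cmd, stdin=PIPE, stdout=PIPE, stderr=PIPE)
        err = proc.communicate(input=data)[1]
    except Exception:
        # Only launch/communication failures are wrapped here.  A bare
        # ``except:`` would also trap KeyboardInterrupt/SystemExit and
        # would re-wrap the non-zero-exit error raised below, hiding the
        # verifier's own stderr behind a misleading "error running"
        # message.
        raise CfgVerificationError("Error running external command "
                                   "verifier: %s" % sys.exc_info()[1])
    # communicate() has already waited for the child, so returncode is set
    if proc.returncode != 0:
        raise CfgVerificationError(err)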
def _get_modulus(self, fname, ftype="x509"):
    """ Return the ``openssl <ftype> -noout -modulus`` output for a file.

    ``ftype`` is used as the openssl subcommand (``x509`` by default)
    and ``fname`` is passed as the value of ``-in``.  The command is
    built as an argument list and handed to ``self.cmd.run``; the full
    command line, including the path, is written to the debug log.

    Returns the command's stdout with surrounding whitespace stripped.
    Raises CfgVerificationError, carrying ``result.error``, when the
    run does not report success.
    """
    argv = ["openssl", ftype, "-noout", "-modulus", "-in", fname]
    self.debug_log("Cfg: Getting modulus of %s for verification: %s" %
                   (fname, " ".join(argv)))
    outcome = self.cmd.run(argv)
    if outcome.success:
        return outcome.stdout.strip()
    raise CfgVerificationError("Failed to get modulus of %s: %s" %
                               (fname, outcome.error))
def verify_cert_against_key(self, filename, keyfile):
    """ Check that a certificate belongs to the given private key.

    The modulus reported for the certificate (``x509``) is compared
    with the modulus reported for the key, which is always read with
    ``ftype="rsa"``.  A match is logged at debug level; a mismatch
    raises CfgVerificationError naming both files.  Errors raised by
    ``_get_modulus`` propagate unchanged.
    """
    cert_modulus = self._get_modulus(filename)
    key_modulus = self._get_modulus(keyfile, ftype="rsa")
    if cert_modulus != key_modulus:
        raise CfgVerificationError("%s failed verification against key %s"
                                   % (filename, keyfile))
    self.debug_log("Cfg: %s verified successfully against key %s" %
                   (filename, keyfile))
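def verify_cert_against_ca(self, filename, entry, metadata):
    """ check that a certificate validates against the ca cert,
    and that it has not expired.

    The CA is looked up from the ``ca`` attribute of the ``Cert``
    element matched for ``metadata`` (``"default"`` when absent), and
    ``openssl verify`` is run on ``filename`` with that CA's
    ``chaincert``.  Verification succeeds only when the command's
    stdout is exactly ``"<filename>: OK\\n"``; anything else raises
    CfgVerificationError carrying ``result.error``.  The exit status
    and ``result.success`` are not consulted.
    """
    cert = self.XMLMatch(metadata).find("Cert")
    ca = self.get_ca(cert.get("ca", "default"))
    chaincert = ca.get('chaincert')
    cmd = ["openssl", "verify"]
    is_root = ca.get('root_ca', "false").lower() == 'true'
    if is_root:
        # chaincert is the trust anchor itself
        cmd.append("-CAfile")
    else:
        # verifying based on an intermediate cert: chaincert is passed
        # as -untrusted, so this command line names no trust anchor.
        # NOTE(review): presumably the root then comes from openssl's
        # default trust store -- confirm that is the intended anchor.
        cmd.extend(["-purpose", "sslserver", "-untrusted"])
    cmd.extend([chaincert, filename])
    self.debug_log("Cfg: Verifying %s against CA" % entry.get("name"))
    result = self.cmd.run(cmd)
    # openssl reports success as "<file>: OK" for the file it was
    # given.  ``cert`` is the <Cert> element, not a path, so building
    # the expected line from it could never match (and fails on the
    # concatenation); the path passed to openssl is ``filename``.
    if result.stdout == filename + ": OK\n":
        self.debug_log("Cfg: %s verified successfully against CA" %
                       entry.get("name"))
    else:
        raise CfgVerificationError("%s failed verification against CA: %s"
                                   % (entry.get("name"), result.error))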
def verify_entry(self, entry, metadata, data):
    """ Pipe ``data`` to the external verifier and require exit status 0.

    ``self.cmd`` is started with Popen (no ``shell=True``) and ``data``
    is written to its stdin.  ``entry`` and ``metadata`` are accepted
    but not used here.

    Raises CfgVerificationError carrying the captured stderr when the
    command exits non-zero.  Returns None on success.
    """
    # NOTE: nothing here catches errors from Popen itself, so a verifier
    # that cannot be started surfaces as the underlying exception rather
    # than as CfgVerificationError.
    verifier = Popen(self.cmd, stdin=PIPE, stdout=PIPE, stderr=PIPE)
    _, stderr_text = verifier.communicate(input=data)
    if verifier.wait() != 0:
        raise CfgVerificationError(stderr_text)