Commit feaf1ebe authored by Julien Muchembled's avatar Julien Muchembled

CertificateAuthorityTool: fix cleanup and exception handling when generating or revoking certs

parent 9016d309
...@@ -27,6 +27,8 @@ ...@@ -27,6 +27,8 @@
# #
############################################################################## ##############################################################################
import glob, os, subprocess, sys
from AccessControl import ClassSecurityInfo from AccessControl import ClassSecurityInfo
from Products.ERP5Type.Globals import InitializeClass from Products.ERP5Type.Globals import InitializeClass
from Products.ERP5Type.Tool.BaseTool import BaseTool from Products.ERP5Type.Tool.BaseTool import BaseTool
...@@ -34,9 +36,6 @@ from Products.ERP5Type import Permissions ...@@ -34,9 +36,6 @@ from Products.ERP5Type import Permissions
from Products.PageTemplates.PageTemplateFile import PageTemplateFile from Products.PageTemplates.PageTemplateFile import PageTemplateFile
from zLOG import LOG, INFO from zLOG import LOG, INFO
import os
import subprocess
def popenCommunicate(command_list, input=None, **kwargs): def popenCommunicate(command_list, input=None, **kwargs):
kwargs.update(stdout=subprocess.PIPE, stderr=subprocess.STDOUT) kwargs.update(stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
popen = subprocess.Popen(command_list, **kwargs) popen = subprocess.Popen(command_list, **kwargs)
...@@ -216,14 +215,15 @@ class CertificateAuthorityTool(BaseTool): ...@@ -216,14 +215,15 @@ class CertificateAuthorityTool(BaseTool):
id=new_id, id=new_id,
common_name=common_name) common_name=common_name)
except: except:
e = sys.exc_info()
try: try:
for p in [key, csr, cert]: for p in key, csr, cert:
if os.path.exists(p): if os.path.exists(p):
os.unlink(p) os.unlink(p)
except: except:
# do not raise during cleanup # do not raise during cleanup
pass pass
raise raise e[0], e[1], e[2]
finally: finally:
self._unlockCertificateAuthority() self._unlockCertificateAuthority()
...@@ -241,26 +241,32 @@ class CertificateAuthorityTool(BaseTool): ...@@ -241,26 +241,32 @@ class CertificateAuthorityTool(BaseTool):
cert = os.path.join(self.certificate_authority_path, 'certs', cert = os.path.join(self.certificate_authority_path, 'certs',
serial.lower() + '.crt') serial.lower() + '.crt')
if not os.path.exists(cert): if not os.path.exists(cert):
raise ValueError('Certificate with serial %r does not exists' % serial) raise ValueError('Certificate with serial %r does not exist' % serial)
try: created = [crl]
popenCommunicate([self.openssl_binary, 'ca', '-config', popenCommunicate([self.openssl_binary, 'ca', '-config',
self.openssl_config, '-revoke', cert]) self.openssl_config, '-revoke', cert])
try:
popenCommunicate([self.openssl_binary, 'ca', '-config', popenCommunicate([self.openssl_binary, 'ca', '-config',
self.openssl_config, '-gencrl', '-out', crl]) self.openssl_config, '-gencrl', '-out', crl])
hash = popenCommunicate([self.openssl_binary, 'crl', '-noout', alias = os.path.join(crl_path, popenCommunicate([self.openssl_binary,
'-hash', '-in', crl]).strip() 'crl', '-noout', '-hash', '-in', crl]).strip() + '.')
previous_id = int(len([q for q in os.listdir(crl_path) if hash in q])) alias += str(len(glob.glob(alias + '*')))
os.symlink(crl, os.path.join(crl_path, '%s.%s' % (hash, previous_id))) created.append(alias)
os.symlink(crl, alias)
return dict(crl=open(crl).read()) return dict(crl=open(crl).read())
except: except:
e = sys.exc_info()
try: try:
for p in [crl]: for p in 'index.txt', 'crlnumber':
p = os.path.join(self.certificate_authority_path, p)
os.rename(p + '.old', p)
for p in created:
if os.path.exists(p): if os.path.exists(p):
os.unlink(p) os.unlink(p)
except: except:
# do not raise during cleanup # do not raise during cleanup
pass pass
raise raise e[0], e[1], e[2]
finally: finally:
self._unlockCertificateAuthority() self._unlockCertificateAuthority()
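Review bot: The `-revoke` call (the two lines after `created = [crl]`) now sits outside the `try:`/`except:`/`finally:` that follows it, so if it raises, the `finally: self._unlockCertificateAuthority()` at the end of the hunk never runs and the CA lock is left held — unless an outer try/finally above this hunk, not visible here, already covers it. Keeping the rollback for a failed CRL generation while restoring lock release is a one-line move: `created = [crl]` / `try:` / `popenCommunicate([self.openssl_binary, 'ca', '-config', self.openssl_config, '-revoke', cert])`. Separately, the rollback renames `crlnumber.old` over `crlnumber` even when `-gencrl` failed before rewriting it, in which case any `.old` file present is left over from an earlier run and the CRL number would silently regress, so the restore should only run for backups this call actually produced (e.g. compare their mtime against a timestamp taken before the openssl calls). The revoke method starts above the hunk.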