Commit 1387ff31 authored by Rafael Monnerat's avatar Rafael Monnerat

certificate_authority: Check user inputs certicate

  Ensure the certificates provided by the user actually valid and match, otherwise prevent it write bad certificates.
parent bc83e859
...@@ -27,8 +27,10 @@ ...@@ -27,8 +27,10 @@
import os import os
import hashlib import hashlib
import ConfigParser import ConfigParser
import tempfile
from slapos.recipe.librecipe import GenericBaseRecipe from slapos.recipe.librecipe import GenericBaseRecipe
from certificate_authority import popenCommunicate
class Recipe(GenericBaseRecipe): class Recipe(GenericBaseRecipe):
...@@ -114,6 +116,7 @@ class Request(Recipe): ...@@ -114,6 +116,7 @@ class Request(Recipe):
# XXX Ugly hack to quickly provide custom certificate/key to everyone using the recipe # XXX Ugly hack to quickly provide custom certificate/key to everyone using the recipe
if key_content and cert_content: if key_content and cert_content:
self._checkCertificateKeyConsistency(key_content, cert_content)
open(key, 'w').write(key_content) open(key, 'w').write(key_content)
open(certificate, 'w').write(cert_content) open(certificate, 'w').write(cert_content)
request_needed = False request_needed = False
...@@ -145,3 +148,48 @@ class Request(Recipe): ...@@ -145,3 +148,48 @@ class Request(Recipe):
path_list.append(wrapper) path_list.append(wrapper)
return path_list return path_list
def _checkCertificateKeyConsistency(self, key, certificate, ca=""):
openssl_binary = self.options.get('openssl-binary', 'openssl')
tmpdir = tempfile.mkdtemp()
with open(tmpdir + "/ca", "w") as f:
f.write(ca)
with open(tmpdir + "/key", "w") as f:
f.write(key)
with open(tmpdir + "/cert", "w") as f:
f.write(certificate)
try:
# Simple test if the user/certificates are readable and don't raise
popenCommunicate([openssl_binary, 'x509', '-noout', '-text', '-in', tmpdir + "/cert"])
popenCommunicate([openssl_binary, 'rsa', '-noout', '-text', '-in', tmpdir + "/key"])
# Get md5 to check if the key and certificate matches
modulus_cert = popenCommunicate([openssl_binary, 'x509', '-noout', '-modulus', '-in', tmpdir + "/cert"])
modulus_key = popenCommunicate([openssl_binary, 'rsa', '-noout', '-modulus', '-in', tmpdir + "/key"])
md5sum_cert = popenCommunicate([openssl_binary, 'md5'], modulus_cert)
md5sum_key = popenCommunicate([openssl_binary, 'md5'], modulus_key)
if md5sum_cert != md5sum_key:
raise ValueError("The key and certificate provided don't patch each other. Please check your parameters")
except:
try:
file_list = [tmpdir + "/ca", tmpdir + "/key", tmpdir + "/cert"]
for f in file_list:
if os.path.exists(f):
os.unlink(f)
if os.path.exists(tmpdir):
os.rmdir(tmpdir)
except:
# do not raise during cleanup
pass
raise
else:
pass
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment