From 4575d4c9942579a235eb7b46a726ddcd557a2edd Mon Sep 17 00:00:00 2001 From: John Eckersberg Date: Tue, 14 Apr 2009 09:16:23 -0400 Subject: [PATCH] Do not accept certificates that do not match our key. Usually this happens when a host is re-provisioned and you forget to run certmaster-ca --clean afterwards to remove the old cert on the certmaster. Instead of accepting the cert and throwing a key-mismatch exception, we log a useful hint to the log and to stderr. --- certmaster/certs.py | 15 +++++++++++++++ certmaster/utils.py | 7 +++++++ 2 files changed, 22 insertions(+) diff --git a/certmaster/certs.py b/certmaster/certs.py index 3d8d991..8a1db3a 100644 --- a/certmaster/certs.py +++ b/certmaster/certs.py @@ -137,3 +137,18 @@ def create_slave_certificate(csr, cakey, cacert, cadir, slave_cert_file=None): destfo.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert)) destfo.close() return cert + +def check_cert_key_match(cert, key): + if not isinstance(cert, crypto.X509Type): + cert = crypto.load_certificate(crypto.FILETYPE_PEM, cert) + if not isinstance(key, crypto.PKeyType): + key = crypto.load_privatekey(crypto.FILETYPE_PEM, key) + + from OpenSSL import SSL + context = SSL.Context(SSL.SSLv3_METHOD) + try: + context.use_certificate(cert) + context.use_privatekey(key) + return True + except: + return False diff --git a/certmaster/utils.py b/certmaster/utils.py index 76d5b4d..773b0eb 100644 --- a/certmaster/utils.py +++ b/certmaster/utils.py @@ -179,6 +179,13 @@ def create_minion_keys(): if result: # print "DEBUG: recieved certificate from certmaster" log.debug("received certificate from certmaster %s, storing to %s" % (master_uri, cert_file)) + if not keypair: + keypair = certs.retrieve_key_from_file(key_file) + valid = certs.check_cert_key_match(cert_string, keypair) + if not valid: + log.info("certificate does not match key (run certmaster-ca --clean first?)") + sys.stderr.write("certificate does not match key (run certmaster-ca --clean first?)\n") + return cert_fd = os.open(cert_file, os.O_RDWR|os.O_CREAT, 0644) os.write(cert_fd, cert_string) os.close(cert_fd) -- 2.39.5