projects / certmaster.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Do not accept certificates that do not match our key.
[certmaster.git] / certmaster / utils.py
diff --git a/certmaster/utils.py b/certmaster/utils.py
index 76d5b4d..773b0eb 100644 (file)
--- a/certmaster/utils.py
+++ b/certmaster/utils.py
@@ -179,6 +179,13 @@ def create_minion_keys():
     if result:
         # print "DEBUG: recieved certificate from certmaster"
         log.debug("received certificate from certmaster %s, storing to %s" % (master_uri, cert_file))
+        if not keypair:
+            keypair = certs.retrieve_key_from_file(key_file)
+        valid = certs.check_cert_key_match(cert_string, keypair)
+        if not valid:
+            log.info("certificate does not match key (run certmaster-ca --clean first?)")
+            sys.stderr.write("certificate does not match key (run certmaster-ca --clean first?)\n")
+            return
         cert_fd = os.open(cert_file, os.O_RDWR|os.O_CREAT, 0644)
         os.write(cert_fd, cert_string)
         os.close(cert_fd)
Fedora's certmaster (https://fedorahosted.org/certmaster/) with multiple CA support