Do not accept certificates that do not match our key.
[certmaster.git] / certmaster / utils.py
old mode 100755 (executable)
new mode 100644 (file)
index ecebad6..773b0eb
@@ -107,45 +107,17 @@ def get_hostname(talk_to_certmaster=True):
     up the hostname for that. 
     """
     # FIXME: this code ignores http proxies (which granted, we don't
-    #      support elsewhere either. It also hardcodes the port number
-    #      for the certmaster for now
+    #      support elsewhere either. 
     hostname = None
     hostname = socket.gethostname()
     # print "DEBUG: HOSTNAME TRY1: %s" % hostname
     try:
         ip = socket.gethostbyname(hostname)
-        # print "DEBUG: IP TRY2: %s" % ip
     except:
-        # print "DEBUG: ERROR: returning"
         return hostname
     if ip != "127.0.0.1":
-        # print "DEBUG: ERROR: returning 2"
         return hostname
 
-    if talk_to_certmaster:
-        config_file = '/etc/certmaster/minion.conf'
-        config = read_config(config_file, MinionConfig)
-
-        server = config.certmaster
-        port = 51235
-
-        try:
-            s = socket.socket()
-            s.settimeout(5)
-            s.connect((server, port))
-            (intf, port) = s.getsockname()
-            remote_hostname = socket.gethostbyaddr(intf)[0]
-            if remote_hostname != "localhost":
-               hostname = remote_hostname
-               # print "DEBUG: HOSTNAME FROM CERTMASTER == %s" % hostname
-            s.close()
-        except:
-            s.close()
-            raise
-
-    # print "DEBUG: final hostname=%s" % hostname
-    return hostname
-    
 
 # FIXME: move to requestor module and also create a verbose mode
 # prints to the screen for usage by /usr/bin/certmaster-request
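Review bot: get_hostname() now returns None whenever the local name resolves to 127.0.0.1: the hunk drops the trailing `return hostname` together with the certmaster probe, so after the `if ip != "127.0.0.1"` check on the new side the function falls off the end, and `hn = get_hostname()` in create_minion_keys receives None instead of a name. Add `return hostname` after the loopback check (or as the function's last statement). The `talk_to_certmaster` parameter in the signature is now unused; either remove it or say so in the docstring, which starts above this hunk. The bare `except:` around gethostbyname also catches KeyboardInterrupt and SystemExit; `except socket.error:` is the narrow form for a name-lookup failure.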
@@ -155,7 +127,7 @@ def create_minion_keys():
     config_file = '/etc/certmaster/minion.conf'
     config = read_config(config_file, MinionConfig)
     cert_dir = config.cert_dir
-    master_uri = 'http://%s:51235/' % config.certmaster
+    master_uri = 'http://%s:%s/' % (config.certmaster, config.certmaster_port)
     # print "DEBUG: acquiring hostname"
     hn = get_hostname()
     # print "DEBUG: hostname = %s\n" % hn
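Review bot: `config.certmaster_port` replaces the hard-coded 51235 with no visible fallback; if MinionConfig, defined elsewhere, does not declare a default for certmaster_port, an existing minion.conf that lacks the setting would now raise AttributeError at the `master_uri` line rather than keep working. Worth confirming that a default is declared with the option and that the value is an int or digit string, so the `%s` substitution cannot yield a malformed URI. create_minion_keys continues outside the hunk.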
@@ -207,6 +179,13 @@ def create_minion_keys():
     if result:
         # print "DEBUG: recieved certificate from certmaster"
         log.debug("received certificate from certmaster %s, storing to %s" % (master_uri, cert_file))
+        if not keypair:
+            keypair = certs.retrieve_key_from_file(key_file)
+        valid = certs.check_cert_key_match(cert_string, keypair)
+        if not valid:
+            log.info("certificate does not match key (run certmaster-ca --clean first?)")
+            sys.stderr.write("certificate does not match key (run certmaster-ca --clean first?)\n")
+            return
         cert_fd = os.open(cert_file, os.O_RDWR|os.O_CREAT, 0644)
         os.write(cert_fd, cert_string)
         os.close(cert_fd)
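Review bot: The key-mismatch branch is a hard failure but is logged at info level and leaves through a bare `return`, so a caller cannot tell "certificate refused" from the normal path; a refused certificate belongs at error level, `log.error("certificate does not match key (run certmaster-ca --clean first?)")`, and the branch should return a distinct value or raise so callers and wrapper scripts can react. The check is correctly placed before the `os.open`/`os.write`, so a mismatching certificate is never persisted, though a cert_file already on disk from an earlier run is left as is. Note that check_cert_key_match establishes only that the certificate's public key matches `keypair`, not who issued it. create_minion_keys starts before this hunk and its return convention is not visible here.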
@@ -235,7 +214,7 @@ def run_triggers(ref, globber):
                 # in the triggers directory
                 continue
             if ref:
-                rc = sub_process.call([file, ref.name], shell=False)
+                rc = sub_process.call([file, ref], shell=False)
             else:
                 rc = sub_process.call([file], shell=False)
         except:
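Review bot: `ref` is now passed to sub_process.call as an argv element in place of `ref.name`, so every caller of run_triggers must hand in a string; any other type raises TypeError inside the try, and the bare `except:` on the last line swallows it with everything else, so a broken trigger invocation would go unreported. Narrow the handler to the failure it is meant to absorb, e.g. `except OSError:`, or re-raise anything unexpected. The list form with shell=False is retained, which is the right way to pass a caller-supplied value to a trigger. run_triggers starts before this hunk and the except body ends after it.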