X-Git-Url: https://pwan.org/git/?p=certmaster.git;a=blobdiff_plain;f=certmaster%2Fcertmaster.py;h=7f62a5297be1820f69cac76d14f516da115c51e5;hp=36f2bc49da2e091d69244d844f76def05b91c3f3;hb=8c1e7ce1f1b146ba794779ccad8816baea16d64a;hpb=240ba9b7e2ee00a8f6014c7d597a5afd1f96249c

diff --git a/certmaster/certmaster.py b/certmaster/certmaster.py
index 36f2bc4..7f62a52 100644
--- a/certmaster/certmaster.py
+++ b/certmaster/certmaster.py
@@ -21,6 +21,8 @@ import sys
 import traceback
 import os
 import os.path
+import warnings
+import xmlrpclib
 from OpenSSL import crypto
 
 try:
@@ -32,6 +34,8 @@ except ImportError:
         @staticmethod
         def new(algo):
             if algo == 'sha1':
+                # TODO: jude: was warnings even available in 2.4 ?
+                warnings.warn("sha1 is deprecated", DeprecationWarning)
                 return sha.new()
             raise ValueError, "Bad checksum type"
 
@@ -82,7 +86,7 @@ class CertMaster(object):
                 if not os.path.exists(s_cadir):
                     os.makedirs(s_cadir)
                 if not os.path.exists(s_ca_key_file) and not os.path.exists(s_ca_cert_file):
-                    certs.create_ca(CN=mycn, ca_key_file=s_ca_key_file, ca_cert_file=s_ca_cert_file)
+                    certs.create_ca(CN=mycn, ca_key_file=s_ca_key_file, ca_cert_file=s_ca_cert_file, hash_function=a_ca.hash_function)
             except (IOError, OSError), e:
                 print 'Cannot make certmaster certificate authority keys/certs for CA %s, aborting: %s' % (s_caname, e)
                 sys.exit(1)
@@ -120,20 +124,33 @@ class CertMaster(object):
     def wait_for_cert(self, csrbuf, ca_name, with_triggers=True):
         """
            takes csr as a string
-           returns True, caller_cert, ca_cert
-           returns False, '', ''
+           returns True, caller_cert, ca_cert, warning
+           returns False, '', '', ''
         """
 
         try:
             certauth = self.cfg.ca[ca_name]
         except:
+            self.logger.info("Unknown cert authority: %s " % (ca_name))
             raise codes.CMException("Unknown cert authority: %s" % ca_name)
 
         try:
             csrreq = crypto.load_certificate_request(crypto.FILETYPE_PEM, csrbuf)
         except crypto.Error, e:
+            self.logger.info("crypto error: %s " % (e))
             #XXX need to raise a fault here and document it - but false is just as good
-            return False, '', ''
+            return False, '', '', ''
+
+        ret_warning = ''
+        if certauth.hash_function == "md5":
+            ca_suffix = ''
+            if ca_name != '':
+               ca_suffix = ': ' + ca_name
+            fault = "md5 hash function is unsupported%s" % ca_suffix
+            self.logger.error(fault)
+            raise xmlrpclib.Fault(1001,fault)
+        elif certauth.hash_function == "sha1":
+            ret_warning = "Deprecated hash function of sha1: %s\n" % ca_name
 
         requesting_host = self._sanitize_cn(csrreq.get_subject().CN)
 
@@ -153,16 +170,16 @@ class CertMaster(object):
         if os.path.exists(csrfile):
             oldfo = open(csrfile)
             oldcsrbuf = oldfo.read()
-            oldsha = hashlib.new('sha1')
+            oldsha = hashlib.new(certauth.hash_function)
             oldsha.update(oldcsrbuf)
             olddig = oldsha.hexdigest()
-            newsha = hashlib.new('sha1')
+            newsha = hashlib.new(certauth.hash_function)
             newsha.update(csrbuf)
             newdig = newsha.hexdigest()
             if not newdig == olddig:
                 self.logger.info("A cert for %s already exists and does not match the requesting cert" % (requesting_host))
                 # XXX raise a proper fault
-            return False, '', ''
+            return False, '', '', ret_warning
 
 
         # look for a cert:
@@ -173,7 +190,7 @@ class CertMaster(object):
             cacert_buf = crypto.dump_certificate(crypto.FILETYPE_PEM, certauth.cacert)
             if with_triggers:
                 self._run_triggers(requesting_host,'/var/lib/certmaster/triggers/request/post/*')
-            return True, cert_buf, cacert_buf
+            return True, cert_buf, cacert_buf, ret_warning
 
         # if we don't have a cert then:
         # if we're autosign then sign it, write out the cert and return True, etc, etc
@@ -187,7 +204,7 @@ class CertMaster(object):
             self.logger.info("cert for %s for ca %s was autosigned" % (requesting_host,ca_name))
             if with_triggers:
                 self._run_triggers(None,'/var/lib/certmaster/triggers/request/post/*')
-            return True, cert_buf, cacert_buf
+            return True, cert_buf, cacert_buf, ret_warning
 
         else:
             # write the csr out to a file to be dealt with by the admin
@@ -198,9 +215,9 @@ class CertMaster(object):
             self.logger.info("cert for %s for CA %s created and ready to be signed" % (requesting_host, ca_name))
             if with_triggers:
                 self._run_triggers(None,'/var/lib/certmaster/triggers/request/post/*')
-            return False, '', ''
+            return False, '', '', ret_warning
 
-        return False, '', ''
+        return False, '', '', ret_warning
 
     def get_csrs_waiting(self, certauth):
         hosts = []
@@ -268,7 +285,7 @@ class CertMaster(object):
 
         certfile = '%s/%s.cert' % (certauth.certroot, requesting_host)
         self.logger.info("Signing for csr %s requested" % certfile)
-        thiscert = certs.create_slave_certificate(csrreq, certauth.cakey, certauth.cacert, certauth.cadir)
+        thiscert = certs.create_slave_certificate(csrreq, certauth.cakey, certauth.cacert, certauth.cadir, hash_function=certauth.hash_function)
 
         destfo = open(certfile, 'w')
         destfo.write(crypto.dump_certificate(crypto.FILETYPE_PEM, thiscert))