Do not accept certificates that do not match our key.
authorJohn Eckersberg <jeckersb@redhat.com>
Tue, 14 Apr 2009 13:16:23 +0000 (09:16 -0400)
committerAdrian Likins <alikins@redhat.com>
Tue, 14 Apr 2009 15:29:06 +0000 (11:29 -0400)
Usually this happens when a host is re-provisioned and you forget to
run certmaster-ca --clean afterwards to remove the old cert on the
certmaster.

Instead of accepting the cert and throwing a key-mismatch exception,
we log a useful hint to the log and to stderr.

certmaster/certs.py
certmaster/utils.py

index 3d8d991..8a1db3a 100644 (file)
@@ -137,3 +137,18 @@ def create_slave_certificate(csr, cakey, cacert, cadir, slave_cert_file=None):
         destfo.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
         destfo.close()
     return cert
+
+def check_cert_key_match(cert, key):
+    if not isinstance(cert, crypto.X509Type):
+        cert = crypto.load_certificate(crypto.FILETYPE_PEM, cert)
+    if not isinstance(key, crypto.PKeyType):
+        key = crypto.load_privatekey(crypto.FILETYPE_PEM, key)
+
+    from OpenSSL import SSL
+    context = SSL.Context(SSL.SSLv3_METHOD)
+    try:
+        context.use_certificate(cert)
+        context.use_privatekey(key)
+        return True
+    except:
+        return False
index 76d5b4d..773b0eb 100644 (file)
@@ -179,6 +179,13 @@ def create_minion_keys():
     if result:
         # print "DEBUG: recieved certificate from certmaster"
         log.debug("received certificate from certmaster %s, storing to %s" % (master_uri, cert_file))
+        if not keypair:
+            keypair = certs.retrieve_key_from_file(key_file)
+        valid = certs.check_cert_key_match(cert_string, keypair)
+        if not valid:
+            log.info("certificate does not match key (run certmaster-ca --clean first?)")
+            sys.stderr.write("certificate does not match key (run certmaster-ca --clean first?)\n")
+            return
         cert_fd = os.open(cert_file, os.O_RDWR|os.O_CREAT, 0644)
         os.write(cert_fd, cert_string)
         os.close(cert_fd)