-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Attached is a patch which prevents a minion from accepting a certificate from its certmaster for which it lacks the key. The most likely scenario for this is re-provisioning a host and forgetting to run certmaster-ca --clean before re-registering it. Previously the host would accept its old certificate and then throw a key-mismatch exception when trying to unlock it with the wrong key. Also the host would be stuck in this state until the administrator manually removed the old certificate from the minion. Now, if a certificate that cannot be unlocked with the local key is presented, we will log a recommendation to run `certmaster-ca --clean` to stderr and to the log file and bail. The patch is also available here: git://fedorapeople.org/~jeckersb/certmaster.git branch: master hash: a7ef6a80e8299dbbadb1d08a816b5a2b6110b739 - -- John Eckersberg Software Applications Engineer IT Engineering Support Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAknkkIwACgkQdxt4pd4ztYuwIgCgnHVDRMMjSELzBTHW2MZpEO52 PLsAnRQx0SyX8lB2hQwMlb8T7IGuxkj5 =4BOL -----END PGP SIGNATURE-----
>From a7ef6a80e8299dbbadb1d08a816b5a2b6110b739 Mon Sep 17 00:00:00 2001
From: John Eckersberg <jeckersb@xxxxxxxxxx>
Date: Tue, 14 Apr 2009 09:16:23 -0400
Subject: [PATCH] Do not accept certificates that do not match our key.

Usually this happens when a host is re-provisioned and you forget to run certmaster-ca --clean afterwards to remove the old cert on the certmaster. Instead of accepting the cert and throwing a key-mismatch exception, we log a useful hint to the log and to stderr.
---
 certmaster/certs.py | 15 +++++++++++++++
 certmaster/utils.py | 7 +++++++
 2 files changed, 22 insertions(+), 0 deletions(-)

diff --git a/certmaster/certs.py b/certmaster/certs.py
index 3d8d991..8a1db3a 100644
--- a/certmaster/certs.py
+++ b/certmaster/certs.py
@@ -137,3 +137,18 @@ def create_slave_certificate(csr, cakey, cacert, cadir, slave_cert_file=None):
 destfo.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
 destfo.close()
 return cert
+
+def check_cert_key_match(cert, key):
+ if not isinstance(cert, crypto.X509Type):
+ cert = crypto.load_certificate(crypto.FILETYPE_PEM, cert)
+ if not isinstance(key, crypto.PKeyType):
+ key = crypto.load_privatekey(crypto.FILETYPE_PEM, key)
+
+ from OpenSSL import SSL
+ context = SSL.Context(SSL.SSLv3_METHOD)
+ try:
+ context.use_certificate(cert)
+ context.use_privatekey(key)
+ return True
+ except:
+ return False
diff --git a/certmaster/utils.py b/certmaster/utils.py
index 76d5b4d..773b0eb 100644
--- a/certmaster/utils.py
+++ b/certmaster/utils.py
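Review bot: The bare `except:` in check_cert_key_match reports any failure inside the try block as a key mismatch, including exceptions unrelated to the certificate/key pairing (and it also swallows KeyboardInterrupt/SystemExit), so an operator chasing the "run certmaster-ca --clean" hint may actually be looking at a broken OpenSSL setup; narrow it to `except SSL.Error:` so genuine errors still surface. The context is only a vehicle for the key comparison, so pinning it to `SSL.SSLv3_METHOD` ties the check to SSLv3 being compiled into the local OpenSSL for no benefit — `SSL.Context(SSL.TLSv1_METHOD)` (or the SSLv23 method) does the same job; whether the Context constructor raises when SSLv3 is absent depends on the installed build, so treat that as something to confirm. The function also has no docstring; a short one stating that it returns True only when the private key corresponds to the certificate's public key, and that either argument may be a PEM string or an already-loaded object, would help the caller in utils.py.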
@@ -179,6 +179,13 @@ def create_minion_keys():
 if result:
 # print "DEBUG: recieved certificate from certmaster"
 log.debug("received certificate from certmaster %s, storing to %s" % (master_uri, cert_file))
+ if not keypair:
+ keypair = certs.retrieve_key_from_file(key_file)
+ valid = certs.check_cert_key_match(cert_string, keypair)
+ if not valid:
+ log.info("certificate does not match key (run certmaster-ca --clean first?)")
+ sys.stderr.write("certificate does not match key (run certmaster-ca --clean first?)\n")
+ return
 cert_fd = os.open(cert_file, os.O_RDWR|os.O_CREAT, 0644)
 os.write(cert_fd, cert_string)
 os.close(cert_fd)
--
1.6.0.6
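Review bot: The mismatch is a hard failure — the new branch returns without storing the certificate and the minion stays unprovisioned — yet it is logged at `log.info`, where a default log level can drop it and where it will not stand out to anyone monitoring the log; use `log.error("certificate does not match key (run certmaster-ca --clean first?)")`. The hint string is duplicated between the log call and the stderr write; bind it once, e.g. `msg = "certificate does not match key (run certmaster-ca --clean first?)"`, and use it in both. The branch relies on `sys` being imported at the top of utils.py, which is not visible in this hunk and worth confirming before merging. create_minion_keys starts outside the hunk and may continue past its last line.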