[PATCH] [certmaster] Do not accept certificates that do not match our key

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Attached is a patch which prevents a minion from accepting a certificate
from its certmaster which it lacks the key for.

The most likely scenario for this is re-provisioning a host and
forgetting to run certmaster-ca --clean before re-registering it.

Previously the host would accept its old certificate and then throw a
key-mismatch exception when trying to unlock it with the wrong key.
Also the host would be stuck in this state until the administrator
manually removed the old certificate from the minion.

Now, if an unlockable certificate is presented, we will log a
recommendation to run `certmaster-ca --clean` to stderr and to the log
file and bail.

The patch is also available here:

git://fedorapeople.org/~jeckersb/certmaster.git
branch: master
hash: a7ef6a80e8299dbbadb1d08a816b5a2b6110b739

--
John Eckersberg
Software Applications Engineer
IT Engineering Support
Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAknkkIwACgkQdxt4pd4ztYuwIgCgnHVDRMMjSELzBTHW2MZpEO52
PLsAnRQx0SyX8lB2hQwMlb8T7IGuxkj5
=4BOL
-----END PGP SIGNATURE-----
From a7ef6a80e8299dbbadb1d08a816b5a2b6110b739 Mon Sep 17 00:00:00 2001
From: John Eckersberg <jeckersb@xxxxxxxxxx>
Date: Tue, 14 Apr 2009 09:16:23 -0400
Subject: [PATCH] Do not accept certificates that do not match our key.

Usually this happens when a host is re-provisioned and you forget to
run certmaster-ca --clean afterwards to remove the old cert on the
certmaster.

Instead of accepting the cert and throwing a key-mismatch exception,
we log a useful hint to the log and to stderr.
---
 certmaster/certs.py |   15 +++++++++++++++
 certmaster/utils.py |    7 +++++++
 2 files changed, 22 insertions(+), 0 deletions(-)

diff --git a/certmaster/certs.py b/certmaster/certs.py
index 3d8d991..8a1db3a 100644
--- a/certmaster/certs.py
+++ b/certmaster/certs.py
@@ -137,3 +137,18 @@ def create_slave_certificate(csr, cakey, cacert, cadir, slave_cert_file=None):
         destfo.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
         destfo.close()
     return cert
+
+def check_cert_key_match(cert, key):
+    if not isinstance(cert, crypto.X509Type):
+        cert = crypto.load_certificate(crypto.FILETYPE_PEM, cert)
+    if not isinstance(key, crypto.PKeyType):
+        key = crypto.load_privatekey(crypto.FILETYPE_PEM, key)
+
+    from OpenSSL import SSL
+    context = SSL.Context(SSL.SSLv3_METHOD)
+    try:
+        context.use_certificate(cert)
+        context.use_privatekey(key)
+        return True
+    except:
+        return False
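Review bot: the bare `except:` in check_cert_key_match hides more than a key mismatch: it also swallows KeyboardInterrupt and any unrelated failure inside use_certificate/use_privatekey, so every error becomes a silent "does not match" and the hint printed by the caller may be wrong. Catch the specific exception (`except SSL.Error:`) so genuine mismatches return False and anything else propagates. Two smaller points: `SSL.SSLv3_METHOD` is only used to get a context object and is disabled in some OpenSSL builds, so `SSL.TLSv1_METHOD` is a safer choice for the same purpose (no handshake is ever performed here); and `from OpenSSL import SSL` belongs at module top next to the existing `crypto` import rather than inside the function. A one-line docstring stating that the function returns True iff the private key matches the certificate's public key would also help, since "valid" in the caller suggests a broader check than is actually performed.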
diff --git a/certmaster/utils.py b/certmaster/utils.py
index 76d5b4d..773b0eb 100644
--- a/certmaster/utils.py
+++ b/certmaster/utils.py
@@ -179,6 +179,13 @@ def create_minion_keys():
     if result:
         # print "DEBUG: recieved certificate from certmaster"
         log.debug("received certificate from certmaster %s, storing to %s" % (master_uri, cert_file))
+        if not keypair:
+            keypair = certs.retrieve_key_from_file(key_file)
+        valid = certs.check_cert_key_match(cert_string, keypair)
+        if not valid:
+            log.info("certificate does not match key (run certmaster-ca --clean first?)")
+            sys.stderr.write("certificate does not match key (run certmaster-ca --clean first?)\n")
+            return
         cert_fd = os.open(cert_file, os.O_RDWR|os.O_CREAT, 0644)
         os.write(cert_fd, cert_string)
         os.close(cert_fd)
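Review bot: the mismatch branch is a hard failure that aborts create_minion_keys, yet it is logged at `log.info`; use `log.error` (or at least `log.warning`) so it is not filtered out at the default level and shows up when an operator searches the log for why the minion has no cert. The message string is also duplicated between the log call and `sys.stderr.write`; assign it once to a local and use it in both. The bare `return` makes the failure indistinguishable from success for any caller of create_minion_keys; consider a distinct return value or an exception so callers can react, and confirm that `sys` and `certs` are already imported in utils.py since the new lines depend on both. On the positive side, doing the check before the `os.open(cert_file, ...)` write is the right order: the stale certificate never reaches disk, so the minion is not left in the stuck state described in the cover letter.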
-- 
1.6.0.6

_______________________________________________
Func-list mailing list
Func-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/func-list