Commit a8b3b09d authored by Michael Hanselmann's avatar Michael Hanselmann

Factorize SSL context setup for certificate check



This code will also be used by the node daemon setup utility.
Signed-off-by: default avatarMichael Hanselmann <hansmi@google.com>
Reviewed-by: default avatarHelga Velroyen <helgav@google.com>
parent e055a2ab
......@@ -130,11 +130,9 @@ def _VerifyCertificate(cert, _noded_cert_file=pathutils.NODED_CERT_FILE):
raise errors.X509CertError(_noded_cert_file,
"Unable to load private key: %s" % err)
ctx = OpenSSL.SSL.Context(OpenSSL.SSL.TLSv1_METHOD)
ctx.use_privatekey(key)
ctx.use_certificate(cert)
check_fn = utils.PrepareX509CertKeyCheck(cert, key)
try:
ctx.check_privatekey()
check_fn()
except OpenSSL.SSL.Error:
raise JoinError("Given cluster certificate does not match local key")
......
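Review bot: The call `check_fn = utils.PrepareX509CertKeyCheck(cert, key)` sits outside the `try`, so a failure while loading the pair into the SSL context (the helper's `use_certificate`/`use_privatekey` calls can raise `OpenSSL.SSL.Error` themselves, e.g. for a key the context rejects) would escape as a raw OpenSSL error instead of the `JoinError` the block otherwise reports; the previous code had the same shape, but the factoring is a good moment to move that line inside the `try`. Since the helper is now called through `utils`, a one-line comment saying what is actually verified would help the reader: `# Only checks that the private key matches the certificate's public key; validity period and signature chain are not checked here`. `_VerifyCertificate` begins before the hunk, so whether other checks run earlier in the function cannot be confirmed from this view.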
......@@ -319,3 +319,22 @@ def ExtractX509Certificate(pem):
return (cert,
OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_PEM, cert))
def PrepareX509CertKeyCheck(cert, key):
"""Get function for verifying certificate with a certain private key.
@type key: OpenSSL.crypto.PKey
@param key: Private key object
@type cert: OpenSSL.crypto.X509
@param cert: X509 certificate object
@rtype: callable
@return: Callable doing the actual check; will raise C{OpenSSL.SSL.Error} if
certificate is not signed by given private key
"""
ctx = OpenSSL.SSL.Context(OpenSSL.SSL.TLSv1_METHOD)
ctx.use_certificate(cert)
ctx.use_privatekey(key)
return ctx.check_privatekey
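Review bot: The docstring's return description overstates what `check_privatekey` does: it verifies that the private key corresponds to the public key embedded in the certificate, not that the certificate was signed by that key (for a self-signed certificate the two coincide, but a CA-issued certificate would still pass). Suggested wording: `@return: Callable doing the actual check; will raise C{OpenSSL.SSL.Error} if the private key does not match the certificate's public key`. The `@param` entries are also listed in the order `key`, `cert` while the signature is `(cert, key)`; reordering them avoids confusion. A short comment on the context line would make the intent clear, e.g. `# The context is only used for check_privatekey; no connection is made, so the protocol method is irrelevant`.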