mgr/dashboard: Manager should complain about wrong dashboard certificate

Fixes: https://tracker.ceph.com/issues/24453 Signed-off-by: Volker Theile <vtheile@suse.com> (cherry picked from commit a9ba5ba)
ceph · Apr 24, 2019 · d623654 · d623654
1 parent 7f220e2
commit d623654
Showing 1 changed file with 34 additions and 1 deletion.
diff --git a/src/pybind/mgr/dashboard/module.py b/src/pybind/mgr/dashboard/module.py
@@ -13,7 +13,7 @@
 import threading
 import time
 from uuid import uuid4
-from OpenSSL import crypto
+from OpenSSL import crypto, SSL
 from mgr_module import MgrModule, MgrStandbyModule, Option
 
 try:
@@ -103,6 +103,7 @@ class CherryPyConfig(object):
     Class for common server configuration done by both active and
     standby module, especially setting up SSL.
     """
+
     def __init__(self):
         self._stopping = threading.Event()
         self._url_prefix = ""
@@ -117,6 +118,7 @@ def shutdown(self):
     def url_prefix(self):
         return self._url_prefix
 
+    # pylint: disable=too-many-branches
     def _configure(self):
         """
         Configure CherryPy and initialize self.url_prefix
@@ -195,6 +197,37 @@ def _configure(self):
             if not os.path.isfile(pkey_fname):
                 raise ServerConfigException('private key %s does not exist' % pkey_fname)
 
+            # Do some validations to the private key and certificate:
+            # - Check the type and format
+            # - Check the certificate expiration date
+            # - Check the consistency of the private key
+            # - Check that the private key and certificate match up
+            try:
+                with open(cert_fname) as f:
+                    x509 = crypto.load_certificate(crypto.FILETYPE_PEM, f.read())
+                    if x509.has_expired():
+                        self.log.warning(
+                            'Certificate {} has been expired'.format(cert_fname))
+            except (ValueError, crypto.Error) as e:
+                raise ServerConfigException(
+                    'Invalid certificate {}: {}'.format(cert_fname, str(e)))
+            try:
+                with open(pkey_fname) as f:
+                    pkey = crypto.load_privatekey(crypto.FILETYPE_PEM, f.read())
+                    pkey.check()
+            except (ValueError, crypto.Error) as e:
+                raise ServerConfigException(
+                    'Invalid private key {}: {}'.format(pkey_fname, str(e)))
+            try:
+                context = SSL.Context(SSL.TLSv1_METHOD)
+                context.use_certificate_file(cert_fname, crypto.FILETYPE_PEM)
+                context.use_privatekey_file(pkey_fname, crypto.FILETYPE_PEM)
+                context.check_privatekey()
+            except crypto.Error as e:
+                self.log.warning(
+                    'Private key {} and certificate {} do not match up: {}'.format(
+                        pkey_fname, cert_fname, str(e)))
+
             config['server.ssl_module'] = 'builtin'
             config['server.ssl_certificate'] = cert_fname
             config['server.ssl_private_key'] = pkey_fname