This repository has been archived by the owner on Jan 4, 2021. It is now read-only.

(#518) valid_certificate?: use OpenSSL::X509::Store for checking certificates

Instead of OpenSSL::X509::Certificate, as Store allows for validation
against a CA bundle, which is required when you roll a new CA certificate.

Closes #518
Mateusz Gozdek committed Jul 11, 2018
1 parent 5100cd4 commit 6b357d7
Showing 1 changed file with 5 additions and 5 deletions.
10 changes: 5 additions & 5 deletions lib/mcollective/util/choria.rb
@@ -343,18 +343,18 @@ def valid_certificate?(pubcert, log=true)
return false unless incoming

begin
ca = OpenSSL::X509::Certificate.new(File.read(ca_path))
rescue OpenSSL::X509::CertificateError
ca = OpenSSL::X509::Store.new.add_file(ca_path)
rescue OpenSSL::X509::StoreError
Log.warn("Failed to load CA from %s: %s: %s" % [ca_path, $!.class, $!.to_s]) if log
raise
end

unless incoming.issuer.to_s == ca.subject.to_s && incoming.verify(ca.public_key)
Log.warn("Failed to verify certificate %s against CA %s in %s" % [incoming.subject.to_s, ca.subject.to_s, ca_path]) if log
unless ca.verify(incoming)
Log.warn("Failed to verify certificate %s against CA %s in %s" % [incoming.subject.to_s, incoming.issuer.to_s, ca_path]) if log
return false
end

Log.debug("Verified certificate %s against CA %s" % [incoming.subject.to_s, ca.subject.to_s]) if log
Log.debug("Verified certificate %s against CA %s" % [incoming.subject.to_s, incoming.issuer.to_s]) if log

cn_parts = incoming.subject.to_a.select {|c| c[0] == "CN"}.flatten
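Review bot: the failure branch of the new `unless ca.verify(incoming)` block drops the reason the chain check failed. `Store#verify` can now reject for several distinct reasons (issuer not present in the bundle, certificate expired or not yet valid, bad signature), and the warning no longer distinguishes them; include `ca.error_string` in the message, e.g. `Log.warn("Failed to verify certificate %s against CA %s in %s: %s" % [incoming.subject.to_s, incoming.issuer.to_s, ca_path, ca.error_string]) if log`. Also note that `incoming.issuer.to_s` in both the warning and the debug line is the certificate's self-declared issuer, not the bundle entry that actually verified it, so it should be read as a label rather than as confirmation of which CA matched. The rest of the change is sound: `Store.new` without `set_default_paths` keeps trust limited to the certificates in `ca_path`, and `add_file` returns the store, so the assignment to `ca` works.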

