Hi all,

First, and most of you have probably noticed this, I've merged in my  
new SSL code.  It's currently supplemental to all of the existing SSL  
code, but it should be about 99% complete in replacing it.  I'll  
probably actually use it in the XMLRPC code at some point, but for  
now, they're going to operate in parallel.  I'll send a summary email  
about this in a few minutes.

This is generally directed at David Lutterkort, since he did all of  
the original CRL work, but I'd appreciate help from anyone who might  
be able to provide it.

I've added a 'verify' method to the new certificate authority, and the  
idea is that you could use puppetca to verify any cert.  This verify  
method works when the cert doesn't match the provided CA cert, but I  
can't get it to fail when I've revoked the certificate.

The code looks like this:

     # Verify a given host's certificate.
     def verify(name)
         unless cert = Puppet::SSL::Certificate.find(name)
             raise ArgumentError, "Could not find a certificate for %s" % name
         end
         store = OpenSSL::X509::Store.new
         store.add_file Puppet[:cacert]
         store.add_crl crl.content if self.crl
         store.purpose = OpenSSL::X509::PURPOSE_SSL_CLIENT

         unless store.verify(cert.content)
             raise "Certificate for %s failed verification" % name
         end
     end

Basically, I create this X509::Store, add the CA file, add the CRL,  
and then set the purpose.

AFAIK, this 'verify' method should fail if the CRL says that this cert  
has been revoked, but that doesn't appear to be the case.

I've tried changing the purpose around, but to no avail.

This isn't required or anything, but it'd be nice to have.  Anyone  
have any ideas?

-- 
Do you realize if it weren't for Edison we'd be watching TV by
candlelight? -- Al Boliska
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com
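[Editor's note, added to this archived message; the code below is an added example and is not Puppet code or code from the original post. It assumes nothing beyond Ruby's bundled OpenSSL binding; the CA, the two leaf certificates and the CRL are all generated in memory as constructed test data, and the helper names (make_ca, make_leaf, make_crl, verify_with_store, run_demo) are hypothetical.]

The behaviour in the post is the OpenSSL default: an X509::Store ignores any CRLs it holds unless the V_FLAG_CRL_CHECK verification flag is set, and the purpose setting has nothing to do with revocation. The example builds a store the same way the posted verify method does (CA + CRL + purpose), shows that a revoked cert still verifies, then sets store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK and shows the verification fail with V_ERR_CERT_REVOKED. It also shows the caveat that goes with the "if self.crl" conditional: once the flag is set, a store with no CRL for the issuer fails every cert with V_ERR_UNABLE_TO_GET_CRL, so a CA that can be asked to check revocation must always be able to load its CRL.

```ruby
require 'openssl'

DIGEST = "SHA256"

# Self-signed CA with the key usage bits a CRL issuer needs (keyCertSign, cRLSign).
# Constructed test data: a fresh key and cert every run, nothing persisted.
def make_ca
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=Example Test CA")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  cert.add_extension(ef.create_extension("keyUsage", "keyCertSign, cRLSign", true))
  cert.sign(key, OpenSSL::Digest.new(DIGEST))
  [key, cert]
end

# Leaf (agent-style) certificate signed by the CA, valid for the SSL client purpose.
def make_leaf(ca_key, ca_cert, cn, serial)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = serial
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = ca_cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = ca_cert
  cert.add_extension(ef.create_extension("basicConstraints", "CA:FALSE", true))
  cert.add_extension(ef.create_extension("keyUsage", "digitalSignature, keyEncipherment", true))
  cert.add_extension(ef.create_extension("extendedKeyUsage", "clientAuth, serverAuth", false))
  cert.sign(ca_key, OpenSSL::Digest.new(DIGEST))
  cert
end

# CRL issued by the CA listing the given serial numbers as revoked.
def make_crl(ca_key, ca_cert, revoked_serials)
  crl = OpenSSL::X509::CRL.new
  crl.version     = 1
  crl.issuer      = ca_cert.subject
  crl.last_update = Time.now - 60
  crl.next_update = Time.now + 3600
  revoked_serials.each do |serial|
    entry = OpenSSL::X509::Revoked.new
    entry.serial = serial
    entry.time   = Time.now - 30
    crl.add_revoked(entry)
  end
  crl.sign(ca_key, OpenSSL::Digest.new(DIGEST))
  crl
end

# Same store construction as the posted verify method (CA, optional CRL, SSL
# client purpose); check_crl: true additionally sets V_FLAG_CRL_CHECK, which is
# the only thing that makes OpenSSL consult the CRL at all.
# Returns [verified?, error_code, error_string].
def verify_with_store(ca_cert, cert, crl: nil, check_crl: false)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  store.add_crl(crl) if crl
  store.purpose = OpenSSL::X509::PURPOSE_SSL_CLIENT
  store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK if check_crl
  ok = store.verify(cert)
  [ok, store.error, store.error_string]
end

# Four cases: revoked cert without the flag (passes, the reported symptom),
# revoked cert with the flag (fails: certificate revoked), a good cert with the
# flag (still passes), and the flag with no CRL loaded (fails: unable to get CRL).
def run_demo
  ca_key, ca_cert = make_ca
  revoked = make_leaf(ca_key, ca_cert, "revoked.example", 2)
  valid   = make_leaf(ca_key, ca_cert, "valid.example", 3)
  crl     = make_crl(ca_key, ca_cert, [2])
  {
    no_flag_revoked:  verify_with_store(ca_cert, revoked, crl: crl),
    flag_revoked:     verify_with_store(ca_cert, revoked, crl: crl, check_crl: true),
    flag_valid:       verify_with_store(ca_cert, valid,   crl: crl, check_crl: true),
    flag_without_crl: verify_with_store(ca_cert, valid,   check_crl: true),
  }
end

if __FILE__ == $0
  run_demo.each { |label, (ok, _code, msg)| puts "#{label}: verified=#{ok} (#{msg})" }
end
```

When porting this to the posted method, the one-line change is store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK after adding the CRL; setting it unconditionally turns a missing CRL into a hard verification failure rather than a silent pass, which for a CA's verify command is the safer failure mode.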


