On Apr 25, 2008, at 6:44 PM, David Lutterkort wrote:
>
>
> On Sat, 2008-04-19 at 19:44 -0500, Luke Kanies wrote:
>> The code looks like this:
>>
>>     # Verify a given host's certificate.
>>     def verify(name)
>>         unless cert = Puppet::SSL::Certificate.find(name)
>>             raise ArgumentError, "Could not find a certificate for %s" % name
>>         end
>>         store = OpenSSL::X509::Store.new
>>         store.add_file Puppet[:cacert]
>>         store.add_crl crl.content if self.crl
>>         store.purpose = OpenSSL::X509::PURPOSE_SSL_CLIENT
>>
>>         unless store.verify(cert.content)
>>             raise "Certificate for %s failed verification" % name
>>         end
>>     end
>
> IIRC, the secret sauce is
> store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK
>
> Have a look at test_crl in test/certmgr/certmgr.rb
>
> My recollection of that code is hazy at best, but I found the ssl test
> suite that ruby uses pretty instructive in deciphering the inscrutable
> OpenSSL APIs.

Yeah, I ended up finding that, but it still doesn't seem to work.
If you can get the integration check in
spec/integration/ssl/certificate_authority.rb to work, I'd be much
obliged -- just search for 'revoke', and comment out the 'pending' bit.

--
All power corrupts, but we need the electricity.
-- Unknown
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com
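
The store behaviour discussed in this thread, as an added example that is not part of either message or of Puppet's code: it builds a constructed throwaway CA, revokes one certificate in a CRL, and verifies with and without `V_FLAG_CRL_CHECK`. The helper names (`make_cert`, `make_crl`, `verify_cert`, `crl_check_demo`), subjects and serials are assumptions made for the demo.

```ruby
require "openssl"

# Constructed throwaway PKI; subjects and serials are made up for the demo.
def make_cert(subject, key, serial, issuer: nil, issuer_key: key, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.add_extension(ef.create_extension("keyUsage", ca ? "keyCertSign,cRLSign" : "digitalSignature", true))
  cert.sign(issuer_key, OpenSSL::Digest.new("SHA256"))
end

def make_crl(ca, ca_key, revoked_serial)
  entry = OpenSSL::X509::Revoked.new
  entry.serial, entry.time = revoked_serial, Time.now - 30
  crl = OpenSSL::X509::CRL.new
  crl.version = 1
  crl.issuer = ca.subject
  crl.last_update, crl.next_update = Time.now - 60, Time.now + 3600
  crl.add_revoked(entry)
  crl.sign(ca_key, OpenSSL::Digest.new("SHA256"))
end

def verify_cert(cert, ca, crl, check_crl:)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca)
  store.add_crl(crl) if crl
  store.purpose = OpenSSL::X509::PURPOSE_SSL_CLIENT
  store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK if check_crl
  [store.verify(cert), store.error]   # [true/false, OpenSSL verify error code]
end

def crl_check_demo
  ca_key, key = OpenSSL::PKey::RSA.new(2048), OpenSSL::PKey::RSA.new(2048)
  ca = make_cert("/CN=Constructed Test CA", ca_key, 1, ca: true)
  revoked = make_cert("/CN=revoked.example", key, 2, issuer: ca, issuer_key: ca_key)
  good = make_cert("/CN=good.example", key, 3, issuer: ca, issuer_key: ca_key)
  crl = make_crl(ca, ca_key, 2)
  { flag_off: verify_cert(revoked, ca, crl, check_crl: false),  # CRL loaded but never consulted
    flag_on: verify_cert(revoked, ca, crl, check_crl: true),    # revocation is enforced
    good_cert: verify_cert(good, ca, crl, check_crl: true),
    no_crl: verify_cert(good, ca, nil, check_crl: true) }       # flag set, store has no CRL
end
p crl_check_demo if $PROGRAM_NAME == __FILE__
```

The `no_crl` case matters for the quoted method's `add_crl ... if self.crl`: once the flag is set, a store without a CRL rejects every certificate rather than skipping the check.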