Commit d439174a authored by godog's avatar godog

add 'verify' subcommand

parent 99d387f6
...@@ -156,6 +156,15 @@ class CA(object): ...@@ -156,6 +156,15 @@ class CA(object):
'-key', self._getpw()) '-key', self._getpw())
self.gencrl() self.gencrl()
def verify(self, path):
log.info('verifying certificate %s', path)
args = ['verify', '-CAfile', self.files.public_key, path]
try:
openssl_wrap.run(*args, CAROOT=os.path.abspath(self.basedir))
except openssl_wrap.CommandError:
return False
return True
def generate(self, cert): def generate(self, cert):
self._update_config() self._update_config()
......
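Review bot: The new `verify` method passes only `-CAfile` to openssl, so a certificate this CA has already revoked is still reported as valid. The class maintains a CRL through `gencrl()`, so verification should consult it, for example by adding `'-crl_check'` to `args` and making the current CRL available to openssl; how the CRL path is exposed on `self.files` is not visible in this hunk. `path` is also appended unchanged as the last argument, so a file name that starts with `-` would be read by openssl as an option; `os.path.abspath(path)` avoids that. The True/False result rests on `openssl_wrap.run` raising `CommandError` for every verification failure, which is defined outside this hunk and worth confirming against the openssl versions supported. A docstring stating that the method returns True only when the certificate verifies against this CA, and whether revocation is checked, would make the contract explicit.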
...@@ -2,14 +2,13 @@ ...@@ -2,14 +2,13 @@
import logging import logging
import optparse import optparse
import os
import sys import sys
import time import time
from cam import config from cam import config
USAGE = '''cam [<OPTIONS>] <COMMAND> [<ARG>...] USAGE = '''cam [<OPTIONS>] <COMMAND> [<ARG>...]
CAM v%(version)s - (c)2012-2014 by <ale@incal.net> CAM v%(version)s - (c)2012-2014 by <ale@incal.net>
Minimal X509 Certification Authority management tool. Minimal X509 Certification Authority management tool.
Known commands: Known commands:
...@@ -28,13 +27,16 @@ Known commands: ...@@ -28,13 +27,16 @@ Known commands:
list list
List all known certificates List all known certificates
verify FILES...
Verify the certificates found in FILES against the CA
fp [<TAG>...] fp [<TAG>...]
Print SHA1/MD5 fingerprints of certificates Print SHA1/MD5 fingerprints of certificates
files <TAG>... files <TAG>...
Dump all the certificate-related files of this TAG Dump all the certificate-related files of this TAG
check check
Should be run weekly from a cron job to warn you if some Should be run weekly from a cron job to warn you if some
certificates are about to expire (controlled by the 'warning_days' certificates are about to expire (controlled by the 'warning_days'
parameter in the 'global' section of the configuration) parameter in the 'global' section of the configuration)
...@@ -95,6 +97,19 @@ def cmd_list(global_config, ca, certs, args): ...@@ -95,6 +97,19 @@ def cmd_list(global_config, ca, certs, args):
print cert.name, cert.cn, state, expiry_str print cert.name, cert.cn, state, expiry_str
def cmd_verify(global_config, ca, certs, args):
if len(args) < 1:
print 'Nothing to do.'
failed = False
for path in args:
if not ca.verify(path):
print '%s: FAIL' % path
failed = True
else:
print '%s: OK' % path
return failed
def cmd_fingerprint(global_config, ca, certs, args): def cmd_fingerprint(global_config, ca, certs, args):
if len(args) > 0: if len(args) > 0:
certs = [find_cert(certs, x) for x in args] certs = [find_cert(certs, x) for x in args]
...@@ -122,6 +137,7 @@ cmd_table = { ...@@ -122,6 +137,7 @@ cmd_table = {
'gencrl': cmd_gencrl, 'gencrl': cmd_gencrl,
'files': cmd_files, 'files': cmd_files,
'list': cmd_list, 'list': cmd_list,
'verify': cmd_verify,
'fp': cmd_fingerprint, 'fp': cmd_fingerprint,
'fingerprint': cmd_fingerprint, 'fingerprint': cmd_fingerprint,
'check': cmd_check, 'check': cmd_check,
...@@ -168,7 +184,7 @@ def main(): ...@@ -168,7 +184,7 @@ def main():
def main_wrapper(): def main_wrapper():
try: try:
return main() return main()
except Exception, e: except Exception:
logging.exception('uncaught exception') logging.exception('uncaught exception')
return 1 return 1
......
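Review bot: `cmd_verify` reports success when it is given no files: the `len(args) < 1` branch prints 'Nothing to do.' and then falls through to `return failed` with `failed` still False. For a verification command that is a fail-open result, because a caller whose file list expands to nothing gets the same status as a clean run. This assumes the return value becomes the exit status, which happens in `main()` outside this hunk. Adding `return True  # nothing was verified` directly after the print keeps the result fail-closed. A one-line docstring saying the function returns True when any file failed verification would also help, since the inverted sense is easy to misread.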