Juan Hernandez has uploaded a new change for review. Change subject: BZ#856167 - Verify downloaded CA certificate ......................................................................
BZ#856167 - Verify downloaded CA certificate During installation the CA certificate of the engine is downloaded, but it is not verified in any way. In some situations we can be getting garbage from the engine, for example when we connect to an HTTPS server using the HTTP protocol. That garbage can corrupt a previously downloaded CA certificate. This patch changes deployUtils.py so that it verifies that what we get is a valid X.509 certificate before saving it to the file. Change-Id: Ib5d3b3aeca42e4bc4b621b1acb861bfb1ac383e6 Signed-off-by: Juan Hernandez <[email protected]> --- M vdsm_reg/deployUtil.py.in 1 file changed, 35 insertions(+), 12 deletions(-) git pull ssh://gerrit.ovirt.org:29418/vdsm refs/changes/21/8021/1 diff --git a/vdsm_reg/deployUtil.py.in b/vdsm_reg/deployUtil.py.in index 3943171..124c11c 100644 --- a/vdsm_reg/deployUtil.py.in +++ b/vdsm_reg/deployUtil.py.in @@ -39,6 +39,7 @@ import imp from optparse import OptionParser import platform +from tempfile import mkstemp try: from ovirtnode import ovirtfunctions @@ -776,7 +777,6 @@ The function returns success is replacment took place. """ import stat - from tempfile import mkstemp fReplaced = False logging.debug( "_updateFileLine: entry. File: " + str(fileName) + @@ -1491,19 +1491,42 @@ CACERT, VDSMCERT = certPaths('') RHEVM_CERT_FILE = "/ca.crt" rhevmCert = getRemoteFile(str(IP), str(port), RHEVM_CERT_FILE) - if rhevmCert: - dirName = os.path.dirname(CACERT) - if not os.path.exists(dirName): - os.makedirs(dirName) - crt = file(CACERT, "w+") - try: - crt.write(rhevmCert) - finally: - crt.close() - return True - else: + + # Nothing to do if we don't get a response from the engine: + if not rhevmCert: + logging.debug("getRhevmCert: can't download CA certificate") return False + # Save the downloaded text to a temporary file in order to verify that it is + # a valid X.509 certificate, this way if it isn't we don't leave garbage + # behind: + tmpPath = None + try: + tmpHandle, tmpPath = mkstemp() + with os.fdopen(tmpHandle, "w") as tmpFile: + tmpFile.write(rhevmCert) + x509Out, x509Err, x509Rc = _logExec([EX_OPENSSL, "x509", "-in", tmpPath]) + if x509Rc != 0: + logging.debug("getRhevmCert: the string \"%s\" is not a valid X.509 certificate" % rhevmCert) + return False + finally: + if tmpPath: + os.remove(tmpPath) + + # Now that we know that it is a valid certificate save it to its definitive + # location: + dirName = os.path.dirname(CACERT) + if not os.path.exists(dirName): + os.makedirs(dirName) + crt = file(CACERT, "w+") + try: + crt.write(rhevmCert) + finally: + crt.close() + + # If we are here everything went fine: + return True + def generateFingerPrint(path): fp = '' cmd = [EX_OPENSSL, 'x509', '-fingerprint', '-in', path] -- To view, visit http://gerrit.ovirt.org/8021 To unsubscribe, visit http://gerrit.ovirt.org/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Ib5d3b3aeca42e4bc4b621b1acb861bfb1ac383e6 Gerrit-PatchSet: 1 Gerrit-Project: vdsm Gerrit-Branch: master Gerrit-Owner: Juan Hernandez <[email protected]> _______________________________________________ vdsm-patches mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/vdsm-patches
