Dan Kenigsberg has posted comments on this change.

Change subject: BZ#856167 - Validate downloaded CA certificate
......................................................................
Patch Set 4: (4 inline comments)

minor comments, and one annoying assertion about fingerprints.

....................................................
Commit Message
Line 3: AuthorDate: 2012-09-18 11:20:07 +0200
Line 4: Commit: Juan Hernandez <[email protected]>
Line 5: CommitDate: 2012-09-18 13:47:58 +0200
Line 6:
Line 7: BZ#856167 - Validate downloaded CA certificate
please use the new Bug-Id: url format.

Line 8:
Line 9: During installation the CA certificate of the engine is downloaded,
Line 10: but it is not verified in any way. In some situations we can be
Line 11: getting garbage from the engine, for example when we connect to an

....................................................
File vdsm_reg/deployUtil.py.in
Line 1123: # Host PKI functions.
Line 1124: #############################################################################################################
Line 1125:
Line 1126: def validateX509Cert(strCert):
Line 1127: """
http://www.python.org/dev/peps/pep-0008/#documentation-strings

Line 1128: Validates that the given string is a valid PEM encoded X.509
Line 1129: digital certificate
Line 1130: """
Line 1131: out, err, rc = _logExec([EX_OPENSSL, "x509", "-noout"], input=strCert)

Line 1129: digital certificate
Line 1130: """
Line 1131: out, err, rc = _logExec([EX_OPENSSL, "x509", "-noout"], input=strCert)
Line 1132: if rc != 0:
Line 1133: logging.debug("validateX509Cert: the string \"%s\" is not a valid X.509 certificate" % strCert)
use comma instead of percent when it comes to formatting log string (so that rendering may be avoided).

Line 1134: return False
Line 1135: else:
Line 1136: return True
Line 1137:

Line 1485:
Line 1486: CACERT, VDSMCERT = certPaths('')
Line 1487: RHEVM_CERT_FILE = "/ca.crt"
Line 1488: rhevmCert = getRemoteFile(str(IP), str(port), RHEVM_CERT_FILE)
Line 1489: if rhevmCert and validateX509Cert(rhevmCert):
it would be even better if we can do fingerprint validation here.

Line 1490: dirName = os.path.dirname(CACERT)
Line 1491: if not os.path.exists(dirName):
Line 1492: os.makedirs(dirName)
Line 1493: crt = file(CACERT, "w+")

--
To view, visit http://gerrit.ovirt.org/8021

Gerrit-MessageType: comment
Gerrit-Change-Id: Ib5d3b3aeca42e4bc4b621b1acb861bfb1ac383e6
Gerrit-PatchSet: 4
Gerrit-Project: vdsm
Gerrit-Branch: master
Gerrit-Owner: Juan Hernandez <[email protected]>
Gerrit-Reviewer: Alon Bar-Lev <[email protected]>
Gerrit-Reviewer: Dan Kenigsberg <[email protected]>
Gerrit-Reviewer: Douglas Schilling Landgraf <[email protected]>
Gerrit-Reviewer: Juan Hernandez <[email protected]>
Gerrit-Reviewer: Michael Burns <[email protected]>
Gerrit-Reviewer: Ryan Harper <[email protected]>
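
Review bot: Line 1133 of validateX509Cert puts the whole of strCert into the debug message, and that string is whatever getRemoteFile returned at Line 1488, so a large or malformed response is copied verbatim into the log. Log its length or a truncated repr() of it instead. The if/else at Lines 1132-1136 can also be reduced to `return rc == 0`.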
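
Review bot: Line 1493 opens CACERT with "w+", which truncates any existing CA certificate in place before the new content is written, so an interrupted write leaves a partial file at the trusted path. Write to a temporary file in dirName and os.rename() it over CACERT once the write has succeeded. The check at Line 1489 only establishes that the download parses as X.509, so any well-formed certificate served at /ca.crt reaches this write.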
