| side by side (parent:
99d387f
)
add 'verify' subcommand
author
godog
<godog@autistici.org>
Tue, 7 Oct 2014 22:25:39 +0000
(23:25 +0100)
committer
godog
<godog@autistici.org>
Tue, 7 Oct 2014 22:25:39 +0000
(23:25 +0100)
cam/ca.py
cam/main.py
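--- a/cam/ca.py
+++ b/cam/ca.py
@@ -156,6 +156,15 @@ class CA(object):
 '-key', self._getpw())
 self.gencrl()
+ def verify(self, path):
+ log.info('verifying certificate %s', path)
+ args = ['verify', '-CAfile', self.files.public_key, path]
+ try:
+ openssl_wrap.run(*args, CAROOT=os.path.abspath(self.basedir))
+ except openssl_wrap.CommandError:
+ return False
+ return True
+
 def generate(self, cert):
 self._update_config()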
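Review bot: `verify` runs `openssl verify` with only `-CAfile`, so revocation is never consulted and a certificate this CA has already revoked would still be reported as OK. Since the class produces a CRL through `gencrl()`, consider passing `-crl_check` together with the CA's CRL so the result reflects revocation status. Separately, `path` reaches openssl unmodified, so a file name beginning with `-` would be parsed as an option; `path = os.path.abspath(path)` before building `args` avoids that. Every `CommandError` is also mapped to `False`, so a missing file or a failing openssl invocation looks the same as a bad certificate; a log line in the `except` branch would keep the two apart. The class body continues outside the hunk.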
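--- a/cam/main.py
+++ b/cam/main.py
@@ -2,14 +2,13 @@
 import logging
 import optparse
-import os
 import sys
 import time
 from cam import config
 USAGE = '''cam [<OPTIONS>] <COMMAND> [<ARG>...]
-CAM v%(version)s - (c)2012-2014 by <ale@incal.net>
+CAM v%(version)s - (c)2012-2014 by <ale@incal.net>
 Minimal X509 Certification Authority management tool.
 Known commands:
@@ -28,13 +27,16 @@ Known commands:
 list
 List all known certificates
+ verify FILES...
+ Verify the certificates found in FILES against the CA
+
 fp [<TAG>...]
 Print SHA1/MD5 fingerprints of certificates
 files <TAG>...
 Dump all the certificate-related files of this TAG
- check
+ check
 Should be run weekly from a cron job to warn you if some
 certificates are about to expire (controlled by the 'warning_days'
 parameter in the 'global' section of the configuration)
@@ -95,6 +97,19 @@ def cmd_list(global_config, ca, certs, args):
 print cert.name, cert.cn, state, expiry_str
+def cmd_verify(global_config, ca, certs, args):
+ if len(args) < 1:
+ print 'Nothing to do.'
+ failed = False
+ for path in args:
+ if not ca.verify(path):
+ print '%s: FAIL' % path
+ failed = True
+ else:
+ print '%s: OK' % path
+ return failed
+
+
 def cmd_fingerprint(global_config, ca, certs, args):
 if len(args) > 0:
 certs = [find_cert(certs, x) for x in args]
@@ -122,6 +137,7 @@ cmd_table = {
 'gencrl': cmd_gencrl,
 'files': cmd_files,
 'list': cmd_list,
+ 'verify': cmd_verify,
 'fp': cmd_fingerprint,
 'fingerprint': cmd_fingerprint,
 'check': cmd_check,
@@ -168,7 +184,7 @@ def main():
 def main_wrapper():
 try:
 return main()
- except Exception, e:
+ except Exception:
 logging.exception('uncaught exception')
 return 1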
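Review bot: `cmd_verify` reports success when it has verified nothing, because with an empty `args` it prints 'Nothing to do.' and falls through to `return failed` with `failed = False`. If the return value ends up as the process exit status (main() lies outside these hunks, so that is an assumption), a script whose file list expands to nothing gets a passing result from a verification command. Adding `return True` right after the `print 'Nothing to do.'` line would make the empty case fail closed. A one-line docstring such as `"""Return True if any certificate in args failed verification."""` would also help, since the inverted sense of the return value is easy to misread.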