From: godog <godog@autistici.org>
Date: Tue, 7 Oct 2014 22:25:39 +0000 (+0100)
Subject: add 'verify' subcommand
X-Git-Url: https://v.licheni.net/stack/cam.git/commitdiff_plain/d439174a02ec4273560f621f1e003d23c8e05b9d

add 'verify' subcommand
---

diff --git a/cam/ca.py b/cam/ca.py
index 043cc7e..f906819 100644
--- a/cam/ca.py
+++ b/cam/ca.py
@@ -156,6 +156,15 @@ class CA(object):
             '-key', self._getpw())
         self.gencrl()
 
+    def verify(self, path):
+        log.info('verifying certificate %s', path)
+        args = ['verify', '-CAfile', self.files.public_key, path]
+        try:
+            openssl_wrap.run(*args, CAROOT=os.path.abspath(self.basedir))
+        except openssl_wrap.CommandError:
+            return False
+        return True
+
     def generate(self, cert):
         self._update_config()
 
diff --git a/cam/main.py b/cam/main.py
index 22b9758..4158e42 100755
--- a/cam/main.py
+++ b/cam/main.py
@@ -2,14 +2,13 @@
 
 import logging
 import optparse
-import os
 import sys
 import time
 from cam import config
 
 
 USAGE = '''cam [<OPTIONS>] <COMMAND> [<ARG>...]
-CAM v%(version)s - (c)2012-2014 by <ale@incal.net> 
+CAM v%(version)s - (c)2012-2014 by <ale@incal.net>
 Minimal X509 Certification Authority management tool.
 
 Known commands:
@@ -28,13 +27,16 @@ Known commands:
   list
     List all known certificates
 
+  verify FILES...
+    Verify the certificates found in FILES against the CA
+
   fp [<TAG>...]
     Print SHA1/MD5 fingerprints of certificates
 
   files <TAG>...
     Dump all the certificate-related files of this TAG
 
-  check 
+  check
     Should be run weekly from a cron job to warn you if some
     certificates are about to expire (controlled by the 'warning_days'
     parameter in the 'global' section of the configuration)
@@ -95,6 +97,19 @@ def cmd_list(global_config, ca, certs, args):
         print cert.name, cert.cn, state, expiry_str
 
 
+def cmd_verify(global_config, ca, certs, args):
+    if len(args) < 1:
+        print 'Nothing to do.'
+    failed = False
+    for path in args:
+        if not ca.verify(path):
+            print '%s: FAIL' % path
+            failed = True
+        else:
+            print '%s: OK' % path
+    return failed
+
+
 def cmd_fingerprint(global_config, ca, certs, args):
     if len(args) > 0:
         certs = [find_cert(certs, x) for x in args]
@@ -122,6 +137,7 @@ cmd_table = {
     'gencrl': cmd_gencrl,
     'files': cmd_files,
     'list': cmd_list,
+    'verify': cmd_verify,
     'fp': cmd_fingerprint,
     'fingerprint': cmd_fingerprint,
     'check': cmd_check,
@@ -168,7 +184,7 @@ def main():
 def main_wrapper():
     try:
         return main()
-    except Exception, e:
+    except Exception:
         logging.exception('uncaught exception')
         return 1