From: godog
Date: Tue, 7 Oct 2014 22:25:39 +0000 (+0100)
Subject: add 'verify' subcommand
X-Git-Url: https://v.licheni.net/stack/cam.git/commitdiff_plain/d439174a02ec4273560f621f1e003d23c8e05b9d

add 'verify' subcommand
---

diff --git a/cam/ca.py b/cam/ca.py
index 043cc7e..f906819 100644
--- a/cam/ca.py
+++ b/cam/ca.py
@@ -156,6 +156,15 @@ class CA(object):
                 '-key', self._getpw())
         self.gencrl()
 
+    def verify(self, path):
+        log.info('verifying certificate %s', path)
+        args = ['verify', '-CAfile', self.files.public_key, path]
+        try:
+            openssl_wrap.run(*args, CAROOT=os.path.abspath(self.basedir))
+        except openssl_wrap.CommandError:
+            return False
+        return True
+
     def generate(self, cert):
         self._update_config()
 
diff --git a/cam/main.py b/cam/main.py
index 22b9758..4158e42 100755
--- a/cam/main.py
+++ b/cam/main.py
@@ -2,14 +2,13 @@
 import logging
 import optparse
-import os
 import sys
 import time
 
 from cam import config
 
 USAGE = '''cam [] [...]
 
-CAM v%(version)s - (c)2012-2014 by
+CAM v%(version)s - (c)2012-2014 by
 Minimal X509 Certification Authority management tool.
 
 Known commands:
@@ -28,13 +27,16 @@ Known commands:
   list
       List all known certificates
 
+  verify FILES...
+      Verify the certificates found in FILES against the CA
+
   fp [...]
       Print SHA1/MD5 fingerprints of certificates
 
   files ...
       Dump all the certificate-related files of this TAG
 
-  check
+  check
       Should be run weekly from a cron job to warn you if some
       certificates are about to expire (controlled by the 'warning_days'
       parameter in the 'global' section of the configuration)
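Review bot: `CA.verify` builds `['verify', '-CAfile', self.files.public_key, path]` with no `-crl_check`, so revocation is never consulted even though this class maintains a CRL (`self.gencrl()` is called two lines above the new method) — a certificate this CA has revoked still reports OK; if the CRL path is exposed on `self.files`, add `'-crl_check', '-CRLfile', <crl path>` to `args`. Depending on the OpenSSL version, `openssl verify` given only `-CAfile` may still load the default system CApath as well, in which case a certificate issued by any system-trusted CA would also pass; if the intent is "issued by this CA", pin it with `-CApath` to an empty directory (or `-no-CApath` where supported) — worth confirming against the OpenSSL in use. The `except openssl_wrap.CommandError:` branch discards the error, so a missing file and a signature failure are indistinguishable to callers; binding it and logging `log.warning('verification of %s failed: %s', path, e)` before `return False` keeps the reason without changing the interface. Only `verify` is complete in this hunk; `generate` continues past its end.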
@@ -95,6 +97,19 @@ def cmd_list(global_config, ca, certs, args):
         print cert.name, cert.cn, state, expiry_str
 
 
+def cmd_verify(global_config, ca, certs, args):
+    if len(args) < 1:
+        print 'Nothing to do.'
+    failed = False
+    for path in args:
+        if not ca.verify(path):
+            print '%s: FAIL' % path
+            failed = True
+        else:
+            print '%s: OK' % path
+    return failed
+
+
 def cmd_fingerprint(global_config, ca, certs, args):
     if len(args) > 0:
         certs = [find_cert(certs, x) for x in args]
@@ -122,6 +137,7 @@ cmd_table = {
     'gencrl': cmd_gencrl,
     'files': cmd_files,
     'list': cmd_list,
+    'verify': cmd_verify,
     'fp': cmd_fingerprint,
     'fingerprint': cmd_fingerprint,
     'check': cmd_check,
@@ -168,7 +184,7 @@ def main():
 
 def main_wrapper():
     try:
         return main()
-    except Exception, e:
+    except Exception:
         logging.exception('uncaught exception')
         return 1
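Review bot: In `cmd_verify` the `if len(args) < 1:` branch prints 'Nothing to do.' but does not return, so execution falls through to an empty loop and returns `failed = False` by accident rather than by design; make it a guard, `if not args:` / `print 'Nothing to do.'` / `return False`, so the no-argument exit status is explicit. On a FAIL the user is given no reason, because `ca.verify` collapses the openssl error into a bool — at minimum point the user at the log, or have the CA layer surface the reason. `return failed` presumably relies on the dispatcher in `main()` (outside this hunk) mapping a truthy result to a non-zero exit status; a comment `# True (non-zero exit) if any certificate failed to verify` would make that convention visible next to the code.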