commit aadffa0c8f438ace747489e77978c247c9cb2602
parent a9e74da11c8db7e19f69128fde0d15de426c7696
Author: ThomasV <thomasv@gitorious>
Date: Wed, 5 Aug 2015 20:59:51 +0200
check_ssl_config: verify pubkey
Diffstat:
1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/lib/paymentrequest.py b/lib/paymentrequest.py
@@ -337,14 +337,21 @@ def check_ssl_config(config):
cert_path = config.get('ssl_chain')
with open(key_path, 'r') as f:
params = pem.parse_private_key(f.read())
- privkey = rsakey.RSAKey(*params)
with open(cert_path, 'r') as f:
s = f.read()
- bList = pem.dePemList(s, "CERTIFICATE")
+ bList = pem.dePemList(s, "CERTIFICATE")
# verify chain
x, ca = verify_cert_chain(bList)
- # verify pubkey
- return x.get_common_name()
+ # verify that privkey and pubkey match
+ privkey = rsakey.RSAKey(*params)
+ pubkey = rsakey.RSAKey(x.modulus, x.exponent)
+ assert x.modulus == params[0]
+ assert x.exponent == params[1]
+ # return requestor
+ requestor = x.get_common_name()
+ if requestor.startswith('*.'):
+ requestor = requestor[2:]
+ return requestor
def sign_request_with_x509(pr, key_path, cert_path):
import pem
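Review bot: The key/certificate match is enforced with bare `assert` statements (`assert x.modulus == params[0]`, `assert x.exponent == params[1]`), which Python removes under `-O`, so in an optimized run a mismatched private key would pass this check silently. An explicit check survives optimization and gives the operator a usable message, e.g. `if (x.modulus, x.exponent) != (params[0], params[1]): raise Exception("SSL private key does not match the certificate public key")`. The exception type should be whatever the callers of check_ssl_config already handle, which is not visible here because the function starts above the hunk. The new `privkey` and `pubkey` objects are built but never used in the visible lines, so either drop them or compare through them. Stripping the `*.` prefix makes a wildcard certificate report the bare parent domain as requestor, which deserves a comment stating that this is intended.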