New patch submitted by Federico Simoncelli (fsimonce(a)redhat.com)
You can review this change at:
http://gerrit.usersys.redhat.com/851
commit 449cfc4f89403d2d348fbeed68e76bd7f63397c6
Author: Federico Simoncelli <fsimonce(a)redhat.com>
Date: Wed Aug 24 12:45:07 2011 +0000
Check certificate purpose in vdsClient
Change-Id: I3ad83ee57df1a3b3a52ea47c529ef3e4af57e2fb
diff --git a/vdsm_cli/vdscli.py.in b/vdsm_cli/vdscli.py.in
index 5644a50..dfb97cf 100644
--- a/vdsm_cli/vdscli.py.in
+++ b/vdsm_cli/vdscli.py.in
@@ -19,9 +19,10 @@
# Refer to the README and COPYING files for full details of the license
#
+import os
import xmlrpclib
import subprocess
-import os
+import M2Crypto
d_useSSL = False
d_tsPath = '@TRUSTSTORE@'
@@ -86,9 +87,6 @@ def connect(addrport=None, useSSL=None, tsPath=None):
if useSSL is None: useSSL = d_useSSL
if tsPath is None: tsPath = d_tsPath
if useSSL:
- from M2Crypto.m2xmlrpclib import SSL_Transport
- from M2Crypto import SSL
-
if os.name == 'nt':
KEYFILE = tsPath + '\\keys\\rhevm.pem'
CERTFILE = tsPath + '\\certs\\rhevm.cer'
@@ -98,14 +96,20 @@ def connect(addrport=None, useSSL=None, tsPath=None):
CERTFILE = tsPath + '/certs/vdsmcert.pem'
CACERT = tsPath + '/certs/cacert.pem'
- ctx = SSL.Context ('sslv3')
+ ctx = M2Crypto.SSL.Context ('sslv3')
+
+ crt = M2Crypto.X509.load_cert(CERTFILE)
+ if not crt.check_purpose(M2Crypto.m2.X509_PURPOSE_SSL_CLIENT, 0):
+ raise RuntimeError, \
+ "Certificate is not suitable to be used as client"
- ctx.set_verify(SSL.verify_peer | SSL.verify_fail_if_no_peer_cert, 16)
+ ctx.set_verify(M2Crypto.SSL.verify_peer |
+ M2Crypto.SSL.verify_fail_if_no_peer_cert, 16)
ctx.load_verify_locations(CACERT)
ctx.load_cert(CERTFILE, KEYFILE, lambda v: "mypass")
server = xmlrpclib.Server('https://%s' % addrport,
- SSL_Transport(ctx))
+ M2Crypto.m2xmlrpclib.SSL_Transport(ctx))
else:
server = xmlrpclib.Server('http://%s' % addrport)
return server
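Review bot: The rewritten line `ctx = M2Crypto.SSL.Context ('sslv3')` still pins the client to the SSLv3-only method, so the newly purpose-checked client certificate is presented over a protocol that cannot negotiate TLS; `ctx = M2Crypto.SSL.Context('tlsv1')` (or `'sslv23'` followed by `ctx.set_options(M2Crypto.SSL.op_no_sslv2 | M2Crypto.SSL.op_no_sslv3)`, if this M2Crypto version exposes those constants) keeps the verify settings below unchanged and drops the legacy protocol. The purpose check itself looks right for a client-side certificate, but its error does not say which file failed; `raise RuntimeError, "Certificate %s is not suitable to be used as client" % CERTFILE` would point an operator at the truststore entry to fix. Note that CERTFILE is now read twice, by `M2Crypto.X509.load_cert` for the check and again by `ctx.load_cert`, which is acceptable for a local trusted file but worth a one-line comment so nobody "optimises" one read away. connect's signature and the per-platform path selection are outside this hunk.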