Jan Dittberner
6a8997e950
This commit adds an initial Vagrant and Saltstack setup that reuses the same configuration as that of the gva repository. The LDAP server itself is not configured yet.
62 lines
1.6 KiB
Python
62 lines
1.6 KiB
Python
# -*- coding: utf8 -*-
|
|
'''
|
|
Manage X.509 certificate life cycle
|
|
===================================
|
|
|
|
This state is useful for managing X.509 certificates' life cycles.
|
|
|
|
Copyright (c) 2014 Jan Dittberner <jan@dittberner.info>
|
|
'''
|
|
|
|
from M2Crypto import X509
|
|
from datetime import datetime
|
|
import os
|
|
|
|
|
|
def _error(ret, err_msg):
|
|
ret['result'] = False
|
|
ret['comment'] = err_msg
|
|
return ret
|
|
|
|
|
|
def valid_certificate(
|
|
name, mindays=14, keyfile=None,
|
|
checkchain=False, trustedcerts=None):
|
|
'''
|
|
Checks whether the given certificate file is valid.
|
|
|
|
name
|
|
The name of the certificate file to check
|
|
mindays
|
|
Mark the certificate as invalid if it is valid for less then this many
|
|
days
|
|
'''
|
|
ret = {
|
|
'name': name,
|
|
'changes': {},
|
|
'result': None,
|
|
'comment': ''}
|
|
if not os.path.isfile(name):
|
|
return _error(
|
|
ret, 'certificate file {0} does not exist'.format(name))
|
|
try:
|
|
cert = X509.load_cert(name)
|
|
except Exception as e:
|
|
return _error(
|
|
ret,
|
|
'error loading certificate {0}: {1}'.format(name, e))
|
|
notafter = cert.get_not_after().get_datetime()
|
|
delta = notafter - datetime.now(notafter.tzinfo)
|
|
if delta.days < mindays:
|
|
return _error(
|
|
ret,
|
|
'certificate {0} is only valid for {1} more day(s)'.format(
|
|
name, delta.days))
|
|
# TODO: check keyfile match
|
|
# TODO: check trust chain
|
|
ret['comment'] = (
|
|
'certificate {0} is ok and still valid for {1} days'.format(
|
|
name, delta.days))
|
|
ret['result'] = True
|
|
return ret
|