Add SSL certificate utility and tests

util/config/validator.py

@@ -3,10 +3,8 @@ import subprocess
 import time
 
 from StringIO import StringIO
-from fnmatch import fnmatch
 from hashlib import sha1
 
-import OpenSSL
 import ldap
 import peewee
 import redis
@@ -28,6 +26,7 @@ from util.config.oauth import GoogleOAuthConfig, GithubOAuthConfig, GitLabOAuthC
 from util.secscan.api import SecurityScannerAPI
 from util.registry.torrent import torrent_jwt
 from util.security.signing import SIGNING_ENGINES
+from util.security.ssl import load_certificate, CertInvalidException, KeyInvalidException
 
 logger = logging.getLogger(__name__)
 
@@ -257,22 +256,32 @@ def _validate_ssl(config, user_obj, _):
   if config.get('EXTERNAL_TLS_TERMINATION', False) is True:
     return
 
+  # Verify that we have all the required SSL files.
   for filename in SSL_FILENAMES:
     if not config_provider.volume_file_exists(filename):
       raise ConfigValidationException('Missing required SSL file: %s' % filename)
 
+  # Read the contents of the SSL certificate.
   with config_provider.get_volume_file(SSL_FILENAMES[0]) as f:
     cert_contents = f.read()
 
   # Validate the certificate.
   try:
-    cert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, cert_contents)
-  except:
-    raise ConfigValidationException('Could not parse certificate file. Is it a valid PEM certificate?')
+    certificate = load_certificate(cert_contents)
+  except CertInvalidException as cie:
+    raise ConfigValidationException('Could not load SSL certificate: %s' % cie.message)
 
-  if cert.has_expired():
+  # Verify the certificate has not expired.
+  if certificate.expired:
     raise ConfigValidationException('The specified SSL certificate has expired.')
 
+  # Verify the hostname matches the name in the certificate.
+  if not certificate.matches_name(config['SERVER_HOSTNAME']):
+    msg = ('Supported names "%s" in SSL cert do not match server hostname "%s"' %
+           (', '.join(list(certificate.names)), config['SERVER_HOSTNAME']))
+    raise ConfigValidationException(msg)
+
+  # Verify the private key against the certificate.
   private_key_path = None
   with config_provider.get_volume_file(SSL_FILENAMES[1]) as f:
     private_key_path = f.name
@@ -281,44 +290,10 @@ def _validate_ssl(config, user_obj, _):
     # Only in testing.
     return
 
-  # Validate the private key with the certificate.
-  context = OpenSSL.SSL.Context(OpenSSL.SSL.TLSv1_METHOD)
-  context.use_certificate(cert)
-
   try:
-    context.use_privatekey_file(private_key_path)
-  except:
-    raise ConfigValidationException('Could not parse key file. Is it a valid PEM private key?')
-
-  try:
-    context.check_privatekey()
-  except OpenSSL.SSL.Error as e:
-    raise ConfigValidationException('SSL key failed to validate: %s' % str(e))
-
-  # Verify the hostname matches the name in the certificate.
-  common_name = cert.get_subject().commonName
-  if common_name is None:
-    raise ConfigValidationException('Missing CommonName (CN) from SSL certificate')
-
-  # Build the list of allowed host patterns.
-  hosts = set([common_name])
-
-  # Find the DNS extension, if any.
-  for i in range(0, cert.get_extension_count()):
-    ext = cert.get_extension(i)
-    if ext.get_short_name() == 'subjectAltName':
-      value = str(ext)
-      hosts.update([host.strip()[4:] for host in value.split(',')])
-
-  # Check each host.
-  for host in hosts:
-    if fnmatch(config['SERVER_HOSTNAME'], host):
-      return
-
-  msg = ('Supported names "%s" in SSL cert do not match server hostname "%s"' %
-         (', '.join(list(hosts)), config['SERVER_HOSTNAME']))
-  raise ConfigValidationException(msg)
-
+    certificate.validate_private_key(private_key_path)
+  except KeyInvalidException as kie:
+    raise ConfigValidationException('SSL private key failed to validate: %s' % kie.message)
 
 
 def _validate_ldap(config, user_obj, password):