check_ssl_config: verify pubkey

2015-08-05 20:59:51 +02:00 · 2015-08-05 20:59:51 +02:00 · aadffa0c8f
parent a9e74da11c
commit aadffa0c8f
1 changed files with 11 additions and 4 deletions
--- a/lib/paymentrequest.py
+++ b/lib/paymentrequest.py
@ -337,14 +337,21 @@ def check_ssl_config(config):
    cert_path = config.get('ssl_chain')
    with open(key_path, 'r') as f:
        params = pem.parse_private_key(f.read())
-        privkey = rsakey.RSAKey(*params)
    with open(cert_path, 'r') as f:
        s = f.read()
-        bList = pem.dePemList(s, "CERTIFICATE")
+    bList = pem.dePemList(s, "CERTIFICATE")
    # verify chain
    x, ca = verify_cert_chain(bList)
-    # verify pubkey
-    return x.get_common_name()
+    # verify that privkey and pubkey match
+    privkey = rsakey.RSAKey(*params)
+    pubkey = rsakey.RSAKey(x.modulus, x.exponent)
+    assert x.modulus == params[0]
+    assert x.exponent == params[1]
+    # return requestor
+    requestor = x.get_common_name()
+    if requestor.startswith('*.'):
+        requestor = requestor[2:]
+    return requestor

 def sign_request_with_x509(pr, key_path, cert_path):
    import pem