Check keys if revoke certificate by private key

2026-06-04 14:26:10 -04:00 · 2017-07-08 16:20:12 +02:00 · 2017-07-08 16:20:12 +02:00 · 62bdf663f2
commit 62bdf663f2
parent 48ef16ab0d
3 changed files with 10 additions and 8 deletions
--- a/certbot/crypto_util.py
+++ b/certbot/crypto_util.py
@ -214,7 +214,7 @@ def verify_renewable_cert(renewable_cert):
    """
    verify_renewable_cert_sig(renewable_cert)
    verify_fullchain(renewable_cert)
-    verify_cert_matches_priv_key(renewable_cert)
+    verify_cert_matches_priv_key(renewable_cert.cert, renewable_cert.privkey)


 def verify_renewable_cert_sig(renewable_cert):
@ -238,17 +238,18 @@ def verify_renewable_cert_sig(renewable_cert):
        raise errors.Error(error_str)


-def verify_cert_matches_priv_key(renewable_cert):
+def verify_cert_matches_priv_key(cert_path, key_path):
    """ Verifies that the private key and cert match.

-    :param `.storage.RenewableCert` renewable_cert: cert to verify
+    :param str cert_path: path to a cert in PEM format
+    :param str key_path: path to a private key file

    :raises errors.Error: If they don't match.
    """
    try:
-        with open(renewable_cert.cert) as cert:
+        with open(cert_path) as cert:
            cert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, cert.read())
-        with open(renewable_cert.privkey) as privkey:
+        with open(key_path) as privkey:
            privkey = OpenSSL.crypto.load_privatekey(OpenSSL.crypto.FILETYPE_PEM, privkey.read())
        context = OpenSSL.SSL.Context(OpenSSL.SSL.SSLv23_METHOD)
        context.use_privatekey(privkey)
@ -257,8 +258,8 @@ def verify_cert_matches_priv_key(renewable_cert):
    except (IOError, OpenSSL.SSL.Error) as e:
        error_str = "verifying the cert located at {0} matches the \
                private key located at {1} has failed. \
-                Details: {2}".format(renewable_cert.cert,
-                        renewable_cert.privkey, e)
+                Details: {2}".format(cert_path,
+                        key_path, e)
        logger.exception(error_str)
        raise errors.Error(error_str)

--- a/certbot/main.py
+++ b/certbot/main.py
@ -562,6 +562,7 @@ def revoke(config, unused_plugins):  # TODO: coop with renewal config
    if config.key_path is not None:  # revocation by cert key
        logger.debug("Revoking %s using cert key %s",
                     config.cert_path[0], config.key_path[0])
+        crypto_util.verify_cert_matches_priv_key(config.cert_path[0], config.key_path[1])
        key = jose.JWK.load(config.key_path[1])
    else:  # revocation by account key
        logger.debug("Revoking %s using Account Key", config.cert_path[0])
--- a/certbot/tests/crypto_util_test.py
+++ b/certbot/tests/crypto_util_test.py
@ -252,7 +252,7 @@ class VerifyCertMatchesPrivKeyTest(VerifyCertSetup):

    def _call(self, renewable_cert):
        from certbot.crypto_util import verify_cert_matches_priv_key
-        return verify_cert_matches_priv_key(renewable_cert)
+        return verify_cert_matches_priv_key(renewable_cert.cert, renewable_cert.privkey)

    def test_cert_priv_key_match(self):
        self.assertEqual(None, self._call(self.renewable_cert))