Diffstat (limited to 'branding/scripts/check-ca-crt.py')
-rwxr-xr-x | branding/scripts/check-ca-crt.py | 26 |
1 files changed, 20 insertions, 6 deletions
diff --git a/branding/scripts/check-ca-crt.py b/branding/scripts/check-ca-crt.py index 6462467..431d059 100755 --- a/branding/scripts/check-ca-crt.py +++ b/branding/scripts/check-ca-crt.py @@ -1,29 +1,37 @@ #!/usr/bin/env python3 import re import sys +import configparser import urllib.request SCRIPT_NAME = 'check-ca-crt.py' USAGE = '''Check that the stored provider CA matches the one announced online. -Usage: {name} <provider> <uri> +Usage: {name} <provider> <config> -Example: {name} riseup black.riseup.net'''.format(name=SCRIPT_NAME) +Example: {name} riseup branding/config/vendor.conf'''.format(name=SCRIPT_NAME) def getLocalCert(provider): sanitized = re.sub(r'[^\w\s-]', '', provider).strip().lower() - with open('config/{provider}-ca.crt'.format(provider=sanitized)) as crt: + with open('branding/config/' + '{provider}-ca.crt'.format(provider=sanitized)) as crt: return crt.read().strip() def getRemoteCert(uri): - fp = urllib.request.urlopen('https://' + uri + '/ca.crt') + fp = urllib.request.urlopen(uri) remote_cert = fp.read().decode('utf-8').strip() fp.close() return remote_cert +def getUriForProvider(provider, configfile): + c = configparser.ConfigParser() + c.read(configfile) + return c[provider]['caURL'] + + if __name__ == '__main__': if len(sys.argv) != 3: @@ -32,7 +40,13 @@ if __name__ == '__main__': sys.exit(1) provider = sys.argv[1] - uri = sys.argv[2] + config = sys.argv[2] + + try: + uri = getUriForProvider(provider, config) + except IndexError: + print('[!] Misconfigured provider') + sys.exit(1) local = getLocalCert(provider) remote = getRemoteCert(uri) @@ -43,4 +57,4 @@ if __name__ == '__main__': print('[!] ERROR: remote and local CA certs do not match') sys.exit(1) else: - print('OK') + print('OK: local CA matches what provider announces') |
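Review bot: In `getRemoteCert`, `urllib.request.urlopen(uri)` now takes the whole URL from the `caURL` config value, so the `https://` prefix that the old code hard-coded is no longer enforced. `urlopen` also accepts `http:`, `ftp:` and `file:` URLs, so a typo or an edited vendor.conf could make the check compare against a certificate fetched without TLS, or read from local disk, and still print OK. I would reject other schemes before the request, e.g. `if not uri.lower().startswith('https://'): raise ValueError('caURL must be an https URL')`. Passing a `timeout=` to `urlopen` would also stop an unresponsive provider from stalling the build.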
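Review bot: The `except IndexError:` around `getUriForProvider(provider, config)` cannot fire, because `c[provider]['caURL']` raises `KeyError` when the section or the option is missing. `c.read(configfile)` also silently skips a file it cannot open, so a wrong config path ends in the same `KeyError`. As written, a misconfigured provider exits with a traceback instead of the `[!] Misconfigured provider` message; changing the handler to `except KeyError:` fixes that. The helper itself is defined in the first hunk, and the enclosing `if __name__ == '__main__':` block starts before this hunk and continues past it.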