1 files changed, 20 insertions, 6 deletions

diff --git a/branding/scripts/check-ca-crt.py b/branding/scripts/check-ca-crt.py
index 6462467..431d059 100755
--- a/branding/scripts/check-ca-crt.py
+++ b/branding/scripts/check-ca-crt.py
@@ -1,29 +1,37 @@
 #!/usr/bin/env python3
 import re
 import sys
+import configparser
 import urllib.request
 
 SCRIPT_NAME = 'check-ca-crt.py'
 
 USAGE = '''Check that the stored provider CA matches the one announced online.
-Usage: {name} <provider> <uri>
+Usage: {name} <provider> <config>
 
-Example: {name} riseup black.riseup.net'''.format(name=SCRIPT_NAME)
+Example: {name} riseup branding/config/vendor.conf'''.format(name=SCRIPT_NAME)
 
 
 def getLocalCert(provider):
     sanitized = re.sub(r'[^\w\s-]', '', provider).strip().lower()
-    with open('config/{provider}-ca.crt'.format(provider=sanitized)) as crt:
+    with open('branding/config/'
+              '{provider}-ca.crt'.format(provider=sanitized)) as crt:
         return crt.read().strip()
 
 
 def getRemoteCert(uri):
-    fp = urllib.request.urlopen('https://' + uri + '/ca.crt')
+    fp = urllib.request.urlopen(uri)
     remote_cert = fp.read().decode('utf-8').strip()
     fp.close()
     return remote_cert
 
 
+def getUriForProvider(provider, configfile):
+    c = configparser.ConfigParser()
+    c.read(configfile)
+    return c[provider]['caURL']
+
+
 if __name__ == '__main__':
 
     if len(sys.argv) != 3:
@@ -32,7 +40,13 @@ if __name__ == '__main__':
         sys.exit(1)
 
     provider = sys.argv[1]
-    uri = sys.argv[2]
+    config = sys.argv[2]
+
+    try:
+        uri = getUriForProvider(provider, config)
+    except IndexError:
+        print('[!] Misconfigured provider')
+        sys.exit(1)
 
     local = getLocalCert(provider)
     remote = getRemoteCert(uri)
@@ -43,4 +57,4 @@ if __name__ == '__main__':
         print('[!] ERROR: remote and local CA certs do not match')
         sys.exit(1)
     else:
-        print('OK')
+        print('OK: local CA matches what provider announces')