
from __future__ import print_function

import os
from OpenSSL import crypto
import urlgrabber
import datetime

# This file was modified from the fedora_cert section in fedora-packager,
# written by Dennis Gilmore.

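# Define our own error class
class centos_cert_error(Exception):
    """Error raised for problems with the user's client certificate.

    In this module it is raised when the certificate file cannot be read.
    """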

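def _open_cert():
    """
    Read in the certificate so we dont duplicate the code

    Loads ~/.koji/client.crt as PEM and returns the parsed certificate
    object. Raises centos_cert_error if the file cannot be read.

    Parsing only: no signature, chain, validity-period or revocation check
    happens here, so callers must not treat a successful load as proof that
    the certificate is trustworthy.
    """
    cert_file = os.path.join(os.path.expanduser('~'), ".koji", "client.crt")
    # Open the file directly instead of probing with os.access() first: the
    # probe and the later open() can disagree (file replaced or removed in
    # between, and access() tests the real rather than the effective uid).
    try:
        # Binary mode hands pyOpenSSL the PEM as bytes; the context manager
        # closes the handle even when the read fails.
        with open(cert_file, 'rb') as cert_fh:
            raw_cert = cert_fh.read()
    except (IOError, OSError):
        raise centos_cert_error("""!!!    cannot read your centos cert file   !!!
!!! Ensure the file is readable and try again !!!""")
    # A malformed PEM makes load_certificate raise crypto.Error; that is left
    # to propagate unchanged.
    return crypto.load_certificate(crypto.FILETYPE_PEM, raw_cert)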

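def verify_cert():
    """
    Check that the user cert is valid.

    Prints the certificate's expiry date and a warning when fewer than
    21 days remain. Returns None.

    NOTE: revocation is NOT checked. The CRL lookup below is only a
    commented-out placeholder, so a revoked but unexpired certificate passes
    this function silently. Nothing here validates the issuer or the chain
    either.
    """
    my_cert = _open_cert()
    # First eight characters of the ASN.1 time are YYYYMMDD.
    valid_until = my_cert.get_notAfter()[:8]
    # pyOpenSSL returns bytes on Python 3; normalise to text so the string
    # comparison and the formatting below behave the same on 2 and 3.
    if not isinstance(valid_until, str):
        valid_until = valid_until.decode('ascii')
    # CRL verification would go here (it would need the certificate's
    # serial number, my_cert.get_serial_number()).
    #crl = urlgrabber.urlread("https://<url_to_crl>/ca/crl.pem")
    dateFmt = '%Y%m%d'
    # The threshold must be "now + 21 days"; a bare timedelta cannot be
    # formatted as a date. notAfter is normally expressed in UTC (trailing
    # 'Z'), so compare against UTC rather than local time.
    warn_date = datetime.datetime.utcnow() + datetime.timedelta(days=21)
    warn = warn_date.strftime(dateFmt)

    print('cert expires: %s-%s-%s' % (valid_until[:4], valid_until[4:6], valid_until[6:8]))

    # Both sides are zero-padded YYYYMMDD, so lexical order is date order.
    if valid_until < warn:
        print('WARNING: Your cert expires soon.')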

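def certificate_expired():
    """
    Check to see if client cert is expired
    Returns True or False

    Only the certificate's notAfter time is considered (via has_expired()).
    A False result does not mean the certificate is otherwise valid: the
    notBefore date, the issuer chain and revocation are not examined.
    """
    my_cert = _open_cert()

    # Return a real bool on both paths; the not-expired path used to fall
    # off the end of the function and yield None instead of False.
    return bool(my_cert.has_expired())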

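def read_user_cert():
    """
    Figure out the user name from client cert

    Returns the commonName (CN) of the certificate subject. Raises
    centos_cert_error if the subject carries no CN.

    The name is only as trustworthy as the certificate: this function does
    not verify who issued it, so do not use the result for an authorization
    decision unless the certificate has been validated separately.
    """
    my_cert = _open_cert()

    # Read the CN attribute through the X509Name API instead of splitting
    # str(subject) on "CN=" and "/". The string form mixes all attributes
    # together, so a "CN=" or "/" inside another field's value (or inside the
    # CN itself) would yield the wrong user name, and a CN in last position
    # picked up the trailing characters of the object's repr.
    username = my_cert.get_subject().CN
    if not username:
        raise centos_cert_error("client certificate subject has no CN")
    return username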