Generalizing CA path for certificate verification to settings

863b4360 · Tanner Prestegard · a2e2470d · 863b4360 · 863b4360
Verified Commit 863b4360 authored 6 years ago by Tanner Prestegard
--- a/config/settings/base.py
+++ b/config/settings/base.py
@@ -274,6 +274,9 @@ X509_ISSUER_DN_HEADER = 'HTTP_SSL_CLIENT_I_DN'
 X509_CERT_HEADER = 'HTTP_X_FORWARDED_TLS_CLIENT_CERT'
 X509_INFOS_HEADER = 'HTTP_X_FORWARDED_TLS_CLIENT_CERT_INFOS'

+# Path to CA store for X509 certificate verification
+CAPATH = '/etc/grid-security/certificates'
+
 # List of authentication backends to use when attempting to authenticate
 # a user.  Will be used in this order.  Authentication for the API is
 # handled by the REST_FRAMEWORK dictionary.

--- a/gracedb/api/backends.py
+++ b/gracedb/api/backends.py
@@ -249,16 +249,14 @@ class GraceDbX509FullCertAuthentication(GraceDbX509Authentication):

        return cert_der

-    def verify_certificate_chain(self, cert_data,
-        trusted_certs='/etc/grid-security/certificates'):
-
+    def verify_certificate_chain(self, cert_data, capath=settings.CAPATH):
        # Load certificate data
        certificate = OpenSSL.crypto.load_certificate(
            OpenSSL.crypto.FILETYPE_ASN1, cert_data)

        # Set up context and get certificate store 
        ctx = OpenSSL.SSL.Context(OpenSSL.SSL.TLSv1_METHOD)
-        ctx.load_verify_locations(None, capath=trusted_certs)
+        ctx.load_verify_locations(None, capath=capath)
        store = ctx.get_cert_store()

        # Verify certificate