diff --git a/app/models/site_cert.rb b/app/models/site_cert.rb
index 81260b6..3d06149 100644
--- a/app/models/site_cert.rb
+++ b/app/models/site_cert.rb
@@ -33,37 +33,42 @@ class SiteCert
 end
 def change_data
 if !@skip_callback
- org_cert_file_name = self.cert_file.file.file.to_s
- cert_file_name = org_cert_file_name.sub(/.cer$/, '.crt')
- if org_cert_file_name != cert_file_name
- if File.read(org_cert_file_name).match(/\A\s*---/)
- FileUtils.cp(org_cert_file_name, cert_file_name)
- else
- `openssl x509 --inform DER -in #{org_cert_file_name} --out #{cert_file_name}`
- end
- self.cert_file.retrieve_from_store!(File.basename(cert_file_name))
- end
- cert_file_md5 = `openssl x509 -noout -modulus -in #{cert_file_name} | openssl md5`
- private_key_md5 = `openssl rsa -noout -modulus -in #{self.private_key.file.file} | openssl md5`
- is_valid = (cert_file_md5 == private_key_md5)
- domain_names = `openssl x509 -text < #{cert_file_name} | grep 'DNS:' | sed 's/\s*DNS:\([a-z0-9.\-]*\)[,\s]\?/\1 /g'`.split('DNS:').map{|s| s.sub(',','').strip}.select{|s| s.present?} rescue []
- if domain_names.length == 0
- domain_names = [`openssl x509 -text < #{cert_file_name} | grep 'Subject' | grep 'CN =' | grep 'Subject' | grep 'CN =' |sed 's/\s*Subject: //g'`[0...-1].split(/, | = /).each_slice(2).to_h['CN']] rescue []
- end
- sign_algo_valid = `openssl x509 -text < #{cert_file_name} | grep 'Signature Algorithm: sha1'`[0...-1].blank? rescue false
 invalid_messages = []
- if !is_valid
+ if self.cert_file.present?
+ org_cert_file_name = self.cert_file.file.file.to_s
+ cert_file_name = org_cert_file_name.sub(/.cer$/, '.crt')
+ if org_cert_file_name != cert_file_name
+ if File.read(org_cert_file_name).match(/\A\s*---/)
+ FileUtils.cp(org_cert_file_name, cert_file_name)
+ else
+ `openssl x509 --inform DER -in #{org_cert_file_name} --out #{cert_file_name}`
+ end
+ self["cert_file"] = File.basename(cert_file_name)
+ self.cert_file.retrieve_from_store!(File.basename(cert_file_name))
+ end
+ cert_file_md5 = `openssl x509 -noout -modulus -in #{cert_file_name} | openssl md5`
+ domain_names = `openssl x509 -text < #{cert_file_name} | grep 'DNS:' | sed 's/\s*DNS:\([a-z0-9.\-]*\)[,\s]\?/\1 /g'`.split('DNS:').map{|s| s.sub(',','').strip}.select{|s| s.present?} rescue []
+ if domain_names.length == 0
+ domain_names = [`openssl x509 -text < #{cert_file_name} | grep 'Subject' | grep 'CN =' | grep 'Subject' | grep 'CN =' |sed 's/\s*Subject: //g'`[0...-1].split(/, | = /).each_slice(2).to_h['CN']] rescue []
+ end
+ sign_algo_valid = `openssl x509 -text < #{cert_file_name} | grep 'Signature Algorithm: sha1'`[0...-1].blank? rescue false
+ if !sign_algo_valid
+ invalid_messages << 'Signature Algorithm cannot use sha1, please use sha256'
+ end
+ if domain_names.blank?
+ invalid_messages << 'Domain Names(alt_names) is empty.'
+ end
+ end
+ if self.private_key.present?
+ private_key_md5 = `openssl rsa -noout -modulus -in #{self.private_key.file.file} | openssl md5`
+ end
+ self.is_valid = (cert_file_md5 ? (cert_file_md5 == private_key_md5) : false)
+ unless self.is_valid
 invalid_messages << 'cert and key not match'
 end
- if !sign_algo_valid
- invalid_messages << 'Signature Algorithm cannot use sha1, please use sha256'
- end
- if domain_names.blank?
- invalid_messages << 'Domain Names(alt_names) is empty.'
- end
 self.invalid_message = invalid_messages.join(', ')
- if is_valid
- is_valid = sign_algo_valid
+ if self.is_valid
+ self.is_valid = sign_algo_valid
 end
 if domain_names.blank?
 self.is_valid = false
@@ -72,7 +77,6 @@ class SiteCert
 end_date_text = `openssl x509 -text < #{cert_file_name} -enddate -noout`.split('=').last.strip
 self.start_date = DateTime.parse(start_date_text) rescue nil
 self.end_date = DateTime.parse(end_date_text) rescue nil
- self.is_valid = is_valid
 self.domain_names = domain_names
 end
 @skip_callback = true
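Review bot: The key-match test `self.is_valid = (cert_file_md5 ? (cert_file_md5 == private_key_md5) : false)` compares the md5 of whatever each pipeline wrote to stdout, so when `openssl x509 -modulus` and `openssl rsa -modulus` both reject their input (unparseable certificate, encrypted or non-RSA key) both sides hash empty output, compare equal, and an unusable upload is marked valid; a failed backtick command also returns `""`, which is truthy, so the `cert_file_md5 ?` guard only covers the absent-file case. The same pipelines interpolate the upload's path unquoted into the shell (`-in #{cert_file_name}`, `-in #{self.private_key.file.file}`), which should be avoided regardless of how the uploader sanitizes names. Parsing with the stdlib `OpenSSL` module (needs `require 'openssl'` if not already loaded) gives `cert.check_private_key(key)` for the match, `signature_algorithm` and the `subjectAltName` extension for the other checks, and removes both the shell and the `grep | sed` parsing; the rewrite is sketched below. `change_data` continues past this hunk, where `not_before`/`not_after` on the same object would replace the `-enddate` shell-outs as well. Separately, with `cert_file` absent the new guard leaves `cert_file_name` nil, and the unguarded `end_date_text` line in the second hunk appears to raise on `.last.strip` of an empty result.
```ruby
if self.cert_file.present?
  # … unchanged: .cer → .crt copy/convert and retrieve_from_store! …
  # Parse in-process; OpenSSL accepts PEM or DER and no shell sees the path.
  cert = begin
    OpenSSL::X509::Certificate.new(File.read(cert_file_name))
  rescue OpenSSL::X509::CertificateError, SystemCallError
    nil
  end
  san = cert && cert.extensions.find { |ext| ext.oid == 'subjectAltName' }
  domain_names = san ? san.value.scan(/DNS:([^,\s]+)/).flatten : []
  if domain_names.empty? && cert
    cn = cert.subject.to_a.find { |oid, _value, _type| oid == 'CN' }
    domain_names = cn ? [cn[1]] : []
  end
  sign_algo_valid = cert ? !cert.signature_algorithm.to_s.downcase.include?('sha1') : false
  # … unchanged: invalid_messages for sha1 / empty alt_names …
end
if self.private_key.present?
  key = begin
    OpenSSL::PKey.read(File.read(self.private_key.file.file.to_s))
  rescue OpenSSL::PKey::PKeyError, SystemCallError
    nil
  end
end
# A missing or unparseable file on either side is a mismatch, never a match.
self.is_valid = !!(cert && key && cert.check_private_key(key))
```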