diff --git a/src/allmydata/grid_manager.py b/src/allmydata/grid_manager.py
index 4c16b572a..fde88824e 100644
--- a/src/allmydata/grid_manager.py
+++ b/src/allmydata/grid_manager.py
@@ -346,7 +346,7 @@ def validate_grid_manager_certificate(gm_key, alleged_cert):
 return cert
-def create_grid_manager_verifier(keys, certs, now_fn=None, bad_cert=None):
+def create_grid_manager_verifier(keys, certs, public_key, now_fn=None, bad_cert=None):
 """
 Creates a predicate for confirming some Grid Manager-issued
 certificates against Grid Manager keys. A predicate is used
@@ -358,6 +358,9 @@ def create_grid_manager_verifier(keys, certs, now_fn=None, bad_cert=None):
 :param list certs: 1 or more Grid Manager certificates each of which
 is a `dict` containing 'signature' and 'certificate' keys.
+ :param str public_key: the identifier of the server we expect
+ certificates for.
+
 :param callable now_fn: a callable which returns the current UTC
 timestamp (or datetime.utcnow if None).
@@ -416,10 +419,11 @@ def create_grid_manager_verifier(keys, certs, now_fn=None, bad_cert=None):
 # if *any* certificate is still valid then we consider the server valid
 for cert in valid_certs:
 expires = datetime.utcfromtimestamp(cert['expires'])
- # cert_pubkey = keyutil.parse_pubkey(cert['public_key'].encode('ascii'))
- if expires > now:
- # not-expired
- return True
+ cert_pubkey = ed25519.verifying_key_from_string(cert['public_key'].encode('ascii'))
+ if cert['public_key'] == public_key:
+ if expires > now:
+ # not-expired
+ return True
 return False
 return validate
diff --git a/src/allmydata/storage_client.py b/src/allmydata/storage_client.py
index aa8431e05..293683f66 100644
--- a/src/allmydata/storage_client.py
+++ b/src/allmydata/storage_client.py
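Review bot: The new required parameter `public_key` is inserted in front of `now_fn`, so any existing caller that passed its clock callable positionally now binds it to `public_key` without any error — the predicate then compares certificate key strings against a function and returns False for every certificate. The two callers in this diff pass three positional arguments and are fine, but the misuse should fail loudly rather than silently reject every server; making the optional parameters keyword-only does that in one line: `def create_grid_manager_verifier(keys, certs, public_key, *, now_fn=None, bad_cert=None):`. The function body continues outside this hunk.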
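Review bot: The `:param str public_key:` text calls the value "the identifier of the server" but does not say how it is matched; the validate loop later in this function compares it with `==` against each certificate's `'public_key'` string, so the caller must supply exactly that encoding, which is what the storage_client hunk is guessing at with `"pub-{}".format(server_id)`. Suggest: `:param str public_key: the server's public key, as the exact string that appears in a certificate's 'public_key' field; certificates issued for any other key are ignored by the predicate.`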
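Review bot: `cert_pubkey` is assigned from `ed25519.verifying_key_from_string(...)` and never read; the actual match is the string comparison on the next line, so the parse only adds a failure path — a certificate whose `'public_key'` is not a parseable key (or is absent) would raise out of the predicate instead of being skipped, and I cannot see from here whether `valid_certs` already guarantees that field. Either drop the line or use the parsed key as the comparison; the two nested `if`s then collapse to `if cert['public_key'] == public_key and expires > now:` / `return True`. Since the predicate now rejects certificates for other keys, the positive test added in test_grid_manager.py should get a sibling that passes a certificate for a different key and asserts `verify()` is False. The enclosing `validate` closure and `create_grid_manager_verifier` both start outside this hunk.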
@@ -285,6 +285,7 @@ class StorageFarmBroker(service.MultiService):
 gm_verifier = create_grid_manager_verifier(
 self.storage_client_config.grid_manager_keys,
 server["ann"].get("grid-manager-certificates", []),
+ "pub-{}".format(server_id), # server_id is v0- not pub-v0-key .. for reasons?
 )
 s = NativeStorageServer(
diff --git a/src/allmydata/test/test_grid_manager.py b/src/allmydata/test/test_grid_manager.py
index bcea741d7..5323a6548 100644
--- a/src/allmydata/test/test_grid_manager.py
+++ b/src/allmydata/test/test_grid_manager.py
@@ -287,6 +287,7 @@ class GridManagerVerifier(SyncTestCase):
 verify = create_grid_manager_verifier(
 [self.gm._public_key],
 [cert0],
+ ed25519.string_from_verifying_key(pub0),
 )
 self.assertTrue(verify())
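Review bot: The added argument hard-codes a `"pub-"` prefix, and the trailing comment (`# server_id is v0- not pub-v0-key .. for reasons?`) is a question left in production code; if the assumption is wrong, the equality check this value feeds in create_grid_manager_verifier never matches and presumably every grid-manager-gated server is rejected with no error surfaced. Confirm the two formats and replace the question with the fact, e.g. `# certificates carry the full "pub-v0-..." key string; server_id is the bare "v0-..." form`, and pin it with a test that builds the verifier from a real announcement's server_id and a certificate issued for that server. The enclosing method continues past this hunk.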