Add ca-only policy

This policy forces CA validation every time. This also checks things like date validity.
2026-05-07 17:27:16 +00:00 · 2026-05-05 14:39:42 -04:00
parent 454e1b8267
commit cc70dcfa2b
1 changed files with 3 additions and 2 deletions
@@ -314,7 +314,7 @@ class TLSCertVerifier(object):
                tasks.spawn(self.cfm.set_node_attributes(
                    {self.node: {self.fieldname: fingerprint}}))
                return True
-        elif cert_matches(storedprint, certificate):
+        elif cert_matches(storedprint, certificate) and newpolicy != 'ca-only':
            return True
        fingerprint = get_fingerprint(certificate, 'sha256')
        # No pinned certificate match
@@ -328,7 +328,8 @@ class TLSCertVerifier(object):
                        {self.node: {self.fieldname: fingerprint}}))
                    return True
            except Exception:
-                pass
+                if newpolicy == 'ca-only':
+                    raise
        raise cexc.PubkeyInvalid(
            'Mismatched certificate detected', certificate, fingerprint,
            self.fieldname, 'mismatch')