Replaced the Popen commands in check_cert_key to use OpenSSL

ssm/crypto.py

@@ -49,10 +49,7 @@ def _from_file(filename):
 
 
 def check_cert_key(certpath, keypath):
-    """Check that a certificate and a key match.
-
-    Uses openssl directly to fetch the modulus of each, which must be the same.
-    """
+    """Check that a certificate and a key match."""
     try:
         cert = _from_file(certpath)
         key = _from_file(keypath)
@@ -64,23 +61,32 @@ def check_cert_key(certpath, keypath):
     if cert == key:
         return False
 
-    p1 = Popen(['openssl', 'x509', '-pubkey', '-noout'],
-               stdin=PIPE, stdout=PIPE, stderr=PIPE, universal_newlines=True)
-    pubkey1, error = p1.communicate(cert)
+    try:
+        certificate = OpenSSL.crypto.load_certificate(
+            OpenSSL.crypto.FILETYPE_PEM, cert
+        )
+        crypto_public_key = certificate.get_pubkey()
+        certificate_public_key = OpenSSL.crypto.dump_publickey(
+            OpenSSL.crypto.FILETYPE_PEM, crypto_public_key
+        )
 
-    if error != '':
+    except OpenSSL.crypto.Error as error:
         log.error(error)
         return False
 
-    p2 = Popen(['openssl', 'pkey', '-pubout'],
-               stdin=PIPE, stdout=PIPE, stderr=PIPE, universal_newlines=True)
-    pubkey2, error = p2.communicate(key)
+    try:
+        private_key = OpenSSL.crypto.load_privatekey(
+            OpenSSL.crypto.FILETYPE_PEM, key
+        )
+        private_public_key = OpenSSL.crypto.dump_publickey(
+            OpenSSL.crypto.FILETYPE_PEM, private_key
+        )
 
-    if error != '':
+    except OpenSSL.crypto.Error as error:
         log.error(error)
         return False
 
-    return pubkey1.strip() == pubkey2.strip()
+    return certificate_public_key.strip() == private_public_key.strip()
 
 def sign(text, certpath, keypath):
     """Sign the message using the certificate and key in the files specified.