authorRob Crittenden <rcritten@redhat.com>2010-02-01 14:00:28 -0500
committerRob Crittenden <rcritten@redhat.com>2010-02-02 14:02:46 -0500
commitdc55240fe8ce2f27aaca05a5287089080c902c85 (patch)
tree684f7a6d20927fc519dea6652536922d1f08bed2
parent8ca97cdf3541adefe11ca0fc4ac49f01e8fb6984 (diff)
Be more careful when base64-decoding certificates
Only decode certs that have a BEGIN/END block, otherwise assume it is in DER format.
-rw-r--r--ipalib/plugins/service.py9
-rw-r--r--ipaserver/install/certs.py13
-rw-r--r--ipaserver/install/service.py2
-rw-r--r--ipaserver/plugins/selfsign.py1
4 files changed, 9 insertions, 16 deletions
diff --git a/ipalib/plugins/service.py b/ipalib/plugins/service.py
index 6ad992f3b..a477de9ad 100644
--- a/ipalib/plugins/service.py
+++ b/ipalib/plugins/service.py
@@ -28,6 +28,7 @@ from ipalib import Str, Flag, Bytes
from ipalib.plugins.baseldap import *
from ipalib import x509
from pyasn1.error import PyAsn1Error
+from ipalib import _, ngettext
def get_serial(certificate):
@@ -37,16 +38,12 @@ def get_serial(certificate):
"""
if type(certificate) in (list, tuple):
certificate = certificate[0]
- try:
- certificate = base64.b64decode(certificate)
- except Exception:
- pass
try:
serial = x509.get_serial_number(certificate, type=x509.DER)
- except PyAsn1Error:
+ except PyAsn1Error, e:
raise errors.GenericError(
- format='Unable to decode certificate in entry'
+ format='Unable to decode certificate in entry: %s' % e
)
return serial
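Review bot: The new `format='Unable to decode certificate in entry: %s' % e` line pre-interpolates the decoder's text into the template; if GenericError applies `format` to its keyword arguments (as ipalib's PublicError does), a `%` inside that text would be re-parsed, and the string also bypasses the `_` translation helper that the first hunk of this file imports. Passing the detail as a keyword avoids both: `format=_('Unable to decode certificate in entry: %(error)s'), error=str(e)`. `except PyAsn1Error, e:` is Python 2-only syntax; `except PyAsn1Error as e:` is accepted from 2.6 onward and keeps the file portable. get_serial's docstring closes at the top of this hunk; with the base64 fallback removed it should state that `certificate` is expected to be DER bytes, since a base64 or PEM value now fails with the GenericError above.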
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 4fb794c82..080fe0092 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -476,11 +476,6 @@ class CertDB(object):
os.unlink(self.certreq_fname)
os.unlink(self.certder_fname)
- # On the off-chance the certificate is base64-encoded
- try:
- dercert = base64.b64decode(dercert)
- except:
- pass
return dercert
def create_signing_cert(self, nickname, hostname, other_certdb=None, subject=None):
@@ -593,11 +588,11 @@ class CertDB(object):
doc.unlink()
conn.close()
- # base64-decode the result
+ # base64-decode the result for uniformity
cert = base64.b64decode(cert)
# Write the certificate to a file. It will be imported in a later
- # step.
+ # step. This file will be read later to be imported.
f = open(cert_fname, "w")
f.write(cert)
f.close()
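Review bot: The decoded DER is written through `open(cert_fname, "w")` with an unguarded `f.write`/`f.close`, so an exception during the write leaves the handle open and a partial file behind; `with open(cert_fname, "wb") as f: f.write(cert)` closes it on every path and opens in binary mode, which is what the content is. The same three lines are repeated in the hunk at -682 below. The added comment says the same thing twice (`It will be imported in a later step. This file will be read later to be imported.`); a single sentence such as `# Write the DER certificate to a file; a later step imports it.` covers it, in both this hunk and the copy added at -682. The `base64.b64decode(cert)` just above has no guard, so a response that is not valid base64 raises from the codec rather than as a certificate-specific error; worth confirming the caller handles that. The enclosing method starts outside the hunk.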
@@ -682,9 +677,11 @@ class CertDB(object):
doc.unlink()
conn.close()
- # base64-decode the cert
+ # base64-decode the cert for uniformity
cert = base64.b64decode(cert)
+ # Write the certificate to a file. It will be imported in a later
+ # step. This file will be read later to be imported.
f = open(cert_fname, "w")
f.write(cert)
f.close()
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index 5aee093ec..d9db9ba45 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -169,7 +169,7 @@ class Service:
e = self.dercert.find('-----END CERTIFICATE-----')
s = s + 27
self.dercert = self.dercert[s:e]
- self.dercert = base64.b64decode(self.dercert)
+ self.dercert = base64.b64decode(self.dercert)
except Exception:
pass
dn = "krbprincipalname=%s,cn=services,cn=accounts,%s" % (self.principal, self.suffix)
diff --git a/ipaserver/plugins/selfsign.py b/ipaserver/plugins/selfsign.py
index af832a610..aaa869105 100644
--- a/ipaserver/plugins/selfsign.py
+++ b/ipaserver/plugins/selfsign.py
@@ -48,7 +48,6 @@ import tempfile
from pyasn1 import error
from ipalib.request import ugettext as _
from pyasn1.codec.der import encoder
-import base64
from ipalib.plugins.cert import get_csr_hostname
class ra(rabase.rabase):