Drop our own PKCS#10 ASN.1 decoder and use the one from python-nss

This patch: - bumps up the minimum version of python-nss - will initialize NSS with nodb if a CSR is loaded and it isn't already init'd - will shutdown NSS if initialized in the RPC subsystem so we use right db - updated and added a few more tests Relying more on NSS introduces a bit of a problem. For NSS to work you need to have initialized a database (either a real one or no_db). But once you've initialized one and want to use another you have to close down the first one. I've added some code to nsslib.py to do just that. This could potentially have some bad side-effects at some point, it works ok now.
author: Rob Crittenden <rcritten@redhat.com> 2010-07-20 14:00:43 -0400
committer: Rob Crittenden <rcritten@redhat.com> 2010-07-29 10:50:10 -0400
commit: b7ca3d68c28b54500a2f908c4e2e6c89b2433461 (patch)
tree: fca9d664df546fca527a8194e0b4e9e301aa1b06 /ipalib/plugins/cert.py
parent: 563c7cde407bc63621a14b1fddff972a105dfc50 (diff)
download: freeipa-b7ca3d68c28b54500a2f908c4e2e6c89b2433461.tar.gz
freeipa-b7ca3d68c28b54500a2f908c4e2e6c89b2433461.tar.xz
freeipa-b7ca3d68c28b54500a2f908c4e2e6c89b2433461.zip
1 files changed, 15 insertions, 25 deletions
diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py
index 1de4ac64e..ed1d65ad2 100644
--- a/ipalib/plugins/cert.py
+++ b/ipalib/plugins/cert.py
@@ -69,7 +69,6 @@ from ipalib import x509
 from ipalib.plugins.virtual import *
 from ipalib.plugins.service import split_principal
 import base64
-from pyasn1.error import PyAsn1Error
 import logging
 import traceback
 from ipalib.text import _
@@ -77,37 +76,31 @@ from ipalib.request import context
 from ipalib.output import Output
 from ipalib.plugins.service import validate_principal
 import nss.nss as nss
+from nss.error import NSPRError
 
 def get_csr_hostname(csr):
     """
-    Return the value of CN in the subject of the request
+    Return the value of CN in the subject of the request or None
     """
     try:
         request = pkcs10.load_certificate_request(csr)
-        sub = request.get_subject().get_components()
-        for s in sub:
-            if s[0].lower() == "cn":
-                return s[1]
-    except PyAsn1Error:
-        # The ASN.1 decoding errors tend to be long and involved and the
-        # last bit is generally not interesting. We need the whole traceback.
-        logging.error('Unable to decode CSR\n%s', traceback.format_exc())
-        raise errors.CertificateOperationError(error=_('Failure decoding Certificate Signing Request'))
-
-    return None
+        subject = pkcs10.get_subject(request)
+        return subject.common_name
+    except NSPRError, nsprerr:
+        raise errors.CertificateOperationError(error=_('Failure decoding Certificate Signing Request:'))
 
 def get_subjectaltname(csr):
     """
-    Return the value of the subject alt name, if any
+    Return the first value of the subject alt name, if any
     """
     try:
         request = pkcs10.load_certificate_request(csr)
-    except PyAsn1Error:
-        # The ASN.1 decoding errors tend to be long and involved and the
-        # last bit is generally not interesting. We need the whole traceback.
-        logging.error('Unable to decode CSR\n%s', traceback.format_exc())
+        for extension in request.extensions:
+            if extension.oid_tag == nss.SEC_OID_X509_SUBJECT_ALT_NAME:
+                return nss.x509_alt_name(extension.value)[0]
+        return None
+    except NSPRError, nsprerr:
         raise errors.CertificateOperationError(error=_('Failure decoding Certificate Signing Request'))
-    return request.get_subjectaltname()
 
 def validate_csr(ugettext, csr):
     """
@@ -116,13 +109,9 @@ def validate_csr(ugettext, csr):
     """
     try:
         request = pkcs10.load_certificate_request(csr)
-
-        # Explicitly request the attributes. This fires off additional
-        # decoding to get things like the subjectAltName.
-        attrs = request.get_attributes()
     except TypeError, e:
         raise errors.Base64DecodeError(reason=str(e))
-    except PyAsn1Error:
+    except NSPRError:
         raise errors.CertificateOperationError(error=_('Failure decoding Certificate Signing Request'))
     except Exception, e:
         raise errors.CertificateOperationError(error=_('Failure decoding Certificate Signing Request: %s') % str(e))
@@ -290,7 +279,8 @@ class cert_request(VirtualCommand):
             raise errors.ACIError(info="Insufficient 'write' privilege to the 'userCertificate' attribute of entry '%s'." % dn)
 
         # Validate the subject alt name, if any
-        subjectaltname = get_subjectaltname(csr)
+        request = pkcs10.load_certificate_request(csr)
+        subjectaltname = pkcs10.get_subjectaltname(request)
         if subjectaltname is not None:
             for name in subjectaltname:
                 try:
author	Rob Crittenden <rcritten@redhat.com>	2010-07-20 14:00:43 -0400
committer	Rob Crittenden <rcritten@redhat.com>	2010-07-29 10:50:10 -0400
commit	b7ca3d68c28b54500a2f908c4e2e6c89b2433461 (patch)
tree	fca9d664df546fca527a8194e0b4e9e301aa1b06 /ipalib/plugins/cert.py
parent	563c7cde407bc63621a14b1fddff972a105dfc50 (diff)
download	freeipa-b7ca3d68c28b54500a2f908c4e2e6c89b2433461.tar.gz freeipa-b7ca3d68c28b54500a2f908c4e2e6c89b2433461.tar.xz freeipa-b7ca3d68c28b54500a2f908c4e2e6c89b2433461.zip