author | Rob Crittenden <rcritten@redhat.com> | 2011-06-08 10:54:41 -0400 |
committer | Rob Crittenden <rcritten@redhat.com> | 2011-06-21 19:09:50 -0400 |
commit | dd69c7dbe68e8f8674994a54ea913f2dd2e52c32 (patch) | |
tree | 5fdc303354eb26a1d2cd206c81babdc73e8d51b9 /ipalib/plugins/host.py | |
parent | 3a36eced53e540fe8f2b23eadf7dffda080324de (diff) | |
Make data type of certificates more obvious/predictable internally.
For the most part certificates will be treated as being in DER format.
When we load a certificate we will generally accept it in any format but
will convert it to DER before proceeding in normalize_certificate().
This also re-arranges a bit of code to pull some certificate-specific
functions out of ipalib/plugins/service.py into ipalib/x509.py.
This also tries to use variable names to indicate what format the certificate
is in at any given point:
dercert: DER
cert: PEM
nsscert: a python-nss Certificate object
rawcert: unknown format
ticket 32
Diffstat (limited to 'ipalib/plugins/host.py')
-rw-r--r-- | ipalib/plugins/host.py | 22 |
1 files changed, 9 insertions, 13 deletions
diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py
index ec58e1e40..1cd3fc061 100644
--- a/ipalib/plugins/host.py
+++ b/ipalib/plugins/host.py
@@ -81,11 +81,7 @@ from ipalib import Str, Flag, Bytes
 from ipalib.plugins.baseldap import *
 from ipalib.plugins.service import split_principal
 from ipalib.plugins.service import validate_certificate
-from ipalib.plugins.service import normalize_certificate
 from ipalib.plugins.service import set_certificate_attrs
-from ipalib.plugins.service import make_pem, check_writable_file
-from ipalib.plugins.service import write_certificate
-from ipalib.plugins.service import verify_cert_subject
 from ipalib.plugins.dns import dns_container_exists, _record_types
 from ipalib.plugins.dns import add_forward_record
 from ipalib import _, ngettext
@@ -423,8 +419,8 @@ class host_add(LDAPCreate):
 del entry_attrs['random']
 cert = options.get('usercertificate')
 if cert:
-cert = normalize_certificate(cert)
-verify_cert_subject(ldap, keys[-1], cert)
+cert = x509.normalize_certificate(cert)
+x509.verify_cert_subject(ldap, keys[-1], cert)
 entry_attrs['usercertificate'] = cert
 entry_attrs['managedby'] = dn
 return dn
@@ -562,7 +558,7 @@ class host_del(LDAPDelete):
 self.obj.handle_not_found(*keys)
 
 if 'usercertificate' in entry_attrs:
-cert = normalize_certificate(entry_attrs.get('usercertificate')[0])
+cert = x509.normalize_certificate(entry_attrs.get('usercertificate')[0])
 try:
 serial = unicode(x509.get_serial_number(cert, x509.DER))
 try:
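Review bot: The host_show hunk later in this file rewrites `check_writable_file(options['out'])` as `util.check_writable_file(options['out'])`, but this import hunk only removes the `from ipalib.plugins.service import ...` lines and adds no `from ipalib import util`. `x509` is evidently already bound, since unchanged context lines call `x509.get_serial_number`, but whether `util` is imported above line 81 lies outside the hunk. If it is not, the regression is a NameError that surfaces only when `host-show` is run with `--out`, not at module load, so it would slip past an import-only smoke test. If it is missing, add `from ipalib import util` next to the existing `ipalib` imports.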
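Review bot: The commit message defines `cert` as PEM and `dercert` as DER, yet the new line `cert = x509.normalize_certificate(cert)` rebinds `cert` to what the message describes as DER output, so the variable name contradicts the convention this very commit introduces; the same pattern appears in the host_del hunk below and in the host_mod (`cert`, `oldcert`) and host_disable hunks. Renaming to `dercert = x509.normalize_certificate(cert)` and passing `dercert` to `x509.verify_cert_subject` and into `entry_attrs['usercertificate']` would keep the naming honest at the points where the format actually changes. If a rename is out of scope for this refactor, a one-line comment on the new line, `# DER from here on: normalize_certificate() converts any accepted input format`, at least records the transition. The pre_callback these lines belong to starts before the hunk.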
@@ -626,12 +622,12 @@ class host_mod(LDAPUpdate):
 if 'krbprincipalaux' not in obj_classes:
 obj_classes.append('krbprincipalaux')
 entry_attrs['objectclass'] = obj_classes
-cert = normalize_certificate(entry_attrs.get('usercertificate'))
+cert = x509.normalize_certificate(entry_attrs.get('usercertificate'))
 if cert:
-verify_cert_subject(ldap, keys[-1], cert)
+x509.verify_cert_subject(ldap, keys[-1], cert)
 (dn, entry_attrs_old) = ldap.get_entry(dn, ['usercertificate'])
 if 'usercertificate' in entry_attrs_old:
-oldcert = normalize_certificate(entry_attrs_old.get('usercertificate')[0])
+oldcert = x509.normalize_certificate(entry_attrs_old.get('usercertificate')[0])
 try:
 serial = unicode(x509.get_serial_number(oldcert, x509.DER))
 try:
@@ -733,10 +729,10 @@ class host_show(LDAPRetrieve):
 
 def forward(self, *keys, **options):
 if 'out' in options:
-check_writable_file(options['out'])
+util.check_writable_file(options['out'])
 result = super(host_show, self).forward(*keys, **options)
 if 'usercertificate' in result['result']:
-write_certificate(result['result']['usercertificate'][0], options['out'])
+x509.write_certificate(result['result']['usercertificate'][0], options['out'])
 result['summary'] = _('Certificate stored in file \'%(file)s\'') % dict(file=options['out'])
 return result
 else:
@@ -792,7 +788,7 @@ class host_disable(LDAPQuery):
 except errors.AlreadyInactive:
 pass
 if 'usercertificate' in entry_attrs:
-cert = normalize_certificate(entry_attrs.get('usercertificate')[0])
+cert = x509.normalize_certificate(entry_attrs.get('usercertificate')[0])
 try:
 serial = unicode(x509.get_serial_number(cert, x509.DER))
 try:
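Review bot: In the host_mod hunk, `cert = x509.normalize_certificate(entry_attrs.get('usercertificate'))` runs before the `if cert:` guard, so when the update carries no certificate the function receives None and must return something falsy rather than raise. The old call had the same shape, but this commit moves the implementation into ipalib/x509.py, so that tolerance of None is a contract worth re-confirming against the new code rather than assuming. Guarding the call removes the dependency: `rawcert = entry_attrs.get('usercertificate')` / `cert = x509.normalize_certificate(rawcert) if rawcert else None`. The enclosing pre_callback starts before the hunk, so I cannot see whether an earlier check already excludes the None case.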
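Review bot: In the host_show hunk, `util.check_writable_file(options['out'])` is deliberately placed before `super(host_show, self).forward(*keys, **options)`, so an unwritable output path is rejected before the request is forwarded; that ordering carries the intent but nothing states it, and a later refactor could move the check after the call without noticing. A short comment on the new line, `# validate the output path before forwarding the request so a bad --out fails fast`, would pin the ordering. The rest of forward() continues past the hunk.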