summaryrefslogtreecommitdiffstats
path: root/ipalib/plugins
diff options
context:
space:
mode:
authorRob Crittenden <rcritten@redhat.com>2010-07-20 14:00:43 -0400
committerRob Crittenden <rcritten@redhat.com>2010-07-29 10:50:10 -0400
commitb7ca3d68c28b54500a2f908c4e2e6c89b2433461 (patch)
treefca9d664df546fca527a8194e0b4e9e301aa1b06 /ipalib/plugins
parent563c7cde407bc63621a14b1fddff972a105dfc50 (diff)
downloadfreeipa-b7ca3d68c28b54500a2f908c4e2e6c89b2433461.tar.gz
freeipa-b7ca3d68c28b54500a2f908c4e2e6c89b2433461.tar.xz
freeipa-b7ca3d68c28b54500a2f908c4e2e6c89b2433461.zip
Drop our own PKCS#10 ASN.1 decoder and use the one from python-nss
This patch: - bumps up the minimum version of python-nss - will initialize NSS with nodb if a CSR is loaded and it isn't already init'd - will shutdown NSS if initialized in the RPC subsystem so we use right db - updated and added a few more tests Relying more on NSS introduces a bit of a problem. For NSS to work you need to have initialized a database (either a real one or no_db). But once you've initialized one and want to use another you have to close down the first one. I've added some code to nsslib.py to do just that. This could potentially have some bad side-effects at some point, it works ok now.
Diffstat (limited to 'ipalib/plugins')
-rw-r--r--ipalib/plugins/cert.py40
1 files changed, 15 insertions, 25 deletions
diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py
index 1de4ac64e..ed1d65ad2 100644
--- a/ipalib/plugins/cert.py
+++ b/ipalib/plugins/cert.py
@@ -69,7 +69,6 @@ from ipalib import x509
from ipalib.plugins.virtual import *
from ipalib.plugins.service import split_principal
import base64
-from pyasn1.error import PyAsn1Error
import logging
import traceback
from ipalib.text import _
@@ -77,37 +76,31 @@ from ipalib.request import context
from ipalib.output import Output
from ipalib.plugins.service import validate_principal
import nss.nss as nss
+from nss.error import NSPRError
def get_csr_hostname(csr):
"""
- Return the value of CN in the subject of the request
+ Return the value of CN in the subject of the request or None
"""
try:
request = pkcs10.load_certificate_request(csr)
- sub = request.get_subject().get_components()
- for s in sub:
- if s[0].lower() == "cn":
- return s[1]
- except PyAsn1Error:
- # The ASN.1 decoding errors tend to be long and involved and the
- # last bit is generally not interesting. We need the whole traceback.
- logging.error('Unable to decode CSR\n%s', traceback.format_exc())
- raise errors.CertificateOperationError(error=_('Failure decoding Certificate Signing Request'))
-
- return None
+ subject = pkcs10.get_subject(request)
+ return subject.common_name
+ except NSPRError, nsprerr:
+ raise errors.CertificateOperationError(error=_('Failure decoding Certificate Signing Request:'))
def get_subjectaltname(csr):
"""
- Return the value of the subject alt name, if any
+ Return the first value of the subject alt name, if any
"""
try:
request = pkcs10.load_certificate_request(csr)
- except PyAsn1Error:
- # The ASN.1 decoding errors tend to be long and involved and the
- # last bit is generally not interesting. We need the whole traceback.
- logging.error('Unable to decode CSR\n%s', traceback.format_exc())
+ for extension in request.extensions:
+ if extension.oid_tag == nss.SEC_OID_X509_SUBJECT_ALT_NAME:
+ return nss.x509_alt_name(extension.value)[0]
+ return None
+ except NSPRError, nsprerr:
raise errors.CertificateOperationError(error=_('Failure decoding Certificate Signing Request'))
- return request.get_subjectaltname()
def validate_csr(ugettext, csr):
"""
@@ -116,13 +109,9 @@ def validate_csr(ugettext, csr):
"""
try:
request = pkcs10.load_certificate_request(csr)
-
- # Explicitly request the attributes. This fires off additional
- # decoding to get things like the subjectAltName.
- attrs = request.get_attributes()
except TypeError, e:
raise errors.Base64DecodeError(reason=str(e))
- except PyAsn1Error:
+ except NSPRError:
raise errors.CertificateOperationError(error=_('Failure decoding Certificate Signing Request'))
except Exception, e:
raise errors.CertificateOperationError(error=_('Failure decoding Certificate Signing Request: %s') % str(e))
@@ -290,7 +279,8 @@ class cert_request(VirtualCommand):
raise errors.ACIError(info="Insufficient 'write' privilege to the 'userCertificate' attribute of entry '%s'." % dn)
# Validate the subject alt name, if any
- subjectaltname = get_subjectaltname(csr)
+ request = pkcs10.load_certificate_request(csr)
+ subjectaltname = pkcs10.get_subjectaltname(request)
if subjectaltname is not None:
for name in subjectaltname:
try: