authorMartin Babinsky <mbabinsk@redhat.com>2015-06-23 13:40:30 +0200
committerJan Cholasta <jcholast@redhat.com>2015-07-02 14:43:44 +0000
commit53b11b611766d79015e17298f2354b7688437e20 (patch)
tree7849c9900371bbb83545d83a4b3680d931a63cc9 /ipalib/x509.py
parent93dab56ebfa6801e4f032af4a57b7b2179ba29ff (diff)
reworked certificate normalization and revocation
Validation of certificate is now handled by `x509.validate_certificate'. Revocation of the host and service certificates was factored out to a separate function. Part of http://www.freeipa.org/page/V4/User_Certificates Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Diffstat (limited to 'ipalib/x509.py')
-rw-r--r--ipalib/x509.py14
1 files changed, 11 insertions, 3 deletions
diff --git a/ipalib/x509.py b/ipalib/x509.py
index a87dbf413..edd73ebdc 100644
--- a/ipalib/x509.py
+++ b/ipalib/x509.py
@@ -294,16 +294,24 @@ def normalize_certificate(rawcert):
# was base64-encoded and now its not or it came in as DER format.
# Let's decode it and see. Fetching the serial number will pass the
# certificate through the NSS DER parser.
+ validate_certificate(dercert, datatype=DER)
+
+ return dercert
+
+
+def validate_certificate(cert, datatype=PEM, dbdir=None):
+ """
+ Perform certificate validation by trying to load it into NSS database
+ """
try:
- serial = unicode(get_serial_number(dercert, DER))
- except NSPRError, nsprerr:
+ load_certificate(cert, datatype=datatype, dbdir=dbdir)
+ except NSPRError as nsprerr:
if nsprerr.errno == -8183: # SEC_ERROR_BAD_DER
raise errors.CertificateFormatError(
error=_('improperly formatted DER-encoded certificate'))
else:
raise errors.CertificateFormatError(error=str(nsprerr))
- return dercert
def write_certificate(rawcert, filename):
"""
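Review bot: The docstring on the new `validate_certificate` should say that it checks only that the certificate parses, because the body just calls `load_certificate` and maps `NSPRError` to `CertificateFormatError`; nothing visible in this hunk verifies the issuer chain, the validity period or revocation status, and a caller could read the name as a trust decision. I would word it as `"""Check that cert is a well-formed certificate by loading it through NSS; does not verify trust, expiry or revocation."""`. The context comment above the new call in `normalize_certificate` (whose body starts outside the hunk) still says "Fetching the serial number", which no longer matches the code. With `dbdir` now a parameter, the `else` branch reports every other `NSPRError` as a format error, which may mislabel a database-open failure if `load_certificate` can raise one; that function is not shown here, so this needs checking.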