Make data type of certificates more obvious/predictable internally.

For the most part certificates will be treated as being in DER format.
When we load a certificate we will generally accept it in any format but
will convert it to DER before proceeding in normalize_certificate().

This also re-arranges a bit of code to pull some certificate-specific
functions out of ipalib/plugins/service.py into ipalib/x509.py.

This also tries to use variable names to indicate what format the certificate
is in at any given point:

dercert: DER
cert: PEM
nsscert: a python-nss Certificate object
rawcert: unknown format

ticket 32

1 files changed, 15 insertions, 2 deletions

diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index da89370af..07dda2cc0 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -432,11 +432,22 @@ class CertDB(object):
             except RuntimeError:
                 break
 
-    def get_cert_from_db(self, nickname):
+    def get_cert_from_db(self, nickname, pem=True):
+        """
+        Retrieve a certificate from the current NSS database for nickname.
+
+        pem controls whether the value returned PEM or DER-encoded. The
+        default is the data straight from certutil -a.
+        """
         try:
             args = ["-L", "-n", nickname, "-a"]
             (cert, err, returncode) = self.run_certutil(args)
-            return cert
+            if pem:
+                return cert
+            else:
+                (cert, start) = find_cert_from_txt(cert, start=0)
+                dercert = base64.b64decode(cert)
+                return dercert
         except ipautil.CalledProcessError:
             return ''
 
@@ -501,6 +512,8 @@ class CertDB(object):
         that will issue our cert.
 
         You can override the certificate Subject by specifying a subject.
+
+        Returns a certificate in DER format.
         """
         cdb = other_certdb
         if not cdb: