authorRob Crittenden <rcritten@redhat.com>2009-11-24 16:07:44 -0500
committerJason Gerard DeRose <jderose@redhat.com>2009-11-30 18:10:09 -0700
commitab1667f3c1607a22c6df49ceba58274347bc5826 (patch)
treebc2e6102d3d9cd103d2418ad5372e164e0e7533d /ipaserver/plugins/selfsign.py
parent7c2c2d6130648fb6dd7c0e52d802cc6eff39ef95 (diff)
Use pyasn1-based PKCS#10 and X509v3 parsers instead of pyOpenSSL.
The pyOpenSSL PKCS#10 parser doesn't support attributes, so we can't identify requests with subject alt names. Subject alt names are only allowed if: - the host for the alt name exists in IPA - if binding as a host principal, the host is listed in the service's managedBy attribute
Diffstat (limited to 'ipaserver/plugins/selfsign.py')
-rw-r--r--ipaserver/plugins/selfsign.py19
1 files changed, 14 insertions, 5 deletions
diff --git a/ipaserver/plugins/selfsign.py b/ipaserver/plugins/selfsign.py
index 0ba7a7c44..d4b2efcf7 100644
--- a/ipaserver/plugins/selfsign.py
+++ b/ipaserver/plugins/selfsign.py
@@ -36,12 +36,13 @@ if api.env.ra_plugin != 'selfsign':
raise SkipPluginModule(reason='selfsign is not selected as RA plugin, it is %s' % api.env.ra_plugin)
from ipalib import Backend
from ipalib import errors
+from ipalib import x509
import subprocess
import os
from ipaserver.plugins import rabase
from ipaserver.install import certs
import tempfile
-from OpenSSL import crypto
+from pyasn1 import error
class ra(rabase.rabase):
"""
@@ -56,6 +57,15 @@ class ra(rabase.rabase):
:param request_type: The request type (defaults to ``'pkcs10'``).
"""
(csr_fd, csr_name) = tempfile.mkstemp()
+
+ # certutil wants the CSR to have have a header and footer. Add one
+ # if it isn't there.
+ s = csr.find('-----BEGIN NEW CERTIFICATE REQUEST-----')
+ if s == -1:
+ s = csr.find('-----BEGIN CERTIFICATE REQUEST-----')
+ if s == -1:
+ csr = '-----BEGIN NEW CERTIFICATE REQUEST-----\n' + csr + \
+ '-----END NEW CERTIFICATE REQUEST-----\n'
os.write(csr_fd, csr)
os.close(csr_fd)
(cert_fd, cert_name) = tempfile.mkstemp()
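Review bot: The armor-adding branch concatenates the END marker directly onto the CSR text, so a bare base64 blob that arrives without a trailing newline becomes `...==-----END NEW CERTIFICATE REQUEST-----` on a single line, which a PEM reader will not accept; normalise the newline explicitly: `csr = '-----BEGIN NEW CERTIFICATE REQUEST-----\n' + csr.strip() + \` followed by `'\n-----END NEW CERTIFICATE REQUEST-----\n'`. The check only looks for a BEGIN marker anywhere in the string and adds armor; it does not verify a matching END marker or that the body is a parseable PKCS#10, so presumably certutil's handling of the temp file (outside this hunk) is the only rejection point for malformed input — if that is intentional it deserves a comment such as `# Only adds armor; certutil is expected to reject anything that is not a valid PKCS#10.` The introductory comment also has a doubled word and should read `# certutil wants the CSR to have a header and footer. Add one`. The enclosing method starts before and ends after this hunk, so whether the temp file from mkstemp is removed when os.write raises cannot be seen here.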
@@ -101,16 +111,15 @@ class ra(rabase.rabase):
try:
# Grab the subject, reverse it, combine it and return it
- x509 = crypto.load_certificate(crypto.FILETYPE_PEM, cert)
- sub = x509.get_subject().get_components()
+ sub = list(x509.get_subject_components(cert))
sub.reverse()
subject = ""
for s in sub:
subject = subject + "%s=%s," % (s[0], s[1])
subject = subject[:-1]
- serial = x509.get_serial_number()
- except crypto.Error, e:
+ serial = x509.get_serial_number(cert)
+ except error.PyAsn1Error, e:
raise errors.GenericError(format='Unable to decode certificate in entry: %s' % str(e))
# To make it look like dogtag return just the base64 data.