authorRob Crittenden <rcritten@redhat.com>2010-07-20 14:00:43 -0400
committerRob Crittenden <rcritten@redhat.com>2010-07-29 10:50:10 -0400
commitb7ca3d68c28b54500a2f908c4e2e6c89b2433461 (patch)
treefca9d664df546fca527a8194e0b4e9e301aa1b06 /ipaserver/plugins/selfsign.py
parent563c7cde407bc63621a14b1fddff972a105dfc50 (diff)
Drop our own PKCS#10 ASN.1 decoder and use the one from python-nss
This patch: - bumps up the minimum version of python-nss - will initialize NSS with nodb if a CSR is loaded and it isn't already initialized - will shut down NSS if it was initialized in the RPC subsystem so we use the right db - updates and adds a few more tests. Relying more on NSS introduces a bit of a problem. For NSS to work you need to have initialized a database (either a real one or no_db). But once you've initialized one and want to use another you have to close down the first one. I've added some code to nsslib.py to do just that. This could potentially have some bad side-effects at some point; it works ok now.
Diffstat (limited to 'ipaserver/plugins/selfsign.py')
-rw-r--r--ipaserver/plugins/selfsign.py28
1 files changed, 11 insertions, 17 deletions
diff --git a/ipaserver/plugins/selfsign.py b/ipaserver/plugins/selfsign.py
index 39d1c539f..5333a89a3 100644
--- a/ipaserver/plugins/selfsign.py
+++ b/ipaserver/plugins/selfsign.py
@@ -45,10 +45,9 @@ import re
from ipaserver.plugins import rabase
from ipaserver.install import certs
import tempfile
-from pyasn1 import error
from ipalib import _
-from pyasn1.codec.der import encoder
from ipalib.plugins.cert import get_csr_hostname
+from nss.error import NSPRError
class ra(rabase.rabase):
"""
@@ -87,23 +86,19 @@ class ra(rabase.rabase):
config = api.Command['config_show']()['result']
subject_base = config.get('ipacertificatesubjectbase')[0]
hostname = get_csr_hostname(csr)
- request = pkcs10.load_certificate_request(csr)
base = re.split(',\s*(?=\w+=)', subject_base)
- base.reverse()
- base.append("CN=%s" % hostname)
- request_subject = request.get_subject().get_components()
- new_request = []
- for r in request_subject:
- new_request.append("%s=%s" % (r[0], r[1]))
-
- if str(base).lower() != str(new_request).lower():
- subject_base='CN=%s, %s' % (hostname, subject_base)
- new_request.reverse()
+ base.insert(0,'CN=%s' % hostname)
+ subject_base = ",".join(base)
+ request = pkcs10.load_certificate_request(csr)
+ # python-nss normalizes the request subject
+ request_subject = str(pkcs10.get_subject(request))
+
+ if str(subject_base).lower() != request_subject.lower():
raise errors.CertificateOperationError(error=_('Request subject "%(request_subject)s" does not match the form "%(subject_base)s"') % \
- {'request_subject' : ', '.join(new_request), 'subject_base' : subject_base})
+ {'request_subject' : request_subject, 'subject_base' : subject_base})
except errors.CertificateOperationError, e:
raise e
- except Exception, e:
+ except NSPRError, e:
raise errors.CertificateOperationError(error=_('unable to decode csr: %s' % e))
# certutil wants the CSR to have have a header and footer. Add one
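Review bot: Narrowing the handler from `except Exception, e:` to `except NSPRError, e:` means any non-NSPR failure while decoding an untrusted CSR (for instance a base64 or value error raised before NSS sees the data, if pkcs10.load_certificate_request or get_csr_hostname can raise one — I cannot see their bodies here) now escapes as an unhandled server error instead of the CertificateOperationError the caller expects; consider keeping a trailing `except Exception, e:` fallback after the NSPRError clause, or confirming that every raise in that try body is an NSPRError. The new comparison `",".join(base)` against `str(pkcs10.get_subject(request))` depends on NSS's normalized form using a bare comma separator with no spaces, which the comment on the get_subject line does not state; I would extend it to `# python-nss normalizes the request subject to "ATTR=value,ATTR=value" (no spaces); base must be joined the same way`. The try whose except clauses appear here begins before this hunk.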
@@ -207,11 +202,10 @@ class ra(rabase.rabase):
pass
try:
- # Grab the subject, reverse it, combine it and return it
subject = x509.get_subject(cert)
serial = x509.get_serial_number(cert)
- except error.PyAsn1Error, e:
+ except NSPRError, e:
self.log.error('Unable to decode certificate in entry: %s' % str(e))
raise errors.CertificateOperationError(error='Unable to decode certificate in entry: %s' % str(e))