Drop our own PKCS#10 ASN.1 decoder and use the one from python-nss

This patch:
- bumps up the minimum version of python-nss
- will initialize NSS with nodb if a CSR is loaded and it isn't already
  init'd
- will shutdown NSS if initialized in the RPC subsystem so we use right db
- updated and added a few more tests

Relying more on NSS introduces a bit of a problem. For NSS to work you
need to have initialized a database (either a real one or no_db). But once
you've initialized one and want to use another you have to close down the
first one.  I've added some code to nsslib.py to do just that. This could
potentially have some bad side-effects at some point, it works ok now.

4 files changed, 77 insertions, 45 deletions

diff --git a/tests/test_pkcs10/test3.csr b/tests/test_pkcs10/test3.csr
new file mode 100644
index 000000000..82c84d154
--- /dev/null
+++ b/tests/test_pkcs10/test3.csr
@@ -0,0 +1,3 @@
+-----BEGIN NEW CERTIFICATE REQUEST-----
+VGhpcyBpcyBhbiBpbnZhbGlkIENTUg==
+-----END NEW CERTIFICATE REQUEST-----
diff --git a/tests/test_pkcs10/test4.csr b/tests/test_pkcs10/test4.csr
new file mode 100644
index 000000000..9f08b802b
--- /dev/null
+++ b/tests/test_pkcs10/test4.csr
@@ -0,0 +1,4 @@
+-----BEGIN NEW CERTIFICATE REQUEST-----
+Invalidate data
+-----END NEW CERTIFICATE REQUEST-----
+
diff --git a/tests/test_pkcs10/test5.csr b/tests/test_pkcs10/test5.csr
new file mode 100644
index 000000000..41c3c1f3d
--- /dev/null
+++ b/tests/test_pkcs10/test5.csr
@@ -0,0 +1,20 @@
+
+Certificate request generated by Netscape certutil
+Phone: (not specified)
+
+Common Name: test.example.com
+Email: (not specified)
+Organization: IPA
+State: (not specified)
+Country: (not specified)
+
+-----BEGIN NEW CERTIFICATE REQUEST-----
+MIIBaDCB0gIBADApMQwwCgYDVQQKEwNJUEExGTAXBgNVBAMTEHRlc3QuZXhhbXBs

+ZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAPnSCLwl7IytP2HC7+zv

+nI2fe6oRCE/J8K1jIoiqS9engx3Yfe4kaXWWzcwmuUV57VhUmWDEQIbSREPdrVSi

+tWC55ilGmPOAEw+mP4qg6Ctb+d8Egmy1JVrpIYCLNXvEd3dAaimB0J+K3hKFRyHI

+2MzrIuFqqohRijkDLwB8oVVdAgMBAAGgADANBgkqhkiG9w0BAQUFAAOBgQACt37K

+j+RMEbqG8s0Uxs3FhcfiAx8Do99CDizY/b7hZEgMyG4dLmm+vSCBbxBrG5oMlxJD

+dxnpk0PQSknNkJVrCS/J1OTpOPRTi4VKATT3tHJAfDbWZTwcSelUCLQ4lREiuT3D

+WP4vKrLIxDJDb+/mwuV7WWo34E6MD9iTB1xINg==
+-----END NEW CERTIFICATE REQUEST-----
diff --git a/tests/test_pkcs10/test_pkcs10.py b/tests/test_pkcs10/test_pkcs10.py
index 66d205b96..4c8ba1366 100644
--- a/tests/test_pkcs10/test_pkcs10.py
+++ b/tests/test_pkcs10/test_pkcs10.py
@@ -26,6 +26,8 @@ import nose
 from tests.util import raises, PluginTester
 from ipalib import pkcs10
 from ipapython import ipautil
+import nss.nss as nss
+from nss.error import NSPRError
 
 class test_update(object):
     """
@@ -33,6 +35,7 @@ class test_update(object):
     """
 
     def setUp(self):
+        nss.nss_init_nodb()
         if ipautil.file_exists("test0.csr"):
             self.testdir="./"
         elif ipautil.file_exists("tests/test_pkcs10/test0.csr"):
@@ -53,15 +56,11 @@ class test_update(object):
         csr = self.read_file("test0.csr")
         request = pkcs10.load_certificate_request(csr)
 
-        attributes = request.get_attributes()
-        subject = request.get_subject()
-        components = subject.get_components()
-        compdict = dict(components)
+        subject = pkcs10.get_subject(request)
 
-        assert(attributes == ())
-        assert(compdict['CN'] == u'test.example.com')
-        assert(compdict['ST'] == u'California')
-        assert(compdict['C'] == u'US')
+        assert(subject.common_name == 'test.example.com')
+        assert(subject.state_name == 'California')
+        assert(subject.country_name == 'US')
 
     def test_1(self):
         """
@@ -70,23 +69,15 @@ class test_update(object):
         csr = self.read_file("test1.csr")
         request = pkcs10.load_certificate_request(csr)
 
-        attributes = request.get_attributes()
-        subject = request.get_subject()
-        components = subject.get_components()
-        compdict = dict(components)
-        attrdict = dict(attributes)
+        subject = pkcs10.get_subject(request)
 
-        assert(compdict['CN'] == u'test.example.com')
-        assert(compdict['ST'] == u'California')
-        assert(compdict['C'] == u'US')
+        assert(subject.common_name == 'test.example.com')
+        assert(subject.state_name == 'California')
+        assert(subject.country_name == 'US')
 
-        extensions = attrdict['1.2.840.113549.1.9.14']
-
-        for ext in range(len(extensions)):
-            if extensions[ext][0] == '2.5.29.17':
-                names = extensions[ext][2]
-                # check the dNSName field
-                assert(names[2] == [u'testlow.example.com'])
+        for extension in request.extensions:
+            if extension.oid_tag == nss.SEC_OID_X509_SUBJECT_ALT_NAME:
+                assert nss.x509_alt_name(extension.value)[0] == 'testlow.example.com'
 
     def test_2(self):
         """
@@ -95,25 +86,39 @@ class test_update(object):
         csr = self.read_file("test2.csr")
         request = pkcs10.load_certificate_request(csr)
 
-        attributes = request.get_attributes()
-        subject = request.get_subject()
-        components = subject.get_components()
-        compdict = dict(components)
-        attrdict = dict(attributes)
-
-        assert(compdict['CN'] == u'test.example.com')
-        assert(compdict['ST'] == u'California')
-        assert(compdict['C'] == u'US')
-
-        extensions = attrdict['1.2.840.113549.1.9.14']
-
-        for ext in range(len(extensions)):
-            if extensions[ext][0] == '2.5.29.17':
-                names = extensions[ext][2]
-                # check the dNSName field
-                assert(names[2] == [u'testlow.example.com'])
-            if extensions[ext][0] == '2.5.29.31':
-                urls = extensions[ext][2]
-                assert(len(urls) == 2)
-                assert(urls[0] == u'http://ca.example.com/my.crl')
-                assert(urls[1] == u'http://other.example.com/my.crl')
+        subject = pkcs10.get_subject(request)
+
+        assert(subject.common_name == 'test.example.com')
+        assert(subject.state_name == 'California')
+        assert(subject.country_name == 'US')
+
+        for extension in request.extensions:
+            if extension.oid_tag == nss.SEC_OID_X509_SUBJECT_ALT_NAME:
+                assert nss.x509_alt_name(extension.value)[0] == 'testlow.example.com'
+            if extension.oid_tag == nss.SEC_OID_X509_CRL_DIST_POINTS:
+                pts = nss.CRLDistributionPts(extension.value)
+                urls = pts[0].get_general_names()
+                assert('http://ca.example.com/my.crl' in urls)
+                assert('http://other.example.com/my.crl' in urls)
+
+    def test_3(self):
+        """
+        Test CSR with base64-encoded bogus data
+        """
+        csr = self.read_file("test3.csr")
+
+        try:
+            request = pkcs10.load_certificate_request(csr)
+        except NSPRError, nsprerr:
+            # (SEC_ERROR_BAD_DER) security library: improperly formatted DER-encoded message.
+            assert(nsprerr. errno== -8183)
+
+    def test_4(self):
+        """
+        Test CSR with badly formatted base64-encoded data
+        """
+        csr = self.read_file("test4.csr")
+        try:
+            request = pkcs10.load_certificate_request(csr)
+        except TypeError, typeerr:
+            assert(str(typeerr) == 'Incorrect padding')