diff options
Diffstat (limited to 'ipalib/plugins/cert.py')
-rw-r--r-- | ipalib/plugins/cert.py | 40 |
1 files changed, 15 insertions, 25 deletions
diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py index 1de4ac64e..ed1d65ad2 100644 --- a/ipalib/plugins/cert.py +++ b/ipalib/plugins/cert.py @@ -69,7 +69,6 @@ from ipalib import x509 from ipalib.plugins.virtual import * from ipalib.plugins.service import split_principal import base64 -from pyasn1.error import PyAsn1Error import logging import traceback from ipalib.text import _ @@ -77,37 +76,31 @@ from ipalib.request import context from ipalib.output import Output from ipalib.plugins.service import validate_principal import nss.nss as nss +from nss.error import NSPRError def get_csr_hostname(csr): """ - Return the value of CN in the subject of the request + Return the value of CN in the subject of the request or None """ try: request = pkcs10.load_certificate_request(csr) - sub = request.get_subject().get_components() - for s in sub: - if s[0].lower() == "cn": - return s[1] - except PyAsn1Error: - # The ASN.1 decoding errors tend to be long and involved and the - # last bit is generally not interesting. We need the whole traceback. - logging.error('Unable to decode CSR\n%s', traceback.format_exc()) - raise errors.CertificateOperationError(error=_('Failure decoding Certificate Signing Request')) - - return None + subject = pkcs10.get_subject(request) + return subject.common_name + except NSPRError, nsprerr: + raise errors.CertificateOperationError(error=_('Failure decoding Certificate Signing Request:')) def get_subjectaltname(csr): """ - Return the value of the subject alt name, if any + Return the first value of the subject alt name, if any """ try: request = pkcs10.load_certificate_request(csr) - except PyAsn1Error: - # The ASN.1 decoding errors tend to be long and involved and the - # last bit is generally not interesting. We need the whole traceback. - logging.error('Unable to decode CSR\n%s', traceback.format_exc()) + for extension in request.extensions: + if extension.oid_tag == nss.SEC_OID_X509_SUBJECT_ALT_NAME: + return nss.x509_alt_name(extension.value)[0] + return None + except NSPRError, nsprerr: raise errors.CertificateOperationError(error=_('Failure decoding Certificate Signing Request')) - return request.get_subjectaltname() def validate_csr(ugettext, csr): """ @@ -116,13 +109,9 @@ def validate_csr(ugettext, csr): """ try: request = pkcs10.load_certificate_request(csr) - - # Explicitly request the attributes. This fires off additional - # decoding to get things like the subjectAltName. - attrs = request.get_attributes() except TypeError, e: raise errors.Base64DecodeError(reason=str(e)) - except PyAsn1Error: + except NSPRError: raise errors.CertificateOperationError(error=_('Failure decoding Certificate Signing Request')) except Exception, e: raise errors.CertificateOperationError(error=_('Failure decoding Certificate Signing Request: %s') % str(e)) @@ -290,7 +279,8 @@ class cert_request(VirtualCommand): raise errors.ACIError(info="Insufficient 'write' privilege to the 'userCertificate' attribute of entry '%s'." % dn) # Validate the subject alt name, if any - subjectaltname = get_subjectaltname(csr) + request = pkcs10.load_certificate_request(csr) + subjectaltname = pkcs10.get_subjectaltname(request) if subjectaltname is not None: for name in subjectaltname: try: |