Diffstat (limited to 'ipaserver/plugins')
-rw-r--r-- | ipaserver/plugins/selfsign.py | 29 |
1 files changed, 28 insertions, 1 deletions
diff --git a/ipaserver/plugins/selfsign.py b/ipaserver/plugins/selfsign.py
index 7d5dafa7d..af832a610 100644
--- a/ipaserver/plugins/selfsign.py
+++ b/ipaserver/plugins/selfsign.py
@@ -38,13 +38,18 @@ if api.env.ra_plugin != 'selfsign':
 from ipalib import Backend
 from ipalib import errors
 from ipalib import x509
+from ipalib import pkcs10
 import subprocess
 import os
+import re
 from ipaserver.plugins import rabase
 from ipaserver.install import certs
 import tempfile
 from pyasn1 import error
 from ipalib.request import ugettext as _
+from pyasn1.codec.der import encoder
+import base64
+from ipalib.plugins.cert import get_csr_hostname
 
 class ra(rabase.rabase):
     """
@@ -79,6 +84,28 @@ class ra(rabase.rabase):
         .. [2] Base64 encoded
         """
+        try:
+            config = api.Command['config_show']()['result']
+            subject_base = config.get('ipacertificatesubjectbase')[0]
+            hostname = get_csr_hostname(csr)
+            request = pkcs10.load_certificate_request(csr)
+            base = re.split(',\s*(?=\w+=)', subject_base)
+            base.reverse()
+            base.append("CN=%s" % hostname)
+            request_subject = request.get_subject().get_components()
+            new_request = []
+            for r in request_subject:
+                new_request.append("%s=%s" % (r[0], r[1]))
+
+            if str(base).lower() != str(new_request).lower():
+                subject_base='CN=%s, %s' % (hostname, subject_base)
+                new_request.reverse()
+                raise errors.CertificateOperationError(error=_('Request subject \'%s\' does not match the form \'%s\'' % (", ".join(new_request), subject_base)))
+        except errors.CertificateOperationError, e:
+            raise e
+        except Exception, e:
+            raise errors.CertificateOperationError(error=_('unable to decode csr: %s' % e))
+
         # certutil wants the CSR to have have a header and footer. Add one
         # if it isn't there.
         s = csr.find('-----BEGIN NEW CERTIFICATE REQUEST-----')
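Review bot: `from pyasn1.codec.der import encoder` and `import base64` are added here but nothing in this commit uses them — the diffstat lists this file alone, all 28 insertions are visible, and none of them references `encoder` or `base64`. Drop both lines and keep only what the new subject check needs (`pkcs10`, `re`, `get_csr_hostname`). Importing `ipalib.plugins.cert` from an `ipaserver` backend plugin also makes the RA backend depend on a frontend command module; if that is deliberate, a one-line comment such as `# get_csr_hostname is the shared CSR-parsing helper in the cert plugin` would keep a later cleanup from "fixing" it.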
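Review bot: The subject comparison `if str(base).lower() != str(new_request).lower():` compares the repr() of two lists, so the outcome depends on how Python happens to quote each element (a value containing a single quote is rendered with double quotes) rather than on the RDN values themselves; compare element-wise instead, `if [s.lower() for s in base] != [s.lower() for s in new_request]:`. The trailing `except Exception` also wraps failures of the `config_show` call and the `ipacertificatesubjectbase` lookup as 'unable to decode csr', which sends an operator looking at the CSR when the server configuration is what is wrong — narrow that handler to the two parsing calls, or name the config step in the message. Note that `hostname` comes from the CSR itself via `get_csr_hostname`, so this block only enforces the shape `CN=<csr cn>, <subject base>` and, presumably, the caller is what authorizes that CN for the requesting principal; a comment above `try:` saying so would stop a reader from treating this as the authorization check. Two smaller points: the split pattern should be a raw string, `re.split(r',\s*(?=\w+=)', subject_base)`, and `raise e` should be a bare `raise` so the original traceback is kept. The enclosing method starts and ends outside this hunk.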
@@ -86,7 +113,7 @@ class ra(rabase.rabase):
             s = csr.find('-----BEGIN CERTIFICATE REQUEST-----')
             if s == -1:
                 csr = '-----BEGIN NEW CERTIFICATE REQUEST-----\n' + csr + \
-                      '-----END NEW CERTIFICATE REQUEST-----\n'
+                      '\n-----END NEW CERTIFICATE REQUEST-----\n'
 
         try:
             (csr_fd, csr_name) = tempfile.mkstemp()