From 18aa73e06e30939b6b8d0a2c6def41fb6bd4eef8 Mon Sep 17 00:00:00 2001
From: Martin Kosek <mkosek@redhat.com>
Date: Wed, 27 Jul 2011 11:02:00 +0200
Subject: Fix invalid issuer in unit tests

Fix several test failures when issuer does not match the one
generated by make-testcert (CN=Certificate Authority,O=<realm>).

https://fedorahosted.org/freeipa/ticket/1527
---
 ipalib/x509.py | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

(limited to 'ipalib/x509.py')

diff --git a/ipalib/x509.py b/ipalib/x509.py
index e757e1d1f..23f337edc 100644
--- a/ipalib/x509.py
+++ b/ipalib/x509.py
@@ -45,6 +45,10 @@ from ipalib import errors
 PEM = 0
 DER = 1
 
+def valid_issuer(issuer, realm):
+    return issuer in ('CN=%s Certificate Authority' % realm,
+                      'CN=Certificate Authority,O=%s' % realm,)
+
 def strip_header(pem):
     """
     Remove the header and footer from a certificate.
@@ -187,8 +191,7 @@ def verify_cert_subject(ldap, hostname, dercert):
     issuer = str(nsscert.issuer)
 
     # Handle both supported forms of issuer, from selfsign and dogtag.
-    if ((issuer != 'CN=%s Certificate Authority' % api.env.realm) and
-        (issuer != 'CN=Certificate Authority,O=%s' % api.env.realm)):
+    if (not valid_issuer(issuer, api.env.realm)):
         raise errors.CertificateOperationError(error=_('Issuer "%(issuer)s" does not match the expected issuer') % \
         {'issuer' : issuer})
 
-- 
cgit