From 4ae3f815ba8e8f910cd2179c5ed402e7c3ea3db8 Mon Sep 17 00:00:00 2001
From: Jan Cholasta
Date: Tue, 10 Jun 2014 14:19:07 +0200
Subject: Add functions for extracting certificates fields in DER to ipalib.x509.

Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520

Reviewed-By: Rob Crittenden
---
 ipalib/x509.py | 55 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 55 insertions(+)
(limited to 'ipalib/x509.py')

diff --git a/ipalib/x509.py b/ipalib/x509.py
index 2d38261f6..bc9ea5f25 100644
--- a/ipalib/x509.py
+++ b/ipalib/x509.py
@@ -37,6 +37,8 @@ import base64
 import re
 import nss.nss as nss
 from nss.error import NSPRError
+from pyasn1.type import univ, namedtype, tag
+from pyasn1.codec.der import decoder, encoder
 from ipapython import ipautil
 from ipalib import api
 from ipalib import _
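Review bot: The two added imports make pyasn1 an unconditional runtime dependency of ipalib.x509, loaded at import time next to the existing nss import. The project's dependency declarations are not part of this patch, so it is worth confirming they list pyasn1 as well; otherwise importing this module fails on a host that only has the previous dependencies installed. The new lines sit with the other third-party imports, which matches the file's existing grouping.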
@@ -171,6 +173,59 @@ def is_self_signed(certificate, datatype=PEM, dbdir=None):
 del nsscert
 return self_signed

+class _TBSCertificate(univ.Sequence):
+ componentType = namedtype.NamedTypes(
+ namedtype.NamedType(
+ 'version',
+ univ.Integer().subtype(explicitTag=tag.Tag(
+ tag.tagClassContext, tag.tagFormatSimple, 0))),
+ namedtype.NamedType('serialNumber', univ.Integer()),
+ namedtype.NamedType('signature', univ.Sequence()),
+ namedtype.NamedType('issuer', univ.Sequence()),
+ namedtype.NamedType('validity', univ.Sequence()),
+ namedtype.NamedType('subject', univ.Sequence()),
+ namedtype.NamedType('subjectPublicKeyInfo', univ.Sequence()),
+ namedtype.OptionalNamedType(
+ 'issuerUniquedID',
+ univ.BitString().subtype(implicitTag=tag.Tag(
+ tag.tagClassContext, tag.tagFormatSimple, 1))),
+ namedtype.OptionalNamedType(
+ 'subjectUniquedID',
+ univ.BitString().subtype(implicitTag=tag.Tag(
+ tag.tagClassContext, tag.tagFormatSimple, 2))),
+ namedtype.OptionalNamedType(
+ 'extensions',
+ univ.Sequence().subtype(explicitTag=tag.Tag(
+ tag.tagClassContext, tag.tagFormatSimple, 3))),
+ )
+
+class _Certificate(univ.Sequence):
+ componentType = namedtype.NamedTypes(
+ namedtype.NamedType('tbsCertificate', _TBSCertificate()),
+ namedtype.NamedType('signatureAlgorithm', univ.Sequence()),
+ namedtype.NamedType('signature', univ.BitString()),
+ )
+
+def _get_der_field(cert, datatype, dbdir, field):
+ cert = load_certificate(cert, datatype, dbdir)
+ cert = cert.der_data
+ cert = decoder.decode(cert, _Certificate())[0]
+ field = cert['tbsCertificate'][field]
+ field = encoder.encode(field)
+ return field
+
+def get_der_subject(cert, datatype=PEM, dbdir=None):
+ return _get_der_field(cert, datatype, dbdir, 'subject')
+
+def get_der_issuer(cert, datatype=PEM, dbdir=None):
+ return _get_der_field(cert, datatype, dbdir, 'issuer')
+
+def get_der_serial_number(cert, datatype=PEM, dbdir=None):
+ return _get_der_field(cert, datatype, dbdir, 'serialNumber')
+
+def get_der_public_key_info(cert, datatype=PEM, dbdir=None):
+ return _get_der_field(cert, datatype, dbdir, 'subjectPublicKeyInfo')
+
 def make_pem(data):
 """
 Convert a raw base64-encoded blob into something that looks like a PE
-- cgit
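Review bot: `_TBSCertificate` declares `version` as a mandatory `NamedType`, but RFC 5280 defines it as `[0] EXPLICIT Version DEFAULT v1`, so a v1 certificate omits the field entirely under DER and `decoder.decode` in `_get_der_field` will reject such a certificate with a pyasn1 error; `namedtype.DefaultedNamedType('version', univ.Integer(0).subtype(...))` accepts both forms. The `signature`, `issuer`, `validity`, `subject` and `subjectPublicKeyInfo` fields are decoded into untyped `univ.Sequence()` values and then re-encoded, which yields freshly canonicalised DER rather than the certificate's original octets — if the returned bytes are later compared with bytes taken from the certificate itself (the issuer/subject of a lookup, say), a field whose original encoding is not strictly DER would no longer match; typing those fields as `univ.Any()` keeps the original TLV bytes and `encoder.encode` returns them unchanged. The optional fields `issuerUniquedID` and `subjectUniquedID` are misspellings of RFC 5280's `issuerUniqueID`/`subjectUniqueID`; they are internal to the schema, so only the spelling needs fixing. `_get_der_field` also rebinds `cert` and `field` to three different kinds of value in five lines; separate names for the decoded certificate and the encoded result, plus a one-line docstring saying it returns the DER TLV of the requested tbsCertificate field, would make the helper easier to follow.
```python
class _TBSCertificate(univ.Sequence):
    componentType = namedtype.NamedTypes(
        # version is DEFAULT v1 in RFC 5280, so a v1 certificate omits it entirely
        namedtype.DefaultedNamedType(
            'version',
            univ.Integer(0).subtype(explicitTag=tag.Tag(
                tag.tagClassContext, tag.tagFormatSimple, 0))),
        namedtype.NamedType('serialNumber', univ.Integer()),
        # Any keeps the original DER octets, so re-encoding returns them unchanged
        namedtype.NamedType('signature', univ.Any()),
        namedtype.NamedType('issuer', univ.Any()),
        namedtype.NamedType('validity', univ.Any()),
        namedtype.NamedType('subject', univ.Any()),
        namedtype.NamedType('subjectPublicKeyInfo', univ.Any()),
        # … unchanged: issuerUniqueID, subjectUniqueID, extensions …
    )
```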