From dd69c7dbe68e8f8674994a54ea913f2dd2e52c32 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Wed, 8 Jun 2011 10:54:41 -0400 Subject: Make data type of certificates more obvious/predictable internally. For the most part certificates will be treated as being in DER format. When we load a certificate we will generally accept it in any format but will convert it to DER before proceeding in normalize_certificate(). This also re-arranges a bit of code to pull some certificate-specific functions out of ipalib/plugins/service.py into ipalib/x509.py. This also tries to use variable names to indicate what format the certificate is in at any given point: dercert: DER cert: PEM nsscert: a python-nss Certificate object rawcert: unknown format ticket 32 --- ipaserver/install/cainstance.py | 14 +++----------- 1 file changed, 3 insertions(+), 11 deletions(-) (limited to 'ipaserver/install/cainstance.py') diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 30aa9f525..001e6eb09 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -38,7 +38,7 @@ import stat import socket from ipapython import dogtag from ipapython.certdb import get_ca_nickname -from ipalib import pkcs10 +from ipalib import pkcs10, x509 import subprocess from nss.error import NSPRError @@ -322,7 +322,7 @@ class CADSInstance(service.Service): # We only handle one server cert self.nickname = server_certs[0][0] - self.dercert = dsdb.get_cert_from_db(self.nickname) + self.dercert = dsdb.get_cert_from_db(self.nickname, pem=False) dsdb.track_server_cert(self.nickname, self.principal, dsdb.passwd_fname) def create_certdb(self): 
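Review bot: The changed line in the second hunk now asks `dsdb.get_cert_from_db` for DER with `pem=False`, but nothing checks the result before `self.dercert` is handed to `dsdb.track_server_cert` on the next line; if that helper returns None or an empty value for a nickname it cannot find (its implementation is not in this hunk), the empty value is carried forward silently. A one-line guard after the assignment, `if not self.dercert: raise RuntimeError("no certificate found for nickname %s" % self.nickname)`, would surface that early. Since the commit relies on variable names to announce the format, a short comment on the assignment, `# DER bytes, never PEM text`, would make the contract of self.dercert explicit for readers of the class. The enclosing method begins outside the hunk.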
@@ -721,13 +721,6 @@ class CAInstance(service.Service): # TODO: roll back here? logging.critical("Failed to restart the certificate server. See the installation log for details.") - def __get_agent_cert(self, nickname): - args = ["/usr/bin/certutil", "-L", "-d", self.ca_agent_db, "-n", nickname, "-a"] - (out, err, returncode) = ipautil.run(args) - out = out.replace('-----BEGIN CERTIFICATE-----', '') - out = out.replace('-----END CERTIFICATE-----', '') - return out - def __issue_ra_cert(self): # The CA certificate is in the agent DB but isn't trusted (admin_fd, admin_name) = tempfile.mkstemp() @@ -801,8 +794,7 @@ class CAInstance(service.Service): self.ra_cert = outputList['b64_cert'] self.ra_cert = self.ra_cert.replace('\\n','') - self.ra_cert = self.ra_cert.replace('-----BEGIN CERTIFICATE-----','') - self.ra_cert = self.ra_cert.replace('-----END CERTIFICATE-----','') + self.ra_cert = x509.strip_header(self.ra_cert) # Add the new RA cert to the database in /etc/httpd/alias (agent_fd, agent_name) = tempfile.mkstemp() -- cgit
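Review bot: In the last hunk the new `x509.strip_header` call runs after the line above has already removed the literal backslash-n sequences, so the helper receives a single-line string; if strip_header locates the BEGIN/END markers on line boundaries (its implementation is not in this hunk), the markers survive where the two deleted `replace` calls used to remove them regardless of layout. Either move the strip_header call ahead of the `replace('\\n','')` line or confirm that strip_header matches the markers independently of newlines. After this line `self.ra_cert` holds a bare base64 body with the PEM armor removed, a shape that the dercert/cert/nsscert/rawcert naming convention from the commit message does not cover; a comment such as `# base64 body of the RA cert, PEM headers stripped (not DER)` would document that. The enclosing method begins and ends outside the hunk.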