From b7ca3d68c28b54500a2f908c4e2e6c89b2433461 Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Tue, 20 Jul 2010 14:00:43 -0400
Subject: Drop our own PKCS#10 ASN.1 decoder and use the one from python-nss
This patch:
- bumps up the minimum version of python-nss
- will initialize NSS with nodb if a CSR is loaded and it isn't already init'd
- will shutdown NSS if initialized in the RPC subsystem so we use right db
- updated and added a few more tests
Relying more on NSS introduces a bit of a problem. For NSS to work you need to have initialized a database (either a real one or no_db). But once you've initialized one and want to use another you have to close down the first one. I've added some code to nsslib.py to do just that. This could potentially have some bad side-effects at some point, it works ok now.
---
 ipaserver/install/dsinstance.py | 2 +-
 ipaserver/plugins/selfsign.py | 28 +++++++++++-----------------
 2 files changed, 12 insertions(+), 18 deletions(-)
(limited to 'ipaserver')
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index e1ddef394..3ea9c94ce 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -366,7 +366,7 @@ class DsInstance(service.Service):
 self._ldap_mod("ipa-winsync-conf.ldif")
 def __config_version_module(self):
- self._ldap_mod("ipa-version-conf.ldif")
+ self._ldap_mod("version-conf.ldif")
 def __user_private_groups(self):
 if has_managed_entries(self.host_name, self.dm_password):
diff --git a/ipaserver/plugins/selfsign.py b/ipaserver/plugins/selfsign.py
index 39d1c539f..5333a89a3 100644
--- a/ipaserver/plugins/selfsign.py
+++ b/ipaserver/plugins/selfsign.py
@@ -45,10 +45,9 @@ class ra(rabase.rabase):
 import re
 from ipaserver.plugins import rabase
 from ipaserver.install import certs
 import tempfile
-from pyasn1 import error
 from ipalib import _
-from pyasn1.codec.der import encoder
 from ipalib.plugins.cert import get_csr_hostname
+from nss.error import NSPRError
 class ra(rabase.rabase):
 """
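Review bot: The rename of the LDIF that `__config_version_module` loads, from `ipa-version-conf.ldif` to `version-conf.ldif` in the dsinstance.py hunk, is not mentioned in the commit message, and the LDIF file itself is outside this view (the diff is limited to `ipaserver/`), so it cannot be confirmed that a file of the new name is shipped alongside this change. If the old name is still what gets installed, `self._ldap_mod("version-conf.ldif")` would presumably fail at install time on a missing file; either the commit should carry the matching file rename or the description should state where `version-conf.ldif` comes from. Only fragments of the surrounding methods are visible in the hunk.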
@@ -87,23 +86,19 @@ class ra(rabase.rabase):
 config = api.Command['config_show']()['result']
 subject_base = config.get('ipacertificatesubjectbase')[0]
 hostname = get_csr_hostname(csr)
- request = pkcs10.load_certificate_request(csr)
 base = re.split(',\s*(?=\w+=)', subject_base)
- base.reverse()
- base.append("CN=%s" % hostname)
- request_subject = request.get_subject().get_components()
- new_request = []
- for r in request_subject:
- new_request.append("%s=%s" % (r[0], r[1]))
-
- if str(base).lower() != str(new_request).lower():
- subject_base='CN=%s, %s' % (hostname, subject_base)
- new_request.reverse()
+ base.insert(0,'CN=%s' % hostname)
+ subject_base = ",".join(base)
+ request = pkcs10.load_certificate_request(csr)
+ # python-nss normalizes the request subject
+ request_subject = str(pkcs10.get_subject(request))
+
+ if str(subject_base).lower() != request_subject.lower():
 raise errors.CertificateOperationError(error=_('Request subject "%(request_subject)s" does not match the form "%(subject_base)s"') % \
- {'request_subject' : ', '.join(new_request), 'subject_base' : subject_base})
+ {'request_subject' : request_subject, 'subject_base' : subject_base})
 except errors.CertificateOperationError, e:
 raise e
- except Exception, e:
+ except NSPRError, e:
 raise errors.CertificateOperationError(error=_('unable to decode csr: %s' % e))
 # certutil wants the CSR to have have a header and footer. Add one
@@ -207,11 +202,10 @@ class ra(rabase.rabase):
 pass
 try:
- # Grab the subject, reverse it, combine it and return it
 subject = x509.get_subject(cert)
 serial = x509.get_serial_number(cert)
- except error.PyAsn1Error, e:
+ except NSPRError, e:
 self.log.error('Unable to decode certificate in entry: %s' % str(e))
 raise errors.CertificateOperationError(error='Unable to decode certificate in entry: %s' % str(e))
-- cgit
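Review bot: Replacing `except Exception, e:` with `except NSPRError, e:` means any non-NSS failure inside this block — `config.get('ipacertificatesubjectbase')[0]` raising TypeError when the attribute is unset, or `get_csr_hostname(csr)` raising something other than NSPRError — now propagates out of the method instead of being reported as a CertificateOperationError, and whether the RPC layer still masks such exceptions from the caller is not visible here. If only NSS errors are expected at this point, say so in a comment; otherwise keep a trailing `except Exception, e:` clause after the NSPRError one that wraps the failure the same way. The new check is a textual comparison that depends on python-nss rendering the DN exactly as `",".join(base)` builds it (comma with no space, and presumably NSS's own escaping of special characters inside values, which the left side never applies), so a rendering difference rejects rather than accepts the request — the comment `# python-nss normalizes the request subject` should state that assumption, e.g. `# textual compare against NSS's rendering of the subject (comma-separated, no spaces); any formatting difference fails closed`. The same narrowing to NSPRError appears in the @@ -207 hunk below; the enclosing method and its try: begin before this hunk.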