From 8d2d7429beb6bf66cb3c4fc35a7a3dbb165a432c Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 24 Jun 2010 11:40:02 -0400
Subject: Clean up crypto code, take advantage of new nss-python capabilities

This patch does the following:
- drops our in-tree x509v3 parser to use the python-nss one
- return more information on certificates
- make an API change, renaming cert-get to cert-show
- Drop a lot of duplicated code
---
 ipalib/plugins/service.py | 25 +++++--------------------
 1 file changed, 5 insertions(+), 20 deletions(-)

(limited to 'ipalib/plugins/service.py')

diff --git a/ipalib/plugins/service.py b/ipalib/plugins/service.py
index 623128bf..37de3df4 100644
--- a/ipalib/plugins/service.py
+++ b/ipalib/plugins/service.py
@@ -64,26 +64,9 @@ from ipalib import api, errors
 from ipalib import Str, Flag, Bytes
 from ipalib.plugins.baseldap import *
 from ipalib import x509
-from pyasn1.error import PyAsn1Error
 from ipalib import _, ngettext
 
 
-def get_serial(certificate):
-    """
-    Given a certificate, return the serial number in that
-    cert as a Python long object.
-    """
-    if type(certificate) in (list, tuple):
-        certificate = certificate[0]
-
-    try:
-        serial = x509.get_serial_number(certificate, type=x509.DER)
-    except PyAsn1Error, e:
-        raise errors.GenericError(
-            format='Unable to decode certificate in entry: %s' % e
-        )
-    return serial
-
 def split_principal(principal):
     service = hostname = realm = None
 
@@ -194,6 +177,7 @@ class service_add(LDAPCreate):
 
         cert = entry_attrs.get('usercertificate')
         if cert:
+            cert = cert[0]
             # FIXME: should be in a normalizer: need to fix normalizers
             #        to work on non-unicode data
             entry_attrs['usercertificate'] = base64.b64decode(cert)
@@ -229,9 +213,10 @@ class service_del(LDAPDelete):
             (dn, entry_attrs) = ldap.get_entry(dn, ['usercertificate'])
             cert = entry_attrs.get('usercertificate')
             if cert:
-                serial = unicode(get_serial(cert))
+                cert = cert[0]
+                serial = unicode(x509.get_serial_number(cert, x509.DER))
                 try:
-                    result = api.Command['cert_get'](unicode(serial))['result']
+                    result = api.Command['cert_show'](unicode(serial))['result']
                     if 'revocation_reason' not in result:
                         try:
                             api.Command['cert_revoke'](unicode(serial), revocation_reason=4)
@@ -267,7 +252,7 @@ class service_mod(LDAPUpdate):
             if 'usercertificate' in entry_attrs_old:
                 # FIXME: what to do here? do we revoke the old cert?
                 fmt = 'entry already has a certificate, serial number: %s' % (
-                    get_serial(entry_attrs_old['usercertificate'])
+                    x509.get_serial_number(entry_attrs_old['usercertificate'][0], x509.DER)
                 )
                 raise errors.GenericError(format=fmt)
             # FIXME: should be in normalizer; see service_add
-- 
cgit