authorStanislav Laznicka <slaznick@redhat.com>2017-06-16 09:36:26 +0200
committerPavel Vomacka <pvomacka@redhat.com>2017-07-27 10:28:58 +0200
commit4375ef860fdd8221baeff23e88f9217b0cddc5ac (patch)
tree1475171b8a22c3c938466c0cbb2d24afc6db60df /ipalib
parent284658e08ef88ae2796ace0a4f172e7b8464a5e9 (diff)
Split x509.load_certificate() into PEM/DER functions
Splitting the load_certificate() function into two separate functions helps us word the requirements for the input explicitly. It also makes our backend similar to that of python-cryptography, so that eventually we can swap python-cryptography for the IPA x509 module. https://pagure.io/freeipa/issue/4985 Reviewed-By: Fraser Tweedale <ftweedal@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com>
Diffstat (limited to 'ipalib')
-rw-r--r--ipalib/install/certstore.py2
-rw-r--r--ipalib/x509.py56
2 files changed, 34 insertions, 24 deletions
diff --git a/ipalib/install/certstore.py b/ipalib/install/certstore.py
index bc2079fb1..0d0902fc1 100644
--- a/ipalib/install/certstore.py
+++ b/ipalib/install/certstore.py
@@ -30,7 +30,7 @@ from ipalib import errors, x509
def _parse_cert(dercert):
try:
- cert = x509.load_certificate(dercert, x509.DER)
+ cert = x509.load_der_x509_certificate(dercert)
subject = DN(cert.subject)
issuer = DN(cert.issuer)
serial_number = cert.serial_number
diff --git a/ipalib/x509.py b/ipalib/x509.py
index 4d866a64c..5bec5ae59 100644
--- a/ipalib/x509.py
+++ b/ipalib/x509.py
@@ -19,7 +19,7 @@
# Certificates should be stored internally DER-encoded. We can be passed
# a certificate several ways: read if from LDAP, read it from a 3rd party
-# app (dogtag, candlepin, etc) or as user input. The normalize_certificate()
+# app (dogtag, candlepin, etc) or as user input. The ensure_der_format()
# function will convert an incoming certificate to DER-encoding.
# Conventions
@@ -101,24 +101,26 @@ def strip_header(pem):
return pem
-def load_certificate(data, datatype=PEM):
+def load_pem_x509_certificate(data):
"""
- Load an X.509 certificate.
+ Load an X.509 certificate in PEM format.
- :param datatype: PEM for base64-encoded data (with or without header),
- or DER
- :return: a python-cryptography ``CertificateSigningRequest`` object.
+ :returns: a python-cryptography ``Certificate`` object.
:raises: ``ValueError`` if unable to load the certificate.
-
"""
- if type(data) in (tuple, list):
- data = data[0]
+ return crypto_x509.load_pem_x509_certificate(data,
+ backend=default_backend())
+
- if (datatype == PEM):
- data = strip_header(data)
- data = base64.b64decode(data)
+def load_der_x509_certificate(data):
+ """
+ Load an X.509 certificate in DER format.
- return cryptography.x509.load_der_x509_certificate(data, default_backend())
+ :returns: a python-cryptography ``Certificate`` object.
+ :raises: ``ValueError`` if unable to load the certificate.
+ """
+ return crypto_x509.load_der_x509_certificate(data,
+ backend=default_backend())
def load_certificate_from_file(filename, dbdir=None):
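Review bot: Neither new loader documents what `data` must be, and the PEM path silently drops two behaviours of the removed load_certificate(): headerless base64 input (formerly accepted via strip_header() and b64decode) and a one-element tuple/list (formerly unwrapped before decoding), so a caller still passing either now gets a ValueError from python-cryptography, or likely a TypeError for non-bytes input, instead of a certificate. Add `:param data: PEM-encoded certificate as bytes; the BEGIN/END CERTIFICATE header and footer are required` to load_pem_x509_certificate and `:param data: DER-encoded certificate as bytes` to load_der_x509_certificate so the stricter contract is explicit. Callers such as `_parse_cert` in ipalib/install/certstore.py (first hunk of this commit) must now pass the bare bytes value rather than an LDAP attribute list. `crypto_x509` is not bound anywhere in this hunk; presumably the import block is adjusted elsewhere in the commit, which is worth confirming since the old code called `cryptography.x509` directly.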
@@ -126,10 +128,9 @@ def load_certificate_from_file(filename, dbdir=None):
Load a certificate from a PEM file.
Returns a python-cryptography ``Certificate`` object.
-
"""
with open(filename, mode='rb') as f:
- return load_certificate(f.read(), PEM)
+ return load_pem_x509_certificate(f.read())
def load_certificate_list(data):
@@ -140,8 +141,7 @@ def load_certificate_list(data):
"""
certs = PEM_REGEX.findall(data)
- certs = [load_certificate(cert, PEM) for cert in certs]
- return certs
+ return [load_pem_x509_certificate(cert) for cert in certs]
def load_certificate_list_from_file(filename):
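Review bot: `PEM_REGEX.findall(data)` now receives bytes when called through load_certificate_list_from_file, which the next hunk switches to `open(filename, 'rb')`; if PEM_REGEX was compiled from a str pattern, `re` raises TypeError on bytes input and every PEM list load fails. PEM_REGEX is defined outside this chunk, so confirm it is a bytes pattern, and state the contract in the docstring: `:param data: bytes containing one or more PEM-encoded certificates`. Also, python-cryptography's PEM loader requires the header and footer, whereas the removed load_certificate() tolerated their absence, so each PEM_REGEX match must now include the BEGIN/END CERTIFICATE lines and not only the base64 body.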
@@ -151,7 +151,7 @@ def load_certificate_list_from_file(filename):
Return a list of python-cryptography ``Certificate`` objects.
"""
- with open(filename) as f:
+ with open(filename, 'rb') as f:
return load_certificate_list(f.read())
@@ -242,7 +242,8 @@ def make_pem(data):
pemcert + \
'\n-----END CERTIFICATE-----'
-def normalize_certificate(rawcert):
+
+def ensure_der_format(rawcert):
"""
Incoming certificates should be DER-encoded. If not it is converted to
DER-format.
@@ -274,17 +275,26 @@ def normalize_certificate(rawcert):
# At this point we should have a DER certificate.
# Attempt to decode it.
- validate_certificate(dercert, datatype=DER)
-
+ validate_der_x509_certificate(dercert)
return dercert
-def validate_certificate(cert, datatype=PEM):
+def validate_pem_x509_certificate(cert):
+ """
+ Perform cert validation by trying to load it via python-cryptography.
+ """
+ try:
+ load_pem_x509_certificate(cert)
+ except ValueError as e:
+ raise errors.CertificateFormatError(error=str(e))
+
+
+def validate_der_x509_certificate(cert):
"""
Perform cert validation by trying to load it via python-cryptography.
"""
try:
- load_certificate(cert, datatype=datatype)
+ load_der_x509_certificate(cert)
except ValueError as e:
raise errors.CertificateFormatError(error=str(e))