author | Fraser Tweedale <ftweedal@redhat.com> | 2016-10-13 17:12:31 +1000 |
committer | David Kupka <dkupka@redhat.com> | 2016-11-10 10:21:47 +0100 |
commit | db116f73fe5fc199bb2e28103cf5e3e2a24eab4c (patch) | |
tree | ff1a043b376ec4d98b6399040a868e8b45725ee0 /ipapython | |
parent | c57dc890b2bf447ab575f2e91249179bce3f05d5 (diff) | |
x509: use python-cryptography to process certs
Update x509.load_certificate and related functions to return
python-cryptography ``Certificate`` objects. Update the call sites
accordingly, including removal of NSS initialisation code.
Also update GeneralName parsing code to return python-cryptography
GeneralName values, for consistency with other code that processes
GeneralNames. The new function, `get_san_general_names`, and
associated helper functions, can be removed when python-cryptography
provides a way to deal with unrecognised critical extensions.
Part of: https://fedorahosted.org/freeipa/ticket/6398
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Diffstat (limited to 'ipapython')
-rw-r--r-- | ipapython/certdb.py | 17 |
1 files changed, 9 insertions, 8 deletions
diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index 06666c022..c2fe599a2 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -22,10 +22,12 @@ import re
 import tempfile
 import shutil
 import base64
+from cryptography.hazmat.primitives import serialization
 from nss import nss
 from nss.error import NSPRError
 from ipaplatform.paths import paths
+from ipapython.dn import DN
 from ipapython.ipa_log_manager import root_logger
 from ipapython import ipautil
 from ipalib import x509
@@ -258,7 +260,7 @@ class NSSDatabase(object):
 'X.509 CERTIFICATE'):
 try:
 x509.load_certificate(match.group(2))
- except NSPRError as e:
+ except ValueError as e:
 if label != 'CERTIFICATE':
 root_logger.warning(
 "Skipping certificate in %s at line %s: %s",
@@ -334,7 +336,7 @@ class NSSDatabase(object):
 # Try to load the file as DER certificate
 try:
 x509.load_certificate(data, x509.DER)
- except NSPRError:
+ except ValueError:
 pass
 else:
 data = x509.make_pem(base64.b64encode(data))
@@ -379,12 +381,11 @@ class NSSDatabase(object):
 raise RuntimeError(
 "No server certificates found in %s" % (', '.join(files)))
- nss_certs = x509.load_certificate_list(extracted_certs)
- nss_cert = None
- for nss_cert in nss_certs:
- nickname = str(nss_cert.subject)
- self.add_cert(nss_cert.der_data, nickname, ',,')
- del nss_certs, nss_cert
+ certs = x509.load_certificate_list(extracted_certs)
+ for cert in certs:
+ nickname = str(DN(cert.subject))
+ data = cert.public_bytes(serialization.Encoding.DER)
+ self.add_cert(data, nickname, ',,')
 if extracted_key:
 in_file = ipautil.write_tmp_file(extracted_certs + extracted_key) |
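Review bot: `except ValueError as e:` in the PEM-scanning hunk (and the matching `except ValueError:` in the DER-probe hunk at new line 336) now catches a far more generic exception than the `NSPRError` it replaces, and nothing at either site says where that ValueError comes from. Each `try` body is a single `x509.load_certificate(...)` call, so the catch is bounded today, but a later edit that widens the `try` would silently swallow unrelated ValueErrors; a one-line comment such as `# x509.load_certificate raises ValueError for data it cannot decode as a certificate` above each `except` records the contract. Whether `load_certificate` can surface other exception types (for instance from an unsupported algorithm) is not visible here; presumably those are meant to propagate. The enclosing methods start and end outside both hunks.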
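Review bot: The nickname in the last hunk is now `str(DN(cert.subject))`, whereas the removed code used NSS's own `str(nss_cert.subject)`; the two renderings of the same subject are not guaranteed to be byte-identical (attribute ordering and escaping can differ between implementations), so anything that later looks a certificate up by this nickname should be checked against the new form. A comment such as `# nickname is the subject rendered via DN (formerly NSS's own subject string)` would help whoever compares an old database with a new one. Stylistically the `certs` temporary is iterated exactly once, so `for cert in x509.load_certificate_list(extracted_certs):` reads more directly. The enclosing method starts and ends outside the hunk.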