authorRob Crittenden <rcritten@redhat.com>2011-06-08 10:54:41 -0400
committerRob Crittenden <rcritten@redhat.com>2011-06-21 19:09:50 -0400
commitdd69c7dbe68e8f8674994a54ea913f2dd2e52c32 (patch)
tree5fdc303354eb26a1d2cd206c81babdc73e8d51b9 /ipaserver/install/service.py
parent3a36eced53e540fe8f2b23eadf7dffda080324de (diff)
Make data type of certificates more obvious/predictable internally.
For the most part certificates will be treated as being in DER format. When we load a certificate we will generally accept it in any format but will convert it to DER before proceeding in normalize_certificate().

This also re-arranges a bit of code to pull some certificate-specific functions out of ipalib/plugins/service.py into ipalib/x509.py.

This also tries to use variable names to indicate what format the certificate is in at any given point:

dercert: DER
cert: PEM
nsscert: a python-nss Certificate object
rawcert: unknown format

ticket 32
Diffstat (limited to 'ipaserver/install/service.py')
-rw-r--r--ipaserver/install/service.py14
1 files changed, 2 insertions, 12 deletions
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index d8d04e73..efbb2c93 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -94,6 +94,7 @@ class Service(object):
self.realm = None
self.suffix = None
self.principal = None
+ self.dercert = None
def ldap_connect(self):
self.admin_conn = self.__get_conn(self.fqdn, self.dm_password)
@@ -192,23 +193,12 @@ class Service(object):
"""
Add a certificate to a service
- This should be passed in DER format but we'll be nice and convert
- a base64-encoded cert if needed (like when we add certs that come
- from PKCS#12 files.)
+ This server cert should be in DER format.
"""
if not self.admin_conn:
self.ldap_connect()
- try:
- s = self.dercert.find('-----BEGIN CERTIFICATE-----')
- if s > -1:
- e = self.dercert.find('-----END CERTIFICATE-----')
- s = s + 27
- self.dercert = self.dercert[s:e]
- self.dercert = base64.b64decode(self.dercert)
- except Exception:
- pass
dn = "krbprincipalname=%s,cn=services,cn=accounts,%s" % (self.principal, self.suffix)
mod = [(ldap.MOD_ADD, 'userCertificate', self.dercert)]
try:
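Review bot: With the PEM fallback removed, `self.dercert` reaches the `userCertificate` MOD_ADD unchecked, and the first hunk initialises it to `None`. A caller that never set it, or that still holds PEM text, will presumably either fail in the `try:` that follows or put a non-DER value into the directory, where certificate consumers would later misparse it. A guard before `mod` is built would make the contract explicit, e.g. `if self.dercert is None: raise ValueError("dercert must be set to a DER-encoded certificate")`, or a call to the `normalize_certificate()` named in the commit message if it is importable here. The docstring could also say that the certificate is read from `self.dercert` rather than passed in. The method's `def` line and the body of the `try:` lie outside the hunk.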