From ab1667f3c1607a22c6df49ceba58274347bc5826 Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Tue, 24 Nov 2009 16:07:44 -0500
Subject: Use pyasn1-based PKCS#10 and X509v3 parsers instead of pyOpenSSL.

The pyOpenSSL PKCS#10 parser doesn't support attributes so we can't identify requests with subject alt names.

Subject alt names are only allowed if:
- the host for the alt name exists in IPA
- if binding as host principal, the host is in the services managedBy attr
---
 ipalib/plugins/service.py | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

(limited to 'ipalib/plugins/service.py')

diff --git a/ipalib/plugins/service.py b/ipalib/plugins/service.py
index 449acbae..c88695e4 100644
--- a/ipalib/plugins/service.py
+++ b/ipalib/plugins/service.py
@@ -23,11 +23,10 @@ Services (Identity)
 """
 
 import base64
-from OpenSSL import crypto
-
 from ipalib import api, errors
 from ipalib import Str, Flag, Bytes
 from ipalib.plugins.baseldap import *
+from ipalib import x509
 
 
 def get_serial(certificate):
@@ -35,8 +34,7 @@ def get_serial(certificate):
     Given a certificate, return the serial number in that cert.
     """
     try:
-        x509 = crypto.load_certificate(crypto.FILETYPE_ASN1, certificate)
-        serial = str(x509.get_serial_number())
+        serial = str(x509.get_serial_number(certificate))
     except crypto.Error:
         raise errors.GenericError(
             format='Unable to decode certificate in entry'
@@ -247,7 +245,7 @@ api.register(service_show)
 
 class service_add_host(LDAPAddMember):
     """
-    Add members to service.
+    Add hosts that can manage this service.
     """
 
     member_attributes = ['managedby']
@@ -256,7 +254,7 @@ api.register(service_add_host)
 
 class service_remove_host(LDAPRemoveMember):
     """
-    Remove members from service.
+    Remove hosts that can manage this service.
     """
 
     member_attributes = ['managedby']
-- 
cgit
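Review bot: The unchanged `except crypto.Error:` directly below the new `serial = str(x509.get_serial_number(certificate))` in the get_serial hunk references a name this commit deletes, because the first hunk removes `from OpenSSL import crypto` without updating the handler. Python evaluates the except expression only when the try body raises, so a certificate that fails to decode will now surface as a NameError rather than the intended `errors.GenericError` with 'Unable to decode certificate in entry'; the call still fails closed, but callers that expect GenericError will not get it, and the real decode error is masked. The exception type raised by the pyasn1-based `x509.get_serial_number` is not visible in this hunk, so the handler should be changed to whatever ipalib.x509 raises on a malformed certificate, or at minimum `except Exception:` so the decode failure keeps its mapping to GenericError. The body of get_serial continues past the hunk's last line.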