author | Fraser Tweedale <ftweedal@redhat.com> | 2015-07-24 09:23:07 -0400 |
---|---|---|
committer | Jan Cholasta <jcholast@redhat.com> | 2015-08-11 15:28:28 +0200 |
commit | e92f25bd50b60ce3c5d2c09bea700001050651a3 (patch) | |
tree | c9829de0467acc2a399415958a3c3caf65efdcad /ipalib/pkcs10.py | |
parent | 812ab600a33f0a334e757420783583f700ec07e7 (diff) | |
download | freeipa-e92f25bd50b60ce3c5d2c09bea700001050651a3.tar.gz freeipa-e92f25bd50b60ce3c5d2c09bea700001050651a3.tar.xz freeipa-e92f25bd50b60ce3c5d2c09bea700001050651a3.zip |
Work around python-nss bug on unrecognised OIDs
A bug in python-nss causes an error to be thrown when converting an
unrecognised OID to a string. If cert-request receives a PKCS #10
CSR with an unknown extension, the error is thrown.
Work around this error by first checking if the OID is recognised
and, if it is not, using a different method to obtain its string
representation.
Once the python-nss bug is fixed, this workaround should be
reverted. https://bugzilla.redhat.com/show_bug.cgi?id=1246729
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Diffstat (limited to 'ipalib/pkcs10.py')
-rw-r--r-- | ipalib/pkcs10.py | 15 |
1 files changed, 14 insertions, 1 deletions
diff --git a/ipalib/pkcs10.py b/ipalib/pkcs10.py
index 6299dfea4..646708351 100644
--- a/ipalib/pkcs10.py
+++ b/ipalib/pkcs10.py
@@ -53,7 +53,20 @@ def get_extensions(csr, datatype=PEM):
 The return value is a tuple of strings
 """
 request = load_certificate_request(csr, datatype)
- return tuple(nss.oid_dotted_decimal(ext.oid_tag)[4:]
+
+ # Work around a bug in python-nss where nss.oid_dotted_decimal
+ # errors on unrecognised OIDs
+ #
+ # https://bugzilla.redhat.com/show_bug.cgi?id=1246729
+ #
+ def get_prefixed_oid_str(ext):
+ """Returns a string like 'OID.1.2...'."""
+ if ext.oid_tag == 0:
+ return repr(ext)
+ else:
+ return nss.oid_dotted_decimal(ext.oid)
+
+ return tuple(get_prefixed_oid_str(ext)[4:]
 for ext in request.extensions)
 
 class _PrincipalName(univ.Sequence): |
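Review bot: The `[4:]` slice in the final `return tuple(...)` assumes both branches of `get_prefixed_oid_str` return a string starting with `OID.`, but the new `repr(ext)` branch depends on python-nss's repr format for an extension object, which nothing in the hunk verifies. The CSR comes from the requester, and the returned OID strings are presumably what cert-request uses to decide how each extension is treated, so an unexpected repr would yield a silently wrong OID rather than an error. I would fail closed by checking the prefix before stripping it, e.g. `if not oid_str.startswith('OID.'): raise ValueError('unexpected OID string: %r' % oid_str)`. The bare `0` in `ext.oid_tag == 0` would also read better as the named unknown-OID constant (`nss.SEC_OID_UNKNOWN`, if this python-nss version exposes it) or with a short comment saying that 0 means "unrecognised". The body of `get_extensions` starts above the hunk, so this is based only on the visible lines.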