authorFraser Tweedale <ftweedal@redhat.com>2016-10-11 12:43:22 +1000
committerDavid Kupka <dkupka@redhat.com>2016-11-10 10:21:47 +0100
commit44c2d685f01eb4c03e4659125e41d73b8be47c19 (patch)
tree5f4f45dd6dcce1b96e630e400b80324412843c75
parent85487281cdc09720f6a0385ebb7157742d762a0c (diff)
x509: avoid use of nss.data_to_hex
Avoid use of the nss.data_to_hex function for formatting certificate fingerprints. Add our own helper functions to format the fingerprints as hex (with colons). Part of: https://fedorahosted.org/freeipa/ticket/6398 Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
-rw-r--r--ipalib/x509.py23
-rw-r--r--ipaserver/plugins/cert.py8
-rw-r--r--ipaserver/plugins/service.py6
3 files changed, 31 insertions, 6 deletions
diff --git a/ipalib/x509.py b/ipalib/x509.py
index e67aab628..cac5e9c59 100644
--- a/ipalib/x509.py
+++ b/ipalib/x509.py
@@ -33,6 +33,7 @@
from __future__ import print_function
+import binascii
import collections
import os
import sys
@@ -552,6 +553,28 @@ def process_othernames(gns):
yield gn
+def chunk(size, s):
+ """Yield chunks of the specified size from the given string.
+
+ The input must be a multiple of the chunk size (otherwise
+ trailing characters are dropped).
+
+ Works on character strings only.
+
+ """
+ return (u''.join(span) for span in six.moves.zip(*[iter(s)] * size))
+
+
+def add_colons(s):
+ """Add colons between each nibble pair in a hex string."""
+ return u':'.join(chunk(2, s))
+
+
+def to_hex_with_colons(bs):
+ """Convert bytes to a hex string with colons."""
+ return add_colons(binascii.hexlify(bs).decode('utf-8'))
+
+
if __name__ == '__main__':
# this can be run with:
# python ipalib/x509.py < /etc/ipa/ca.crt
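Review bot: `add_colons` inherits the silent truncation in `chunk`: an odd-length input loses its last character without any error, so a caller other than `to_hex_with_colons` could display a shortened fingerprint that looks complete. These helpers format values that operators compare by eye when verifying a certificate, so failing loudly is safer; a guard such as `if len(s) % 2: raise ValueError('hex string must have even length')` at the top of `add_colons` would do. `to_hex_with_colons` itself is unaffected, because `binascii.hexlify` always yields an even number of characters. The new code also relies on `six` already being imported in this module, which the hunk does not show.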
diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index 5e85942dd..a534c4d26 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -379,10 +379,10 @@ class BaseCertObject(Object):
obj['valid_not_before'] = unicode(cert.valid_not_before_str)
obj['valid_not_after'] = unicode(cert.valid_not_after_str)
if full:
- obj['md5_fingerprint'] = unicode(
- nss.data_to_hex(nss.md5_digest(cert.der_data), 64)[0])
- obj['sha1_fingerprint'] = unicode(
- nss.data_to_hex(nss.sha1_digest(cert.der_data), 64)[0])
+ obj['md5_fingerprint'] = x509.to_hex_with_colons(
+ nss.md5_digest(cert.der_data))
+ obj['sha1_fingerprint'] = x509.to_hex_with_colons(
+ nss.sha1_digest(cert.der_data))
try:
ext_san = cert.get_extension(nss.SEC_OID_X509_SUBJECT_ALT_NAME)
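Review bot: The only fingerprints exposed here are MD5 and SHA-1, and neither is collision-resistant, so they are a weak basis for confirming a certificate's identity. Now that formatting goes through `x509.to_hex_with_colons`, a SHA-256 fingerprint over the same `cert.der_data` is cheap to add, e.g. `obj['sha256_fingerprint'] = x509.to_hex_with_colons(hashlib.sha256(cert.der_data).digest())`. The new key would presumably also need declaring in the plugin's output parameters, along with an `import hashlib`, both outside the hunk. The same applies to `set_certificate_attrs` in ipaserver/plugins/service.py, which duplicates these two assignments; a shared helper would keep the two call sites from drifting. The enclosing method starts and ends outside the hunk.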
diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py
index e57ca523a..a39ba3249 100644
--- a/ipaserver/plugins/service.py
+++ b/ipaserver/plugins/service.py
@@ -274,8 +274,10 @@ def set_certificate_attrs(entry_attrs):
entry_attrs['issuer'] = unicode(cert.issuer)
entry_attrs['valid_not_before'] = unicode(cert.valid_not_before_str)
entry_attrs['valid_not_after'] = unicode(cert.valid_not_after_str)
- entry_attrs['md5_fingerprint'] = unicode(nss.data_to_hex(nss.md5_digest(cert.der_data), 64)[0])
- entry_attrs['sha1_fingerprint'] = unicode(nss.data_to_hex(nss.sha1_digest(cert.der_data), 64)[0])
+ entry_attrs['md5_fingerprint'] = x509.to_hex_with_colons(
+ nss.md5_digest(cert.der_data))
+ entry_attrs['sha1_fingerprint'] = x509.to_hex_with_colons(
+ nss.sha1_digest(cert.der_data))
def check_required_principal(ldap, principal):
"""