| author | Fraser Tweedale <ftweedal@redhat.com> | 2016-08-15 15:39:49 +1000 |
|---|---|---|
| committer | Jan Cholasta <jcholast@redhat.com> | 2016-08-26 09:09:45 +0200 |
| commit | a381d888cd6effc480c373f19f6a0ecbf00c4182 (patch) | |
| tree | 13231d09928442622da4cb392f9b705fc1030330 | |
| parent | e3acc3659c6349a0de837f9441c6324055d9a100 (diff) | |
x509: include otherName DER value in GeneralNameInfo
We want to include the whole DER value when we pretty-print
unrecognised otherNames, so add a field to the GeneralNameInfo
namedtuple and populate it for otherNames.
Part of: https://fedorahosted.org/freeipa/ticket/6022
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
| -rw-r--r-- | ipalib/x509.py | 13 | ||||
| -rw-r--r-- | ipaserver/plugins/cert.py | 2 |
2 files changed, 10 insertions, 5 deletions
diff --git a/ipalib/x509.py b/ipalib/x509.py
index 541609fbc..e986a97a5 100644
--- a/ipalib/x509.py
+++ b/ipalib/x509.py
@@ -465,7 +465,7 @@ def _decode_krb5principalname(data):
 GeneralNameInfo = collections.namedtuple(
- 'GeneralNameInfo', ('type', 'desc', 'value'))
+ 'GeneralNameInfo', ('type', 'desc', 'value', 'der_value'))
 def decode_generalnames(secitem):
@@ -477,8 +477,9 @@ def decode_generalnames(secitem):
 The input is the DER-encoded extension data, without the OCTET STRING header, as an nss SecItem object.
- Return a list of tuples of name types (as string, suitable for
- presentation) and names (as string, suitable for presentation).
+ Return a list of ``GeneralNameInfo`` namedtuples. The
+ ``der_value`` field is set for otherNames, otherwise it is
+ ``None``.
 """
 nss_names = nss.x509_alt_name(secitem, repr_kind=nss.AsObject)
@@ -496,14 +497,18 @@ def decode_generalnames(secitem):
 if nss_name.type_enum == nss.certOtherName:
 oid = str(asn1_name['otherName']['type-id'])
 nametype = (nss_name.type_enum, oid)
+ der_value = asn1_name['otherName']['value'].asOctets()
 else:
 nametype = nss_name.type_enum
+ der_value = None
 if nametype == (nss.certOtherName, SAN_KRB5PRINCIPALNAME):
 name = _decode_krb5principalname(asn1_name['otherName']['value'])
 else:
 name = nss_name.name
- names.append(GeneralNameInfo(nametype, nss_name.type_string, name))
+
+ gni = GeneralNameInfo(nametype, nss_name.type_string, name, der_value)
+ names.append(gni)
 return names
diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index 3e9eda504..9ee0b38c0 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -559,7 +559,7 @@ class cert_request(Create, BaseCertMethod, VirtualCommand):
 "to the 'userCertificate' attribute of entry '%s'.") % dn)
 # Validate the subject alt name, if any
- for name_type, desc, name in subjectaltname:
+ for name_type, desc, name, der_name in subjectaltname:
 if name_type == nss.certDNSName:
 name = unicode(name)
 alt_principal_obj = None |
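Review bot: In the third hunk of ipalib/x509.py, `der_value = asn1_name['otherName']['value'].asOctets()` stores bytes taken straight from the certificate or request being decoded, and neither that line nor the updated docstring says what a consumer may assume about them. Since the stated purpose is pretty-printing unrecognised otherNames, I would add a comment such as `# raw, unvalidated octets from the input; hex- or base64-encode before display or logging` and have the docstring say that `der_value` is a byte string rather than presentation text. It is also worth confirming whether these octets include the explicit [0] wrapper of the otherName value or only the inner encoding, because callers will parse the field according to what the name "DER value" promises. The body of decode_generalnames starts and ends outside the hunk.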
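Review bot: The loop header `for name_type, desc, name, der_name in subjectaltname:` in ipaserver/plugins/cert.py binds `der_name` only to keep positional unpacking working, and the name does not match the `der_value` field it receives. Positional unpacking is what forced this edit; any other caller of decode_generalnames that still unpacks three items will now raise ValueError, so the tree should be searched for them. Iterating as `for gn in subjectaltname:` and reading `gn.type` and `gn.value` would survive the next field addition. The loop body continues outside the hunk, so how unrecognised otherNames are treated during validation is not visible here.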
