author | Fraser Tweedale <ftweedal@redhat.com> | 2016-10-13 17:12:31 +1000 |
---|---|---|
committer | David Kupka <dkupka@redhat.com> | 2016-11-10 10:21:47 +0100 |
commit | db116f73fe5fc199bb2e28103cf5e3e2a24eab4c (patch) | |
tree | ff1a043b376ec4d98b6399040a868e8b45725ee0 /client | |
parent | c57dc890b2bf447ab575f2e91249179bce3f05d5 (diff) | |
x509: use python-cryptography to process certs
Update x509.load_certificate and related functions to return
python-cryptography ``Certificate`` objects. Update the call sites
accordingly, including removal of NSS initialisation code.
Also update GeneralName parsing code to return python-cryptography
GeneralName values, for consistency with other code that processes
GeneralNames. The new function, `get_san_general_names`, and
associated helper functions, can be removed when python-cryptography
provides a way to deal with unrecognised critical extensions.
Part of: https://fedorahosted.org/freeipa/ticket/6398
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Diffstat (limited to 'client')
-rwxr-xr-x | client/ipa-client-install | 27 |
1 files changed, 14 insertions, 13 deletions
diff --git a/client/ipa-client-install b/client/ipa-client-install
index 639810b62..c228ea3ce 100755
--- a/client/ipa-client-install
+++ b/client/ipa-client-install
@@ -35,9 +35,9 @@ try:
     import gssapi
     import netifaces
-    import nss.nss as nss
     import SSSDConfig
     from six.moves.urllib.parse import urlparse, urlunparse
+    from cryptography.hazmat.primitives import serialization
     from ipapython.ipa_log_manager import standard_logging_setup, root_logger
     from ipaclient import ipadiscovery
@@ -92,15 +92,10 @@ def parse_options():
         if not os.path.isabs(value):
             raise OptionValueError("%s option '%s' is not an absolute file path" % (opt, value))
-        initialized = nss.nss_is_initialized()
         try:
-            cert = x509.load_certificate_from_file(value)
+            x509.load_certificate_from_file(value)
         except Exception:
             raise OptionValueError("%s option '%s' is not a valid certificate file" % (opt, value))
-        else:
-            del(cert)
-            if not initialized:
-                nss.nss_shutdown()
         parser.values.ca_cert_file = value
@@ -300,10 +295,10 @@ def cert_summary(msg, certs, indent=' '):
     else:
         s = ''
     for cert in certs:
-        s += '%sSubject: %s\n' % (indent, cert.subject)
-        s += '%sIssuer: %s\n' % (indent, cert.issuer)
-        s += '%sValid From: %s\n' % (indent, cert.valid_not_before_str)
-        s += '%sValid Until: %s\n' % (indent, cert.valid_not_after_str)
+        s += '%sSubject: %s\n' % (indent, DN(cert.subject))
+        s += '%sIssuer: %s\n' % (indent, DN(cert.issuer))
+        s += '%sValid From: %s\n' % (indent, cert.not_valid_before)
+        s += '%sValid Until: %s\n' % (indent, cert.not_valid_after)
         s += '\n'
     s = s[:-1]
@@ -2148,7 +2143,10 @@ def get_ca_certs(fstore, options, server, basedn, realm):
     if ca_certs is not None:
         try:
-            ca_certs = [cert.der_data for cert in ca_certs]
+            ca_certs = [
+                cert.public_bytes(serialization.Encoding.DER)
+                for cert in ca_certs
+            ]
             x509.write_certificate_list(ca_certs, ca_file)
         except Exception as e:
             if os.path.exists(ca_file):
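Review bot: The `except Exception:` around the new `x509.load_certificate_from_file(value)` call drops the underlying parse error, so a user who passes a DER file, a bundle, or a PEM with a stray header only sees "is not a valid certificate file" and has no hint what was wrong with the file they pointed `--ca-cert-file` at. Capturing the cause is a one-line change: `except Exception as e:` followed by `raise OptionValueError("%s option '%s' is not a valid certificate file: %s" % (opt, value, e))`. Since the parsed certificate is now intentionally discarded, a short comment such as `# parse only to validate the file; the result is not needed here` would stop a later reader from re-adding an unused assignment. The enclosing option-validation callback starts before this hunk, and its remaining body (if any) is after it.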
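Review bot: `cert.not_valid_before` and `cert.not_valid_after` in the cert_summary hunk are naive `datetime` objects that python-cryptography defines as UTC, so the summary now prints a bare timestamp with no zone marker, whereas the NSS `valid_not_before_str`/`valid_not_after_str` values it replaces were presumably zone-qualified strings. An administrator reading "Valid Until" against local wall-clock time can misjudge a validity window by several hours, which matters when the summary is used to decide whether a CA certificate is still usable. Suggest making the zone explicit, e.g. `s += '%sValid From: %s UTC\n' % (indent, cert.not_valid_before)` and the same for the "Valid Until" line, or formatting with `strftime('%Y-%m-%d %H:%M:%S UTC')`. The cert_summary signature and the `if msg:` branch are outside the hunk, and the loop's indentation here is inferred from the surrounding lines.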
@@ -2815,7 +2813,10 @@ def install(options, env, fstore, statestore):
     # Add CA certs to a temporary NSS database
     ca_certs = x509.load_certificate_list_from_file(CACERT)
-    ca_certs = [cert.der_data for cert in ca_certs]
+    ca_certs = [
+        cert.public_bytes(serialization.Encoding.DER)
+        for cert in ca_certs
+    ]
     try:
         pwd_file = ipautil.write_tmp_file(ipautil.ipa_generate_password())
         tmp_db.create_db(pwd_file.name)
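Review bot: The four-line DER-encoding comprehension added here is a verbatim copy of the one added to get_ca_certs in the same commit, and both sites depend on `serialization` having been imported inside the top-of-file `try:` import block. Factoring it into a single helper, e.g. `def _certs_to_der(certs): return [c.public_bytes(serialization.Encoding.DER) for c in certs]`, keeps the encoding choice in one place so a future move to a different container (PEM bundle, PKCS#7) does not have to be made twice, and reads better as `ca_certs = _certs_to_der(ca_certs)`. The conversion sits before the `try:` that creates the temporary NSS database, so a serialization failure here would propagate out of install() rather than into the handler that follows; that is a behaviour of the pre-existing structure, not a regression, but worth a comment if it is intentional. install() begins before this hunk and the `try:` body continues after it.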