| author | Fraser Tweedale <ftweedal@redhat.com> | 2016-10-13 17:12:31 +1000 |
|---|---|---|
| committer | David Kupka <dkupka@redhat.com> | 2016-11-10 10:21:47 +0100 |
| commit | db116f73fe5fc199bb2e28103cf5e3e2a24eab4c (patch) | |
| tree | ff1a043b376ec4d98b6399040a868e8b45725ee0 /install/tools | |
| parent | c57dc890b2bf447ab575f2e91249179bce3f05d5 (diff) | |
| download | freeipa-db116f73fe5fc199bb2e28103cf5e3e2a24eab4c.tar.gz freeipa-db116f73fe5fc199bb2e28103cf5e3e2a24eab4c.tar.xz freeipa-db116f73fe5fc199bb2e28103cf5e3e2a24eab4c.zip | |
x509: use python-cryptography to process certs
Update x509.load_certificate and related functions to return
python-cryptography ``Certificate`` objects. Update the call sites
accordingly, including removal of NSS initialisation code.
Also update GeneralName parsing code to return python-cryptography
GeneralName values, for consistency with other code that processes
GeneralNames. The new function, `get_san_general_names`, and
associated helper functions, can be removed when python-cryptography
provides a way to deal with unrecognised critical extensions.
Part of: https://fedorahosted.org/freeipa/ticket/6398
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Diffstat (limited to 'install/tools')
| -rwxr-xr-x | install/tools/ipa-replica-conncheck | 15 |
1 files changed, 6 insertions, 9 deletions
diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck
index 067afb7b0..4045e41df 100755
--- a/install/tools/ipa-replica-conncheck
+++ b/install/tools/ipa-replica-conncheck
@@ -21,6 +21,7 @@ from __future__ import print_function
 from ipapython.config import IPAOptionParser
+from ipapython.dn import DN
 from ipapython import version
 from ipapython import ipautil, certdb
 from ipalib import api, errors, x509
@@ -40,7 +41,7 @@ from socket import SOCK_STREAM, SOCK_DGRAM
 import distutils.spawn
 from ipaplatform.paths import paths
 import gssapi
-from nss import nss
+from cryptography.hazmat.primitives import serialization
 CONNECT_TIMEOUT = 5
 RESPONDERS = [ ]
@@ -121,16 +122,12 @@ def parse_options():
                 raise OptionValueError(
                     "%s option '%s' is not an absolute file path"
                     % (opt, value))
-            initialized = nss.nss_is_initialized()
             try:
                 x509.load_certificate_list_from_file(value)
             except Exception:
                 raise OptionValueError(
                     "%s option '%s' is not a valid certificate file"
                     % (opt, value))
-            finally:
-                if not initialized:
-                    nss.nss_shutdown()
             parser.values.ca_cert_file = value
@@ -472,12 +469,12 @@ def main():
             nss_db.create_db(password_file.name)
             ca_certs = x509.load_certificate_list_from_file(
-                options.ca_cert_file, dbdir=nss_db.secdir)
+                options.ca_cert_file)
             for ca_cert in ca_certs:
+                data = ca_cert.public_bytes(
+                    serialization.Encoding.DER)
                 nss_db.add_cert(
-                    ca_cert.der_data, str(ca_cert.subject), 'C,,')
-                del ca_cert
-                del ca_certs
+                    data, str(DN(ca_cert.subject)), 'C,,')
         else:
             nss_dir = None
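Review bot: In the `except Exception:` branch of the ca_cert_file option callback, the exception raised by `x509.load_certificate_list_from_file(value)` is discarded, so a missing file, a permission error and a malformed PEM all surface as the same "not a valid certificate file" message with no hint of the cause. Binding the exception and appending it keeps the OptionValueError type the parser expects: `except Exception as e:` followed by `"%s option '%s' is not a valid certificate file: %s" % (opt, value, e)`. The file still imports `print_function` from `__future__`, which suggests Python 2 is supported, so `raise ... from e` is presumably not available here. parse_options starts before the hunk and the callback's own `def` line is not visible.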
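Review bot: On the new `nss_db.add_cert(data, str(DN(ca_cert.subject)), 'C,,')` line every certificate read from `options.ca_cert_file` is imported with trust flags `'C,,'`, i.e. as a trusted SSL CA, and nothing in the loop checks that the certificate is actually a CA; a bundle that also carries an intermediate or end-entity certificate would make those trust anchors for the connection check. Now that the loop holds a python-cryptography `Certificate`, it could consult the BasicConstraints extension (or at least require the certificate to be self-issued) and skip or reject non-CA entries with a clear error; I can't tell from here whether ipalib.x509 already exposes a helper for that. The nickname is now `str(DN(ca_cert.subject))`, so two certificates with the same subject (e.g. a renewed CA) share a nickname, which NSS accepts only because the subjects match — a short comment on that line would save the next reader a detour. main() starts before and continues after the hunk.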
