author | Fraser Tweedale <ftweedal@redhat.com> | 2016-10-13 17:12:31 +1000 |
committer | David Kupka <dkupka@redhat.com> | 2016-11-10 10:21:47 +0100 |
commit | db116f73fe5fc199bb2e28103cf5e3e2a24eab4c (patch) | |
tree | ff1a043b376ec4d98b6399040a868e8b45725ee0 /ipalib/certstore.py | |
parent | c57dc890b2bf447ab575f2e91249179bce3f05d5 (diff) | |
x509: use python-cryptography to process certs
Update x509.load_certificate and related functions to return
python-cryptography ``Certificate`` objects. Update the call sites
accordingly, including removal of NSS initialisation code.
Also update GeneralName parsing code to return python-cryptography
GeneralName values, for consistency with other code that processes
GeneralNames. The new function, `get_san_general_names`, and
associated helper functions, can be removed when python-cryptography
provides a way to deal with unrecognised critical extensions.
Part of: https://fedorahosted.org/freeipa/ticket/6398
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Diffstat (limited to 'ipalib/certstore.py')
-rw-r--r-- | ipalib/certstore.py | 12 |
1 files changed, 6 insertions, 6 deletions
diff --git a/ipalib/certstore.py b/ipalib/certstore.py
index d17cb2baa..70ae94210 100644
--- a/ipalib/certstore.py
+++ b/ipalib/certstore.py
@@ -22,7 +22,6 @@ LDAP shared certificate store.
 """
-from nss.error import NSPRError
 from pyasn1.error import PyAsn1Error
 from ipapython.dn import DN
@@ -31,11 +30,12 @@ from ipalib import errors, x509
 def _parse_cert(dercert):
 try:
- subject = x509.get_subject(dercert, x509.DER)
- issuer = x509.get_issuer(dercert, x509.DER)
- serial_number = x509.get_serial_number(dercert, x509.DER)
+ cert = x509.load_certificate(dercert, x509.DER)
+ subject = DN(cert.subject)
+ issuer = DN(cert.issuer)
+ serial_number = cert.serial
 public_key_info = x509.get_der_public_key_info(dercert, x509.DER)
- except (NSPRError, PyAsn1Error) as e:
+ except (ValueError, PyAsn1Error) as e:
 raise ValueError("failed to decode certificate: %s" % e)
 subject = str(subject).replace('\\;', '\\3b')
@@ -54,7 +54,7 @@ def init_ca_entry(entry, dercert, nickname, trusted, ext_key_usage):
 if ext_key_usage is not None:
 try:
 cert_eku = x509.get_ext_key_usage(dercert, x509.DER)
- except NSPRError as e:
+ except ValueError as e:
 raise ValueError("failed to decode certificate: %s" % e)
 if cert_eku is not None:
 cert_eku -= {x509.EKU_SERVER_AUTH, x509.EKU_CLIENT_AUTH,
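Review bot: The `try` body of `_parse_cert` still decodes `dercert` a second time through `x509.get_der_public_key_info(dercert, x509.DER)` after `cert = x509.load_certificate(...)` has already parsed it; if that helper is the pyasn1 path the remaining `PyAsn1Error` handler exists for, the SubjectPublicKeyInfo could be taken from the already-validated object instead (constructed example: `cert.public_key().public_bytes(serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo)`), so that untrusted DER from the LDAP store only passes through one decoder. Separately, `serial_number = cert.serial` reads an attribute that later python-cryptography releases deprecate in favour of `serial_number`; if the project's minimum version permits, `serial_number = cert.serial_number` avoids a future breakage. The widened `except (ValueError, PyAsn1Error)` now also swallows a `ValueError` coming from `DN(cert.subject)` or `DN(cert.issuer)` and reports it as a decode failure, which is acceptable but deserves a one-line comment such as `# DN() may also raise ValueError; report it as a decode error`. The same `except ValueError` narrowing applies to the `get_ext_key_usage` call in the third hunk. `_parse_cert` continues past the end of the hunk.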