author | Fraser Tweedale <ftweedal@redhat.com> | 2016-10-10 14:31:49 +1000 |
---|---|---|
committer | David Kupka <dkupka@redhat.com> | 2016-11-10 10:21:47 +0100 |
commit | 66637f766dd0ddc50888013962be2294fd8d0e9a (patch) | |
tree | 51805147aa266accc0078be8bab63930f16e29b6 /ipalib/pkcs10.py | |
parent | 9522970bfa28900abc90e959de483f59c79a3e5f (diff) | |
pkcs10: use python-cryptography for CSR processing
Update ``ipalib.pkcs10`` module to use python-cryptography for CSR
processing instead of NSS.
Part of: https://fedorahosted.org/freeipa/ticket/6398
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Diffstat (limited to 'ipalib/pkcs10.py')
-rw-r--r-- | ipalib/pkcs10.py | 94 |
1 files changed, 16 insertions, 78 deletions
diff --git a/ipalib/pkcs10.py b/ipalib/pkcs10.py
index 158ebb3a2..44a529d1a 100644
--- a/ipalib/pkcs10.py
+++ b/ipalib/pkcs10.py
@@ -19,71 +19,12 @@
 from __future__ import print_function
+import binascii
 import sys
-import base64
-import nss.nss as nss
+from cryptography.hazmat.backends import default_backend
+import cryptography.x509
 from pyasn1.type import univ, namedtype, tag
 from pyasn1.codec.der import decoder
-import six
-from ipalib import x509
-
-if six.PY3:
- unicode = str
-
-PEM = 0
-DER = 1
-
-def get_subject(csr, datatype=PEM):
- """
- Given a CSR return the subject value.
-
- This returns an nss.DN object.
- """
- request = load_certificate_request(csr, datatype)
- try:
- return request.subject
- finally:
- del request
-
-def get_extensions(csr, datatype=PEM):
- """
- Given a CSR return OIDs of certificate extensions.
-
- The return value is a tuple of strings
- """
- request = load_certificate_request(csr, datatype)
-
- # Work around a bug in python-nss where nss.oid_dotted_decimal
- # errors on unrecognised OIDs
- #
- # https://bugzilla.redhat.com/show_bug.cgi?id=1246729
- #
- def get_prefixed_oid_str(ext):
- """Returns a string like 'OID.1.2...'."""
- if ext.oid_tag == 0:
- return repr(ext)
- else:
- return nss.oid_dotted_decimal(ext.oid)
-
- return tuple(get_prefixed_oid_str(ext)[4:]
- for ext in request.extensions)
-
-
-def get_subjectaltname(csr, datatype=PEM):
- """
- Given a CSR return the subjectaltname value, if any.
-
- The return value is a tuple of strings or None
- """
- request = load_certificate_request(csr, datatype)
- for extension in request.extensions:
- if extension.oid_tag == nss.SEC_OID_X509_SUBJECT_ALT_NAME:
- break
- else:
- return None
- del request
-
- return x509.decode_generalnames(extension.value)
 # Unfortunately, NSS can only parse the extension request attribute, so
@@ -148,31 +89,28 @@ def strip_header(csr):
 return csr
-def load_certificate_request(csr, datatype=PEM):
- """
- Given a base64-encoded certificate request, with or without the
- header/footer, return a request object.
+
+def load_certificate_request(data):
 """
- if datatype == PEM:
- csr = strip_header(csr)
- csr = base64.b64decode(csr)
+ Load a PEM or base64-encoded PKCS #10 certificate request.
- # A fail-safe so we can always read a CSR. python-nss/NSS will segfault
- # otherwise
- if not nss.nss_is_initialized():
- nss.nss_init_nodb()
+ :return: a python-cryptography ``Certificate`` object.
+ :raises: ``ValueError`` if unable to load the request
- return nss.CertificateRequest(csr)
+ """
+ data = strip_header(data)
+ try:
+ data = binascii.a2b_base64(data)
+ except binascii.Error as e:
+ raise ValueError(e)
+ return cryptography.x509.load_der_x509_csr(data, default_backend())
-if __name__ == '__main__':
- nss.nss_init_nodb()
+if __name__ == '__main__':
 # Read PEM request from stdin and print out its components
 csrlines = sys.stdin.readlines()
 csr = ''.join(csrlines)
 print(load_certificate_request(csr))
- print(get_subject(csr))
- print(get_subjectaltname(csr))
 print(get_friendlyname(csr)) |
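Review bot: The `:return:` line of the new `load_certificate_request` docstring names the wrong type — `cryptography.x509.load_der_x509_csr` returns a `CertificateSigningRequest`, not a `Certificate`, so it should read `:return: a python-cryptography ``CertificateSigningRequest`` object.` The request is also returned without its self-signature being checked, so a CSR whose signature does not verify under the public key it carries is accepted here as well-formed; if this module is meant to be the proof-of-possession boundary rather than the CA, add `csr = cryptography.x509.load_der_x509_csr(data, default_backend())` followed by `if not csr.is_signature_valid: raise ValueError('CSR signature is invalid')` before returning (the property exists in python-cryptography >= 1.3, so confirm the minimum version the project requires), otherwise state in the docstring that the signature is not verified. Dropping the `datatype` parameter also removes the DER input path silently: a raw DER request now fails with a `ValueError` out of the base64 decode or the DER parse rather than being rejected for the stated reason, which is worth a sentence in the docstring unless no caller still passes DER.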