ipalib.x509: Handle missing SAN gracefully

When extension is not present None is returned instead of empty iterable or exception thrown. Reviewed-By: Martin Basti <mbasti@redhat.com>
author: David Kupka <dkupka@redhat.com> 2017-01-23 10:38:34 +0100
committer: Martin Basti <mbasti@redhat.com> 2017-02-07 13:58:48 +0100
commit: 308c790ee90f00e0bc2c40abf51c30e5250631e9 (patch)
tree: 8c6ef39585ff3e205b9454d5e3162a2f6acd30f0 /ipalib
parent: 7e2d185ba09382a815e9b0530aeae3d56f9378d1 (diff)
download: freeipa-308c790ee90f00e0bc2c40abf51c30e5250631e9.tar.gz
freeipa-308c790ee90f00e0bc2c40abf51c30e5250631e9.tar.xz
freeipa-308c790ee90f00e0bc2c40abf51c30e5250631e9.zip
1 files changed, 5 insertions, 1 deletions
diff --git a/ipalib/x509.py b/ipalib/x509.py
index 60a947b68..f65cf816c 100644
--- a/ipalib/x509.py
+++ b/ipalib/x509.py
@@ -435,8 +435,12 @@ def get_san_general_names(cert):
         asn1Spec=rfc2459.TBSCertificate()
     )[0]
     OID_SAN = univ.ObjectIdentifier('2.5.29.17')
+    # One would expect KeyError or empty iterable when the key ('extensions'
+    # in this particular case) is not pressent in the certificate but pyasn1
+    # returns None here
+    extensions = tbs['extensions'] or []
     gns = []
-    for ext in tbs['extensions']:
+    for ext in extensions:
         if ext['extnID'] == OID_SAN:
             der = decoder.decode(
                 ext['extnValue'], asn1Spec=univ.OctetString())[0]
author	David Kupka <dkupka@redhat.com>	2017-01-23 10:38:34 +0100
committer	Martin Basti <mbasti@redhat.com>	2017-02-07 13:58:48 +0100
commit	308c790ee90f00e0bc2c40abf51c30e5250631e9 (patch)
tree	8c6ef39585ff3e205b9454d5e3162a2f6acd30f0 /ipalib
parent	7e2d185ba09382a815e9b0530aeae3d56f9378d1 (diff)
download	freeipa-308c790ee90f00e0bc2c40abf51c30e5250631e9.tar.gz freeipa-308c790ee90f00e0bc2c40abf51c30e5250631e9.tar.xz freeipa-308c790ee90f00e0bc2c40abf51c30e5250631e9.zip