author | Fraser Tweedale <ftweedal@redhat.com> | 2016-08-16 13:16:58 +1000 |
---|---|---|
committer | Jan Cholasta <jcholast@redhat.com> | 2016-12-12 13:03:15 +0100 |
commit | c7ea56c049ec8ab1a5500852eca6faf750b1479f (patch) | |
tree | 2362e63154921dd460db8dfb5643a1d4d774315a /ipalib | |
parent | 95e602598a481f9c4a3b69ce8a861bf3816aa8ba (diff) | |
Add function for extracting PEM certs from PKCS #7
Add a single function for extracting X.509 certs in PEM format from
a PKCS #7 object. Refactor sites that execute ``openssl pkcs7`` to
use the new function.
Part of: https://fedorahosted.org/freeipa/ticket/6178
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Diffstat (limited to 'ipalib')
-rw-r--r-- | ipalib/x509.py | 29 |
1 files changed, 28 insertions, 1 deletions
diff --git a/ipalib/x509.py b/ipalib/x509.py
index e1c386705..851af5a74 100644
--- a/ipalib/x509.py
+++ b/ipalib/x509.py
@@ -49,6 +49,14 @@ from ipalib import api
 from ipalib import util
 from ipalib import errors
 from ipapython.dn import DN
+from ipapython import ipautil
+
+try:
+    from ipaplatform.paths import paths
+except ImportError:
+    OPENSSL = '/usr/bin/openssl'
+else:
+    OPENSSL = paths.OPENSSL
 
 if six.PY3:
     unicode = str
@@ -56,7 +64,9 @@ if six.PY3:
 PEM = 0
 DER = 1
 
-PEM_REGEX = re.compile(r'(?<=-----BEGIN CERTIFICATE-----).*?(?=-----END CERTIFICATE-----)', re.DOTALL)
+PEM_REGEX = re.compile(
+    r'-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----',
+    re.DOTALL)
 
 EKU_SERVER_AUTH = '1.3.6.1.5.5.7.3.1'
 EKU_CLIENT_AUTH = '1.3.6.1.5.5.7.3.2'
@@ -145,6 +155,23 @@ def load_certificate_list_from_file(filename):
         return load_certificate_list(f.read())
 
 
+def pkcs7_to_pems(data, datatype=PEM):
+    """
+    Extract certificates from a PKCS #7 object.
+
+    Return a ``list`` of X.509 PEM strings.
+
+    May throw ``ipautil.CalledProcessError`` on invalid data.
+
+    """
+    cmd = [
+        OPENSSL, "pkcs7", "-print_certs",
+        "-inform", "PEM" if datatype == PEM else "DER",
+    ]
+    result = ipautil.run(cmd, stdin=data, capture_output=True)
+    return PEM_REGEX.findall(result.output)
+
+
 def is_self_signed(certificate, datatype=PEM):
     cert = load_certificate(certificate, datatype)
     return cert.issuer == cert.subject
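Review bot: `pkcs7_to_pems` treats every `datatype` value other than `PEM` as DER, so a caller passing a mistaken value gets a confusing `ipautil.CalledProcessError` from openssl instead of an argument error; a guard before `cmd` is built, `if datatype not in (PEM, DER): raise ValueError("datatype must be PEM or DER")`, would fail fast with a clear message. The docstring should also say what `data` must be (str or bytes), since it is handed straight to `ipautil.run(..., stdin=data)`, and whether `result.output` is text that the str pattern `PEM_REGEX` can match depends on how `ipautil.run` decodes captured output, which is not visible in this hunk and is worth confirming for the DER input case. Separately, the second hunk changes `PEM_REGEX` from a lookbehind/lookahead pattern that matched only the base64 body to one that includes the BEGIN/END delimiters, so any other user of `PEM_REGEX` in this file outside these hunks now receives the full armored block and should be checked for that.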