diff options
| author | Fraser Tweedale <ftweedal@redhat.com> | 2016-07-22 12:05:13 +1000 |
|---|---|---|
| committer | Jan Cholasta <jcholast@redhat.com> | 2016-08-26 09:09:45 +0200 |
| commit | dae82b25bdfbec44e5db27a6fc353a46739ed8f5 (patch) | |
| tree | 6174c2ffb82b892fabac7197bdda2f1b8aa68fbc /ipalib | |
| parent | 0245d2aadf8b38ba68aeacf70761bd09ad927951 (diff) | |
| download | freeipa-dae82b25bdfbec44e5db27a6fc353a46739ed8f5.tar.gz freeipa-dae82b25bdfbec44e5db27a6fc353a46739ed8f5.tar.xz freeipa-dae82b25bdfbec44e5db27a6fc353a46739ed8f5.zip | |
x509: fix SAN directoryName parsing
The subjectAltName extension parsing code in ipalib.x509 fails on
directoryName values because the Choice structure is not endowed
with an inner type. Implement the Name structure, whose inner type
is a CHOICE { SEQUENCE OF RelativeDistinguishedName }, to resolve.
Note that the structure still does not get fully parsed; only enough
to recognise the SequenceOf tag and not fail.
Part of: https://fedorahosted.org/freeipa/ticket/6022
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Diffstat (limited to 'ipalib')
| -rw-r--r-- | ipalib/x509.py | 12 |
1 files changed, 9 insertions, 3 deletions
diff --git a/ipalib/x509.py b/ipalib/x509.py index 15168de08..2dc67441c 100644 --- a/ipalib/x509.py +++ b/ipalib/x509.py @@ -196,6 +196,12 @@ def is_self_signed(certificate, datatype=PEM, dbdir=None): del nsscert return self_signed +class _Name(univ.Choice): + componentType = namedtype.NamedTypes( + namedtype.NamedType('rdnSequence', + univ.SequenceOf()), + ) + class _TBSCertificate(univ.Sequence): componentType = namedtype.NamedTypes( namedtype.NamedType( @@ -204,9 +210,9 @@ class _TBSCertificate(univ.Sequence): tag.tagClassContext, tag.tagFormatSimple, 0))), namedtype.NamedType('serialNumber', univ.Integer()), namedtype.NamedType('signature', univ.Sequence()), - namedtype.NamedType('issuer', univ.Sequence()), + namedtype.NamedType('issuer', _Name()), namedtype.NamedType('validity', univ.Sequence()), - namedtype.NamedType('subject', univ.Sequence()), + namedtype.NamedType('subject', _Name()), namedtype.NamedType('subjectPublicKeyInfo', univ.Sequence()), namedtype.OptionalNamedType( 'issuerUniquedID', @@ -403,7 +409,7 @@ class _GeneralName(univ.Choice): namedtype.NamedType('x400Address', univ.Sequence().subtype( implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 3)) ), - namedtype.NamedType('directoryName', univ.Choice().subtype( + namedtype.NamedType('directoryName', _Name().subtype( implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 4)) ), namedtype.NamedType('ediPartyName', univ.Sequence().subtype( |