author | Jan Cholasta <jcholast@redhat.com> | 2016-03-10 13:16:41 +0100 |
---|---|---|
committer | Martin Basti <mbasti@redhat.com> | 2016-03-16 09:35:44 +0100 |
commit | 54a59475f301267c7263a649df1b992e9b3e08aa (patch) | |
tree | c931e984b7e3317227d87ecbd0867d949939700b /ipapython/certdb.py | |
parent | fb3a5d5a9cad4355c3d7db5a789d1f6342cccaa0 (diff) | |
certdb: never use the -r option of certutil
The -r option makes certutil output certificates in DER. If there are
multiple certificates sharing the same nickname, certutil will output
them concatenated into a single blob. The blob is no longer valid DER
and causes failures later in the code.
Use the -a option instead to output the certificates in PEM and convert
them to DER on demand.
https://fedorahosted.org/freeipa/ticket/5117
https://fedorahosted.org/freeipa/ticket/5720
Reviewed-By: David Kupka <dkupka@redhat.com>
Diffstat (limited to 'ipapython/certdb.py')
-rw-r--r-- | ipapython/certdb.py | 18 |
1 files changed, 8 insertions, 10 deletions
diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index aea50a81f..e19f712d8 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -425,19 +425,17 @@ class NSSDatabase(object):
                 "Setting trust on %s failed" % root_nickname)
 
     def get_cert(self, nickname, pem=False):
-        args = ['-L', '-n', nickname]
-        if pem:
-            args.append('-a')
-        else:
-            args.append('-r')
+        args = ['-L', '-n', nickname, '-a']
         try:
-            result = self.run_certutil(args, capture_output=pem)
+            result = self.run_certutil(args, capture_output=True)
         except ipautil.CalledProcessError:
             raise RuntimeError("Failed to get %s" % nickname)
-        if pem:
-            return result.output
-        else:
-            return result.raw_output
+        cert = result.output
+        if not pem:
+            (cert, start) = find_cert_from_txt(cert, start=0)
+            cert = x509.strip_header(cert)
+            cert = base64.b64decode(cert)
+        return cert
 
     def has_nickname(self, nickname):
         try:
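Review bot: In the `pem=False` branch, `find_cert_from_txt(cert, start=0)` picks only the first certificate in certutil's PEM output, so the duplicate-nickname case the commit message describes is now silently reduced to whichever certificate certutil lists first, while the `pem=True` branch still returns the whole multi-certificate listing; callers that compare or pin the DER result may get a different certificate than they expect without any error. That behaviour should at least be documented on `get_cert`, e.g. a docstring saying that with `pem=False` only the first certificate found under `nickname` is returned, and with `pem=True` the full PEM output (possibly several certificates) is returned unchanged. Whether `find_cert_from_txt` raises or returns an empty value when the output holds no certificate is not visible here, so the "not found" path for a nickname that exists but has no parsable PEM body should be confirmed. Separately, the tuple target `(cert, start)` leaves `start` unused; `cert, _ = find_cert_from_txt(cert, start=0)` makes that explicit. The enclosing `has_nickname` method continues outside the hunk.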