authorJan Cholasta <jcholast@redhat.com>2016-03-10 13:16:41 +0100
committerMartin Basti <mbasti@redhat.com>2016-03-16 09:35:44 +0100
commit54a59475f301267c7263a649df1b992e9b3e08aa (patch)
treec931e984b7e3317227d87ecbd0867d949939700b /ipapython/certdb.py
parentfb3a5d5a9cad4355c3d7db5a789d1f6342cccaa0 (diff)
certdb: never use the -r option of certutil
The -r option makes certutil output certificates in DER. If there are multiple certificates sharing the same nickname, certutil will output them concatenated into a single blob. The blob is no longer valid DER and causes failures further on in the code. Use the -a option instead to output the certificates in PEM and convert them to DER on demand. https://fedorahosted.org/freeipa/ticket/5117 https://fedorahosted.org/freeipa/ticket/5720 Reviewed-By: David Kupka <dkupka@redhat.com>
Diffstat (limited to 'ipapython/certdb.py')
-rw-r--r--ipapython/certdb.py18
1 files changed, 8 insertions, 10 deletions
diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index aea50a81f..e19f712d8 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -425,19 +425,17 @@ class NSSDatabase(object):
"Setting trust on %s failed" % root_nickname)
def get_cert(self, nickname, pem=False):
- args = ['-L', '-n', nickname]
- if pem:
- args.append('-a')
- else:
- args.append('-r')
+ args = ['-L', '-n', nickname, '-a']
try:
- result = self.run_certutil(args, capture_output=pem)
+ result = self.run_certutil(args, capture_output=True)
except ipautil.CalledProcessError:
raise RuntimeError("Failed to get %s" % nickname)
- if pem:
- return result.output
- else:
- return result.raw_output
+ cert = result.output
+ if not pem:
+ (cert, start) = find_cert_from_txt(cert, start=0)
+ cert = x509.strip_header(cert)
+ cert = base64.b64decode(cert)
+ return cert
def has_nickname(self, nickname):
try: