author | Fraser Tweedale <ftweedal@redhat.com> | 2016-10-13 17:12:31 +1000 |
---|---|---|
committer | David Kupka <dkupka@redhat.com> | 2016-11-10 10:21:47 +0100 |
commit | db116f73fe5fc199bb2e28103cf5e3e2a24eab4c (patch) | |
tree | ff1a043b376ec4d98b6399040a868e8b45725ee0 /ipaserver/install/certs.py | |
parent | c57dc890b2bf447ab575f2e91249179bce3f05d5 (diff) | |
x509: use python-cryptography to process certs
Update x509.load_certificate and related functions to return
python-cryptography ``Certificate`` objects. Update the call sites
accordingly, including removal of NSS initialisation code.
Also update GeneralName parsing code to return python-cryptography
GeneralName values, for consistency with other code that processes
GeneralNames. The new function, `get_san_general_names`, and
associated helper functions, can be removed when python-cryptography
provides a way to deal with unrecognised critical extensions.
Part of: https://fedorahosted.org/freeipa/ticket/6398
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Diffstat (limited to 'ipaserver/install/certs.py')
-rw-r--r-- | ipaserver/install/certs.py | 9 |
1 files changed, 4 insertions, 5 deletions
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 31fd36cc3..a73025099 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -60,9 +60,8 @@ def get_cert_nickname(cert):
 representation of the first RDN in the subject and subject_dn is a DN object. """
- nsscert = x509.load_certificate(cert)
- subject = str(nsscert.subject)
- dn = DN(subject)
+ cert_obj = x509.load_certificate(cert)
+ dn = DN(cert_obj.subject)
 return (str(dn[0]), dn)
@@ -304,8 +303,8 @@ class CertDB(object):
 return
 cert = self.get_cert_from_db(nickname)
- nsscert = x509.load_certificate(cert, dbdir=self.secdir)
- subject = str(nsscert.subject)
+ cert_obj = x509.load_certificate(cert)
+ subject = str(DN(cert_obj.subject))
 certmonger.add_principal(request_id, principal)
 certmonger.add_subject(request_id, subject) |
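Review bot: The nickname returned by `get_cert_nickname` is `str(dn[0])`, so it now depends on the order in which `DN()` lays out the RDNs of a python-cryptography `Name`, and nothing in this hunk documents or pins that order. The old code built the DN from the NSS string form of the subject. If the constructor keeps the certificate's encoding order (most general RDN first), `dn[0]` would presumably no longer be the leaf RDN and nicknames would silently change. The same assumption sits behind `subject = str(DN(cert_obj.subject))` in the `CertDB` hunk, where the string is handed to `certmonger.add_subject` and has to match the subject form certmonger expects. I would add a comment above the first conversion such as `# DN() must yield LDAP order (most specific RDN first) so dn[0] is the leaf RDN`, and a unit test asserting the nickname and subject string for a certificate with a multi-RDN subject. Both enclosing functions start outside their hunks, so the callers' handling of a parse failure from `x509.load_certificate` could not be checked here.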