From db116f73fe5fc199bb2e28103cf5e3e2a24eab4c Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Thu, 13 Oct 2016 17:12:31 +1000
Subject: x509: use python-cryptography to process certs

Update x509.load_certificate and related functions to return python-cryptography ``Certificate`` objects. Update the call sites accordingly, including removal of NSS initialisation code. Also update GeneralName parsing code to return python-cryptography GeneralName values, for consistency with other code that processes GeneralNames. The new function, `get_san_general_names`, and associated helper functions, can be removed when python-cryptography provides a way to deal with unrecognised critical extensions.
Part of: https://fedorahosted.org/freeipa/ticket/6398
Reviewed-By: Jan Cholasta
Reviewed-By: Florence Blanc-Renaud
---
 install/tools/ipa-replica-conncheck | 15 ++++++---------
 1 file changed, 6 insertions(+), 9 deletions(-)
(limited to 'install/tools')

diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck
index 067afb7b0..4045e41df 100755
--- a/install/tools/ipa-replica-conncheck
+++ b/install/tools/ipa-replica-conncheck
@@ -21,6 +21,7 @@ from __future__ import print_function
 from ipapython.config import IPAOptionParser
+from ipapython.dn import DN
 from ipapython import version
 from ipapython import ipautil, certdb
 from ipalib import api, errors, x509
@@ -40,7 +41,7 @@ from socket import SOCK_STREAM, SOCK_DGRAM
 import distutils.spawn
 from ipaplatform.paths import paths
 import gssapi
-from nss import nss
+from cryptography.hazmat.primitives import serialization
 CONNECT_TIMEOUT = 5
 RESPONDERS = [ ]
@@ -121,16 +122,12 @@ def parse_options():
 raise OptionValueError(
 "%s option '%s' is not an absolute file path" % (opt, value))
-initialized = nss.nss_is_initialized()
 try:
 x509.load_certificate_list_from_file(value)
 except Exception:
 raise OptionValueError(
 "%s option '%s' is not a valid certificate file" % (opt, value))
-finally:
-if not initialized:
-nss.nss_shutdown()
 parser.values.ca_cert_file = value
@@ -472,12 +469,12 @@ def main():
 nss_db.create_db(password_file.name)
 ca_certs = x509.load_certificate_list_from_file(
-options.ca_cert_file, dbdir=nss_db.secdir)
+options.ca_cert_file)
 for ca_cert in ca_certs:
+data = ca_cert.public_bytes(
+serialization.Encoding.DER)
 nss_db.add_cert(
-ca_cert.der_data, str(ca_cert.subject), 'C,,')
-del ca_cert
-del ca_certs
+data, str(DN(ca_cert.subject)), 'C,,')
 else:
 nss_dir = None
-- 
cgit
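Review bot: `str(DN(ca_cert.subject))` in the add_cert call depends on `DN()` accepting a python-cryptography `Name`, and this branch only executes when `--ca-cert-file` is supplied, so a mismatch there would not show up in a default run. I can't see `ipapython.dn` from here; please confirm it handles `x509.Name` (the `DN` import added at the top of the file suggests it does) and consider a test that exercises the `--ca-cert-file` path, since parse_options only checks that the file parses and never reaches this conversion. A short comment would help the next reader, e.g. `# presumably DN() turns the cryptography Name into the nickname string the NSS DB expects; verify against certdb.add_cert`. main() starts and continues outside this hunk.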