From c7ea56c049ec8ab1a5500852eca6faf750b1479f Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Tue, 16 Aug 2016 13:16:58 +1000
Subject: Add function for extracting PEM certs from PKCS #7

Add a single function for extracting X.509 certs in PEM format from a PKCS #7 object. Refactor sites that execute ``openssl pkcs7`` to use the new function.

Part of: https://fedorahosted.org/freeipa/ticket/6178

Reviewed-By: Jan Cholasta
Reviewed-By: Tomas Krizek
---
 ipalib/x509.py | 29 ++++++++++++++++++++++++++++-
 1 file changed, 28 insertions(+), 1 deletion(-)
(limited to 'ipalib')

diff --git a/ipalib/x509.py b/ipalib/x509.py
index e1c386705..851af5a74 100644
--- a/ipalib/x509.py
+++ b/ipalib/x509.py
@@ -49,6 +49,14 @@ from ipalib import api
 from ipalib import util
 from ipalib import errors
 from ipapython.dn import DN
+from ipapython import ipautil
+
+try:
+    from ipaplatform.paths import paths
+except ImportError:
+    OPENSSL = '/usr/bin/openssl'
+else:
+    OPENSSL = paths.OPENSSL
 
 if six.PY3:
     unicode = str
@@ -56,7 +64,9 @@ if six.PY3:
 PEM = 0
 DER = 1
 
-PEM_REGEX = re.compile(r'(?<=-----BEGIN CERTIFICATE-----).*?(?=-----END CERTIFICATE-----)', re.DOTALL)
+PEM_REGEX = re.compile(
+    r'-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----',
+    re.DOTALL)
 
 EKU_SERVER_AUTH = '1.3.6.1.5.5.7.3.1'
 EKU_CLIENT_AUTH = '1.3.6.1.5.5.7.3.2'
@@ -145,6 +155,23 @@ def load_certificate_list_from_file(filename):
         return load_certificate_list(f.read())
 
 
+def pkcs7_to_pems(data, datatype=PEM):
+    """
+    Extract certificates from a PKCS #7 object.
+
+    Return a ``list`` of X.509 PEM strings.
+
+    May throw ``ipautil.CalledProcessError`` on invalid data.
+
+    """
+    cmd = [
+        OPENSSL, "pkcs7", "-print_certs",
+        "-inform", "PEM" if datatype == PEM else "DER",
+    ]
+    result = ipautil.run(cmd, stdin=data, capture_output=True)
+    return PEM_REGEX.findall(result.output)
+
+
 def is_self_signed(certificate, datatype=PEM):
     cert = load_certificate(certificate, datatype)
     return cert.issuer == cert.subject
-- cgit
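Review bot: `pkcs7_to_pems` maps every `datatype` value other than `PEM` to `-inform DER`, so a caller passing a wrong constant gets a `CalledProcessError` from openssl (or an empty list) instead of an argument error; an explicit guard before building `cmd`, `if datatype not in (PEM, DER): raise ValueError('datatype must be PEM or DER')`, would make the contract stated in the docstring checkable. The rewritten `PEM_REGEX` now includes the `-----BEGIN/END CERTIFICATE-----` lines in each match rather than only the base64 body between them, which is what this function wants, but any other `PEM_REGEX.findall` user in x509.py that expected bare bodies will see different results — those sites are outside this diff and worth confirming in the same change. `result.output` is matched against a `str` pattern; if `ipautil.run` can return bytes in some configuration, `findall` would raise `TypeError`, which cannot be told from here. The docstring could also state that `data` is the raw PKCS #7 object in the encoding named by `datatype` and that the returned strings are complete PEM blocks including the header and footer lines.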