From db116f73fe5fc199bb2e28103cf5e3e2a24eab4c Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Thu, 13 Oct 2016 17:12:31 +1000
Subject: x509: use python-cryptography to process certs

Update x509.load_certificate and related functions to return python-cryptography ``Certificate`` objects. Update the call sites accordingly, including removal of NSS initialisation code. Also update GeneralName parsing code to return python-cryptography GeneralName values, for consistency with other code that processes GeneralNames. The new function, `get_san_general_names`, and associated helper functions, can be removed when python-cryptography provides a way to deal with unrecognised critical extensions.

Part of: https://fedorahosted.org/freeipa/ticket/6398

Reviewed-By: Jan Cholasta
Reviewed-By: Florence Blanc-Renaud
---
 ipaserver/plugins/service.py | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
(limited to 'ipaserver/plugins/service.py')

diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py
index a39ba3249..ddae37fec 100644
--- a/ipaserver/plugins/service.py
+++ b/ipaserver/plugins/service.py
@@ -19,6 +19,7 @@
 # You should have received a copy of the GNU General Public License
 # along with this program. If not, see .

+from cryptography.hazmat.primitives import hashes
 import six

 from ipalib import api, errors, messages
@@ -49,8 +50,6 @@ from ipalib import output
 from ipapython import kerberos
 from ipapython.dn import DN

-import nss.nss as nss
-
 if six.PY3:
 unicode = str

@@ -268,16 +267,17 @@ def set_certificate_attrs(entry_attrs):
 cert = entry_attrs['usercertificate']
 cert = x509.normalize_certificate(cert)
 cert = x509.load_certificate(cert, datatype=x509.DER)
- entry_attrs['subject'] = unicode(cert.subject)
- entry_attrs['serial_number'] = unicode(cert.serial_number)
- entry_attrs['serial_number_hex'] = u'0x%X' % cert.serial_number
- entry_attrs['issuer'] = unicode(cert.issuer)
- entry_attrs['valid_not_before'] = unicode(cert.valid_not_before_str)
- entry_attrs['valid_not_after'] = unicode(cert.valid_not_after_str)
+ entry_attrs['subject'] = unicode(DN(cert.subject))
+ entry_attrs['serial_number'] = unicode(cert.serial)
+ entry_attrs['serial_number_hex'] = u'0x%X' % cert.serial
+ entry_attrs['issuer'] = unicode(DN(cert.issuer))
+ entry_attrs['valid_not_before'] = x509.format_datetime(
+ cert.not_valid_before)
+ entry_attrs['valid_not_after'] = x509.format_datetime(cert.not_valid_after)
 entry_attrs['md5_fingerprint'] = x509.to_hex_with_colons(
- nss.md5_digest(cert.der_data))
+ cert.fingerprint(hashes.MD5()))
 entry_attrs['sha1_fingerprint'] = x509.to_hex_with_colons(
- nss.sha1_digest(cert.der_data))
+ cert.fingerprint(hashes.SHA1()))

 def check_required_principal(ldap, principal):
 """
-- cgit
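Review bot: `cert.fingerprint(hashes.MD5())` near the end of the hunk can raise `cryptography.exceptions.UnsupportedAlgorithm` when the backend has MD5 disabled (FIPS-restricted OpenSSL builds may), which would turn a purely informational display attribute into a failure of the whole entry post-processing; the NSS call it replaces had no equivalent failure mode. Consider computing the MD5 value inside a `try`/`except UnsupportedAlgorithm` and simply omitting `md5_fingerprint` from `entry_attrs` when it is unavailable, and note in a comment that the MD5 and SHA-1 fingerprints are for human identification only, not for matching certificates (neither hash is collision-resistant). Separately, `cert.serial` on the `serial_number` and `serial_number_hex` lines is the older python-cryptography name; `serial_number` is the documented property, so prefer it if the minimum supported cryptography version provides it. The enclosing `set_certificate_attrs` begins before this hunk.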