authorJan Cholasta <jcholast@redhat.com>2013-10-16 07:39:51 +0000
committerPetr Viktorin <pviktori@redhat.com>2014-03-25 16:54:55 +0100
commitd5e35f92a55d4e80d13ce157a8aa8f36276ad327 (patch)
treee714679ab1a77a92c2157f129076d41566387da8 /ipalib
parentbab88eb1ed440d1e62eb59e32c4d22fa178f4869 (diff)
Update pkcs10 module functions to always load CSRs and allow selecting format.
This change makes the pkcs10 module more consistent with the x509 module.

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Diffstat (limited to 'ipalib')
-rw-r--r--ipalib/pkcs10.py45
-rw-r--r--ipalib/plugins/cert.py8
2 files changed, 28 insertions, 25 deletions
diff --git a/ipalib/pkcs10.py b/ipalib/pkcs10.py
index 29f9b3520..12db78377 100644
--- a/ipalib/pkcs10.py
+++ b/ipalib/pkcs10.py
@@ -27,24 +27,32 @@ from ipalib import api
PEM = 0
DER = 1
-def get_subjectaltname(request):
+def get_subject(csr, datatype=PEM):
"""
- Given a CSR return the subjectaltname value, if any.
+ Given a CSR return the subject value.
- The return value is a tuple of strings or None
+ This returns an nss.DN object.
"""
- for extension in request.extensions:
- if extension.oid_tag == nss.SEC_OID_X509_SUBJECT_ALT_NAME:
- return nss.x509_alt_name(extension.value)
- return None
+ request = load_certificate_request(csr, datatype)
+ try:
+ return request.subject
+ finally:
+ del request
-def get_subject(request):
+def get_subjectaltname(csr, datatype=PEM):
"""
- Given a CSR return the subject value.
+ Given a CSR return the subjectaltname value, if any.
- This returns an nss.DN object.
+ The return value is a tuple of strings or None
"""
- return request.subject
+ request = load_certificate_request(csr, datatype)
+ try:
+ for extension in request.extensions:
+ if extension.oid_tag == nss.SEC_OID_X509_SUBJECT_ALT_NAME:
+ return nss.x509_alt_name(extension.value)
+ finally:
+ del request
+ return None
def strip_header(csr):
"""
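Review bot: The `try: ... finally: del request` wrapper in get_subject and get_subjectaltname only unbinds a local name that goes out of scope on return anyway, so it adds nesting without changing when the request object is released. If the intent is to drop the NSS-backed object before NSS can be shut down, a comment such as `# release the NSS request object promptly; it must not outlive NSS shutdown` would record that; otherwise get_subject can be just `return load_certificate_request(csr, datatype).subject`. It is also worth confirming that the returned nss.DN does not depend on the request staying alive, since callers no longer hold a reference to it after this change.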
@@ -61,21 +69,21 @@ def strip_header(csr):
return csr
-def load_certificate_request(csr):
+def load_certificate_request(csr, datatype=PEM):
"""
Given a base64-encoded certificate request, with or without the
header/footer, return a request object.
"""
- csr = strip_header(csr)
-
- substrate = base64.b64decode(csr)
+ if datatype == PEM:
+ csr = strip_header(csr)
+ csr = base64.b64decode(csr)
# A fail-safe so we can always read a CSR. python-nss/NSS will segfault
# otherwise
if not nss.nss_is_initialized():
nss.nss_init_nodb()
- return nss.CertificateRequest(substrate)
+ return nss.CertificateRequest(csr)
if __name__ == '__main__':
nss.nss_init_nodb()
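Review bot: In load_certificate_request any `datatype` other than PEM falls through to `nss.CertificateRequest(csr)` as raw DER, so a mistyped or unexpected value is silently parsed as binary instead of being rejected. An explicit check such as `elif datatype != DER: raise ValueError('unsupported CSR format: %r' % (datatype,))` would make that failure visible at the parsing boundary. The docstring still describes only base64 input and should cover the new parameter, for example `csr is base64 text (with or without header/footer) when datatype is PEM, raw DER bytes when datatype is DER`.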
@@ -85,9 +93,6 @@ if __name__ == '__main__':
csrlines = sys.stdin.readlines()
csr = ''.join(csrlines)
- csr = load_certificate_request(csr)
-
- print csr
-
+ print load_certificate_request(csr)
print get_subject(csr)
print get_subjectaltname(csr)
diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py
index 5fa9206d5..90d450504 100644
--- a/ipalib/plugins/cert.py
+++ b/ipalib/plugins/cert.py
@@ -138,9 +138,8 @@ def get_csr_hostname(csr):
Return the value of CN in the subject of the request or None
"""
try:
- request = pkcs10.load_certificate_request(csr)
- subject = pkcs10.get_subject(request)
- return subject.common_name
+ subject = pkcs10.get_subject(csr)
+ return subject.common_name #pylint: disable=E1101
except NSPRError, nsprerr:
raise errors.CertificateOperationError(
error=_('Failure decoding Certificate Signing Request: %s') % nsprerr)
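Review bot: With parsing now inside `pkcs10.get_subject(csr)`, the `except NSPRError` clause in get_csr_hostname covers only NSS decoding errors. On the PEM path `base64.b64decode` runs first, and under Python 2 (which the `except X, e` syntax implies) it raises TypeError on malformed base64, so a bad CSR would surface as an unhandled error rather than CertificateOperationError unless the input is validated earlier, which is not visible here. Consider `except (NSPRError, TypeError), nsprerr:`. The `pkcs10.get_subjectaltname(csr)` call in the cert_request hunk below re-parses the same CSR with no handler in the visible lines, so the same applies there.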
@@ -368,8 +367,7 @@ class cert_request(VirtualCommand):
"to the 'userCertificate' attribute of entry '%s'.") % dn)
# Validate the subject alt name, if any
- request = pkcs10.load_certificate_request(csr)
- subjectaltname = pkcs10.get_subjectaltname(request)
+ subjectaltname = pkcs10.get_subjectaltname(csr)
if subjectaltname is not None:
for name in subjectaltname:
name = unicode(name)