certmonger: finish refactoring for request script

The recent certificate refactoring ensures that ipaldap operations
are able to work with IPACertificate values when communicating with
the LDAP server. Use these capabilities and prevent possible bugs.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Stanislav Laznicka 2017-08-16 15:07:28 +02:00 committed by Pavel Vomacka
parent 32be3ef622
commit 0412625a2b


@ -281,8 +281,7 @@ def store_cert(**kwargs):
cert = os.environ.get('CERTMONGER_CERTIFICATE') cert = os.environ.get('CERTMONGER_CERTIFICATE')
if not cert: if not cert:
return (REJECTED, "New certificate requests not supported") return (REJECTED, "New certificate requests not supported")
cert = x509.load_pem_x509_certificate(fix_pem(cert)) cert = x509.load_pem_x509_certificate(fix_pem(cert.encode('ascii')))
dercert = cert.public_bytes(x509.Encoding.DER)
dn = DN(('cn', nickname), ('cn', 'ca_renewal'), dn = DN(('cn', nickname), ('cn', 'ca_renewal'),
('cn', 'ipa'), ('cn', 'etc'), api.env.basedn) ('cn', 'ipa'), ('cn', 'etc'), api.env.basedn)
@ -290,14 +289,14 @@ def store_cert(**kwargs):
with ldap_connect() as conn: with ldap_connect() as conn:
try: try:
entry = conn.get_entry(dn, ['usercertificate']) entry = conn.get_entry(dn, ['usercertificate'])
entry['usercertificate'] = [dercert] entry['usercertificate'] = [cert]
conn.update_entry(entry) conn.update_entry(entry)
except errors.NotFound: except errors.NotFound:
entry = conn.make_entry( entry = conn.make_entry(
dn, dn,
objectclass=['top', 'pkiuser', 'nscontainer'], objectclass=['top', 'pkiuser', 'nscontainer'],
cn=[nickname], cn=[nickname],
usercertificate=[dercert]) usercertificate=[cert])
conn.add_entry(entry) conn.add_entry(entry)
except errors.EmptyModlist: except errors.EmptyModlist:
pass pass
@ -394,8 +393,7 @@ def retrieve_or_reuse_cert(**kwargs):
except errors.NotFound: except errors.NotFound:
pass pass
else: else:
cert = x509.load_der_x509_certificate( cert = entry.single_value['usercertificate']
entry.single_value['usercertificate'])
return (ISSUED, cert.public_bytes(x509.Encoding.PEM)) return (ISSUED, cert.public_bytes(x509.Encoding.PEM))
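Review bot: The new `cert = entry.single_value['usercertificate']` on the `else:` branch assumes ipaldap has already decoded the attribute into an IPACertificate, because the following line calls `cert.public_bytes(x509.Encoding.PEM)` on it with no check; if the value were still raw DER bytes this would surface as an AttributeError rather than a clear error, and nothing in the hunk records that dependency. The same implicit contract appears in the store_cert hunk, where `entry['usercertificate'] = [cert]` and `usercertificate=[cert]` rely on ipaldap encoding the object back to DER on write. A one-line comment at the assignment would make the coupling visible to the next maintainer: `# ipaldap decodes/encodes usercertificate as IPACertificate objects; no manual DER conversion here`. Both retrieve_or_reuse_cert and store_cert begin outside their hunks, so any surrounding error handling for a malformed or undecoded value is not visible from this view.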