Remove pkcs10 module contents

This removes the contents of the pkcs10 module and adds a warning message
about its future removal.

https://pagure.io/freeipa/issue/7131
Stanislav Laznicka 2017-09-25 09:18:41 +02:00
parent f350b5698a
commit 0d7daf0495
14 changed files with 28 additions and 291 deletions


@ -30,7 +30,6 @@ env:
test_ipalib test_ipalib
test_ipapython test_ipapython
test_ipaserver test_ipaserver
test_pkcs10
test_integration/test_ipalib_util.py test_integration/test_ipalib_util.py
test_xmlrpc/test_[l-z]*.py" test_xmlrpc/test_[l-z]*.py"
- TASK_TO_RUN="run-tests" - TASK_TO_RUN="run-tests"
@ -46,7 +45,6 @@ env:
test_ipalib test_ipalib
test_ipapython test_ipapython
test_ipaserver test_ipaserver
test_pkcs10
test_integration/test_ipalib_util.py test_integration/test_ipalib_util.py
test_xmlrpc/test_[l-uw-z]*.py" test_xmlrpc/test_[l-uw-z]*.py"
# FIXME: add vault tests once PKI finally fixes vault # FIXME: add vault tests once PKI finally fixes vault


@ -123,7 +123,7 @@ from ipalib.text import Gettext, FixMe
from ipalib.util import json_serialize, validate_idna_domain from ipalib.util import json_serialize, validate_idna_domain
from ipalib.x509 import ( from ipalib.x509 import (
load_der_x509_certificate, IPACertificate, default_backend) load_der_x509_certificate, IPACertificate, default_backend)
from ipalib.pkcs10 import strip_header as strip_csr_header from ipalib.util import strip_csr_header
from ipapython import kerberos from ipapython import kerberos
from ipapython.dn import DN from ipapython.dn import DN
from ipapython.dnsutil import DNSName from ipapython.dnsutil import DNSName


@ -1,56 +1,8 @@
# Authors:
# Rob Crittenden <rcritten@redhat.com>
#
# Copyright (C) 2010 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from __future__ import print_function from __future__ import print_function
import sys
import binascii print(
from cryptography.hazmat.backends import default_backend "ipalib.pkcs10 module is deprecated and will be removed in FreeIPA 4.6. "
import cryptography.x509 "To load CSRs, please, use python-cryptography instead.",
file=sys.stderr
)
def strip_header(csr):
"""
Remove the header and footer (and surrounding material) from a CSR.
"""
headerlen = 40
s = csr.find(b"-----BEGIN NEW CERTIFICATE REQUEST-----")
if s == -1:
headerlen = 36
s = csr.find(b"-----BEGIN CERTIFICATE REQUEST-----")
if s >= 0:
e = csr.find(b"-----END")
csr = csr[s + headerlen:e]
return csr
def load_certificate_request(data):
"""
Load a PEM or base64-encoded PKCS #10 certificate request.
:return: a python-cryptography ``Certificate`` object.
:raises: ``ValueError`` if unable to load the request
"""
data = strip_header(data)
try:
data = binascii.a2b_base64(data)
except binascii.Error as e:
raise ValueError(e)
return cryptography.x509.load_der_x509_csr(data, default_backend())
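Review bot: The new module body announces a deprecation with `print(..., file=sys.stderr)` at import time, yet every public name the module had — `strip_header` and `load_certificate_request` — is removed in the same commit, so any remaining importer fails with an AttributeError today rather than getting the grace period the message promises until FreeIPA 4.6. The standard mechanism is `warnings.warn(..., DeprecationWarning, stacklevel=2)`: it names the importing module, can be filtered or escalated to an error by the warnings machinery, and does not write into the stderr of every CLI that transitively imports this module. Keeping a thin re-export of `strip_header` from `ipalib.util.strip_csr_header` (and, if still wanted, a small wrapper for `load_certificate_request`) preserves the API for the deprecation period; one shape for that is below.
```python
import warnings

# Kept as a deprecated alias so existing importers keep working until removal.
from ipalib.util import strip_csr_header as strip_header

warnings.warn(
    "ipalib.pkcs10 module is deprecated and will be removed in FreeIPA 4.6. "
    "To load CSRs, please, use python-cryptography instead.",
    DeprecationWarning,
    stacklevel=2,
)
```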


@ -153,6 +153,23 @@ def isvalid_base64(data):
else: else:
return True return True
def strip_csr_header(csr):
"""
Remove the header and footer (and surrounding material) from a CSR.
"""
headerlen = 40
s = csr.find(b"-----BEGIN NEW CERTIFICATE REQUEST-----")
if s == -1:
headerlen = 36
s = csr.find(b"-----BEGIN CERTIFICATE REQUEST-----")
if s >= 0:
e = csr.find(b"-----END")
csr = csr[s + headerlen:e]
return csr
def validate_ipaddr(ipaddr): def validate_ipaddr(ipaddr):
""" """
Check to see if the given IP address is a valid IPv4 or IPv6 address. Check to see if the given IP address is a valid IPv4 or IPv6 address.
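Review bot: In `strip_csr_header` the footer lookup `e = csr.find(b"-----END")` is unchecked: when a header is present but no footer follows, `e` is -1 and `csr[s + headerlen:e]` silently drops the last byte of the body instead of failing, and the search also starts at offset 0 rather than after the header. The hard-coded `headerlen` values 40 and 36 duplicate the marker lengths and go stale if a marker is edited; `len(header)` avoids that. The docstring should also state that `csr` must be `bytes` (the `find` calls take bytes patterns, so a `str` argument raises TypeError) and that input with no recognised header is returned unchanged. The only tests that exercised this logic, `ipatests.test_pkcs10` with its certutil-preamble and malformed fixtures, are deleted by this commit with nothing added under `ipatests.test_ipalib`, so a port of those cases against `strip_csr_header` would be worthwhile.
```python
def strip_csr_header(csr):
    """
    Remove the header and footer (and surrounding material) from a CSR.

    ``csr`` must be ``bytes``.  Returns the base64 body between the PEM
    markers; input with no recognised header is returned unchanged.

    :raises: ``ValueError`` if a header is present but no footer follows it
    """
    for header in (b"-----BEGIN NEW CERTIFICATE REQUEST-----",
                   b"-----BEGIN CERTIFICATE REQUEST-----"):
        s = csr.find(header)
        if s == -1:
            continue
        body_start = s + len(header)
        # Search after the header so a stray "-----END" before it cannot match.
        e = csr.find(b"-----END", body_start)
        if e == -1:
            raise ValueError("CSR footer not found")
        return csr[body_start:e]
    return csr
```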


@ -40,9 +40,10 @@ from ipapython import ipautil
from ipapython.certdb import EMPTY_TRUST_FLAGS, IPA_CA_TRUST_FLAGS from ipapython.certdb import EMPTY_TRUST_FLAGS, IPA_CA_TRUST_FLAGS
from ipapython.certdb import get_ca_nickname, find_cert_from_txt, NSSDatabase from ipapython.certdb import get_ca_nickname, find_cert_from_txt, NSSDatabase
from ipapython.dn import DN from ipapython.dn import DN
from ipalib import pkcs10, x509, api from ipalib import x509, api
from ipalib.errors import CertificateOperationError from ipalib.errors import CertificateOperationError
from ipalib.install import certstore from ipalib.install import certstore
from ipalib.util import strip_csr_header
from ipalib.text import _ from ipalib.text import _
from ipaplatform.paths import paths from ipaplatform.paths import paths
@ -413,7 +414,7 @@ class CertDB(object):
csr = f.read() csr = f.read()
# We just want the CSR bits, make sure there is no thing else # We just want the CSR bits, make sure there is no thing else
csr = pkcs10.strip_header(csr).decode('utf8') csr = strip_csr_header(csr).decode('utf8')
params = {'profileId': dogtag.DEFAULT_PROFILE, params = {'profileId': dogtag.DEFAULT_PROFILE,
'cert_request_type': 'pkcs10', 'cert_request_type': 'pkcs10',
@ -465,7 +466,7 @@ class CertDB(object):
csr = f.read() csr = f.read()
# We just want the CSR bits, make sure there is no thing else # We just want the CSR bits, make sure there is no thing else
csr = pkcs10.strip_header(csr).decode('utf8') csr = strip_csr_header(csr).decode('utf8')
params = {'profileId': 'caJarSigningCert', params = {'profileId': 'caJarSigningCert',


@ -44,7 +44,6 @@ if __name__ == '__main__':
"ipatests.test_ipapython", "ipatests.test_ipapython",
"ipatests.test_ipaserver", "ipatests.test_ipaserver",
"ipatests.test_ipaserver.test_install", "ipatests.test_ipaserver.test_install",
"ipatests.test_pkcs10",
"ipatests.test_webui", "ipatests.test_webui",
"ipatests.test_xmlrpc", "ipatests.test_xmlrpc",
"ipatests.test_xmlrpc.tracker" "ipatests.test_xmlrpc.tracker"
@ -55,7 +54,6 @@ if __name__ == '__main__':
'ipatests.test_integration': ['scripts/*'], 'ipatests.test_integration': ['scripts/*'],
'ipatests.test_ipaclient': ['data/*/*/*'], 'ipatests.test_ipaclient': ['data/*/*/*'],
'ipatests.test_ipalib': ['data/*'], 'ipatests.test_ipalib': ['data/*'],
'ipatests.test_pkcs10': ['*.csr'],
"ipatests.test_ipaserver": ['data/*'], "ipatests.test_ipaserver": ['data/*'],
'ipatests.test_xmlrpc': ['data/*'], 'ipatests.test_xmlrpc': ['data/*'],
}, },


@ -1,22 +0,0 @@
# Authors:
# Rob Crittenden <rcritten@redhat.com>
#
# Copyright (C) 2009 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
"""
Sub-package containing unit tests for `pkcs10` package.
"""


@ -1,12 +0,0 @@
-----BEGIN NEW CERTIFICATE REQUEST-----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-----END NEW CERTIFICATE REQUEST-----


@ -1,13 +0,0 @@
-----BEGIN NEW CERTIFICATE REQUEST-----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-----END NEW CERTIFICATE REQUEST-----


@ -1,15 +0,0 @@
-----BEGIN NEW CERTIFICATE REQUEST-----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-----END NEW CERTIFICATE REQUEST-----


@ -1,3 +0,0 @@
-----BEGIN NEW CERTIFICATE REQUEST-----
VGhpcyBpcyBhbiBpbnZhbGlkIENTUg==
-----END NEW CERTIFICATE REQUEST-----


@ -1,4 +0,0 @@
-----BEGIN NEW CERTIFICATE REQUEST-----
Invalidate data
-----END NEW CERTIFICATE REQUEST-----


@ -1,20 +0,0 @@
Certificate request generated by Netscape certutil
Phone: (not specified)
Common Name: test.example.com
Email: (not specified)
Organization: IPA
State: (not specified)
Country: (not specified)
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBaDCB0gIBADApMQwwCgYDVQQKEwNJUEExGTAXBgNVBAMTEHRlc3QuZXhhbXBs
ZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAPnSCLwl7IytP2HC7+zv
nI2fe6oRCE/J8K1jIoiqS9engx3Yfe4kaXWWzcwmuUV57VhUmWDEQIbSREPdrVSi
tWC55ilGmPOAEw+mP4qg6Ctb+d8Egmy1JVrpIYCLNXvEd3dAaimB0J+K3hKFRyHI
2MzrIuFqqohRijkDLwB8oVVdAgMBAAGgADANBgkqhkiG9w0BAQUFAAOBgQACt37K
j+RMEbqG8s0Uxs3FhcfiAx8Do99CDizY/b7hZEgMyG4dLmm+vSCBbxBrG5oMlxJD
dxnpk0PQSknNkJVrCS/J1OTpOPRTi4VKATT3tHJAfDbWZTwcSelUCLQ4lREiuT3D
WP4vKrLIxDJDb+/mwuV7WWo34E6MD9iTB1xINg==
-----END NEW CERTIFICATE REQUEST-----


@ -1,140 +0,0 @@
# Authors:
# Rob Crittenden <rcritten@redhat.com>
#
# Copyright (C) 2009 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
"""
Test the `pkcs10.py` module.
"""
import nose
from ipalib import pkcs10
import pytest
import os
import cryptography.x509
@pytest.mark.tier0
class test_update(object):
"""
Test the PKCS#10 Parser.
"""
def setup(self):
self.testdir = os.path.abspath(os.path.dirname(__file__))
if not os.path.isfile(os.path.join(self.testdir,
"test0.csr")):
raise nose.SkipTest("Unable to find test update files")
def read_file(self, filename):
with open(os.path.join(self.testdir, filename), "r") as fp:
data = fp.read()
return data
def test_0(self):
"""
Test simple CSR with no attributes
"""
csr = pkcs10.load_certificate_request(self.read_file("test0.csr"))
subject = csr.subject
cn = subject.get_attributes_for_oid(
cryptography.x509.NameOID.COMMON_NAME)[-1].value
assert(cn == 'test.example.com')
st = subject.get_attributes_for_oid(
cryptography.x509.NameOID.STATE_OR_PROVINCE_NAME)[-1].value
assert(st == 'California')
c = subject.get_attributes_for_oid(
cryptography.x509.NameOID.COUNTRY_NAME)[-1].value
assert(c == 'US')
def test_1(self):
"""
Test CSR with subject alt name
"""
csr = self.read_file("test1.csr")
request = pkcs10.load_certificate_request(csr)
subject = request.subject
cn = subject.get_attributes_for_oid(
cryptography.x509.NameOID.COMMON_NAME)[-1].value
assert(cn == 'test.example.com')
st = subject.get_attributes_for_oid(
cryptography.x509.NameOID.STATE_OR_PROVINCE_NAME)[-1].value
assert(st == 'California')
c = subject.get_attributes_for_oid(
cryptography.x509.NameOID.COUNTRY_NAME)[-1].value
assert(c == 'US')
san = request.extensions.get_extension_for_oid(
cryptography.x509.ExtensionOID.SUBJECT_ALTERNATIVE_NAME).value
dns = san.get_values_for_type(cryptography.x509.DNSName)
assert dns[0] == 'testlow.example.com'
def test_2(self):
"""
Test CSR with subject alt name and a list of CRL distribution points
"""
csr = self.read_file("test2.csr")
request = pkcs10.load_certificate_request(csr)
subject = request.subject
cn = subject.get_attributes_for_oid(
cryptography.x509.NameOID.COMMON_NAME)[-1].value
assert(cn == 'test.example.com')
st = subject.get_attributes_for_oid(
cryptography.x509.NameOID.STATE_OR_PROVINCE_NAME)[-1].value
assert(st == 'California')
c = subject.get_attributes_for_oid(
cryptography.x509.NameOID.COUNTRY_NAME)[-1].value
assert(c == 'US')
san = request.extensions.get_extension_for_oid(
cryptography.x509.ExtensionOID.SUBJECT_ALTERNATIVE_NAME).value
dns = san.get_values_for_type(cryptography.x509.DNSName)
assert dns[0] == 'testlow.example.com'
crldps = request.extensions.get_extension_for_oid(
cryptography.x509.ExtensionOID.CRL_DISTRIBUTION_POINTS).value
gns = []
for crldp in crldps:
gns.extend(crldp.full_name)
uris = [
u'http://ca.example.com/my.crl',
u'http://other.example.com/my.crl',
]
for uri in uris:
assert cryptography.x509.UniformResourceIdentifier(uri) in gns
def test_3(self):
"""
Test CSR with base64-encoded bogus data
"""
csr = self.read_file("test3.csr")
with pytest.raises(ValueError):
pkcs10.load_certificate_request(csr)
def test_4(self):
"""
Test CSR with badly formatted base64-encoded data
"""
csr = self.read_file("test4.csr")
with pytest.raises(ValueError):
pkcs10.load_certificate_request(csr)