IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Remove pkcs10 module contents

Browse Source 
This removes pkcs10 module contents and adds a warning message
about its future removal.

https://pagure.io/freeipa/issue/7131
This commit is contained in:
Stanislav Laznicka 2017-09-25 09:18:41 +02:00
parent f350b5698a
commit 0d7daf0495
14 changed files with 28 additions and 291 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.travis.yml
View File

@ -30,7 +30,6 @@ env:
test_ipalib
test_ipapython
test_ipaserver
test_pkcs10
test_integration/test_ipalib_util.py
test_xmlrpc/test_[l-z]*.py"
- TASK_TO_RUN="run-tests"
@ -46,7 +45,6 @@ env:
test_ipalib
test_ipapython
test_ipaserver
test_pkcs10
test_integration/test_ipalib_util.py
test_xmlrpc/test_[l-uw-z]*.py"
# FIXME: add vault tests once PKI finally fixes vault

2
ipalib/parameters.py
View File

@ -123,7 +123,7 @@ from ipalib.text import Gettext, FixMe
from ipalib.util import json_serialize, validate_idna_domain
from ipalib.x509 import (
load_der_x509_certificate, IPACertificate, default_backend)
from ipalib.pkcs10 import strip_header as strip_csr_header
from ipalib.util import strip_csr_header
from ipapython import kerberos
from ipapython.dn import DN
from ipapython.dnsutil import DNSName

60
ipalib/pkcs10.py
View File

@ -1,56 +1,8 @@
# Authors:
# Rob Crittenden <rcritten@redhat.com>
#
# Copyright (C) 2010 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from __future__ import print_function
import sys
import binascii
from cryptography.hazmat.backends import default_backend
import cryptography.x509
def strip_header(csr):
"""
Remove the header and footer (and surrounding material) from a CSR.
"""
headerlen = 40
s = csr.find(b"-----BEGIN NEW CERTIFICATE REQUEST-----")
if s == -1:
headerlen = 36
s = csr.find(b"-----BEGIN CERTIFICATE REQUEST-----")
if s >= 0:
e = csr.find(b"-----END")
csr = csr[s + headerlen:e]
return csr
def load_certificate_request(data):
"""
Load a PEM or base64-encoded PKCS #10 certificate request.
:return: a python-cryptography ``Certificate`` object.
:raises: ``ValueError`` if unable to load the request
"""
data = strip_header(data)
try:
data = binascii.a2b_base64(data)
except binascii.Error as e:
raise ValueError(e)
return cryptography.x509.load_der_x509_csr(data, default_backend())
print(
"ipalib.pkcs10 module is deprecated and will be removed in FreeIPA 4.6. "
"To load CSRs, please, use python-cryptography instead.",
file=sys.stderr
)

17
ipalib/util.py
View File

@ -153,6 +153,23 @@ def isvalid_base64(data):
else:
return True
def strip_csr_header(csr):
"""
Remove the header and footer (and surrounding material) from a CSR.
"""
headerlen = 40
s = csr.find(b"-----BEGIN NEW CERTIFICATE REQUEST-----")
if s == -1:
headerlen = 36
s = csr.find(b"-----BEGIN CERTIFICATE REQUEST-----")
if s >= 0:
e = csr.find(b"-----END")
csr = csr[s + headerlen:e]
return csr
def validate_ipaddr(ipaddr):
"""
Check to see if the given IP address is a valid IPv4 or IPv6 address.

7
ipaserver/install/certs.py
View File

@ -40,9 +40,10 @@ from ipapython import ipautil
from ipapython.certdb import EMPTY_TRUST_FLAGS, IPA_CA_TRUST_FLAGS
from ipapython.certdb import get_ca_nickname, find_cert_from_txt, NSSDatabase
from ipapython.dn import DN
from ipalib import pkcs10, x509, api
from ipalib import x509, api
from ipalib.errors import CertificateOperationError
from ipalib.install import certstore
from ipalib.util import strip_csr_header
from ipalib.text import _
from ipaplatform.paths import paths
@ -413,7 +414,7 @@ class CertDB(object):
csr = f.read()
# We just want the CSR bits, make sure there is no thing else
csr = pkcs10.strip_header(csr).decode('utf8')
csr = strip_csr_header(csr).decode('utf8')
params = {'profileId': dogtag.DEFAULT_PROFILE,
'cert_request_type': 'pkcs10',
@ -465,7 +466,7 @@ class CertDB(object):
csr = f.read()
# We just want the CSR bits, make sure there is no thing else
csr = pkcs10.strip_header(csr).decode('utf8')
csr = strip_csr_header(csr).decode('utf8')
params = {'profileId': 'caJarSigningCert',

2
ipatests/setup.py
View File

@ -44,7 +44,6 @@ if __name__ == '__main__':
"ipatests.test_ipapython",
"ipatests.test_ipaserver",
"ipatests.test_ipaserver.test_install",
"ipatests.test_pkcs10",
"ipatests.test_webui",
"ipatests.test_xmlrpc",
"ipatests.test_xmlrpc.tracker"
@ -55,7 +54,6 @@ if __name__ == '__main__':
'ipatests.test_integration': ['scripts/*'],
'ipatests.test_ipaclient': ['data/*/*/*'],
'ipatests.test_ipalib': ['data/*'],
'ipatests.test_pkcs10': ['*.csr'],
"ipatests.test_ipaserver": ['data/*'],
'ipatests.test_xmlrpc': ['data/*'],
},

22
ipatests/test_pkcs10/__init__.py
View File

@ -1,22 +0,0 @@
# Authors:
# Rob Crittenden <rcritten@redhat.com>
#
# Copyright (C) 2009 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
"""
Sub-package containing unit tests for `pkcs10` package.
"""

12
ipatests/test_pkcs10/test0.csr
View File

@ -1,12 +0,0 @@
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBjjCB+AIBADBPMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEQ
MA4GA1UEChMHRXhhbXBsZTEZMBcGA1UEAxMQdGVzdC5leGFtcGxlLmNvbTCBnzAN
BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAyxsN5dmvyKiw+5nyrcO3a61sivZRg+ja
kyNIyUo+tIUiYwTdpPESAHTWRlk0XhydauAkWfOIN7pR3a5Z+kQw8W7F+DuZze2M
6wRNmN+NTrTlqnKOiMHBXhIM0Qxrx68GDctYqtnKTVT94FvvLl9XYVdUEi2ePTc2
Nyfr1z66+W0CAwEAAaAAMA0GCSqGSIb3DQEBBQUAA4GBAIf3r+Y6WHrFnttUqDow
9/UCHtCeQlQoJqjjxi5wcjbkGwTgHbx/BPOd/8OVaHElboMXLGaZx+L/eFO6E9Yg
mDOYv3OsibDFGaEhJrU8EnfuFZKnbrGeSC9Hkqrq+3OjqacaPla5N7MHKbfLY377
ddbOHKzR0sURZ+ro4z3fATW2
-----END NEW CERTIFICATE REQUEST-----

13
ipatests/test_pkcs10/test1.csr
View File

@ -1,13 +0,0 @@
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBwDCCASkCAQAwTzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWEx
EDAOBgNVBAoTB0V4YW1wbGUxGTAXBgNVBAMTEHRlc3QuZXhhbXBsZS5jb20wgZ8w
DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMK+3uy1CGwek8jutw4UO62YTpkmStlw
cKPEjTER7Ra1a1wyWJTo1mMnPhVia0GODeq8ERPgcIckCVogBu8+gL6g8NevaBNv
ij1XWU08BEQqmoqAkrFiI8EdDckKYrSoXo2cg1fiTGzlG8AWtr5eT0op5jBBo0J6
qXX5Sf6e+n+nAgMBAAGgMTAvBgkqhkiG9w0BCQ4xIjAgMB4GA1UdEQQXMBWCE3Rl
c3Rsb3cuZXhhbXBsZS5jb20wDQYJKoZIhvcNAQEFBQADgYEAwRDa7ZOaym9mAUH7
hudbvsRkqXHehgf51uMUq0OC9hQ6vPLWqUMAod05lxn3Tnvq6a/fVK0ybgCH5Ld7
qpAcUruYdj7YxkFfuBc1dpAK6h94rVsJXFCWIMEZm9Fe7n5RERjhO6h2IRSXBHFz
QIszvqBamm/W1ONKdQSM2g+M4BQ=
-----END NEW CERTIFICATE REQUEST-----

15
ipatests/test_pkcs10/test2.csr
View File

@ -1,15 +0,0 @@
-----BEGIN NEW CERTIFICATE REQUEST-----
MIICETCCAXoCAQAwTzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWEx
EDAOBgNVBAoTB0V4YW1wbGUxGTAXBgNVBAMTEHRlc3QuZXhhbXBsZS5jb20wgZ8w
DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOXfP8LeiU7g6wLCclgkT1lVskK+Lxm1
6ijE4LmEQBk5nn2P46im+E/UOgTddbDo5cdJlkoCnqXkO4RkqJckXYDxfI34KL3C
CRFPvOa5Sg02m1x5Rg3boZfS6NciP62lRp0SI+0TCt3F16wYZxMahVIOXjbJ6Lu5
mGjNn7XaWJhFAgMBAAGggYEwfwYJKoZIhvcNAQkOMXIwcDAeBgNVHREEFzAVghN0
ZXN0bG93LmV4YW1wbGUuY29tME4GA1UdHwRHMEUwQ6BBoD+GHGh0dHA6Ly9jYS5l
eGFtcGxlLmNvbS9teS5jcmyGH2h0dHA6Ly9vdGhlci5leGFtcGxlLmNvbS9teS5j
cmwwDQYJKoZIhvcNAQEFBQADgYEAkv8pppcgGhX7erJmvg9r2UHrRriuKaOYgKZQ
lf/eBt2N0L2mV4QvCY82H7HWuE+7T3mra9ikfvz0nYkPJQe2gntjZzECE0Jt5LWR
UZOFwX8N6wrX11U2xu0NlvsbjU6siWd6OZjZ1p5/V330lzut/q3CNzaAcW1Fx3wL
sV5SXSw=
-----END NEW CERTIFICATE REQUEST-----

3
ipatests/test_pkcs10/test3.csr
View File

@ -1,3 +0,0 @@
-----BEGIN NEW CERTIFICATE REQUEST-----
VGhpcyBpcyBhbiBpbnZhbGlkIENTUg==
-----END NEW CERTIFICATE REQUEST-----

4
ipatests/test_pkcs10/test4.csr
View File

@ -1,4 +0,0 @@
-----BEGIN NEW CERTIFICATE REQUEST-----
Invalidate data
-----END NEW CERTIFICATE REQUEST-----

20
ipatests/test_pkcs10/test5.csr
View File

@ -1,20 +0,0 @@
Certificate request generated by Netscape certutil
Phone: (not specified)
Common Name: test.example.com
Email: (not specified)
Organization: IPA
State: (not specified)
Country: (not specified)
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBaDCB0gIBADApMQwwCgYDVQQKEwNJUEExGTAXBgNVBAMTEHRlc3QuZXhhbXBs
ZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAPnSCLwl7IytP2HC7+zv
nI2fe6oRCE/J8K1jIoiqS9engx3Yfe4kaXWWzcwmuUV57VhUmWDEQIbSREPdrVSi
tWC55ilGmPOAEw+mP4qg6Ctb+d8Egmy1JVrpIYCLNXvEd3dAaimB0J+K3hKFRyHI
2MzrIuFqqohRijkDLwB8oVVdAgMBAAGgADANBgkqhkiG9w0BAQUFAAOBgQACt37K
j+RMEbqG8s0Uxs3FhcfiAx8Do99CDizY/b7hZEgMyG4dLmm+vSCBbxBrG5oMlxJD
dxnpk0PQSknNkJVrCS/J1OTpOPRTi4VKATT3tHJAfDbWZTwcSelUCLQ4lREiuT3D
WP4vKrLIxDJDb+/mwuV7WWo34E6MD9iTB1xINg==
-----END NEW CERTIFICATE REQUEST-----

140
ipatests/test_pkcs10/test_pkcs10.py
View File

@ -1,140 +0,0 @@
# Authors:
# Rob Crittenden <rcritten@redhat.com>
#
# Copyright (C) 2009 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
"""
Test the `pkcs10.py` module.
"""
import nose
from ipalib import pkcs10
import pytest
import os
import cryptography.x509
@pytest.mark.tier0
class test_update(object):
"""
Test the PKCS#10 Parser.
"""
def setup(self):
self.testdir = os.path.abspath(os.path.dirname(__file__))
if not os.path.isfile(os.path.join(self.testdir,
"test0.csr")):
raise nose.SkipTest("Unable to find test update files")
def read_file(self, filename):
with open(os.path.join(self.testdir, filename), "r") as fp:
data = fp.read()
return data
def test_0(self):
"""
Test simple CSR with no attributes
"""
csr = pkcs10.load_certificate_request(self.read_file("test0.csr"))
subject = csr.subject
cn = subject.get_attributes_for_oid(
cryptography.x509.NameOID.COMMON_NAME)[-1].value
assert(cn == 'test.example.com')
st = subject.get_attributes_for_oid(
cryptography.x509.NameOID.STATE_OR_PROVINCE_NAME)[-1].value
assert(st == 'California')
c = subject.get_attributes_for_oid(
cryptography.x509.NameOID.COUNTRY_NAME)[-1].value
assert(c == 'US')
def test_1(self):
"""
Test CSR with subject alt name
"""
csr = self.read_file("test1.csr")
request = pkcs10.load_certificate_request(csr)
subject = request.subject
cn = subject.get_attributes_for_oid(
cryptography.x509.NameOID.COMMON_NAME)[-1].value
assert(cn == 'test.example.com')
st = subject.get_attributes_for_oid(
cryptography.x509.NameOID.STATE_OR_PROVINCE_NAME)[-1].value
assert(st == 'California')
c = subject.get_attributes_for_oid(
cryptography.x509.NameOID.COUNTRY_NAME)[-1].value
assert(c == 'US')
san = request.extensions.get_extension_for_oid(
cryptography.x509.ExtensionOID.SUBJECT_ALTERNATIVE_NAME).value
dns = san.get_values_for_type(cryptography.x509.DNSName)
assert dns[0] == 'testlow.example.com'
def test_2(self):
"""
Test CSR with subject alt name and a list of CRL distribution points
"""
csr = self.read_file("test2.csr")
request = pkcs10.load_certificate_request(csr)
subject = request.subject
cn = subject.get_attributes_for_oid(
cryptography.x509.NameOID.COMMON_NAME)[-1].value
assert(cn == 'test.example.com')
st = subject.get_attributes_for_oid(
cryptography.x509.NameOID.STATE_OR_PROVINCE_NAME)[-1].value
assert(st == 'California')
c = subject.get_attributes_for_oid(
cryptography.x509.NameOID.COUNTRY_NAME)[-1].value
assert(c == 'US')
san = request.extensions.get_extension_for_oid(
cryptography.x509.ExtensionOID.SUBJECT_ALTERNATIVE_NAME).value
dns = san.get_values_for_type(cryptography.x509.DNSName)
assert dns[0] == 'testlow.example.com'
crldps = request.extensions.get_extension_for_oid(
cryptography.x509.ExtensionOID.CRL_DISTRIBUTION_POINTS).value
gns = []
for crldp in crldps:
gns.extend(crldp.full_name)
uris = [
u'http://ca.example.com/my.crl',
u'http://other.example.com/my.crl',
]
for uri in uris:
assert cryptography.x509.UniformResourceIdentifier(uri) in gns
def test_3(self):
"""
Test CSR with base64-encoded bogus data
"""
csr = self.read_file("test3.csr")
with pytest.raises(ValueError):
pkcs10.load_certificate_request(csr)
def test_4(self):
"""
Test CSR with badly formatted base64-encoded data
"""
csr = self.read_file("test4.csr")
with pytest.raises(ValueError):
pkcs10.load_certificate_request(csr)