mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-23 15:40:01 -06:00
Revert "Use the OpenSSL certificate parser in cert-find"
This reverts commit 191880bc9f
.
The problem isn't with python-cryptography, it is with the
IPACertificate class which does way more work on a certificate
than is necessary in cert-find.
Related: https://pagure.io/freeipa/issue/9331
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
This commit is contained in:
parent
d7a27a24b9
commit
2a605c5d07
@ -412,7 +412,6 @@ BuildRequires: python3-pylint
|
||||
BuildRequires: python3-pytest-multihost
|
||||
BuildRequires: python3-pytest-sourceorder
|
||||
BuildRequires: python3-qrcode-core >= 5.0.0
|
||||
BuildRequires: python3-pyOpenSSL
|
||||
BuildRequires: python3-samba
|
||||
BuildRequires: python3-six
|
||||
BuildRequires: python3-sss
|
||||
@ -887,7 +886,6 @@ Requires: python3-netifaces >= 0.10.4
|
||||
Requires: python3-pyasn1 >= 0.3.2-2
|
||||
Requires: python3-pyasn1-modules >= 0.3.2-2
|
||||
Requires: python3-pyusb
|
||||
Requires: python3-pyOpenSSL
|
||||
Requires: python3-qrcode-core >= 5.0.0
|
||||
Requires: python3-requests
|
||||
Requires: python3-six
|
||||
|
@ -30,7 +30,6 @@ import cryptography.x509
|
||||
from cryptography.hazmat.primitives import hashes, serialization
|
||||
from dns import resolver, reversename
|
||||
import six
|
||||
import sys
|
||||
|
||||
from ipalib import Command, Str, Int, Flag, StrEnum, SerialNumber
|
||||
from ipalib import api
|
||||
@ -1618,19 +1617,7 @@ class cert_find(Search, CertMethod):
|
||||
)
|
||||
|
||||
def _get_cert_key(self, cert):
|
||||
# for cert-find with a certificate value
|
||||
if isinstance(cert, x509.IPACertificate):
|
||||
return (DN(cert.issuer), cert.serial_number)
|
||||
|
||||
issuer = []
|
||||
for oid, value in cert.get_issuer().get_components():
|
||||
issuer.append(
|
||||
'{}={}'.format(oid.decode('utf-8'), value.decode('utf-8'))
|
||||
)
|
||||
issuer = ','.join(issuer)
|
||||
# Use this to flip from OpenSSL reverse to X500 ordering
|
||||
issuer = DN(issuer).x500_text()
|
||||
return (DN(issuer), cert.get_serial_number())
|
||||
return (DN(cert.issuer), cert.serial_number)
|
||||
|
||||
def _cert_search(self, pkey_only, **options):
|
||||
result = collections.OrderedDict()
|
||||
@ -1750,11 +1737,6 @@ class cert_find(Search, CertMethod):
|
||||
return result, False, complete
|
||||
|
||||
def _ldap_search(self, all, pkey_only, no_members, **options):
|
||||
# defer import of the OpenSSL module to not affect the requests
|
||||
# module which will use pyopenssl if this is available.
|
||||
if sys.modules.get('OpenSSL.SSL', False) is None:
|
||||
del sys.modules["OpenSSL.SSL"]
|
||||
import OpenSSL.crypto
|
||||
ldap = self.api.Backend.ldap2
|
||||
|
||||
filters = []
|
||||
@ -1813,14 +1795,12 @@ class cert_find(Search, CertMethod):
|
||||
ca_enabled = getattr(context, 'ca_enabled')
|
||||
for entry in entries:
|
||||
for attr in ('usercertificate', 'usercertificate;binary'):
|
||||
for der in entry.raw.get(attr, []):
|
||||
cert = OpenSSL.crypto.load_certificate(
|
||||
OpenSSL.crypto.FILETYPE_ASN1, der)
|
||||
for cert in entry.get(attr, []):
|
||||
cert_key = self._get_cert_key(cert)
|
||||
try:
|
||||
obj = result[cert_key]
|
||||
except KeyError:
|
||||
obj = {'serial_number': cert.get_serial_number()}
|
||||
obj = {'serial_number': cert.serial_number}
|
||||
if not pkey_only and (all or not ca_enabled):
|
||||
# Retrieving certificate details is now deferred
|
||||
# until after all certificates are collected.
|
||||
|
Loading…
Reference in New Issue
Block a user