Add NotImplementedError type so CA plugins can return client-friendly errors

Ignore NotImplementedError when revoking a certificate as this isn't
implemented in the selfsign plugin.

Also use the new type argument in x509.load_certificate(). Certificates
are coming out of LDAP as binary instead of base64-encoding.

ipalib/errors.py

@@ -746,6 +746,14 @@ class PasswordMismatch(InvocationError):
     errno = 3011
     format = _('Passwords do not match')
 
+class NotImplementedError(InvocationError):
+    """
+    **3012** Raise when a function hasn't been implemented.
+    """
+
+    errno = 3012
+    format = _('Command not implemented')
+
 
 ##############################################################################
 # 4000 - 4999: Execution errors

ipalib/plugins/service.py

@@ -27,15 +27,18 @@ from ipalib import api, errors
 from ipalib import Str, Flag, Bytes
 from ipalib.plugins.baseldap import *
 from ipalib import x509
+from pyasn1.error import PyAsn1Error
 
 
 def get_serial(certificate):
     """
     Given a certificate, return the serial number in that cert.
     """
+    if type(certificate) in (list, tuple):
+        certificate = certificate[0]
     try:
-        serial = str(x509.get_serial_number(certificate))
+        serial = str(x509.get_serial_number(certificate, type=x509.DER))
-    except crypto.Error:
+    except PyAsn1Error:
         raise errors.GenericError(
             format='Unable to decode certificate in entry'
         )
@@ -186,7 +189,11 @@ class service_del(LDAPDelete):
             cert = entry_attrs.get('usercertificate')
             if cert:
                 serial = unicode(get_serial(cert))
-                self.api.Command['cert_revoke'](serial, revocation_reason=5)
+                try:
+                    self.api.Command['cert_revoke'](serial, revocation_reason=5)
+                except errors.NotImplementedError:
+                    # selfsign CA doesn't do revocation
+                    pass
         return dn
 
 api.register(service_del)