Introduce load_unknown_x509_certificate()

load_unknown_x509_certificate() serves for the cases where we can't be sure what the format of its input certificate is. This is the case for installers, it should not be used anywhere else. https://pagure.io/freeipa/issue/4985 Reviewed-By: Fraser Tweedale <ftweedal@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com>
2025-02-25 18:55:28 -06:00 · 2017-06-22 13:53:14 +02:00 · 2017-06-22 13:53:14 +02:00 · 43c74d3333
commit 43c74d3333
parent b5732efda6
2 changed files with 16 additions and 1 deletions
--- a/ipalib/x509.py
+++ b/ipalib/x509.py
@ -421,6 +421,20 @@ def load_der_x509_certificate(data):
    )


+def load_unknown_x509_certificate(data):
+    """
+    Only use this function when you can't be sure what kind of format does
+    your certificate have, e.g. input certificate files in installers
+
+    :returns: a ``IPACertificate`` object.
+    :raises: ``ValueError`` if unable to load the certificate.
+    """
+    try:
+        return load_pem_x509_certificate(data)
+    except ValueError:
+        return load_der_x509_certificate(data)
+
+
 def load_certificate_from_file(filename, dbdir=None):
    """
    Load a certificate from a PEM file.
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@ -582,7 +582,8 @@ class CAInstance(DogtagInstance):
        elif self.external == 2:
            cert_file = tempfile.NamedTemporaryFile()
            with open(self.cert_file) as f:
-                x509.write_certificate(f.read(), cert_file.name)
+                ext_cert = x509.load_unknown_x509_certificate(f.read())
+            cert_file.write(ext_cert.public_bytes(x509.Encoding.PEM))
            cert_file.flush()

            result = ipautil.run(