mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-23 15:40:01 -06:00
Workaround for certmonger's "Subject" representations
If an OpenSSL certificate is requested in Certmonger (CERT_STORAGE == "FILE") the "Subject" field of such Certificate is ordered as received. However, when an NSS certificate is requested, the "Subject" field takes the LDAP order (components get reversed). This is a workaround so that the behavior stays the same. The workaround should be removed when https://pagure.io/certmonger/issue/62 gets fixed. https://fedorahosted.org/freeipa/ticket/5695 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
This commit is contained in:
parent
76e8d7b35d
commit
595f9b64e3
@ -35,6 +35,9 @@ import base64
|
||||
import contextlib
|
||||
import json
|
||||
|
||||
from cryptography import x509 as crypto_x509
|
||||
from cryptography.hazmat.backends import default_backend
|
||||
|
||||
import six
|
||||
|
||||
from ipapython import ipautil
|
||||
@ -64,8 +67,15 @@ if six.PY3:
|
||||
|
||||
IPA_CA_NICKNAME = 'caSigningCert cert-pki-ca'
|
||||
|
||||
|
||||
def get_nickname():
|
||||
subject = os.environ.get('CERTMONGER_REQ_SUBJECT')
|
||||
# we need to get the subject from a CSR in case we are requesting
|
||||
# an OpenSSL certificate for which we have to reverse the order of its DN
|
||||
# components thus changing the CERTMONGER_REQ_SUBJECT
|
||||
# https://pagure.io/certmonger/issue/62
|
||||
csr = os.environ.get('CERTMONGER_CSR')
|
||||
csr_obj = crypto_x509.load_pem_x509_csr(csr, default_backend())
|
||||
subject = csr_obj.subject
|
||||
if not subject:
|
||||
return None
|
||||
|
||||
|
@ -32,6 +32,7 @@ import subprocess
|
||||
import tempfile
|
||||
from ipalib import api
|
||||
from ipapython.ipa_log_manager import root_logger
|
||||
from ipapython.dn import DN
|
||||
from ipaplatform.paths import paths
|
||||
from ipaplatform import services
|
||||
|
||||
@ -329,6 +330,10 @@ def request_cert(
|
||||
"""
|
||||
if storage == 'FILE':
|
||||
certfile, keyfile = certpath
|
||||
# This is a workaround for certmonger having different Subject
|
||||
# representation with NSS and OpenSSL
|
||||
# https://pagure.io/certmonger/issue/62
|
||||
subject = str(DN(*reversed(DN(subject))))
|
||||
else:
|
||||
certfile = certpath
|
||||
keyfile = certpath
|
||||
|
Loading…
Reference in New Issue
Block a user