Create a Certificate parameter

Up until now, Bytes parameter was used for certificate parameters throughout the framework. However, the Bytes parameter does nothing special for certificates, like validation, so this had to be done for each of the parameters which were supposed to represent a certificate. This commit introduces a special Certificate parameter which takes care of certificate validation so this does not have to be done separately. It also makes sure that the certificates represented by this parameter are always converted to DER format so that we can work with them in a unified manner throughout the framework. This commit also makes it possible to pass bytes directly during instantiation of the Certificate parameter and they are still represented correctly after their conversion in the _convert_scalar() method. https://pagure.io/freeipa/issue/4985 Reviewed-By: Fraser Tweedale <ftweedal@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com>
2025-02-25 18:55:28 -06:00 · 2017-07-03 17:10:34 +02:00
parent 5ff1de8490
commit 5a44ca6383
19 changed files with 178 additions and 188 deletions
--- a/ipapython/ipaldap.py
+++ b/ipapython/ipaldap.py
@@ -34,6 +34,8 @@ import pwd
 from six.moves.urllib.parse import urlparse
 # pylint: enable=import-error

+from cryptography import x509 as crypto_x509
+
 import ldap
 import ldap.sasl
 import ldap.filter
@@ -41,7 +43,7 @@ from ldap.controls import SimplePagedResultsControl
 import six

 # pylint: disable=ipa-forbidden-import
-from ipalib import errors, _
+from ipalib import errors, x509, _
 from ipalib.constants import LDAP_GENERALIZED_TIME_FORMAT
 # pylint: enable=ipa-forbidden-import
 from ipapython.ipautil import format_netloc, CIDict
@@ -670,6 +672,10 @@ class LDAPClient(object):
        'dnszoneidnsname': DNSName,
        'krbcanonicalname': Principal,
        'krbprincipalname': Principal,
+        'usercertificate': crypto_x509.Certificate,
+        'usercertificate;binary': crypto_x509.Certificate,
+        'cACertificate': crypto_x509.Certificate,
+        'cACertificate;binary': crypto_x509.Certificate,
        'nsds5replicalastupdatestart': unicode,
        'nsds5replicalastupdateend': unicode,
        'nsds5replicalastinitstart': unicode,
@@ -842,7 +848,7 @@ class LDAPClient(object):

    def encode(self, val):
        """
-        Encode attribute value to LDAP representation (str).
+        Encode attribute value to LDAP representation (str/bytes).
        """
        # Booleans are both an instance of bool and int, therefore
        # test for bool before int otherwise the int clause will be
@@ -869,6 +875,8 @@ class LDAPClient(object):
            return dct
        elif isinstance(val, datetime.datetime):
            return val.strftime(LDAP_GENERALIZED_TIME_FORMAT).encode('utf-8')
+        elif isinstance(val, crypto_x509.Certificate):
+            return val.public_bytes(x509.Encoding.DER)
        elif val is None:
            return None
        else:
@@ -876,7 +884,7 @@ class LDAPClient(object):

    def decode(self, val, attr):
        """
-        Decode attribute value from LDAP representation (str).
+        Decode attribute value from LDAP representation (str/bytes).
        """
        if isinstance(val, bytes):
            target_type = self.get_attribute_type(attr)
@@ -892,6 +900,8 @@ class LDAPClient(object):
                    return DNSName.from_text(val.decode('utf-8'))
                elif target_type in (DN, Principal):
                    return target_type(val.decode('utf-8'))
+                elif target_type is crypto_x509.Certificate:
+                    return x509.load_der_x509_certificate(val)
                else:
                    return target_type(val)
            except Exception: