x509: include otherName DER value in GeneralNameInfo
We want to include the whole DER value when we pretty-print unrecognised otherNames, so add a field to the GeneralNameInfo namedtuple and populate it for otherNames. Part of: https://fedorahosted.org/freeipa/ticket/6022 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
committed by
Jan Cholasta
parent
e3acc3659c
commit
a381d888cd
@@ -465,7 +465,7 @@ def _decode_krb5principalname(data):
|
|||||||
|
|
||||||
|
|
||||||
GeneralNameInfo = collections.namedtuple(
|
GeneralNameInfo = collections.namedtuple(
|
||||||
'GeneralNameInfo', ('type', 'desc', 'value'))
|
'GeneralNameInfo', ('type', 'desc', 'value', 'der_value'))
|
||||||
|
|
||||||
|
|
||||||
def decode_generalnames(secitem):
|
def decode_generalnames(secitem):
|
||||||
@@ -477,8 +477,9 @@ def decode_generalnames(secitem):
|
|||||||
The input is the DER-encoded extension data, without the
|
The input is the DER-encoded extension data, without the
|
||||||
OCTET STRING header, as an nss SecItem object.
|
OCTET STRING header, as an nss SecItem object.
|
||||||
|
|
||||||
Return a list of tuples of name types (as string, suitable for
|
Return a list of ``GeneralNameInfo`` namedtuples. The
|
||||||
presentation) and names (as string, suitable for presentation).
|
``der_value`` field is set for otherNames, otherwise it is
|
||||||
|
``None``.
|
||||||
|
|
||||||
"""
|
"""
|
||||||
nss_names = nss.x509_alt_name(secitem, repr_kind=nss.AsObject)
|
nss_names = nss.x509_alt_name(secitem, repr_kind=nss.AsObject)
|
||||||
@@ -496,14 +497,18 @@ def decode_generalnames(secitem):
|
|||||||
if nss_name.type_enum == nss.certOtherName:
|
if nss_name.type_enum == nss.certOtherName:
|
||||||
oid = str(asn1_name['otherName']['type-id'])
|
oid = str(asn1_name['otherName']['type-id'])
|
||||||
nametype = (nss_name.type_enum, oid)
|
nametype = (nss_name.type_enum, oid)
|
||||||
|
der_value = asn1_name['otherName']['value'].asOctets()
|
||||||
else:
|
else:
|
||||||
nametype = nss_name.type_enum
|
nametype = nss_name.type_enum
|
||||||
|
der_value = None
|
||||||
|
|
||||||
if nametype == (nss.certOtherName, SAN_KRB5PRINCIPALNAME):
|
if nametype == (nss.certOtherName, SAN_KRB5PRINCIPALNAME):
|
||||||
name = _decode_krb5principalname(asn1_name['otherName']['value'])
|
name = _decode_krb5principalname(asn1_name['otherName']['value'])
|
||||||
else:
|
else:
|
||||||
name = nss_name.name
|
name = nss_name.name
|
||||||
names.append(GeneralNameInfo(nametype, nss_name.type_string, name))
|
|
||||||
|
gni = GeneralNameInfo(nametype, nss_name.type_string, name, der_value)
|
||||||
|
names.append(gni)
|
||||||
|
|
||||||
return names
|
return names
|
||||||
|
|
||||||
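Review bot: Adding `der_value` as a fourth positional field of `GeneralNameInfo` breaks every consumer that unpacks the tuple into three names (`ValueError: too many values to unpack`); the `cert_request` loop changed later in this commit is one such consumer. Any other callers of `decode_generalnames` are not visible on this page, so confirm none remain, or have consumers read fields by attribute (`gn.type`, `gn.value`) so that a later field does not break them again. The new docstring should also state what `der_value` holds: it appears to be the undecoded bytes returned by `asOctets()`, taken from the certificate or request being parsed, so a sentence such as `der_value is a raw byte string from the input; hex- or base64-encode it before printing or logging.` would tell the pretty-printing code how to treat it. Parts of `decode_generalnames` between the hunks are not shown.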
|
|||||||
@@ -559,7 +559,7 @@ class cert_request(Create, BaseCertMethod, VirtualCommand):
|
|||||||
"to the 'userCertificate' attribute of entry '%s'.") % dn)
|
"to the 'userCertificate' attribute of entry '%s'.") % dn)
|
||||||
|
|
||||||
# Validate the subject alt name, if any
|
# Validate the subject alt name, if any
|
||||||
for name_type, desc, name in subjectaltname:
|
for name_type, desc, name, der_name in subjectaltname:
|
||||||
if name_type == nss.certDNSName:
|
if name_type == nss.certDNSName:
|
||||||
name = unicode(name)
|
name = unicode(name)
|
||||||
alt_principal_obj = None
|
alt_principal_obj = None
|
||||||
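Review bot: The new loop variable `der_name` is not used in the visible lines and does not match the `der_value` field it is bound to; `der_value` (or `_der_value` while it stays unused) would keep the two files consistent. Iterating with `for gn in subjectaltname:` and reading `gn.type` and `gn.value` would also avoid editing this validation loop each time the namedtuple gains a field. The loop body continues outside the hunk, so how it handles an otherName type it does not recognise cannot be checked from here; that branch deserves a look, since such names now carry their raw DER along.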
|
|||||||