Use pyasn1-based PKCS#10 and X509v3 parsers instead of pyOpenSSL.

The pyOpenSSL PKCS#10 parser doesn't support attributes so we can't identify requests with subject alt names. Subject alt names are only allowed if: - the host for the alt name exists in IPA - if binding as host principal, the host is in the services managedBy attr
2025-02-25 18:55:28 -06:00 · 2009-11-24 16:07:44 -05:00
parent 7c2c2d6130
commit ab1667f3c1
11 changed files with 984 additions and 33 deletions
--- a/ipaserver/plugins/selfsign.py
+++ b/ipaserver/plugins/selfsign.py
@@ -36,12 +36,13 @@ if api.env.ra_plugin != 'selfsign':
    raise SkipPluginModule(reason='selfsign is not selected as RA plugin, it is %s' % api.env.ra_plugin)
 from ipalib import Backend
 from ipalib import errors
+from ipalib import x509
 import subprocess
 import os
 from ipaserver.plugins import rabase
 from ipaserver.install import certs
 import tempfile
-from OpenSSL import crypto
+from pyasn1 import error

 class ra(rabase.rabase):
    """
@@ -56,6 +57,15 @@ class ra(rabase.rabase):
        :param request_type: The request type (defaults to ``'pkcs10'``).
        """
        (csr_fd, csr_name) = tempfile.mkstemp()
+
+        # certutil wants the CSR to have have a header and footer. Add one
+        # if it isn't there.
+        s = csr.find('-----BEGIN NEW CERTIFICATE REQUEST-----')
+        if s == -1:
+            s = csr.find('-----BEGIN CERTIFICATE REQUEST-----')
+            if s == -1:
+                csr = '-----BEGIN NEW CERTIFICATE REQUEST-----\n' + csr + \
+                      '-----END NEW CERTIFICATE REQUEST-----\n'
        os.write(csr_fd, csr)
        os.close(csr_fd)
        (cert_fd, cert_name) = tempfile.mkstemp()
@@ -101,16 +111,15 @@ class ra(rabase.rabase):

        try:
            # Grab the subject, reverse it, combine it and return it
-            x509 = crypto.load_certificate(crypto.FILETYPE_PEM, cert)
-            sub = x509.get_subject().get_components()
+            sub = list(x509.get_subject_components(cert))
            sub.reverse()
            subject = ""
            for s in sub:
                subject = subject + "%s=%s," % (s[0], s[1])
            subject = subject[:-1]

-            serial = x509.get_serial_number()
-        except crypto.Error, e:
+            serial = x509.get_serial_number(cert)
+        except error.PyAsn1Error, e:
            raise errors.GenericError(format='Unable to decode certificate in entry: %s' % str(e))

        # To make it look like dogtag return just the base64 data.