IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

x509: Make certificates represented as objects

Browse Source 
https://pagure.io/freeipa/issue/4985

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
This commit is contained in:
Stanislav Laznicka
2017-06-16 10:18:07 +02:00
committed by Pavel Vomacka
parent 4375ef860f
commit b5732efda6
33 changed files with 537 additions and 477 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
ipaserver/plugins/ca.py
View File

@@ -181,8 +181,8 @@ def set_certificate_attrs(entry, options, want_cert=True):
if want_chain or full:
pkcs7_der = ca_api.read_ca_chain(ca_id)
pems = x509.pkcs7_to_pems(pkcs7_der, x509.DER)
ders = [x509.normalize_certificate(pem) for pem in pems]
certs = x509.pkcs7_to_certs(pkcs7_der, x509.DER)
ders = [cert.public_bytes(x509.Encoding.DER) for cert in certs]
entry['certificate_chain'] = ders

13
ipaserver/plugins/cert.py
View File

@@ -490,7 +490,8 @@ class BaseCertObject(Object):
"""
if 'certificate' in obj:
cert = x509.load_pem_x509_certificate(obj['certificate'])
cert = x509.load_der_x509_certificate(
base64.b64decode(obj['certificate']))
obj['subject'] = DN(cert.subject)
obj['issuer'] = DN(cert.issuer)
obj['serial_number'] = cert.serial_number
@@ -505,7 +506,7 @@ class BaseCertObject(Object):
cert.fingerprint(hashes.SHA256()))
general_names = x509.process_othernames(
x509.get_san_general_names(cert))
cert.san_general_names)
for gn in general_names:
try:
@@ -911,7 +912,7 @@ class cert_request(Create, BaseCertMethod, VirtualCommand):
profile = api.Command['certprofile_show'](profile_id)
store = profile['result']['ipacertprofilestoreissued'][0] == 'TRUE'
if store and 'certificate' in result:
cert = str(result.get('certificate'))
cert = result.get('certificate')
kwargs = dict(addattr=u'usercertificate={}'.format(cert))
# note: we call different commands for the different
# principal types because handling of 'userCertificate'
@@ -927,7 +928,8 @@ class cert_request(Create, BaseCertMethod, VirtualCommand):
"used for krbtgt certificates")
if 'certificate_chain' in ca_obj:
cert = x509.load_pem_x509_certificate(result['certificate'])
cert = x509.load_der_x509_certificate(
base64.b64decode(result['certificate']))
cert = cert.public_bytes(serialization.Encoding.DER)
result['certificate_chain'] = [cert] + ca_obj['certificate_chain']
@@ -1191,7 +1193,8 @@ class cert_show(Retrieve, CertMethod, VirtualCommand):
# we don't tell Dogtag the issuer (but we check the cert after).
#
result = self.Backend.ra.get_certificate(str(serial_number))
cert = x509.load_pem_x509_certificate(result['certificate'])
cert = x509.load_der_x509_certificate(
base64.b64decode(result['certificate']))
try:
self.check_access()

7
ipaserver/plugins/certmap.py
View File

@@ -17,7 +17,6 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import base64
import logging
import dbus
@@ -439,12 +438,14 @@ class _sssd(object):
:raise RemoteRetrieveError: if DBus error occurs
"""
try:
pem = x509.make_pem(base64.b64encode(cert))
cert_obj = x509.load_der_x509_certificate(cert)
# bug 3306 in sssd returns 0 entry when max_entries = 0
# Temp workaround is to use a non-null value, not too high
# to avoid reserving unneeded memory
max_entries = dbus.UInt32(100)
user_paths = self._users_iface.ListByCertificate(pem, max_entries)
user_paths = self._users_iface.ListByCertificate(
cert_obj.public_bytes(x509.Encoding.PEM),
max_entries)
users = dict()
for user_path in user_paths:
user_obj = self._bus.get_object(DBUS_SSSD_NAME, user_path)