Be more careful when base64-decoding certificates

Only decode certs that have a BEGIN/END block, otherwise assume it is in DER format.
2025-02-25 18:55:28 -06:00 · 2010-02-01 14:00:28 -05:00
parent 8ca97cdf35
commit dc55240fe8
4 changed files with 9 additions and 16 deletions
--- a/ipalib/plugins/service.py
+++ b/ipalib/plugins/service.py
@@ -28,6 +28,7 @@ from ipalib import Str, Flag, Bytes
 from ipalib.plugins.baseldap import *
 from ipalib import x509
 from pyasn1.error import PyAsn1Error
+from ipalib import _, ngettext


 def get_serial(certificate):
@@ -37,16 +38,12 @@ def get_serial(certificate):
    """
    if type(certificate) in (list, tuple):
        certificate = certificate[0]
-    try:
-        certificate = base64.b64decode(certificate)
-    except Exception:
-        pass

    try:
        serial = x509.get_serial_number(certificate, type=x509.DER)
-    except PyAsn1Error:
+    except PyAsn1Error, e:
        raise errors.GenericError(
-            format='Unable to decode certificate in entry'
+            format='Unable to decode certificate in entry: %s' % e
        )
    return serial

--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -476,11 +476,6 @@ class CertDB(object):
        os.unlink(self.certreq_fname)
        os.unlink(self.certder_fname)

-        # On the off-chance the certificate is base64-encoded
-        try:
-            dercert = base64.b64decode(dercert)
-        except:
-            pass
        return dercert

    def create_signing_cert(self, nickname, hostname, other_certdb=None, subject=None):
@@ -593,11 +588,11 @@ class CertDB(object):
                doc.unlink()
                conn.close()

-            # base64-decode the result
+            # base64-decode the result for uniformity
            cert = base64.b64decode(cert)

            # Write the certificate to a file. It will be imported in a later
-            # step.
+            # step. This file will be read later to be imported.
            f = open(cert_fname, "w")
            f.write(cert)
            f.close()
@@ -682,9 +677,11 @@ class CertDB(object):
            doc.unlink()
            conn.close()

-            # base64-decode the cert
+            # base64-decode the cert for uniformity
            cert = base64.b64decode(cert)

+            # Write the certificate to a file. It will be imported in a later
+            # step. This file will be read later to be imported.
            f = open(cert_fname, "w")
            f.write(cert)
            f.close()
--- a/ipaserver/plugins/selfsign.py
+++ b/ipaserver/plugins/selfsign.py
@@ -48,7 +48,6 @@ import tempfile
 from pyasn1 import error
 from ipalib.request import ugettext as _
 from pyasn1.codec.der import encoder
-import base64
 from ipalib.plugins.cert import get_csr_hostname

 class ra(rabase.rabase):