cert-request: accept CSRs with extraneous data

The cert-request command used to accept CSRs that had extra data
surrounding the PEM data, e.g. commentary about the contents of the
CSR.  Recent commits that switch to using python-cryptography for
cert and CSR handling broke this.  Our acceptance tests use such
CSRs, hence the tests are now failing.

To avoid the issue, freshly encode the python-cryptography
CertificateSigningRequest object as PEM.  This avoids re-using the
user-supplied data, in case it has extraneous data.

Fixes: https://fedorahosted.org/freeipa/ticket/6472
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
This commit is contained in:
Fraser Tweedale 2016-11-10 23:22:52 +10:00 committed by Martin Babinsky
parent f183f70e01
commit e1df2e0792
2 changed files with 6 additions and 3 deletions

View File

@ -26,7 +26,7 @@ import cryptography.x509
def strip_header(csr):
"""
Remove the header and footer from a CSR.
Remove the header and footer (and surrounding material) from a CSR.
"""
headerlen = 40
s = csr.find("-----BEGIN NEW CERTIFICATE REQUEST-----")

View File

@ -26,7 +26,7 @@ from operator import attrgetter
import os
import cryptography.x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives import hashes, serialization
import six
from ipalib import Command, Str, Int, Flag
@ -750,8 +750,11 @@ class cert_request(Create, BaseCertMethod, VirtualCommand):
# Request the certificate
try:
# re-serialise to PEM, in case the user-supplied data has
# extraneous material that will cause Dogtag to freak out
csr_pem = csr_obj.public_bytes(serialization.Encoding.PEM)
result = self.Backend.ra.request_certificate(
csr, profile_id, ca_id, request_type=request_type)
csr_pem, profile_id, ca_id, request_type=request_type)
except errors.HTTPRequestError as e:
if e.status == 409: # pylint: disable=no-member
raise errors.CertificateOperationError(