Work around python-nss bug on unrecognised OIDs

A bug in python-nss causes an error to be thrown when converting an
unrecognised OID to a string.  If cert-request receives a PKCS #10
CSR with an unknown extension, the error is thrown.

Work around this error by first checking if the OID is recognised
and, if it is not, using a different method to obtain its string
representation.

Once the python-nss bug is fixed, this workaround should be
reverted.  https://bugzilla.redhat.com/show_bug.cgi?id=1246729

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Fraser Tweedale 2015-07-24 09:23:07 -04:00 committed by Jan Cholasta
parent 812ab600a3
commit e92f25bd50

@ -53,7 +53,20 @@ def get_extensions(csr, datatype=PEM):
The return value is a tuple of strings The return value is a tuple of strings
""" """
request = load_certificate_request(csr, datatype) request = load_certificate_request(csr, datatype)
return tuple(nss.oid_dotted_decimal(ext.oid_tag)[4:]
# Work around a bug in python-nss where nss.oid_dotted_decimal
# errors on unrecognised OIDs
#
# https://bugzilla.redhat.com/show_bug.cgi?id=1246729
#
def get_prefixed_oid_str(ext):
"""Returns a string like 'OID.1.2...'."""
if ext.oid_tag == 0:
return repr(ext)
else:
return nss.oid_dotted_decimal(ext.oid)
return tuple(get_prefixed_oid_str(ext)[4:]
for ext in request.extensions) for ext in request.extensions)
class _PrincipalName(univ.Sequence): class _PrincipalName(univ.Sequence):
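
Review bot: In get_prefixed_oid_str, the `ext.oid_tag == 0` branch returns `repr(ext)`, and the caller then drops four characters with `[4:]`, so the fallback is only correct while the repr of an extension object happens to begin with "OID.". If that repr ever has another shape, get_extensions silently returns a mangled string instead of failing, and the callers that check CSR extensions would be comparing against the wrong value. Please verify the prefix before slicing (for example with `startswith('OID.')`, raising an error otherwise), or strip the prefix inside the helper so the assumption lives in one place. The bare `0` would also read better with a comment saying it is the tag value for an unrecognised OID. Separately, the recognised path now passes `ext.oid` to `nss.oid_dotted_decimal` where the removed line passed `ext.oid_tag`; the commit message does not mention that change, so a sentence on why it is needed would help, as would a test with a CSR that carries an unknown extension.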