Commit Graph

18 Commits

Author SHA1 Message Date
Fraser Tweedale
e1df2e0792 cert-request: accept CSRs with extraneous data
The cert-request command used to accept CSRs that had extra data
surrounding the PEM data, e.g. commentary about the contents of the
CSR.  Recent commits that switch to using python-cryptography for
cert and CSR handling broke this.  Our acceptance tests use such
CSRs, hence the tests are now failing.

To avoid the issue, freshly encode the python-cryptography
CertificateSigningRequest object as PEM.  This avoids re-using the
user-supplied data, in case it has extraneous data.

Fixes: https://fedorahosted.org/freeipa/ticket/6472
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-11-11 15:42:26 +01:00
Fraser Tweedale
b0430b67dc Remove __main__ code from ipalib.x509 and ipalib.pkcs10
This code was presumably once used for testing, but has been
subsumed by the actual test suite.

Part of: https://fedorahosted.org/freeipa/ticket/6398

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2016-11-10 10:21:47 +01:00
Fraser Tweedale
85487281cd pkcs10: remove pyasn1 PKCS #10 spec
In the dogtag-ipa-ca-renew-agent-submit certmonger renewal helper,
we currently use our hand-rolled PKCS #10 pyasn1 specification to
parse the friendlyName out of CSRs generated by certmonger (it
contains the NSSDB nickname of the cert).

Use other information from the renewal helper process environment to
determine the nickname and remove our PKCS #10 pyasn1 spec.

Part of: https://fedorahosted.org/freeipa/ticket/6398

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2016-11-10 10:21:47 +01:00
Fraser Tweedale
66637f766d pkcs10: use python-cryptography for CSR processing
Update ``ipalib.pkcs10`` module to use python-cryptography for CSR
processing instead of NSS.

Part of: https://fedorahosted.org/freeipa/ticket/6398

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2016-11-10 10:21:47 +01:00
Fraser Tweedale
0245d2aadf Move GeneralName parsing code to ipalib.x509
GeneralName parsing code is primarily relevant to X.509.  An
upcoming change will add SAN parsing to the cert-show command, so
first move the GeneralName parsing code from ipalib.pkcs10 to
ipalib.x509.

Part of: https://fedorahosted.org/freeipa/ticket/6022

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-08-26 09:09:45 +02:00
Martin Basti
e4075b1fe2 Remove unused imports
This patch removes unused imports, alse pylint has been configured to
check unused imports.

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-12-23 07:59:22 +01:00
Jan Cholasta
23507e6124 Alias "unicode" to "str" under Python 3
The six way of doing this is to replace all occurences of "unicode"
with "six.text_type". However, "unicode" is non-ambiguous and
(arguably) easier to read. Also, using it makes the patches smaller,
which should help with backporting.

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2015-09-17 11:08:43 +02:00
Petr Viktorin
8de13bd7dd Use the print function
In Python 3, `print` is no longer a statement. Call it as a function
everywhere, and include the future import to remove the statement
in Python 2 code as well.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-09-01 11:42:01 +02:00
Fraser Tweedale
e92f25bd50 Work around python-nss bug on unrecognised OIDs
A bug in python-nss causes an error to be thrown when converting an
unrecognised OID to a string.  If cert-request receives a PKCS #10
CSR with an unknown extension, the error is thrown.

Work around this error by first checking if the OID is recognised
and, if it is not, using a different method to obtain its string
representation.

Once the python-nss bug is fixed, this workaround should be
reverted.  https://bugzilla.redhat.com/show_bug.cgi?id=1246729

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-08-11 15:28:28 +02:00
Fraser Tweedale
a931d3edc0 Update cert-request to support user certs and profiles
Part of: https://fedorahosted.org/freeipa/ticket/57
Part of: https://fedorahosted.org/freeipa/ticket/4938

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-06-04 08:27:33 +00:00
Jan Cholasta
d6fb110b77 Support requests with SAN in cert-request.
For each SAN in a request there must be a matching service entry writable by
the requestor. Users can request certificates with SAN only if they have
"Request Certificate With SubjectAltName" permission.

https://fedorahosted.org/freeipa/ticket/3977

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 12:10:01 +02:00
Jan Cholasta
fcf6a1e77c Add function for parsing friendly name from certificate requests.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-03-25 16:54:55 +01:00
Jan Cholasta
d5e35f92a5 Update pkcs10 module functions to always load CSRs and allow selecting format.
This change makes the pkcs10 module more consistent with the x509 module.

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-03-25 16:54:55 +01:00
Jakub Hrozek
ab2ca8022e Fix assorted bugs found by pylint 2011-01-25 14:01:36 -05:00
Jakub Hrozek
7493d781df Change FreeIPA license to GPLv3+
The changes include:
 * Change license blobs in source files to mention GPLv3+ not GPLv2 only
 * Add GPLv3+ license text
 * Package COPYING not LICENSE as the license blobs (even the old ones)
   mention COPYING specifically, it is also more common, I think

 https://fedorahosted.org/freeipa/ticket/239
2010-12-20 17:19:53 -05:00
Rob Crittenden
b7ca3d68c2 Drop our own PKCS#10 ASN.1 decoder and use the one from python-nss
This patch:
- bumps up the minimum version of python-nss
- will initialize NSS with nodb if a CSR is loaded and it isn't already
  init'd
- will shutdown NSS if initialized in the RPC subsystem so we use right db
- updated and added a few more tests

Relying more on NSS introduces a bit of a problem. For NSS to work you
need to have initialized a database (either a real one or no_db). But once
you've initialized one and want to use another you have to close down the
first one.  I've added some code to nsslib.py to do just that. This could
potentially have some bad side-effects at some point, it works ok now.
2010-07-29 10:50:10 -04:00
Rob Crittenden
3ea044fb59 Handle CSRs whether they have NEW in the header or not
Also consolidate some duplicate code
2010-05-03 17:58:08 -06:00
Rob Crittenden
ab1667f3c1 Use pyasn1-based PKCS#10 and X509v3 parsers instead of pyOpenSSL.
The pyOpenSSL PKCS#10 parser doesn't support attributes so we can't identify
requests with subject alt names.

Subject alt names are only allowed if:
  - the host for the alt name exists in IPA
  - if binding as host principal, the host is in the services managedBy attr
2009-11-30 18:10:09 -07:00