mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-24 16:10:02 -06:00
0245d2aadf
GeneralName parsing code is primarily relevant to X.509. An upcoming change will add SAN parsing to the cert-show command, so first move the GeneralName parsing code from ipalib.pkcs10 to ipalib.x509. Part of: https://fedorahosted.org/freeipa/ticket/6022 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
179 lines
5.2 KiB
Python
179 lines
5.2 KiB
Python
# Authors:
|
|
# Rob Crittenden <rcritten@redhat.com>
|
|
#
|
|
# Copyright (C) 2010 Red Hat
|
|
# see file 'COPYING' for use and warranty information
|
|
#
|
|
# This program is free software; you can redistribute it and/or modify
|
|
# it under the terms of the GNU General Public License as published by
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
from __future__ import print_function
|
|
|
|
import sys
|
|
import base64
|
|
import nss.nss as nss
|
|
from pyasn1.type import univ, namedtype, tag
|
|
from pyasn1.codec.der import decoder
|
|
import six
|
|
from ipalib import x509
|
|
|
|
if six.PY3:
|
|
unicode = str
|
|
|
|
PEM = 0
|
|
DER = 1
|
|
|
|
def get_subject(csr, datatype=PEM):
|
|
"""
|
|
Given a CSR return the subject value.
|
|
|
|
This returns an nss.DN object.
|
|
"""
|
|
request = load_certificate_request(csr, datatype)
|
|
try:
|
|
return request.subject
|
|
finally:
|
|
del request
|
|
|
|
def get_extensions(csr, datatype=PEM):
|
|
"""
|
|
Given a CSR return OIDs of certificate extensions.
|
|
|
|
The return value is a tuple of strings
|
|
"""
|
|
request = load_certificate_request(csr, datatype)
|
|
|
|
# Work around a bug in python-nss where nss.oid_dotted_decimal
|
|
# errors on unrecognised OIDs
|
|
#
|
|
# https://bugzilla.redhat.com/show_bug.cgi?id=1246729
|
|
#
|
|
def get_prefixed_oid_str(ext):
|
|
"""Returns a string like 'OID.1.2...'."""
|
|
if ext.oid_tag == 0:
|
|
return repr(ext)
|
|
else:
|
|
return nss.oid_dotted_decimal(ext.oid)
|
|
|
|
return tuple(get_prefixed_oid_str(ext)[4:]
|
|
for ext in request.extensions)
|
|
|
|
|
|
def get_subjectaltname(csr, datatype=PEM):
|
|
"""
|
|
Given a CSR return the subjectaltname value, if any.
|
|
|
|
The return value is a tuple of strings or None
|
|
"""
|
|
request = load_certificate_request(csr, datatype)
|
|
for extension in request.extensions:
|
|
if extension.oid_tag == nss.SEC_OID_X509_SUBJECT_ALT_NAME:
|
|
break
|
|
else:
|
|
return None
|
|
del request
|
|
|
|
return x509.decode_generalnames(extension.value)
|
|
|
|
|
|
# Unfortunately, NSS can only parse the extension request attribute, so
|
|
# we have to parse friendly name ourselves (see RFC 2986)
|
|
class _Attribute(univ.Sequence):
|
|
componentType = namedtype.NamedTypes(
|
|
namedtype.NamedType('type', univ.ObjectIdentifier()),
|
|
namedtype.NamedType('values', univ.Set()),
|
|
)
|
|
|
|
class _Attributes(univ.SetOf):
|
|
componentType = _Attribute()
|
|
|
|
class _CertificationRequestInfo(univ.Sequence):
|
|
componentType = namedtype.NamedTypes(
|
|
namedtype.NamedType('version', univ.Integer()),
|
|
namedtype.NamedType('subject', univ.Sequence()),
|
|
namedtype.NamedType('subjectPublicKeyInfo', univ.Sequence()),
|
|
namedtype.OptionalNamedType('attributes', _Attributes().subtype(
|
|
implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0)))
|
|
)
|
|
|
|
class _CertificationRequest(univ.Sequence):
|
|
componentType = namedtype.NamedTypes(
|
|
namedtype.NamedType('certificationRequestInfo',
|
|
_CertificationRequestInfo()),
|
|
namedtype.NamedType('signatureAlgorithm', univ.Sequence()),
|
|
namedtype.NamedType('signatureValue', univ.BitString()),
|
|
)
|
|
|
|
_FRIENDLYNAME = univ.ObjectIdentifier('1.2.840.113549.1.9.20')
|
|
|
|
def get_friendlyname(csr, datatype=PEM):
|
|
"""
|
|
Given a CSR return the value of the friendlyname attribute, if any.
|
|
|
|
The return value is a string.
|
|
"""
|
|
if datatype == PEM:
|
|
csr = strip_header(csr)
|
|
csr = base64.b64decode(csr)
|
|
|
|
csr = decoder.decode(csr, asn1Spec=_CertificationRequest())[0]
|
|
for attribute in csr['certificationRequestInfo']['attributes']:
|
|
if attribute['type'] == _FRIENDLYNAME:
|
|
return unicode(attribute['values'][0])
|
|
|
|
return None
|
|
|
|
def strip_header(csr):
|
|
"""
|
|
Remove the header and footer from a CSR.
|
|
"""
|
|
headerlen = 40
|
|
s = csr.find("-----BEGIN NEW CERTIFICATE REQUEST-----")
|
|
if s == -1:
|
|
headerlen = 36
|
|
s = csr.find("-----BEGIN CERTIFICATE REQUEST-----")
|
|
if s >= 0:
|
|
e = csr.find("-----END")
|
|
csr = csr[s+headerlen:e]
|
|
|
|
return csr
|
|
|
|
def load_certificate_request(csr, datatype=PEM):
|
|
"""
|
|
Given a base64-encoded certificate request, with or without the
|
|
header/footer, return a request object.
|
|
"""
|
|
if datatype == PEM:
|
|
csr = strip_header(csr)
|
|
csr = base64.b64decode(csr)
|
|
|
|
# A fail-safe so we can always read a CSR. python-nss/NSS will segfault
|
|
# otherwise
|
|
if not nss.nss_is_initialized():
|
|
nss.nss_init_nodb()
|
|
|
|
return nss.CertificateRequest(csr)
|
|
|
|
if __name__ == '__main__':
|
|
nss.nss_init_nodb()
|
|
|
|
# Read PEM request from stdin and print out its components
|
|
|
|
csrlines = sys.stdin.readlines()
|
|
csr = ''.join(csrlines)
|
|
|
|
print(load_certificate_request(csr))
|
|
print(get_subject(csr))
|
|
print(get_subjectaltname(csr))
|
|
print(get_friendlyname(csr))
|