mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-25 16:31:08 -06:00
b7ca3d68c2
This patch: - bumps up the minimum version of python-nss - will initialize NSS with nodb if a CSR is loaded and it isn't already init'd - will shutdown NSS if initialized in the RPC subsystem so we use right db - updated and added a few more tests Relying more on NSS introduces a bit of a problem. For NSS to work you need to have initialized a database (either a real one or no_db). But once you've initialized one and want to use another you have to close down the first one. I've added some code to nsslib.py to do just that. This could potentially have some bad side-effects at some point, it works ok now.
96 lines
2.5 KiB
Python
96 lines
2.5 KiB
Python
# Authors:
|
|
# Rob Crittenden <rcritten@redhat.com>
|
|
#
|
|
# Copyright (C) 2010 Red Hat
|
|
# see file 'COPYING' for use and warranty information
|
|
#
|
|
# This program is free software; you can redistribute it and/or
|
|
# modify it under the terms of the GNU General Public License as
|
|
# published by the Free Software Foundation; version 2 only
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program; if not, write to the Free Software
|
|
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
|
|
|
import os
|
|
import sys
|
|
import base64
|
|
import nss.nss as nss
|
|
from ipapython import ipautil
|
|
from ipalib import api
|
|
|
|
PEM = 0
|
|
DER = 1
|
|
|
|
def get_subjectaltname(request):
|
|
"""
|
|
Given a CSR return the subjectaltname value, if any.
|
|
|
|
The return value is a tuple of strings or None
|
|
"""
|
|
for extension in request.extensions:
|
|
if extension.oid_tag == nss.SEC_OID_X509_SUBJECT_ALT_NAME:
|
|
return nss.x509_alt_name(extension.value)
|
|
return None
|
|
|
|
def get_subject(request):
|
|
"""
|
|
Given a CSR return the subject value.
|
|
|
|
This returns an nss.DN object.
|
|
"""
|
|
return request.subject
|
|
|
|
def strip_header(csr):
|
|
"""
|
|
Remove the header and footer from a CSR.
|
|
"""
|
|
headerlen = 40
|
|
s = csr.find("-----BEGIN NEW CERTIFICATE REQUEST-----")
|
|
if s == -1:
|
|
headerlen = 36
|
|
s = csr.find("-----BEGIN CERTIFICATE REQUEST-----")
|
|
if s >= 0:
|
|
e = csr.find("-----END")
|
|
csr = csr[s+headerlen:e]
|
|
|
|
return csr
|
|
|
|
def load_certificate_request(csr):
|
|
"""
|
|
Given a base64-encoded certificate request, with or without the
|
|
header/footer, return a request object.
|
|
"""
|
|
csr = strip_header(csr)
|
|
|
|
substrate = base64.b64decode(csr)
|
|
|
|
# A fail-safe so we can always read a CSR. python-nss/NSS will segfault
|
|
# otherwise
|
|
if not nss.nss_is_initialized():
|
|
nss.nss_init_nodb()
|
|
|
|
return nss.CertificateRequest(substrate)
|
|
|
|
if __name__ == '__main__':
|
|
nss.nss_init_nodb()
|
|
|
|
# Read PEM request from stdin and print out its components
|
|
|
|
csrlines = sys.stdin.readlines()
|
|
csrlines = fp.readlines()
|
|
fp.close()
|
|
csr = ''.join(csrlines)
|
|
|
|
csr = load_certificate_request(csr)
|
|
|
|
print csr
|
|
|
|
print get_subject(csr)
|
|
print get_subjectaltname(csr)
|