Hi,

the attached patch fixes <https://fedorahosted.org/freeipa/ticket/5117> and <https://fedorahosted.org/freeipa/ticket/5720>.


Honza

--
Jan Cholasta
From efd94957c00021f08560fd67eeb083ee2c2a260e Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Thu, 10 Mar 2016 13:16:41 +0100
Subject: [PATCH] certdb: never use the -r option of certutil

The -r option makes certutil output certificates in DER. If there are
multiple certificates sharing the same nickname, certutil will output
them concatenated into a single blob. The blob is not a valid DER
anymore and causes failures further in the code.

Use the -a option instead to output the certificates in PEM and convert
them to DER on demand.

https://fedorahosted.org/freeipa/ticket/5117
https://fedorahosted.org/freeipa/ticket/5720
---
 ipapython/certdb.py | 18 ++++++++----------
 1 file changed, 8 insertions(+), 10 deletions(-)

diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index aea50a8..e19f712 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -425,19 +425,17 @@ class NSSDatabase(object):
                     "Setting trust on %s failed" % root_nickname)
 
     def get_cert(self, nickname, pem=False):
-        args = ['-L', '-n', nickname]
-        if pem:
-            args.append('-a')
-        else:
-            args.append('-r')
+        args = ['-L', '-n', nickname, '-a']
         try:
-            result = self.run_certutil(args, capture_output=pem)
+            result = self.run_certutil(args, capture_output=True)
         except ipautil.CalledProcessError:
             raise RuntimeError("Failed to get %s" % nickname)
-        if pem:
-            return result.output
-        else:
-            return result.raw_output
+        cert = result.output
+        if not pem:
+            (cert, start) = find_cert_from_txt(cert, start=0)
+            cert = x509.strip_header(cert)
+            cert = base64.b64decode(cert)
+        return cert
 
     def has_nickname(self, nickname):
         try:
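Review bot: the DER branch in get_cert now silently returns only the first certificate that find_cert_from_txt locates in the PEM output, whereas the pem=True branch still returns the full concatenated output with every certificate sharing the nickname; this asymmetry should be stated in a docstring on get_cert so callers know the DER result is a single certificate and that its choice depends on certutil's output order. The `start` value returned by `find_cert_from_txt(cert, start=0)` is never used, so `(cert, start) = ...` should be `cert, _ = ...` (or `cert = find_cert_from_txt(cert, start=0)[0]`) to avoid an unused-variable warning. Also confirm that `base64`, `find_cert_from_txt` and `x509` are imported in ipapython/certdb.py, since the hunk introduces their use without showing the imports.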
-- 
2.5.0

From 84ce28a1e7983e5f4169be772a3f041ae64525f2 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Thu, 10 Mar 2016 13:16:41 +0100
Subject: [PATCH] certdb: never use the -r option of certutil

The -r option makes certutil output certificates in DER. If there are
multiple certificates sharing the same nickname, certutil will output
them concatenated into a single blob. The blob is not a valid DER
anymore and causes failures further in the code.

Use the -a option instead to output the certificates in PEM and convert
them to DER on demand.

https://fedorahosted.org/freeipa/ticket/5117
https://fedorahosted.org/freeipa/ticket/5720
---
 ipapython/certdb.py | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index 5a6e494..63dc458 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -395,15 +395,15 @@ class NSSDatabase(object):
                     "Setting trust on %s failed" % root_nickname)
 
     def get_cert(self, nickname, pem=False):
-        args = ['-L', '-n', nickname]
-        if pem:
-            args.append('-a')
-        else:
-            args.append('-r')
+        args = ['-L', '-n', nickname, '-a']
         try:
             cert, err, returncode = self.run_certutil(args)
         except ipautil.CalledProcessError:
             raise RuntimeError("Failed to get %s" % nickname)
+        if not pem:
+            (cert, start) = find_cert_from_txt(cert, start=0)
+            cert = x509.strip_header(cert)
+            cert = base64.b64decode(cert)
         return cert
 
     def has_nickname(self, nickname):
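Review bot: this variant keeps `cert, err, returncode = self.run_certutil(args)` and then passes `cert` (the text output) to find_cert_from_txt, so the same caveats as the other branch apply: with `-a` replacing `-r` the pem=False path yields only the first PEM block found, while pem=True still returns everything certutil printed, and that should be documented on get_cert; the unused `start` from `(cert, start) = find_cert_from_txt(cert, start=0)` should be dropped. One logic point specific to this hunk: the old code returned certutil's output untouched, so any caller that relied on raw DER for multiple same-nickname certificates (the failure the commit message describes) will now get one certificate instead of an error, and it would be worth checking whether those callers should instead iterate over all certificates rather than receive a single arbitrary one.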
-- 
2.5.0
