URL: https://github.com/freeipa/freeipa/pull/230 Author: frasertweedale Title: #230: cert-request: accept CSRs with extraneous data Action: opened
PR body: """
The cert-request command used to accept CSRs that had extra data surrounding the PEM data, e.g. commentary about the contents of the CSR. Recent commits that switch to using python-cryptography for cert and CSR handling broke this. Our acceptance tests use such CSRs, hence the tests are now failing.

To avoid the issue, freshly encode the python-cryptography CertificateSigningRequest object as PEM. This avoids re-using the user-supplied data, in case it has extraneous data.

Fixes: https://fedorahosted.org/freeipa/ticket/6472
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/230/head:pr230
git checkout pr230
From 8f1164724d872c8b28513bbc5985ae3a77c3405d Mon Sep 17 00:00:00 2001 From: Fraser Tweedale <ftwee...@redhat.com> Date: Thu, 10 Nov 2016 23:22:52 +1000 Subject: [PATCH] cert-request: accept CSRs with extraneous data The cert-request command used to accept CSRs that had extra data surrounding the PEM data, e.g. commentary about the contents of the CSR. Recent commits that switch to using python-cryptography for cert and CSR handling broke this. Our acceptance tests use such CSRs, hence the tests are now failing. To avoid the issue, freshly encode the python-cryptography CertificateSigningRequest object as PEM. This avoids re-using the user-supplied data, in case it has extraneous data. Fixes: https://fedorahosted.org/freeipa/ticket/6472 --- ipalib/pkcs10.py | 2 +- ipaserver/plugins/cert.py | 7 +++++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/ipalib/pkcs10.py b/ipalib/pkcs10.py index a993519..39ec95c 100644 --- a/ipalib/pkcs10.py +++ b/ipalib/pkcs10.py @@ -26,7 +26,7 @@ def strip_header(csr): """ - Remove the header and footer from a CSR. + Remove the header and footer (and surrounding material) from a CSR. """ headerlen = 40 s = csr.find("-----BEGIN NEW CERTIFICATE REQUEST-----") diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py index 4362d82..3571ef1 100644 --- a/ipaserver/plugins/cert.py +++ b/ipaserver/plugins/cert.py @@ -26,7 +26,7 @@ import os import cryptography.x509 -from cryptography.hazmat.primitives import hashes +from cryptography.hazmat.primitives import hashes, serialization import six from ipalib import Command, Str, Int, Flag 
@@ -750,8 +750,11 @@ def execute(self, csr, all=False, raw=False, **kw): # Request the certificate try: + # re-serialise to PEM, in case the user-supplied data has + # extraneous material that will cause Dogtag to freak out + csr_pem = csr_obj.public_bytes(serialization.Encoding.PEM) result = self.Backend.ra.request_certificate( - csr, profile_id, ca_id, request_type=request_type) + csr_pem, profile_id, ca_id, request_type=request_type) except errors.HTTPRequestError as e: if e.status == 409: # pylint: disable=no-member raise errors.CertificateOperationError(
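Review bot: the `ipalib/pkcs10.py` hunk changes only the docstring of `strip_header` to claim that surrounding material is removed, with no change to the function body; the visible `csr.find("-----BEGIN NEW CERTIFICATE REQUEST-----")` search does tolerate material before the header, but the hunk does not show how the end of the footer is located, so either confirm that trailing material after the END line is also dropped or keep the docstring limited to what the function actually does.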
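Review bot: in the `execute` hunk, `csr_obj.public_bytes(serialization.Encoding.PEM)` returns bytes, while the `csr` argument it replaces in the `request_certificate` call was the user-supplied text; since this module imports `six` and is meant to run on both Python 2 and 3, confirm that `self.Backend.ra.request_certificate` accepts bytes for the CSR parameter, or decode it first (e.g. `csr_pem = csr_obj.public_bytes(serialization.Encoding.PEM).decode('ascii')`). The inline comment would also read better stated precisely, e.g. "extraneous material that Dogtag would reject", rather than "cause Dogtag to freak out".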