URL: https://github.com/freeipa/freeipa/pull/230
Author: frasertweedale
Title: #230: cert-request: accept CSRs with extraneous data
Action: opened

PR body:
"""
The cert-request command used to accept CSRs that had extra data
surrounding the PEM data, e.g. commentary about the contents of the
CSR.  Recent commits that switch to using python-cryptography for
cert and CSR handling broke this.  Our acceptance tests use such
CSRs, hence the tests are now failing.

To avoid the issue, freshly encode the python-cryptography
CertificateSigningRequest object as PEM.  This avoids re-using the
user-supplied data, in case it has extraneous data.

Fixes: https://fedorahosted.org/freeipa/ticket/6472
"""

To pull the PR as a Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/230/head:pr230
git checkout pr230
From 8f1164724d872c8b28513bbc5985ae3a77c3405d Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Thu, 10 Nov 2016 23:22:52 +1000
Subject: [PATCH] cert-request: accept CSRs with extraneous data

The cert-request command used to accept CSRs that had extra data
surrounding the PEM data, e.g. commentary about the contents of the
CSR.  Recent commits that switch to using python-cryptography for
cert and CSR handling broke this.  Our acceptance tests use such
CSRs, hence the tests are now failing.

To avoid the issue, freshly encode the python-cryptography
CertificateSigningRequest object as PEM.  This avoids re-using the
user-supplied data, in case it has extraneous data.

Fixes: https://fedorahosted.org/freeipa/ticket/6472
---
 ipalib/pkcs10.py          | 2 +-
 ipaserver/plugins/cert.py | 7 +++++--
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/ipalib/pkcs10.py b/ipalib/pkcs10.py
index a993519..39ec95c 100644
--- a/ipalib/pkcs10.py
+++ b/ipalib/pkcs10.py
@@ -26,7 +26,7 @@
 
 def strip_header(csr):
     """
-    Remove the header and footer from a CSR.
+    Remove the header and footer (and surrounding material) from a CSR.
     """
     headerlen = 40
     s = csr.find("-----BEGIN NEW CERTIFICATE REQUEST-----")
diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index 4362d82..3571ef1 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -26,7 +26,7 @@
 import os
 
 import cryptography.x509
-from cryptography.hazmat.primitives import hashes
+from cryptography.hazmat.primitives import hashes, serialization
 import six
 
 from ipalib import Command, Str, Int, Flag
@@ -750,8 +750,11 @@ def execute(self, csr, all=False, raw=False, **kw):
 
         # Request the certificate
         try:
+            # re-serialise to PEM, in case the user-supplied data has
+            # extraneous material that will cause Dogtag to freak out
+            csr_pem = csr_obj.public_bytes(serialization.Encoding.PEM)
             result = self.Backend.ra.request_certificate(
-                csr, profile_id, ca_id, request_type=request_type)
+                csr_pem, profile_id, ca_id, request_type=request_type)
         except errors.HTTPRequestError as e:
             if e.status == 409:  # pylint: disable=no-member
                 raise errors.CertificateOperationError(
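Review bot: The re-serialisation should sit outside the try block: the except clause only handles errors.HTTPRequestError, and csr_obj.public_bytes() cannot raise that, so placing it before `try:` keeps the handler scoped to the RA call it was written for. Two further points worth checking: csr_obj is not visible in this hunk, so confirm it is the object parsed from the user-supplied csr earlier in execute(), and note that python-cryptography's Encoding.PEM output uses the "-----BEGIN CERTIFICATE REQUEST-----" header, whereas strip_header in ipalib/pkcs10.py searches for "-----BEGIN NEW CERTIFICATE REQUEST-----"; if request_certificate or the RA backend relies on strip_header, that mismatch needs handling. Finally, the comment "cause Dogtag to freak out" would read better as something like "# Dogtag rejects PEM with surrounding material".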
-- 