[Freeipa-devel] [freeipa PR#177][synchronized] Add options to write lightweight CA cert or chain to file
URL: https://github.com/freeipa/freeipa/pull/177
Author: frasertweedale
Title: #177: Add options to write lightweight CA cert or chain to file
Action: synchronized
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/177/head:pr177
git checkout pr177
From 9fc99100221906cf304493877f3c1885c3f8da87 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Tue, 16 Aug 2016 13:16:58 +1000
Subject: [PATCH 1/3] Add function for extracting PEM certs from PKCS #7

Add a single function for extracting X.509 certs in PEM format from a PKCS #7 object. Refactor sites that execute ``openssl pkcs7`` to use the new function.

Part of: https://fedorahosted.org/freeipa/ticket/6178
---
 ipalib/x509.py | 29 ++-
 ipapython/certdb.py | 9 ++-
 ipaserver/install/cainstance.py | 52 +++--
 3 files changed, 49 insertions(+), 41 deletions(-)

diff --git a/ipalib/x509.py b/ipalib/x509.py
index e1c3867..851af5a 100644
--- a/ipalib/x509.py
+++ b/ipalib/x509.py
@@ -49,6 +49,14 @@
 from ipalib import util
 from ipalib import errors
 from ipapython.dn import DN
+from ipapython import ipautil
+
+try:
+from ipaplatform.paths import paths
+except ImportError:
+OPENSSL = '/usr/bin/openssl'
+else:
+OPENSSL = paths.OPENSSL
 
 if six.PY3:
 unicode = str
@@ -56,7 +64,9 @@
 PEM = 0
 DER = 1
 
-PEM_REGEX = re.compile(r'(?<=-BEGIN CERTIFICATE-).*?(?=-END CERTIFICATE-)', re.DOTALL)
+PEM_REGEX = re.compile(
+r'-BEGIN CERTIFICATE-.*?-END CERTIFICATE-',
+re.DOTALL)
 
 EKU_SERVER_AUTH = '1.3.6.1.5.5.7.3.1'
 EKU_CLIENT_AUTH = '1.3.6.1.5.5.7.3.2'
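Review bot: The `try`/`except ImportError` around the `paths` import silently falls back to a hard-coded `/usr/bin/openssl`, so a missing or broken ipaplatform is hidden and the binary the new helper executes may differ from the one the platform table names; cainstance.py in this same patch removes a direct `paths.OPENSSL` call, so the abstraction is available on the server side at least. Import it unconditionally, `from ipaplatform.paths import paths`, and use `paths.OPENSSL` at the call site, or at minimum log when the fallback path is taken so a misconfigured host does not surface only as a CalledProcessError later. The module's import block continues outside the hunk.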
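Review bot: The rewritten PEM_REGEX now matches the whole block including the BEGIN/END markers, whereas the old lookbehind/lookahead form matched only the text between them; every existing user of PEM_REGEX in this file therefore receives different strings, and only the new pkcs7_to_pems is written for the new shape (load_certificate_list, referenced in the next hunk's context, is the obvious candidate, though its body is not visible here). Unless each caller is confirmed to strip the header itself, keep PEM_REGEX as it was and add a second constant, e.g. `PEM_CERT_REGEX`, holding the marker-inclusive pattern for the helper alone.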
@@ -145,6 +155,23 @@ def load_certificate_list_from_file(filename):
 return load_certificate_list(f.read())
 
 
+def pkcs7_to_pems(data, datatype=PEM):
+"""
+Extract certificates from a PKCS #7 object.
+
+Return a ``list`` of X.509 PEM strings.
+
+May throw ``ipautil.CalledProcessError`` on invalid data.
+
+"""
+cmd = [
+OPENSSL, "pkcs7", "-print_certs",
+"-inform", "PEM" if datatype == PEM else "DER",
+]
+result = ipautil.run(cmd, stdin=data, capture_output=True)
+return PEM_REGEX.findall(result.output)
+
+
 def is_self_signed(certificate, datatype=PEM):
 cert = load_certificate(certificate, datatype)
 return cert.issuer == cert.subject
diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index af98a77..6599a69 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -239,13 +239,8 @@ def import_files(self, files, db_password_filename, import_keys=False,
 continue
 
 if label in ('PKCS7', 'PKCS #7 SIGNED DATA', 'CERTIFICATE'):
-args = [
-OPENSSL, 'pkcs7',
-'-print_certs',
-]
 try:
-result = ipautil.run(
-args, stdin=body, capture_output=True)
+certs = x509.pkcs7_to_pems(body)
 except ipautil.CalledProcessError as e:
 if label == 'CERTIFICATE':
 root_logger.warning(
@@ -257,7 +252,7 @@ def import_files(self, files, db_password_filename, import_keys=False,
 filename, line, e)
 continue
 else:
-extracted_certs += result.output + '\n'
+extracted_certs += '\n'.join(certs) + '\n'
 loaded = True
 continue
 
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index bf79821..29acd7e 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
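Review bot: pkcs7_to_pems unpacks the container with `openssl pkcs7 -print_certs`, which checks neither a SignedData signature nor the certificates it returns, and the docstring should say so; the __import_ca_chain hunk in cainstance.py feeds the result straight into the CA database, so the whole trust decision rests on where `data` came from. The docstring should also state that a well-formed PKCS #7 carrying no certificates yields an empty list rather than an error, since `PEM_REGEX.findall` simply finds nothing and callers currently cannot tell that apart from success. Suggested additions: `No signature verification is performed; the PKCS #7 is treated purely as a certificate container.` and `Return an empty list if the object carries no certificates.`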
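Review bot: In the `else:` branch, `'\n'.join(certs) + '\n'` with an empty `certs` still sets `loaded = True`, so a PKCS #7 block that decoded cleanly but contained no certificates is reported as imported and never flagged; the previous code had the same gap, but now that the helper returns a list it is a cheap check. Before the join add `if not certs:`, a `root_logger.warning(...)` mirroring the message style of the except branch above (its `filename, line, e` arguments are visible in the hunk), and `continue`. import_files continues outside the hunk on both sides.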
@@ -749,44 +749,30 @@ def __import_ca_chain(self):
 # makes openssl throw up.
 data = base64.b64decode(chain)
-result = ipautil.run(
-[paths.OPENSSL,
- "pkcs7",
- "-inform",
- "DER",
- "-print_certs",
- ], stdin=data, capture_output=True)
-certlist = result.output
+certlist = x509.pkcs7_to_pems(data, x509.DER)
 # Ok, now we have all the certificates in certs, walk through it
 # and pull out each certificate and add it to our database
-st = 1
-en = 0
-subid = 0
 ca_dn = DN(('CN','Certificate Authority'), self.subject_base)
-while st > 0:
-st = certlist.find('-BEGIN', en)
-en = certlist.find('-END', en+1)
-if st > 0:
-try:
-(chain_fd, chain_name) = tempfile.mkstemp()
-os.write(chain_fd, certlist[st:en+25])
-
[Freeipa-devel] [freeipa PR#177][synchronized] Add options to write lightweight CA cert or chain to file
URL: https://github.com/freeipa/freeipa/pull/177
Author: frasertweedale
Title: #177: Add options to write lightweight CA cert or chain to file
Action: synchronized
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/177/head:pr177
git checkout pr177
From 727acdf3948788dec389473a3bf0c940def84428 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Tue, 16 Aug 2016 13:16:58 +1000
Subject: [PATCH 1/3] Add function for extracting PEM certs from PKCS #7

Add a single function for extracting X.509 certs in PEM format from a PKCS #7 object. Refactor sites that execute ``openssl pkcs7`` to use the new function.

Part of: https://fedorahosted.org/freeipa/ticket/6178
---
 ipalib/x509.py | 23 +-
 ipapython/certdb.py | 9 ++-
 ipaserver/install/cainstance.py | 52 +++--
 3 files changed, 43 insertions(+), 41 deletions(-)

diff --git a/ipalib/x509.py b/ipalib/x509.py
index e1c3867..caf0ddc 100644
--- a/ipalib/x509.py
+++ b/ipalib/x509.py
@@ -48,7 +48,9 @@
 from ipalib import api
 from ipalib import util
 from ipalib import errors
+from ipaplatform.paths import paths
 from ipapython.dn import DN
+from ipapython import ipautil
 
 if six.PY3:
 unicode = str
@@ -56,7 +58,9 @@
 PEM = 0
 DER = 1
 
-PEM_REGEX = re.compile(r'(?<=-BEGIN CERTIFICATE-).*?(?=-END CERTIFICATE-)', re.DOTALL)
+PEM_REGEX = re.compile(
+r'-BEGIN CERTIFICATE-.*?-END CERTIFICATE-',
+re.DOTALL)
 
 EKU_SERVER_AUTH = '1.3.6.1.5.5.7.3.1'
 EKU_CLIENT_AUTH = '1.3.6.1.5.5.7.3.2'
@@ -145,6 +149,23 @@ def load_certificate_list_from_file(filename):
 return load_certificate_list(f.read())
 
 
+def pkcs7_to_pems(data, datatype=PEM):
+"""
+Extract certificates from a PKCS #7 object.
+
+Return a ``list`` of X.509 PEM strings.
+
+May throw ``ipautil.CalledProcessError`` on invalid data.
+
+"""
+cmd = [
+paths.OPENSSL, "pkcs7", "-print_certs",
+"-inform", "PEM" if datatype == PEM else "DER",
+]
+result = ipautil.run(cmd, stdin=data, capture_output=True)
+return PEM_REGEX.findall(result.output)
+
+
 def is_self_signed(certificate, datatype=PEM):
 cert = load_certificate(certificate, datatype)
 return cert.issuer == cert.subject
diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index af98a77..6599a69 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -239,13 +239,8 @@ def import_files(self, files, db_password_filename, import_keys=False,
 continue
 
 if label in ('PKCS7', 'PKCS #7 SIGNED DATA', 'CERTIFICATE'):
-args = [
-OPENSSL, 'pkcs7',
-'-print_certs',
-]
 try:
-result = ipautil.run(
-args, stdin=body, capture_output=True)
+certs = x509.pkcs7_to_pems(body)
 except ipautil.CalledProcessError as e:
 if label == 'CERTIFICATE':
 root_logger.warning(
@@ -257,7 +252,7 @@ def import_files(self, files, db_password_filename, import_keys=False,
 filename, line, e)
 continue
 else:
-extracted_certs += result.output + '\n'
+extracted_certs += '\n'.join(certs) + '\n'
 loaded = True
 continue
 
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index bf79821..29acd7e 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
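Review bot: The docstring of pkcs7_to_pems should say that `openssl pkcs7 -print_certs` only unpacks the container — no SignedData signature and no certificate is validated — so callers must already trust the source of `data`; the cainstance hunk that follows imports the result into the CA database without further checks. It should also say that a PKCS #7 with no certificates yields `[]` rather than an exception, because `PEM_REGEX.findall` just returns nothing. Suggested lines: `No signature verification is performed; the PKCS #7 is treated purely as a certificate container.` and `Return an empty list if the object carries no certificates.`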
@@ -749,44 +749,30 @@ def __import_ca_chain(self):
 # makes openssl throw up.
 data = base64.b64decode(chain)
-result = ipautil.run(
-[paths.OPENSSL,
- "pkcs7",
- "-inform",
- "DER",
- "-print_certs",
- ], stdin=data, capture_output=True)
-certlist = result.output
+certlist = x509.pkcs7_to_pems(data, x509.DER)
 # Ok, now we have all the certificates in certs, walk through it
 # and pull out each certificate and add it to our database
-st = 1
-en = 0
-subid = 0
 ca_dn = DN(('CN','Certificate Authority'), self.subject_base)
-while st > 0:
-st = certlist.find('-BEGIN', en)
-en = certlist.find('-END', en+1)
-if st > 0:
-try:
-(chain_fd, chain_name) = tempfile.mkstemp()
-os.write(chain_fd, certlist[st:en+25])
-os.close(chain_fd)
-(_rdn, subject_dn) =
[Freeipa-devel] [freeipa PR#177][synchronized] Add options to write lightweight CA cert or chain to file
URL: https://github.com/freeipa/freeipa/pull/177
Author: frasertweedale
Title: #177: Add options to write lightweight CA cert or chain to file
Action: synchronized
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/177/head:pr177
git checkout pr177
From 6cd841134829dc51b7698752897e184f9ea462c8 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Tue, 16 Aug 2016 13:16:58 +1000
Subject: [PATCH 1/3] Add function for extracting PEM certs from PKCS #7

Add a single function for extracting X.509 certs in PEM format from a PKCS #7 object. Refactor sites that execute ``openssl pkcs7`` to use the new function.

Part of: https://fedorahosted.org/freeipa/ticket/6178
---
 ipalib/x509.py | 23 +-
 ipapython/certdb.py | 9 ++-
 ipaserver/install/cainstance.py | 52 +++--
 3 files changed, 43 insertions(+), 41 deletions(-)

diff --git a/ipalib/x509.py b/ipalib/x509.py
index e1c3867..caf0ddc 100644
--- a/ipalib/x509.py
+++ b/ipalib/x509.py
@@ -48,7 +48,9 @@
 from ipalib import api
 from ipalib import util
 from ipalib import errors
+from ipaplatform.paths import paths
 from ipapython.dn import DN
+from ipapython import ipautil
 
 if six.PY3:
 unicode = str
@@ -56,7 +58,9 @@
 PEM = 0
 DER = 1
 
-PEM_REGEX = re.compile(r'(?<=-BEGIN CERTIFICATE-).*?(?=-END CERTIFICATE-)', re.DOTALL)
+PEM_REGEX = re.compile(
+r'-BEGIN CERTIFICATE-.*?-END CERTIFICATE-',
+re.DOTALL)
 
 EKU_SERVER_AUTH = '1.3.6.1.5.5.7.3.1'
 EKU_CLIENT_AUTH = '1.3.6.1.5.5.7.3.2'
@@ -145,6 +149,23 @@ def load_certificate_list_from_file(filename):
 return load_certificate_list(f.read())
 
 
+def pkcs7_to_pems(data, datatype=PEM):
+"""
+Extract certificates from a PKCS #7 object.
+
+Return a ``list`` of X.509 PEM strings.
+
+May throw ``ipautil.CalledProcessError`` on invalid data.
+
+"""
+cmd = [
+paths.OPENSSL, "pkcs7", "-print_certs",
+"-inform", "PEM" if datatype == PEM else "DER",
+]
+result = ipautil.run(cmd, stdin=data, capture_output=True)
+return PEM_REGEX.findall(result.output)
+
+
 def is_self_signed(certificate, datatype=PEM):
 cert = load_certificate(certificate, datatype)
 return cert.issuer == cert.subject
diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index af98a77..6599a69 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -239,13 +239,8 @@ def import_files(self, files, db_password_filename, import_keys=False,
 continue
 
 if label in ('PKCS7', 'PKCS #7 SIGNED DATA', 'CERTIFICATE'):
-args = [
-OPENSSL, 'pkcs7',
-'-print_certs',
-]
 try:
-result = ipautil.run(
-args, stdin=body, capture_output=True)
+certs = x509.pkcs7_to_pems(body)
 except ipautil.CalledProcessError as e:
 if label == 'CERTIFICATE':
 root_logger.warning(
@@ -257,7 +252,7 @@ def import_files(self, files, db_password_filename, import_keys=False,
 filename, line, e)
 continue
 else:
-extracted_certs += result.output + '\n'
+extracted_certs += '\n'.join(certs) + '\n'
 loaded = True
 continue
 
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index bf79821..29acd7e 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
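Review bot: pkcs7_to_pems needs a caveat in its docstring that `openssl pkcs7 -print_certs` performs no signature or certificate validation and simply returns whatever the container lists, so the caller owns the trust decision on `data`; the cainstance hunk below feeds the output into the CA database. A second sentence should note that a PKCS #7 without certificates returns `[]` instead of raising, since only CalledProcessError is documented. Suggested wording: `No signature verification is performed; the PKCS #7 is treated purely as a certificate container.` and `Return an empty list if the object carries no certificates.`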
@@ -749,44 +749,30 @@ def __import_ca_chain(self):
 # makes openssl throw up.
 data = base64.b64decode(chain)
-result = ipautil.run(
-[paths.OPENSSL,
- "pkcs7",
- "-inform",
- "DER",
- "-print_certs",
- ], stdin=data, capture_output=True)
-certlist = result.output
+certlist = x509.pkcs7_to_pems(data, x509.DER)
 # Ok, now we have all the certificates in certs, walk through it
 # and pull out each certificate and add it to our database
-st = 1
-en = 0
-subid = 0
 ca_dn = DN(('CN','Certificate Authority'), self.subject_base)
-while st > 0:
-st = certlist.find('-BEGIN', en)
-en = certlist.find('-END', en+1)
-if st > 0:
-try:
-(chain_fd, chain_name) = tempfile.mkstemp()
-os.write(chain_fd, certlist[st:en+25])
-os.close(chain_fd)
-(_rdn, subject_dn) =
[Freeipa-devel] [freeipa PR#177][synchronized] Add options to write lightweight CA cert or chain to file
URL: https://github.com/freeipa/freeipa/pull/177
Author: frasertweedale
Title: #177: Add options to write lightweight CA cert or chain to file
Action: synchronized
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/177/head:pr177
git checkout pr177
From 074d38a611ee4d4edc2afa857563cf0e09527115 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Tue, 16 Aug 2016 13:16:58 +1000
Subject: [PATCH 1/3] Add function for extracting PEM certs from PKCS #7

Add a single function for extracting X.509 certs in PEM format from a PKCS #7 object. Refactor sites that execute ``openssl pkcs7`` to use the new function.

Part of: https://fedorahosted.org/freeipa/ticket/6178
---
 ipalib/x509.py | 23 +-
 ipapython/certdb.py | 9 ++-
 ipaserver/install/cainstance.py | 52 +++--
 3 files changed, 43 insertions(+), 41 deletions(-)

diff --git a/ipalib/x509.py b/ipalib/x509.py
index e1c3867..caf0ddc 100644
--- a/ipalib/x509.py
+++ b/ipalib/x509.py
@@ -48,7 +48,9 @@
 from ipalib import api
 from ipalib import util
 from ipalib import errors
+from ipaplatform.paths import paths
 from ipapython.dn import DN
+from ipapython import ipautil
 
 if six.PY3:
 unicode = str
@@ -56,7 +58,9 @@
 PEM = 0
 DER = 1
 
-PEM_REGEX = re.compile(r'(?<=-BEGIN CERTIFICATE-).*?(?=-END CERTIFICATE-)', re.DOTALL)
+PEM_REGEX = re.compile(
+r'-BEGIN CERTIFICATE-.*?-END CERTIFICATE-',
+re.DOTALL)
 
 EKU_SERVER_AUTH = '1.3.6.1.5.5.7.3.1'
 EKU_CLIENT_AUTH = '1.3.6.1.5.5.7.3.2'
@@ -145,6 +149,23 @@ def load_certificate_list_from_file(filename):
 return load_certificate_list(f.read())
 
 
+def pkcs7_to_pems(data, datatype=PEM):
+"""
+Extract certificates from a PKCS #7 object.
+
+Return a ``list`` of X.509 PEM strings.
+
+May throw ``ipautil.CalledProcessError`` on invalid data.
+
+"""
+cmd = [
+paths.OPENSSL, "pkcs7", "-print_certs",
+"-inform", "PEM" if datatype == PEM else "DER",
+]
+result = ipautil.run(cmd, stdin=data, capture_output=True)
+return PEM_REGEX.findall(result.output)
+
+
 def is_self_signed(certificate, datatype=PEM):
 cert = load_certificate(certificate, datatype)
 return cert.issuer == cert.subject
diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index 5344e37..9b989ef 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -237,13 +237,8 @@ def import_files(self, files, db_password_filename, import_keys=False,
 continue
 
 if label in ('PKCS7', 'PKCS #7 SIGNED DATA', 'CERTIFICATE'):
-args = [
-OPENSSL, 'pkcs7',
-'-print_certs',
-]
 try:
-result = ipautil.run(
-args, stdin=body, capture_output=True)
+certs = x509.pkcs7_to_pems(body)
 except ipautil.CalledProcessError as e:
 if label == 'CERTIFICATE':
 root_logger.warning(
@@ -255,7 +250,7 @@ def import_files(self, files, db_password_filename, import_keys=False,
 filename, line, e)
 continue
 else:
-extracted_certs += result.output + '\n'
+extracted_certs += '\n'.join(certs) + '\n'
 loaded = True
 continue
 
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 505232c..a3751d1 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
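Review bot: The pkcs7_to_pems docstring documents only CalledProcessError and omits two facts a caller needs: `openssl pkcs7 -print_certs` does not verify any SignedData signature or the certificates, so the result is only as trustworthy as the source of `data` (the cainstance hunk below writes it into the CA database), and a container with no certificates comes back as `[]` because `PEM_REGEX.findall` matches nothing. Suggested lines: `No signature verification is performed; the PKCS #7 is treated purely as a certificate container.` and `Return an empty list if the object carries no certificates.`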
@@ -745,44 +745,30 @@ def __import_ca_chain(self):
 # makes openssl throw up.
 data = base64.b64decode(chain)
-result = ipautil.run(
-[paths.OPENSSL,
- "pkcs7",
- "-inform",
- "DER",
- "-print_certs",
- ], stdin=data, capture_output=True)
-certlist = result.output
+certlist = x509.pkcs7_to_pems(data, x509.DER)
 # Ok, now we have all the certificates in certs, walk through it
 # and pull out each certificate and add it to our database
-st = 1
-en = 0
-subid = 0
 ca_dn = DN(('CN','Certificate Authority'), self.subject_base)
-while st > 0:
-st = certlist.find('-BEGIN', en)
-en = certlist.find('-END', en+1)
-if st > 0:
-try:
-(chain_fd, chain_name) = tempfile.mkstemp()
-os.write(chain_fd, certlist[st:en+25])
-os.close(chain_fd)
-(_rdn, subject_dn) =
[Freeipa-devel] [freeipa PR#177][synchronized] Add options to write lightweight CA cert or chain to file
URL: https://github.com/freeipa/freeipa/pull/177
Author: frasertweedale
Title: #177: Add options to write lightweight CA cert or chain to file
Action: synchronized
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/177/head:pr177
git checkout pr177
From 074d38a611ee4d4edc2afa857563cf0e09527115 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Tue, 16 Aug 2016 13:16:58 +1000
Subject: [PATCH 1/3] Add function for extracting PEM certs from PKCS #7

Add a single function for extracting X.509 certs in PEM format from a PKCS #7 object. Refactor sites that execute ``openssl pkcs7`` to use the new function.

Part of: https://fedorahosted.org/freeipa/ticket/6178
---
 ipalib/x509.py | 23 +-
 ipapython/certdb.py | 9 ++-
 ipaserver/install/cainstance.py | 52 +++--
 3 files changed, 43 insertions(+), 41 deletions(-)

diff --git a/ipalib/x509.py b/ipalib/x509.py
index e1c3867..caf0ddc 100644
--- a/ipalib/x509.py
+++ b/ipalib/x509.py
@@ -48,7 +48,9 @@
 from ipalib import api
 from ipalib import util
 from ipalib import errors
+from ipaplatform.paths import paths
 from ipapython.dn import DN
+from ipapython import ipautil
 
 if six.PY3:
 unicode = str
@@ -56,7 +58,9 @@
 PEM = 0
 DER = 1
 
-PEM_REGEX = re.compile(r'(?<=-BEGIN CERTIFICATE-).*?(?=-END CERTIFICATE-)', re.DOTALL)
+PEM_REGEX = re.compile(
+r'-BEGIN CERTIFICATE-.*?-END CERTIFICATE-',
+re.DOTALL)
 
 EKU_SERVER_AUTH = '1.3.6.1.5.5.7.3.1'
 EKU_CLIENT_AUTH = '1.3.6.1.5.5.7.3.2'
@@ -145,6 +149,23 @@ def load_certificate_list_from_file(filename):
 return load_certificate_list(f.read())
 
 
+def pkcs7_to_pems(data, datatype=PEM):
+"""
+Extract certificates from a PKCS #7 object.
+
+Return a ``list`` of X.509 PEM strings.
+
+May throw ``ipautil.CalledProcessError`` on invalid data.
+
+"""
+cmd = [
+paths.OPENSSL, "pkcs7", "-print_certs",
+"-inform", "PEM" if datatype == PEM else "DER",
+]
+result = ipautil.run(cmd, stdin=data, capture_output=True)
+return PEM_REGEX.findall(result.output)
+
+
 def is_self_signed(certificate, datatype=PEM):
 cert = load_certificate(certificate, datatype)
 return cert.issuer == cert.subject
diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index 5344e37..9b989ef 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -237,13 +237,8 @@ def import_files(self, files, db_password_filename, import_keys=False,
 continue
 
 if label in ('PKCS7', 'PKCS #7 SIGNED DATA', 'CERTIFICATE'):
-args = [
-OPENSSL, 'pkcs7',
-'-print_certs',
-]
 try:
-result = ipautil.run(
-args, stdin=body, capture_output=True)
+certs = x509.pkcs7_to_pems(body)
 except ipautil.CalledProcessError as e:
 if label == 'CERTIFICATE':
 root_logger.warning(
@@ -255,7 +250,7 @@ def import_files(self, files, db_password_filename, import_keys=False,
 filename, line, e)
 continue
 else:
-extracted_certs += result.output + '\n'
+extracted_certs += '\n'.join(certs) + '\n'
 loaded = True
 continue
 
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 505232c..a3751d1 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
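Review bot: pkcs7_to_pems should document that it is a pure extraction step: `openssl pkcs7 -print_certs` validates nothing, so whatever certificates the container lists are returned and the caller must already trust where `data` came from (the cainstance hunk below imports them into the CA database). It should also say that an empty list, not an exception, is the result when the object holds no certificates. Suggested lines: `No signature verification is performed; the PKCS #7 is treated purely as a certificate container.` and `Return an empty list if the object carries no certificates.`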
@@ -745,44 +745,30 @@ def __import_ca_chain(self):
 # makes openssl throw up.
 data = base64.b64decode(chain)
-result = ipautil.run(
-[paths.OPENSSL,
- "pkcs7",
- "-inform",
- "DER",
- "-print_certs",
- ], stdin=data, capture_output=True)
-certlist = result.output
+certlist = x509.pkcs7_to_pems(data, x509.DER)
 # Ok, now we have all the certificates in certs, walk through it
 # and pull out each certificate and add it to our database
-st = 1
-en = 0
-subid = 0
 ca_dn = DN(('CN','Certificate Authority'), self.subject_base)
-while st > 0:
-st = certlist.find('-BEGIN', en)
-en = certlist.find('-END', en+1)
-if st > 0:
-try:
-(chain_fd, chain_name) = tempfile.mkstemp()
-os.write(chain_fd, certlist[st:en+25])
-os.close(chain_fd)
-(_rdn, subject_dn) =
[Freeipa-devel] [freeipa PR#177][synchronized] Add options to write lightweight CA cert or chain to file
URL: https://github.com/freeipa/freeipa/pull/177
Author: frasertweedale
Title: #177: Add options to write lightweight CA cert or chain to file
Action: synchronized
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/177/head:pr177
git checkout pr177
From 074d38a611ee4d4edc2afa857563cf0e09527115 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Tue, 16 Aug 2016 13:16:58 +1000
Subject: [PATCH 1/3] Add function for extracting PEM certs from PKCS #7

Add a single function for extracting X.509 certs in PEM format from a PKCS #7 object. Refactor sites that execute ``openssl pkcs7`` to use the new function.

Part of: https://fedorahosted.org/freeipa/ticket/6178
---
 ipalib/x509.py | 23 +-
 ipapython/certdb.py | 9 ++-
 ipaserver/install/cainstance.py | 52 +++--
 3 files changed, 43 insertions(+), 41 deletions(-)

diff --git a/ipalib/x509.py b/ipalib/x509.py
index e1c3867..caf0ddc 100644
--- a/ipalib/x509.py
+++ b/ipalib/x509.py
@@ -48,7 +48,9 @@
 from ipalib import api
 from ipalib import util
 from ipalib import errors
+from ipaplatform.paths import paths
 from ipapython.dn import DN
+from ipapython import ipautil
 
 if six.PY3:
 unicode = str
@@ -56,7 +58,9 @@
 PEM = 0
 DER = 1
 
-PEM_REGEX = re.compile(r'(?<=-BEGIN CERTIFICATE-).*?(?=-END CERTIFICATE-)', re.DOTALL)
+PEM_REGEX = re.compile(
+r'-BEGIN CERTIFICATE-.*?-END CERTIFICATE-',
+re.DOTALL)
 
 EKU_SERVER_AUTH = '1.3.6.1.5.5.7.3.1'
 EKU_CLIENT_AUTH = '1.3.6.1.5.5.7.3.2'
@@ -145,6 +149,23 @@ def load_certificate_list_from_file(filename):
 return load_certificate_list(f.read())
 
 
+def pkcs7_to_pems(data, datatype=PEM):
+"""
+Extract certificates from a PKCS #7 object.
+
+Return a ``list`` of X.509 PEM strings.
+
+May throw ``ipautil.CalledProcessError`` on invalid data.
+
+"""
+cmd = [
+paths.OPENSSL, "pkcs7", "-print_certs",
+"-inform", "PEM" if datatype == PEM else "DER",
+]
+result = ipautil.run(cmd, stdin=data, capture_output=True)
+return PEM_REGEX.findall(result.output)
+
+
 def is_self_signed(certificate, datatype=PEM):
 cert = load_certificate(certificate, datatype)
 return cert.issuer == cert.subject
diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index 5344e37..9b989ef 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -237,13 +237,8 @@ def import_files(self, files, db_password_filename, import_keys=False,
 continue
 
 if label in ('PKCS7', 'PKCS #7 SIGNED DATA', 'CERTIFICATE'):
-args = [
-OPENSSL, 'pkcs7',
-'-print_certs',
-]
 try:
-result = ipautil.run(
-args, stdin=body, capture_output=True)
+certs = x509.pkcs7_to_pems(body)
 except ipautil.CalledProcessError as e:
 if label == 'CERTIFICATE':
 root_logger.warning(
@@ -255,7 +250,7 @@ def import_files(self, files, db_password_filename, import_keys=False,
 filename, line, e)
 continue
 else:
-extracted_certs += result.output + '\n'
+extracted_certs += '\n'.join(certs) + '\n'
 loaded = True
 continue
 
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 505232c..a3751d1 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
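Review bot: Two contract details are missing from the pkcs7_to_pems docstring: `openssl pkcs7 -print_certs` checks no signature and validates no certificate, so the caller carries the whole trust decision on `data` (the cainstance hunk below imports the output into the CA database), and a PKCS #7 with no certificates yields `[]` silently because only `PEM_REGEX.findall` decides the result. Suggested lines: `No signature verification is performed; the PKCS #7 is treated purely as a certificate container.` and `Return an empty list if the object carries no certificates.`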
@@ -745,44 +745,30 @@ def __import_ca_chain(self):
 # makes openssl throw up.
 data = base64.b64decode(chain)
-result = ipautil.run(
-[paths.OPENSSL,
- "pkcs7",
- "-inform",
- "DER",
- "-print_certs",
- ], stdin=data, capture_output=True)
-certlist = result.output
+certlist = x509.pkcs7_to_pems(data, x509.DER)
 # Ok, now we have all the certificates in certs, walk through it
 # and pull out each certificate and add it to our database
-st = 1
-en = 0
-subid = 0
 ca_dn = DN(('CN','Certificate Authority'), self.subject_base)
-while st > 0:
-st = certlist.find('-BEGIN', en)
-en = certlist.find('-END', en+1)
-if st > 0:
-try:
-(chain_fd, chain_name) = tempfile.mkstemp()
-os.write(chain_fd, certlist[st:en+25])
-os.close(chain_fd)
-(_rdn, subject_dn) =
[Freeipa-devel] [freeipa PR#177][synchronized] Add options to write lightweight CA cert or chain to file
URL: https://github.com/freeipa/freeipa/pull/177
Author: frasertweedale
Title: #177: Add options to write lightweight CA cert or chain to file
Action: synchronized
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/177/head:pr177
git checkout pr177
From 773304e4f3b68da29251fd0f4971aee936d93020 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Tue, 16 Aug 2016 13:16:58 +1000
Subject: [PATCH 1/3] Add function for extracting PEM certs from PKCS #7

Add a single function for extracting X.509 certs in PEM format from a PKCS #7 object. Refactor sites that execute ``openssl pkcs7`` to use the new function.

Part of: https://fedorahosted.org/freeipa/ticket/6178
---
 ipalib/x509.py | 23 +-
 ipapython/certdb.py | 9 ++-
 ipaserver/install/cainstance.py | 52 +++--
 3 files changed, 43 insertions(+), 41 deletions(-)

diff --git a/ipalib/x509.py b/ipalib/x509.py
index e1c3867..caf0ddc 100644
--- a/ipalib/x509.py
+++ b/ipalib/x509.py
@@ -48,7 +48,9 @@
 from ipalib import api
 from ipalib import util
 from ipalib import errors
+from ipaplatform.paths import paths
 from ipapython.dn import DN
+from ipapython import ipautil
 
 if six.PY3:
 unicode = str
@@ -56,7 +58,9 @@
 PEM = 0
 DER = 1
 
-PEM_REGEX = re.compile(r'(?<=-BEGIN CERTIFICATE-).*?(?=-END CERTIFICATE-)', re.DOTALL)
+PEM_REGEX = re.compile(
+r'-BEGIN CERTIFICATE-.*?-END CERTIFICATE-',
+re.DOTALL)
 
 EKU_SERVER_AUTH = '1.3.6.1.5.5.7.3.1'
 EKU_CLIENT_AUTH = '1.3.6.1.5.5.7.3.2'
@@ -145,6 +149,23 @@ def load_certificate_list_from_file(filename):
 return load_certificate_list(f.read())
 
 
+def pkcs7_to_pems(data, datatype=PEM):
+"""
+Extract certificates from a PKCS #7 object.
+
+Return a ``list`` of X.509 PEM strings.
+
+May throw ``ipautil.CalledProcessError`` on invalid data.
+
+"""
+cmd = [
+paths.OPENSSL, "pkcs7", "-print_certs",
+"-inform", "PEM" if datatype == PEM else "DER",
+]
+result = ipautil.run(cmd, stdin=data, capture_output=True)
+return PEM_REGEX.findall(result.output)
+
+
 def is_self_signed(certificate, datatype=PEM):
 cert = load_certificate(certificate, datatype)
 return cert.issuer == cert.subject
diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index c2fe599..a3c8e95 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -272,13 +272,8 @@ def import_files(self, files, db_password_filename, import_keys=False,
 continue
 
 if label in ('PKCS7', 'PKCS #7 SIGNED DATA', 'CERTIFICATE'):
-args = [
-paths.OPENSSL, 'pkcs7',
-'-print_certs',
-]
 try:
-result = ipautil.run(
-args, stdin=body, capture_output=True)
+certs = x509.pkcs7_to_pems(body)
 except ipautil.CalledProcessError as e:
 if label == 'CERTIFICATE':
 root_logger.warning(
@@ -290,7 +285,7 @@ def import_files(self, files, db_password_filename, import_keys=False,
 filename, line, e)
 continue
 else:
-extracted_certs += result.output + '\n'
+extracted_certs += '\n'.join(certs) + '\n'
 loaded = True
 continue
 
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 26755ee..a7c740d 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -743,44 +743,30 @@ def __import_ca_chain(self):
 # makes openssl throw up.
 data = base64.b64decode(chain)
-result = ipautil.run(
-[paths.OPENSSL,
- "pkcs7",
- "-inform",
- "DER",
- "-print_certs",
- ], stdin=data, capture_output=True)
-certlist = result.output
+certlist = x509.pkcs7_to_pems(data, x509.DER)
 # Ok, now we have all the certificates in certs, walk through it
 # and pull out each certificate and add it to our database
-st = 1
-en = 0
-subid = 0
 ca_dn = DN(('CN','Certificate Authority'), self.subject_base)
-while st > 0:
-st = certlist.find('-BEGIN', en)
-en = certlist.find('-END', en+1)
-if st > 0:
-try:
-(chain_fd, chain_name) = tempfile.mkstemp()
-os.write(chain_fd, certlist[st:en+25])
-os.close(chain_fd)
-(_rdn, subject_dn) =
[Freeipa-devel] [freeipa PR#177][synchronized] Add options to write lightweight CA cert or chain to file
URL: https://github.com/freeipa/freeipa/pull/177
Author: frasertweedale
Title: #177: Add options to write lightweight CA cert or chain to file
Action: synchronized
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/177/head:pr177
git checkout pr177
From d9e479582a581b6b345c518bd64f0972f2e2fb3f Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Tue, 16 Aug 2016 13:16:58 +1000
Subject: [PATCH 1/3] Add function for extracting PEM certs from PKCS #7

Add a single function for extracting X.509 certs in PEM format from a PKCS #7 object. Refactor sites that execute ``openssl pkcs7`` to use the new function.

Part of: https://fedorahosted.org/freeipa/ticket/6178
---
 ipalib/x509.py | 23 +-
 ipapython/certdb.py | 9 ++-
 ipaserver/install/cainstance.py | 52 +++--
 3 files changed, 43 insertions(+), 41 deletions(-)

diff --git a/ipalib/x509.py b/ipalib/x509.py
index e1c3867..caf0ddc 100644
--- a/ipalib/x509.py
+++ b/ipalib/x509.py
@@ -48,7 +48,9 @@
 from ipalib import api
 from ipalib import util
 from ipalib import errors
+from ipaplatform.paths import paths
 from ipapython.dn import DN
+from ipapython import ipautil
 
 if six.PY3:
 unicode = str
@@ -56,7 +58,9 @@
 PEM = 0
 DER = 1
 
-PEM_REGEX = re.compile(r'(?<=-BEGIN CERTIFICATE-).*?(?=-END CERTIFICATE-)', re.DOTALL)
+PEM_REGEX = re.compile(
+r'-BEGIN CERTIFICATE-.*?-END CERTIFICATE-',
+re.DOTALL)
 
 EKU_SERVER_AUTH = '1.3.6.1.5.5.7.3.1'
 EKU_CLIENT_AUTH = '1.3.6.1.5.5.7.3.2'
@@ -145,6 +149,23 @@ def load_certificate_list_from_file(filename):
 return load_certificate_list(f.read())
 
 
+def pkcs7_to_pems(data, datatype=PEM):
+"""
+Extract certificates from a PKCS #7 object.
+
+Return a ``list`` of X.509 PEM strings.
+
+May throw ``ipautil.CalledProcessError`` on invalid data.
+
+"""
+cmd = [
+paths.OPENSSL, "pkcs7", "-print_certs",
+"-inform", "PEM" if datatype == PEM else "DER",
+]
+result = ipautil.run(cmd, stdin=data, capture_output=True)
+return PEM_REGEX.findall(result.output)
+
+
 def is_self_signed(certificate, datatype=PEM):
 cert = load_certificate(certificate, datatype)
 return cert.issuer == cert.subject
diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index c2fe599..a3c8e95 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -272,13 +272,8 @@ def import_files(self, files, db_password_filename, import_keys=False,
 continue
 
 if label in ('PKCS7', 'PKCS #7 SIGNED DATA', 'CERTIFICATE'):
-args = [
-paths.OPENSSL, 'pkcs7',
-'-print_certs',
-]
 try:
-result = ipautil.run(
-args, stdin=body, capture_output=True)
+certs = x509.pkcs7_to_pems(body)
 except ipautil.CalledProcessError as e:
 if label == 'CERTIFICATE':
 root_logger.warning(
@@ -290,7 +285,7 @@ def import_files(self, files, db_password_filename, import_keys=False,
 filename, line, e)
 continue
 else:
-extracted_certs += result.output + '\n'
+extracted_certs += '\n'.join(certs) + '\n'
 loaded = True
 continue
 
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index c7a117d..ea0f49e 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
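Review bot: pkcs7_to_pems is documented as raising CalledProcessError on invalid data but not as an unauthenticated extraction: `openssl pkcs7 -print_certs` verifies neither a SignedData signature nor the certificates, so callers must already trust the origin of `data` (the cainstance hunk below imports the output into the CA database). The docstring should also mention that a container without certificates produces `[]`, since `PEM_REGEX.findall` just returns nothing. Suggested lines: `No signature verification is performed; the PKCS #7 is treated purely as a certificate container.` and `Return an empty list if the object carries no certificates.`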
@@ -743,44 +743,30 @@ def __import_ca_chain(self):
 # makes openssl throw up.
 data = base64.b64decode(chain)
-result = ipautil.run(
-[paths.OPENSSL,
- "pkcs7",
- "-inform",
- "DER",
- "-print_certs",
- ], stdin=data, capture_output=True)
-certlist = result.output
+certlist = x509.pkcs7_to_pems(data, x509.DER)
 # Ok, now we have all the certificates in certs, walk through it
 # and pull out each certificate and add it to our database
-st = 1
-en = 0
-subid = 0
 ca_dn = DN(('CN','Certificate Authority'), self.subject_base)
-while st > 0:
-st = certlist.find('-BEGIN', en)
-en = certlist.find('-END', en+1)
-if st > 0:
-try:
-(chain_fd, chain_name) = tempfile.mkstemp()
-os.write(chain_fd, certlist[st:en+25])
-os.close(chain_fd)
-(_rdn, subject_dn) =
[Freeipa-devel] [freeipa PR#177][synchronized] Add options to write lightweight CA cert or chain to file
URL: https://github.com/freeipa/freeipa/pull/177
Author: frasertweedale
Title: #177: Add options to write lightweight CA cert or chain to file
Action: synchronized
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/177/head:pr177
git checkout pr177
From 759b7a6dd15f9f9f08220175614ae9f8030de54c Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Tue, 16 Aug 2016 13:16:58 +1000
Subject: [PATCH 1/2] Add function for extracting PEM certs from PKCS #7

Add a single function for extracting X.509 certs in PEM format from a PKCS #7 object. Refactor sites that execute ``openssl pkcs7`` to use the new function.

Part of: https://fedorahosted.org/freeipa/ticket/6178
---
 ipalib/x509.py | 22 -
 ipapython/certdb.py | 9 ++-
 ipaserver/install/cainstance.py | 52 +++--
 3 files changed, 42 insertions(+), 41 deletions(-)

diff --git a/ipalib/x509.py b/ipalib/x509.py
index e1c3867..75eedff 100644
--- a/ipalib/x509.py
+++ b/ipalib/x509.py
@@ -49,6 +49,7 @@
 from ipalib import util
 from ipalib import errors
 from ipapython.dn import DN
+from ipapython import ipautil
 
 if six.PY3:
 unicode = str
@@ -56,7 +57,9 @@
 PEM = 0
 DER = 1
 
-PEM_REGEX = re.compile(r'(?<=-BEGIN CERTIFICATE-).*?(?=-END CERTIFICATE-)', re.DOTALL)
+PEM_REGEX = re.compile(
+r'-BEGIN CERTIFICATE-.*?-END CERTIFICATE-',
+re.DOTALL)
 
 EKU_SERVER_AUTH = '1.3.6.1.5.5.7.3.1'
 EKU_CLIENT_AUTH = '1.3.6.1.5.5.7.3.2'
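Review bot: This revision adds only the `ipautil` import here, dropping the `from ipaplatform.paths import paths` line that the earlier revisions of the same patch inserted at this spot, yet pkcs7_to_pems in the next hunk still calls `paths.OPENSSL`; unless `paths` is already imported above line 49 (not visible in this hunk, and the base blob e1c3867 is the same one the earlier revisions had to add it to), the helper raises NameError on first use. Restore `from ipaplatform.paths import paths` next to the ipautil import, or exercise certdb.import_files in a test to prove the name resolves. The module's import block continues outside the hunk.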
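Review bot: Changing PEM_REGEX from a lookbehind/lookahead match of the text between the markers to a match of the whole block alters what every existing user of the constant receives, and this patch only adjusts the new pkcs7_to_pems to the new shape; load_certificate_list appears in the next hunk's context and is the likely other consumer, though its body is not shown. Unless each such caller is confirmed to strip the header itself, leave PEM_REGEX unchanged and introduce a separate `PEM_CERT_REGEX` with the marker-inclusive pattern for the helper.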
@@ -145,6 +148,23 @@ def load_certificate_list_from_file(filename):
 return load_certificate_list(f.read())
+def pkcs7_to_pems(data, datatype=PEM):
+"""
+Extract certificates from a PKCS #7 object.
+
+Return a ``list`` of X.509 PEM strings.
+
+May throw ``ipautil.CalledProcessError`` on invalid data.
+
+"""
+cmd = [
+paths.OPENSSL, "pkcs7", "-print_certs",
+"-inform", "PEM" if datatype == PEM else "DER",
+]
+result = ipautil.run(cmd, stdin=data, capture_output=True)
+return PEM_REGEX.findall(result.output)
+
+
 def is_self_signed(certificate, datatype=PEM):
 cert = load_certificate(certificate, datatype)
 return cert.issuer == cert.subject
diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index c2fe599..a3c8e95 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -272,13 +272,8 @@ def import_files(self, files, db_password_filename, import_keys=False,
 continue
 if label in ('PKCS7', 'PKCS #7 SIGNED DATA', 'CERTIFICATE'):
-args = [
-paths.OPENSSL, 'pkcs7',
-'-print_certs',
-]
 try:
-result = ipautil.run(
-args, stdin=body, capture_output=True)
+certs = x509.pkcs7_to_pems(body)
 except ipautil.CalledProcessError as e:
 if label == 'CERTIFICATE':
 root_logger.warning(
@@ -290,7 +285,7 @@ def import_files(self, files, db_password_filename, import_keys=False,
 filename, line, e)
 continue
 else:
-extracted_certs += result.output + '\n'
+extracted_certs += '\n'.join(certs) + '\n'
 loaded = True
 continue
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 7b26e74..6adeb8d 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
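Review bot: `pkcs7_to_pems` treats every `datatype` value other than PEM as DER, so a wrong or mistyped constant is silently handed to openssl as `-inform DER` instead of being rejected; add `if datatype not in (PEM, DER): raise ValueError('unknown datatype %r' % datatype)` before `cmd` is built. The pattern as rendered here reads `-BEGIN CERTIFICATE-`; if that is the literal pattern rather than a collapsed `-----BEGIN CERTIFICATE-----`, each returned string lacks the dashes on both sides and `'\n'.join(certs)` in the certdb.py hunk would no longer be parseable PEM for whatever consumes `extracted_certs`, so please confirm against the committed regex. In that same certdb.py hunk an empty `certs` list (a PKCS #7 blob openssl accepts but that carries no certificates) still sets `loaded = True` with nothing appended, which mirrors the old behaviour but is now trivial to surface with `if not certs:` and a warning naming `filename`. The same points apply to the re-sent revision of these hunks further down the page.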
@@ -847,44 +847,30 @@ def __import_ca_chain(self):
 # makes openssl throw up.
 data = base64.b64decode(chain)
-result = ipautil.run(
-[paths.OPENSSL,
- "pkcs7",
- "-inform",
- "DER",
- "-print_certs",
- ], stdin=data, capture_output=True)
-certlist = result.output
+certlist = x509.pkcs7_to_pems(data, x509.DER)
 # Ok, now we have all the certificates in certs, walk through it
 # and pull out each certificate and add it to our database
-st = 1
-en = 0
-subid = 0
 ca_dn = DN(('CN','Certificate Authority'), self.subject_base)
-while st > 0:
-st = certlist.find('-BEGIN', en)
-en = certlist.find('-END', en+1)
-if st > 0:
-try:
-(chain_fd, chain_name) = tempfile.mkstemp()
-os.write(chain_fd, certlist[st:en+25])
-os.close(chain_fd)
-(_rdn, subject_dn) = certs.get_cert_nickname(certlist[st:en+25])
-if subject_dn
[Freeipa-devel] [freeipa PR#177][synchronized] Add options to write lightweight CA cert or chain to file
URL: https://github.com/freeipa/freeipa/pull/177 Author: frasertweedale Title: #177: Add options to write lightweight CA cert or chain to file Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/177/head:pr177 git checkout pr177 From 7b9618966398748a448af51b42c86826d8e73a06 Mon Sep 17 00:00:00 2001 From: Fraser TweedaleDate: Tue, 16 Aug 2016 13:16:58 +1000 Subject: [PATCH 1/2] Add function for extracting PEM certs from PKCS #7 Add a single function for extracting X.509 certs in PEM format from a PKCS #7 object. Refactor sites that execute ``openssl pkcs7`` to use the new function. Part of: https://fedorahosted.org/freeipa/ticket/6178
---
 ipalib/x509.py | 23 +- ipapython/certdb.py | 9 ++- ipaserver/install/cainstance.py | 52 +++-- 3 files changed, 43 insertions(+), 41 deletions(-)
diff --git a/ipalib/x509.py b/ipalib/x509.py
index e986a97..0461553 100644
--- a/ipalib/x509.py
+++ b/ipalib/x509.py
@@ -51,11 +51,14 @@ from ipalib import errors
 from ipaplatform.paths import paths
 from ipapython.dn import DN
+from ipapython import ipautil
 PEM = 0
 DER = 1
-PEM_REGEX = re.compile(r'(?<=-BEGIN CERTIFICATE-).*?(?=-END CERTIFICATE-)', re.DOTALL)
+PEM_REGEX = re.compile(
+r'-BEGIN CERTIFICATE-.*?-END CERTIFICATE-',
+re.DOTALL)
 EKU_SERVER_AUTH = '1.3.6.1.5.5.7.3.1'
 EKU_CLIENT_AUTH = '1.3.6.1.5.5.7.3.2'
@@ -148,6 +151,24 @@ def load_certificate_list(data, dbdir=None):
 certs = [load_certificate(cert, PEM, dbdir) for cert in certs]
 return certs
+
+def pkcs7_to_pems(data, datatype=PEM):
+"""
+Extract certificates from a PKCS #7 object.
+
+Return a ``list`` of X.509 PEM strings.
+
+May throw ``ipautil.CalledProcessError`` on invalid data.
+
+"""
+cmd = [
+paths.OPENSSL, "pkcs7", "-print_certs",
+"-inform", "PEM" if datatype == PEM else "DER",
+]
+result = ipautil.run(cmd, stdin=data, capture_output=True)
+return PEM_REGEX.findall(result.output)
+
+
 def load_certificate_list_from_file(filename, dbdir=None):
 """ Load a certificate list from a PEM file.
diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index 0c0..49c2613 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -270,13 +270,8 @@ def import_files(self, files, db_password_filename, import_keys=False,
 continue
 if label in ('PKCS7', 'PKCS #7 SIGNED DATA', 'CERTIFICATE'):
-args = [
-paths.OPENSSL, 'pkcs7',
-'-print_certs',
-]
 try:
-result = ipautil.run(
-args, stdin=body, capture_output=True)
+certs = x509.pkcs7_to_pems(body)
 except ipautil.CalledProcessError as e:
 if label == 'CERTIFICATE':
 root_logger.warning(
@@ -288,7 +283,7 @@ def import_files(self, files, db_password_filename, import_keys=False,
 filename, line, e)
 continue
 else:
-extracted_certs += result.output + '\n'
+extracted_certs += '\n'.join(certs) + '\n'
 loaded = True
 continue
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 384abc3..7d6a956 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -847,44 +847,30 @@ def __import_ca_chain(self):
 # makes openssl throw up.
 data = base64.b64decode(chain)
-result = ipautil.run(
-[paths.OPENSSL,
- "pkcs7",
- "-inform",
- "DER",
- "-print_certs",
- ], stdin=data, capture_output=True)
-certlist = result.output
+certlist = x509.pkcs7_to_pems(data, x509.DER)
 # Ok, now we have all the certificates in certs, walk through it
 # and pull out each certificate and add it to our database
-st = 1
-en = 0
-subid = 0
 ca_dn = DN(('CN','Certificate Authority'), self.subject_base)
-while st > 0:
-st = certlist.find('-BEGIN', en)
-en = certlist.find('-END', en+1)
-if st > 0:
-try:
-(chain_fd, chain_name) = tempfile.mkstemp()
-os.write(chain_fd, certlist[st:en+25])
-os.close(chain_fd)
-(_rdn, subject_dn) = certs.get_cert_nickname(certlist[st:en+25])
-if subject_dn == ca_dn:
-