ipa/0001-Revert-cert_find-fix-call-with-all.patch

From a44fd5a7691d263d670312e0c8e02efd868618c1 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Tue, 6 Jun 2023 17:15:11 +0200
Subject: [PATCH] Revert "cert_find: fix call with --all"

This reverts commit 918b6e011795ba4854d178d18c86ad54f3cf75ab.

Revert "Use the OpenSSL certificate parser in cert-find"

This reverts commit 50dd79d1a35549034bc281fbdffea4399baed3c7.
---
 freeipa.spec.in           |  2 --
 ipaserver/plugins/cert.py | 27 +++------------------------
 2 files changed, 3 insertions(+), 26 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 3e23bbfe9d054a3a9febf468de0bcb4a6e81bb32..bec9780a82fe0d9bc5a50a93bdce8aa7e27a9f30 100755
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -412,7 +412,6 @@ BuildRequires:  python3-pylint
 BuildRequires:  python3-pytest-multihost
 BuildRequires:  python3-pytest-sourceorder
 BuildRequires:  python3-qrcode-core >= 5.0.0
-BuildRequires:  python3-pyOpenSSL
 BuildRequires:  python3-samba
 BuildRequires:  python3-six
 BuildRequires:  python3-sss
@@ -884,7 +883,6 @@ Requires: python3-netifaces >= 0.10.4
 Requires: python3-pyasn1 >= 0.3.2-2
 Requires: python3-pyasn1-modules >= 0.3.2-2
 Requires: python3-pyusb
-Requires: python3-pyOpenSSL
 Requires: python3-qrcode-core >= 5.0.0
 Requires: python3-requests
 Requires: python3-six
diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index 400b1b3cec0aba82e699a4a981516e121f3e0c77..36a0e8cb31b4dbdd9bff09165d1d8aa203936d37 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -30,7 +30,6 @@ import cryptography.x509
 from cryptography.hazmat.primitives import hashes, serialization
 from dns import resolver, reversename
 import six
-import sys
 
 from ipalib import Command, Str, Int, Flag, StrEnum, SerialNumber
 from ipalib import api
@@ -1618,19 +1617,7 @@ class cert_find(Search, CertMethod):
             )
 
     def _get_cert_key(self, cert):
-        # for cert-find with a certificate value
-        if isinstance(cert, x509.IPACertificate):
-            return (DN(cert.issuer), cert.serial_number)
-
-        issuer = []
-        for oid, value in cert.get_issuer().get_components():
-            issuer.append(
-                '{}={}'.format(oid.decode('utf-8'), value.decode('utf-8'))
-            )
-        issuer = ','.join(issuer)
-        # Use this to flip from OpenSSL reverse to X500 ordering
-        issuer = DN(issuer).x500_text()
-        return (DN(issuer), cert.get_serial_number())
+        return (DN(cert.issuer), cert.serial_number)
 
     def _cert_search(self, pkey_only, **options):
         result = collections.OrderedDict()
@@ -1750,11 +1737,6 @@ class cert_find(Search, CertMethod):
         return result, False, complete
 
     def _ldap_search(self, all, pkey_only, no_members, **options):
-        # defer import of the OpenSSL module to not affect the requests
-        # module which will use pyopenssl if this is available.
-        if sys.modules.get('OpenSSL.SSL', False) is None:
-            del sys.modules["OpenSSL.SSL"]
-        import OpenSSL.crypto
         ldap = self.api.Backend.ldap2
 
         filters = []
@@ -1813,21 +1795,18 @@ class cert_find(Search, CertMethod):
         ca_enabled = getattr(context, 'ca_enabled')
         for entry in entries:
             for attr in ('usercertificate', 'usercertificate;binary'):
-                for der in entry.raw.get(attr, []):
-                    cert = OpenSSL.crypto.load_certificate(
-                        OpenSSL.crypto.FILETYPE_ASN1, der)
+                for cert in entry.get(attr, []):
                     cert_key = self._get_cert_key(cert)
                     try:
                         obj = result[cert_key]
                     except KeyError:
-                        obj = {'serial_number': cert.get_serial_number()}
+                        obj = {'serial_number': cert.serial_number}
                         if not pkey_only and (all or not ca_enabled):
                             # Retrieving certificate details is now deferred
                             # until after all certificates are collected.
                             # For the case of CA-less we need to keep
                             # the certificate because getting it again later
                             # would require unnecessary LDAP searches.
-                            cert = cert.to_cryptography()
                             obj['certificate'] = (
                                 base64.b64encode(
                                     cert.public_bytes(x509.Encoding.DER))
-- 
2.40.1
ipa-4.10.2-1 - Resolves: rhbz#2196426 [Rebase] Rebase ipa to latest 4.10.x release for RHEL 9.3 - Resolves: rhbz#2192969 Better handling of the command line and web UI cert search and/or list features - Resolves: rhbz#2192625 Better catch of the IPA web UI event "IPA Error 4301:CertificateOperationError", and IPA httpd error CertificateOperationError - Resolves: rhbz#2188567 IPA client Kerberos configuration incompatible with java - Resolves: rhbz#2182683 Tolerate absence of PAC ticket signature depending of domain and servers capabilities [rhel-9] - Resolves: rhbz#2180914 Sequence processing failures for group_add using server context - Resolves: rhbz#2165880 Add RBCD support to IPA - Resolves: rhbz#2160399 get_ranges - [file ipa_sidgen_common.c, line 276]: Failed to convert LDAP entry to range struct Signed-off-by: Florence Blanc-Renaud <flo@redhat.com> 2023-06-06 14:15:50 +00:00			`From a44fd5a7691d263d670312e0c8e02efd868618c1 Mon Sep 17 00:00:00 2001`
			`From: Florence Blanc-Renaud <flo@redhat.com>`
			`Date: Tue, 6 Jun 2023 17:15:11 +0200`
			`Subject: [PATCH] Revert "cert_find: fix call with --all"`

			`This reverts commit 918b6e011795ba4854d178d18c86ad54f3cf75ab.`

			`Revert "Use the OpenSSL certificate parser in cert-find"`

			`This reverts commit 50dd79d1a35549034bc281fbdffea4399baed3c7.`
			`---`
			`freeipa.spec.in \| 2 --`
			`ipaserver/plugins/cert.py \| 27 +++------------------------`
			`2 files changed, 3 insertions(+), 26 deletions(-)`

			`diff --git a/freeipa.spec.in b/freeipa.spec.in`
			`index 3e23bbfe9d054a3a9febf468de0bcb4a6e81bb32..bec9780a82fe0d9bc5a50a93bdce8aa7e27a9f30 100755`
			`--- a/freeipa.spec.in`
			`+++ b/freeipa.spec.in`
			`@@ -412,7 +412,6 @@ BuildRequires: python3-pylint`
			`BuildRequires: python3-pytest-multihost`
			`BuildRequires: python3-pytest-sourceorder`
			`BuildRequires: python3-qrcode-core >= 5.0.0`
			`-BuildRequires: python3-pyOpenSSL`
			`BuildRequires: python3-samba`
			`BuildRequires: python3-six`
			`BuildRequires: python3-sss`
			`@@ -884,7 +883,6 @@ Requires: python3-netifaces >= 0.10.4`
			`Requires: python3-pyasn1 >= 0.3.2-2`
			`Requires: python3-pyasn1-modules >= 0.3.2-2`
			`Requires: python3-pyusb`
			`-Requires: python3-pyOpenSSL`
			`Requires: python3-qrcode-core >= 5.0.0`
			`Requires: python3-requests`
			`Requires: python3-six`
			`diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py`
			`index 400b1b3cec0aba82e699a4a981516e121f3e0c77..36a0e8cb31b4dbdd9bff09165d1d8aa203936d37 100644`
			`--- a/ipaserver/plugins/cert.py`
			`+++ b/ipaserver/plugins/cert.py`
			`@@ -30,7 +30,6 @@ import cryptography.x509`
			`from cryptography.hazmat.primitives import hashes, serialization`
			`from dns import resolver, reversename`
			`import six`
			`-import sys`

			`from ipalib import Command, Str, Int, Flag, StrEnum, SerialNumber`
			`from ipalib import api`
			`@@ -1618,19 +1617,7 @@ class cert_find(Search, CertMethod):`
			`)`

			`def _get_cert_key(self, cert):`
			`- # for cert-find with a certificate value`
			`- if isinstance(cert, x509.IPACertificate):`
			`- return (DN(cert.issuer), cert.serial_number)`
			`-`
			`- issuer = []`
			`- for oid, value in cert.get_issuer().get_components():`
			`- issuer.append(`
			`- '{}={}'.format(oid.decode('utf-8'), value.decode('utf-8'))`
			`- )`
			`- issuer = ','.join(issuer)`
			`- # Use this to flip from OpenSSL reverse to X500 ordering`
			`- issuer = DN(issuer).x500_text()`
			`- return (DN(issuer), cert.get_serial_number())`
			`+ return (DN(cert.issuer), cert.serial_number)`

			`def _cert_search(self, pkey_only, **options):`
			`result = collections.OrderedDict()`
			`@@ -1750,11 +1737,6 @@ class cert_find(Search, CertMethod):`
			`return result, False, complete`

			`def _ldap_search(self, all, pkey_only, no_members, **options):`
			`- # defer import of the OpenSSL module to not affect the requests`
			`- # module which will use pyopenssl if this is available.`
			`- if sys.modules.get('OpenSSL.SSL', False) is None:`
			`- del sys.modules["OpenSSL.SSL"]`
			`- import OpenSSL.crypto`
			`ldap = self.api.Backend.ldap2`

			`filters = []`
			`@@ -1813,21 +1795,18 @@ class cert_find(Search, CertMethod):`
			`ca_enabled = getattr(context, 'ca_enabled')`
			`for entry in entries:`
			`for attr in ('usercertificate', 'usercertificate;binary'):`
			`- for der in entry.raw.get(attr, []):`
			`- cert = OpenSSL.crypto.load_certificate(`
			`- OpenSSL.crypto.FILETYPE_ASN1, der)`
			`+ for cert in entry.get(attr, []):`
			`cert_key = self._get_cert_key(cert)`
			`try:`
			`obj = result[cert_key]`
			`except KeyError:`
			`- obj = {'serial_number': cert.get_serial_number()}`
			`+ obj = {'serial_number': cert.serial_number}`
			`if not pkey_only and (all or not ca_enabled):`
			`# Retrieving certificate details is now deferred`
			`# until after all certificates are collected.`
			`# For the case of CA-less we need to keep`
			`# the certificate because getting it again later`
			`# would require unnecessary LDAP searches.`
			`- cert = cert.to_cryptography()`
			`obj['certificate'] = (`
			`base64.b64encode(`
			`cert.public_bytes(x509.Encoding.DER))`
			`--`
			`2.40.1`