108 lines
4.5 KiB
Diff
108 lines
4.5 KiB
Diff
|
From a44fd5a7691d263d670312e0c8e02efd868618c1 Mon Sep 17 00:00:00 2001
|
||
|
From: Florence Blanc-Renaud <flo@redhat.com>
|
||
|
Date: Tue, 6 Jun 2023 17:15:11 +0200
|
||
|
Subject: [PATCH] Revert "cert_find: fix call with --all"
|
||
|
|
||
|
This reverts commit 918b6e011795ba4854d178d18c86ad54f3cf75ab.
|
||
|
|
||
|
Revert "Use the OpenSSL certificate parser in cert-find"
|
||
|
|
||
|
This reverts commit 50dd79d1a35549034bc281fbdffea4399baed3c7.
|
||
|
---
|
||
|
freeipa.spec.in | 2 --
|
||
|
ipaserver/plugins/cert.py | 27 +++------------------------
|
||
|
2 files changed, 3 insertions(+), 26 deletions(-)
|
||
|
|
||
|
diff --git a/freeipa.spec.in b/freeipa.spec.in
|
||
|
index 3e23bbfe9d054a3a9febf468de0bcb4a6e81bb32..bec9780a82fe0d9bc5a50a93bdce8aa7e27a9f30 100755
|
||
|
--- a/freeipa.spec.in
|
||
|
+++ b/freeipa.spec.in
|
||
|
@@ -412,7 +412,6 @@ BuildRequires: python3-pylint
|
||
|
BuildRequires: python3-pytest-multihost
|
||
|
BuildRequires: python3-pytest-sourceorder
|
||
|
BuildRequires: python3-qrcode-core >= 5.0.0
|
||
|
-BuildRequires: python3-pyOpenSSL
|
||
|
BuildRequires: python3-samba
|
||
|
BuildRequires: python3-six
|
||
|
BuildRequires: python3-sss
|
||
|
@@ -884,7 +883,6 @@ Requires: python3-netifaces >= 0.10.4
|
||
|
Requires: python3-pyasn1 >= 0.3.2-2
|
||
|
Requires: python3-pyasn1-modules >= 0.3.2-2
|
||
|
Requires: python3-pyusb
|
||
|
-Requires: python3-pyOpenSSL
|
||
|
Requires: python3-qrcode-core >= 5.0.0
|
||
|
Requires: python3-requests
|
||
|
Requires: python3-six
|
||
|
diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
|
||
|
index 400b1b3cec0aba82e699a4a981516e121f3e0c77..36a0e8cb31b4dbdd9bff09165d1d8aa203936d37 100644
|
||
|
--- a/ipaserver/plugins/cert.py
|
||
|
+++ b/ipaserver/plugins/cert.py
|
||
|
@@ -30,7 +30,6 @@ import cryptography.x509
|
||
|
from cryptography.hazmat.primitives import hashes, serialization
|
||
|
from dns import resolver, reversename
|
||
|
import six
|
||
|
-import sys
|
||
|
|
||
|
from ipalib import Command, Str, Int, Flag, StrEnum, SerialNumber
|
||
|
from ipalib import api
|
||
|
@@ -1618,19 +1617,7 @@ class cert_find(Search, CertMethod):
|
||
|
)
|
||
|
|
||
|
def _get_cert_key(self, cert):
|
||
|
- # for cert-find with a certificate value
|
||
|
- if isinstance(cert, x509.IPACertificate):
|
||
|
- return (DN(cert.issuer), cert.serial_number)
|
||
|
-
|
||
|
- issuer = []
|
||
|
- for oid, value in cert.get_issuer().get_components():
|
||
|
- issuer.append(
|
||
|
- '{}={}'.format(oid.decode('utf-8'), value.decode('utf-8'))
|
||
|
- )
|
||
|
- issuer = ','.join(issuer)
|
||
|
- # Use this to flip from OpenSSL reverse to X500 ordering
|
||
|
- issuer = DN(issuer).x500_text()
|
||
|
- return (DN(issuer), cert.get_serial_number())
|
||
|
+ return (DN(cert.issuer), cert.serial_number)
|
||
|
|
||
|
def _cert_search(self, pkey_only, **options):
|
||
|
result = collections.OrderedDict()
|
||
|
@@ -1750,11 +1737,6 @@ class cert_find(Search, CertMethod):
|
||
|
return result, False, complete
|
||
|
|
||
|
def _ldap_search(self, all, pkey_only, no_members, **options):
|
||
|
- # defer import of the OpenSSL module to not affect the requests
|
||
|
- # module which will use pyopenssl if this is available.
|
||
|
- if sys.modules.get('OpenSSL.SSL', False) is None:
|
||
|
- del sys.modules["OpenSSL.SSL"]
|
||
|
- import OpenSSL.crypto
|
||
|
ldap = self.api.Backend.ldap2
|
||
|
|
||
|
filters = []
|
||
|
@@ -1813,21 +1795,18 @@ class cert_find(Search, CertMethod):
|
||
|
ca_enabled = getattr(context, 'ca_enabled')
|
||
|
for entry in entries:
|
||
|
for attr in ('usercertificate', 'usercertificate;binary'):
|
||
|
- for der in entry.raw.get(attr, []):
|
||
|
- cert = OpenSSL.crypto.load_certificate(
|
||
|
- OpenSSL.crypto.FILETYPE_ASN1, der)
|
||
|
+ for cert in entry.get(attr, []):
|
||
|
cert_key = self._get_cert_key(cert)
|
||
|
try:
|
||
|
obj = result[cert_key]
|
||
|
except KeyError:
|
||
|
- obj = {'serial_number': cert.get_serial_number()}
|
||
|
+ obj = {'serial_number': cert.serial_number}
|
||
|
if not pkey_only and (all or not ca_enabled):
|
||
|
# Retrieving certificate details is now deferred
|
||
|
# until after all certificates are collected.
|
||
|
# For the case of CA-less we need to keep
|
||
|
# the certificate because getting it again later
|
||
|
# would require unnecessary LDAP searches.
|
||
|
- cert = cert.to_cryptography()
|
||
|
obj['certificate'] = (
|
||
|
base64.b64encode(
|
||
|
cert.public_bytes(x509.Encoding.DER))
|
||
|
--
|
||
|
2.40.1
|
||
|
|