From a44fd5a7691d263d670312e0c8e02efd868618c1 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud
Date: Tue, 6 Jun 2023 17:15:11 +0200
Subject: [PATCH] Revert "cert_find: fix call with --all"

This reverts commit 918b6e011795ba4854d178d18c86ad54f3cf75ab.

Revert "Use the OpenSSL certificate parser in cert-find"

This reverts commit 50dd79d1a35549034bc281fbdffea4399baed3c7.
---
 freeipa.spec.in           |  2 --
 ipaserver/plugins/cert.py | 27 +++------------------------
 2 files changed, 3 insertions(+), 26 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 3e23bbfe9d054a3a9febf468de0bcb4a6e81bb32..bec9780a82fe0d9bc5a50a93bdce8aa7e27a9f30 100755
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -412,7 +412,6 @@ BuildRequires: python3-pylint
 BuildRequires: python3-pytest-multihost
 BuildRequires: python3-pytest-sourceorder
 BuildRequires: python3-qrcode-core >= 5.0.0
-BuildRequires: python3-pyOpenSSL
 BuildRequires: python3-samba
 BuildRequires: python3-six
 BuildRequires: python3-sss
@@ -884,7 +883,6 @@ Requires: python3-netifaces >= 0.10.4
 Requires: python3-pyasn1 >= 0.3.2-2
 Requires: python3-pyasn1-modules >= 0.3.2-2
 Requires: python3-pyusb
-Requires: python3-pyOpenSSL
 Requires: python3-qrcode-core >= 5.0.0
 Requires: python3-requests
 Requires: python3-six
diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index 400b1b3cec0aba82e699a4a981516e121f3e0c77..36a0e8cb31b4dbdd9bff09165d1d8aa203936d37 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -30,7 +30,6 @@ import cryptography.x509
 from cryptography.hazmat.primitives import hashes, serialization
 from dns import resolver, reversename
 import six
-import sys
 
 from ipalib import Command, Str, Int, Flag, StrEnum, SerialNumber
 from ipalib import api
@@ -1618,19 +1617,7 @@ class cert_find(Search, CertMethod):
         )
 
     def _get_cert_key(self, cert):
-        # for cert-find with a certificate value
-        if isinstance(cert, x509.IPACertificate):
-            return (DN(cert.issuer), cert.serial_number)
-
-        issuer = []
-        for oid, value in cert.get_issuer().get_components():
-            issuer.append(
-                '{}={}'.format(oid.decode('utf-8'), value.decode('utf-8'))
-            )
-        issuer = ','.join(issuer)
-        # Use this to flip from OpenSSL reverse to X500 ordering
-        issuer = DN(issuer).x500_text()
-        return (DN(issuer), cert.get_serial_number())
+        return (DN(cert.issuer), cert.serial_number)
 
     def _cert_search(self, pkey_only, **options):
         result = collections.OrderedDict()
@@ -1750,11 +1737,6 @@ class cert_find(Search, CertMethod):
         return result, False, complete
 
     def _ldap_search(self, all, pkey_only, no_members, **options):
-        # defer import of the OpenSSL module to not affect the requests
-        # module which will use pyopenssl if this is available.
-        if sys.modules.get('OpenSSL.SSL', False) is None:
-            del sys.modules["OpenSSL.SSL"]
-        import OpenSSL.crypto
         ldap = self.api.Backend.ldap2
 
         filters = []
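Review bot: The restored one-line `_get_cert_key` has no docstring, and it now silently assumes every `cert` it receives exposes cryptography-style `.issuer` and `.serial_number` attributes, whereas the removed `isinstance(cert, x509.IPACertificate)` branch made that expectation explicit and handled the pyOpenSSL shape separately. I would add `"""Return the (issuer DN, serial number) pair identifying *cert*; callers must pass an already-parsed certificate object, never raw DER."""`, since issuer plus serial is what the result dict in `_ldap_search` dedups on. Any remaining caller that still passes a DER value (only the `_ldap_search` caller is visible in this patch) would now fail with an AttributeError rather than a clear type error, so the contract is worth stating. `_get_cert_key` is complete within this hunk; `_cert_search` starts here and continues past it.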
@@ -1813,21 +1795,18 @@ class cert_find(Search, CertMethod):
         ca_enabled = getattr(context, 'ca_enabled')
         for entry in entries:
             for attr in ('usercertificate', 'usercertificate;binary'):
-                for der in entry.raw.get(attr, []):
-                    cert = OpenSSL.crypto.load_certificate(
-                        OpenSSL.crypto.FILETYPE_ASN1, der)
+                for cert in entry.get(attr, []):
                     cert_key = self._get_cert_key(cert)
                     try:
                         obj = result[cert_key]
                     except KeyError:
-                        obj = {'serial_number': cert.get_serial_number()}
+                        obj = {'serial_number': cert.serial_number}
                         if not pkey_only and (all or not ca_enabled):
                             # Retrieving certificate details is now deferred
                             # until after all certificates are collected.
                             # For the case of CA-less we need to keep
                             # the certificate because getting it again later
                             # would require unnecessary LDAP searches.
-                            cert = cert.to_cryptography()
                             obj['certificate'] = (
                                 base64.b64encode(
                                     cert.public_bytes(x509.Encoding.DER))
-- 
2.40.1
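Review bot: With `for cert in entry.get(attr, [])` the loop now relies on the LDAP entry layer having already decoded each `usercertificate` value into a certificate object, and there is still no per-value error handling: if that decoding raises on a malformed or truncated blob stored in one entry (it appears to happen on attribute access, but the decoder is not visible here), the entire cert-find fails for every entry instead of skipping the one bad value. The removed explicit `load_certificate` call had the same gap, so this is not a regression, but a single corrupt attribute value becoming a search-wide failure is worth either a narrow `except ValueError` that logs and `continue`s, or at least a comment stating the trust boundary, e.g. `# entry.get() yields certificates already parsed by the LDAP layer; the raw DER stays under entry.raw`. `_ldap_search` begins and ends outside this hunk.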