[Freeipa-devel] [PATCH] 0029 Work around python-nss bug on unrecognised OIDs
Fraser Tweedale
ftweedal at redhat.com
Thu Jul 30 04:09:04 UTC 2015
The attached patch works around a bug in python-nss triggered by
unrecognised PKCS#10 request extensions. It is needed for
https://fedorahosted.org/freeipa/ticket/4752 but can be reverted
once the python-nss bug is fixed.
Thanks,
Fraser
-------------- next part --------------
From b1846bd1130bb403334cdef0aaf994b45c66d4d7 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal at redhat.com>
Date: Fri, 24 Jul 2015 09:23:07 -0400
Subject: [PATCH] Work around python-nss bug on unrecognised OIDs
A bug in python-nss causes an error to be thrown when converting an
unrecognised OID to a string. If cert-request receives a PKCS #10
CSR with an unknown extension, the error is thrown.
Work around this error by first checking if the OID is recognised
and, if it is not, using a different method to obtain its string
representation.
Once the python-nss bug is fixed, this workaround should be
reverted. https://bugzilla.redhat.com/show_bug.cgi?id=1246729
---
ipalib/pkcs10.py | 15 ++++++++++++++-
1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/ipalib/pkcs10.py b/ipalib/pkcs10.py
index 6299dfea43b7a3f4104f0b0ec78c4f105d9daf62..64670835127e96f1d724c5f32ed7a939d37b7f16 100644
--- a/ipalib/pkcs10.py
+++ b/ipalib/pkcs10.py
@@ -53,7 +53,20 @@ def get_extensions(csr, datatype=PEM):
The return value is a tuple of strings
"""
request = load_certificate_request(csr, datatype)
- return tuple(nss.oid_dotted_decimal(ext.oid_tag)[4:]
+
+ # Work around a bug in python-nss where nss.oid_dotted_decimal
+ # errors on unrecognised OIDs
+ #
+ # https://bugzilla.redhat.com/show_bug.cgi?id=1246729
+ #
+ def get_prefixed_oid_str(ext):
+ """Returns a string like 'OID.1.2...'."""
+ if ext.oid_tag == 0:
+ return repr(ext)
+ else:
+ return nss.oid_dotted_decimal(ext.oid)
+
+ return tuple(get_prefixed_oid_str(ext)[4:]
for ext in request.extensions)
class _PrincipalName(univ.Sequence):
--
2.4.3
More information about the Freeipa-devel
mailing list