[Freeipa-devel] [PATCH] 0029 Work around python-nss bug on unrecognised OIDs

Fraser Tweedale ftweedal at redhat.com
Thu Jul 30 04:09:04 UTC 2015 

The attached patch works around a bug in python-nss triggered by
unrecognised PKCS#10 request extensions.  It is needed for
https://fedorahosted.org/freeipa/ticket/4752 but can be reverted
once the python-nss bug is fixed.

Thanks,
Fraser
-------------- next part --------------
From b1846bd1130bb403334cdef0aaf994b45c66d4d7 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal at redhat.com>
Date: Fri, 24 Jul 2015 09:23:07 -0400
Subject: [PATCH] Work around python-nss bug on unrecognised OIDs

A bug in python-nss causes an error to be thrown when converting an
unrecognised OID to a string.  If cert-request receives a PKCS #10
CSR with an unknown extension, the error is thrown.

Work around this error by first checking if the OID is recognised
and, if it is not, using a different method to obtain its string
representation.

Once the python-nss bug is fixed, this workaround should be
reverted.  https://bugzilla.redhat.com/show_bug.cgi?id=1246729
---
 ipalib/pkcs10.py | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/ipalib/pkcs10.py b/ipalib/pkcs10.py
index 6299dfea43b7a3f4104f0b0ec78c4f105d9daf62..64670835127e96f1d724c5f32ed7a939d37b7f16 100644
--- a/ipalib/pkcs10.py
+++ b/ipalib/pkcs10.py
@@ -53,7 +53,20 @@ def get_extensions(csr, datatype=PEM):
     The return value is a tuple of strings
     """
     request = load_certificate_request(csr, datatype)
-    return tuple(nss.oid_dotted_decimal(ext.oid_tag)[4:]
+
+    # Work around a bug in python-nss where nss.oid_dotted_decimal
+    # errors on unrecognised OIDs
+    #
+    # https://bugzilla.redhat.com/show_bug.cgi?id=1246729
+    #
+    def get_prefixed_oid_str(ext):
+        """Returns a string like 'OID.1.2...'."""
+        if ext.oid_tag == 0:
+            return repr(ext)
+        else:
+            return nss.oid_dotted_decimal(ext.oid)
+
+    return tuple(get_prefixed_oid_str(ext)[4:]
                  for ext in request.extensions)
 
 class _PrincipalName(univ.Sequence):
-- 
2.4.3

More information about the Freeipa-devel mailing list