
[Pki-devel] [PATCH] 008 Wrap CertData.pkcs7_cert_chain in BEGIN/END CERTIFICATE



Hello,

the patch fixes #1374. It feels wrong to fix the bug in Python space. I
have addressed my concerns in
https://fedorahosted.org/pki/ticket/1374#comment:8

According to https://www.openssl.org/docs/apps/pkcs7.html a PEM PKCS7
message can be wrapped in either BEGIN PKCS7/END PKCS7 or in BEGIN
CERTIFICATE/END CERTIFICATE. Barbican uses BEGIN CERTIFICATE in the file
https://github.com/openstack/barbican/blob/master/barbican/plugin/dogtag.py.
Let's do that, too.

A fix for pki.cert.CertData is trivial. However I'm not sure if that is
the best place to add the wrapping header and footer. It may be a better
idea to fix it once and for all at the root in
org.dogtagpki.server.ca.rest.CertService.getCertChainData().

From 33996f5da70aeb9f864133d6addfdf25c4c0ace5 Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes redhat com>
Date: Wed, 1 Jul 2015 14:41:15 +0200
Subject: [PATCH] Wrap CertData.pkcs7_cert_chain in BEGIN/END CERTIFICATE

CertData.pkcs7_cert_chain is a base64 encoded PKCS#7 message without the
usual BEGIN/END CERTIFICATE or BEGIN/END PKCS7 header and footer.
CertService.getCertChainData() doesn't wrap the data.

https://fedorahosted.org/pki/ticket/1374
---
 base/common/python/pki/cert.py | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/base/common/python/pki/cert.py b/base/common/python/pki/cert.py
index 1fe323f24058a73bd205c8868a2194e8b4cde02e..46e99927f14591ed6df551b793c1b7f0beed0aaf 100644
--- a/base/common/python/pki/cert.py
+++ b/base/common/python/pki/cert.py
@@ -85,6 +85,11 @@ class CertData(object):
         if 'Link' in attr_list:
             cert_data.link = pki.Link.from_json(attr_list['Link'])
 
+        if not cert_data.pkcs7_cert_chain.startswith('='):
+            cert_data.pkcs7_cert_chain = '\n'.join(
+                [pki.CERT_HEADER, cert_data.pkcs7_cert_chain.rstrip(), pki.CERT_FOOTER]
+            )
+
         return cert_data
 
 
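Review bot: the guard on the first added line, `if not cert_data.pkcs7_cert_chain.startswith('=')`, does not detect an existing PEM header. Base64 data never begins with the padding character '=', and a PEM armor line begins with '-----BEGIN' (assuming pki.CERT_HEADER is the usual BEGIN CERTIFICATE line), so the condition is true for wrapped and unwrapped input alike and an already-wrapped chain would get a second header and footer. Testing `startswith(pki.CERT_HEADER)`, or `startswith('-----BEGIN')` to also cover the BEGIN PKCS7 form, would make the wrap idempotent. The added block also calls `.startswith` unconditionally, unlike the 'Link' handling just above it, which checks `in attr_list` first; if pkcs7_cert_chain can be None or absent in the JSON, this raises AttributeError, so a guard for that case is worth adding. A short comment or docstring line saying that the attribute now carries PEM armor would help callers that previously added their own.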
-- 
2.4.3
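
An added example, not part of the original message or of the Dogtag code: one way to wrap a bare base64 PKCS#7 blob so that the operation is idempotent and accepts either PEM label the message mentions. The name `wrap_pkcs7_chain`, the label tuple and the sample data are assumptions made for illustration.

```python
import base64
import binascii
import re

# The two labels the message says are accepted for a PEM PKCS#7 message.
PKCS7_LABELS = ("PKCS7", "CERTIFICATE")
_ARMOR = re.compile(
    r"\A-----BEGIN (?P<label>[A-Z0-9 ]+)-----\s+(?P<body>.*?)"
    r"\s*-----END (?P=label)-----\s*\Z",
    re.DOTALL,
)


def wrap_pkcs7_chain(data, label="CERTIFICATE"):
    """Return data as one PEM block (hypothetical helper, not pki.cert code)."""
    if label not in PKCS7_LABELS:
        raise ValueError("unsupported label: %r" % label)
    if data is None or not data.strip():
        return data  # field absent or empty: nothing to wrap
    text = data.strip()
    match = _ARMOR.match(text)
    if match:
        if match.group("label") not in PKCS7_LABELS:
            raise ValueError("unexpected PEM label: %r" % match.group("label"))
        # Already armored: keep its label and re-emit the body once.
        label = match.group("label")
        text = match.group("body")
    # Remove line breaks, then reject anything that is not strict base64.
    b64 = "".join(text.split())
    try:
        base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError("payload is not base64: %s" % exc)
    # PEM bodies are conventionally folded at 64 characters per line.
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----" % (
        label, "\n".join(lines), label)


# Constructed sample: arbitrary bytes, not a real PKCS#7 structure.
SAMPLE_B64 = base64.b64encode(bytes(range(100))).decode("ascii")

if __name__ == "__main__":
    print(wrap_pkcs7_chain(SAMPLE_B64))
```
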
