From 308c790ee90f00e0bc2c40abf51c30e5250631e9 Mon Sep 17 00:00:00 2001
From: David Kupka
Date: Feb 07 2017 12:58:48 +0000
Subject: ipalib.x509: Handle missing SAN gracefully

When extension is not present None is returned instead of empty iterable or exception thrown.

Reviewed-By: Martin Basti
---
diff --git a/ipalib/x509.py b/ipalib/x509.py
index 60a947b..f65cf81 100644
--- a/ipalib/x509.py
+++ b/ipalib/x509.py
@@ -435,8 +435,12 @@ def get_san_general_names(cert):
 asn1Spec=rfc2459.TBSCertificate()
 )[0]
 OID_SAN = univ.ObjectIdentifier('2.5.29.17')
+ # One would expect KeyError or empty iterable when the key ('extensions'
+ # in this particular case) is not pressent in the certificate but pyasn1
+ # returns None here
+ extensions = tbs['extensions'] or []
 gns = []
- for ext in tbs['extensions']:
+ for ext in extensions:
 if ext['extnID'] == OID_SAN:
 der = decoder.decode(
 ext['extnValue'], asn1Spec=univ.OctetString())[0]
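Review bot: The comment added above `extensions = tbs['extensions'] or []` has a typo ("pressent") and does not state the resulting contract, namely that a certificate with no extensions field now yields an empty `gns` list rather than a TypeError. Callers that match on SAN need to know that an empty result means "no SAN present" and not a parse failure, so that belongs in the docstring of `get_san_general_names`, which begins outside this hunk. Suggested wording for the comment: `# pyasn1 returns None (not KeyError or an empty sequence) when the optional 'extensions' field is absent; treat that as "no extensions".` A regression test that parses a certificate without extensions and asserts an empty list would pin the behaviour, since it presumably depends on the pyasn1 version in use.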