From a381d888cd6effc480c373f19f6a0ecbf00c4182 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Aug 26 2016 07:09:45 +0000
Subject: x509: include otherName DER value in GeneralNameInfo

We want to include the whole DER value when we pretty-print unrecognised otherNames, so add a field to the GeneralNameInfo namedtuple and populate it for otherNames.

Part of: https://fedorahosted.org/freeipa/ticket/6022

Reviewed-By: Jan Cholasta
---
diff --git a/ipalib/x509.py b/ipalib/x509.py
index 541609f..e986a97 100644
--- a/ipalib/x509.py
+++ b/ipalib/x509.py
@@ -465,7 +465,7 @@ def _decode_krb5principalname(data):
 
 
 GeneralNameInfo = collections.namedtuple(
-    'GeneralNameInfo', ('type', 'desc', 'value'))
+    'GeneralNameInfo', ('type', 'desc', 'value', 'der_value'))
 
 
 def decode_generalnames(secitem):
@@ -477,8 +477,9 @@ def decode_generalnames(secitem):
     The input is the DER-encoded extension data, without the OCTET STRING header, as an nss SecItem object.
 
-    Return a list of tuples of name types (as string, suitable for presentation) and names (as string, suitable for presentation).
+    Return a list of ``GeneralNameInfo`` namedtuples. The ``der_value`` field is set for otherNames, otherwise it is ``None``.
 
     """
     nss_names = nss.x509_alt_name(secitem, repr_kind=nss.AsObject)
@@ -496,14 +497,18 @@ def decode_generalnames(secitem):
         if nss_name.type_enum == nss.certOtherName:
             oid = str(asn1_name['otherName']['type-id'])
             nametype = (nss_name.type_enum, oid)
+            der_value = asn1_name['otherName']['value'].asOctets()
         else:
             nametype = nss_name.type_enum
+            der_value = None
 
         if nametype == (nss.certOtherName, SAN_KRB5PRINCIPALNAME):
             name = _decode_krb5principalname(asn1_name['otherName']['value'])
         else:
             name = nss_name.name
-        names.append(GeneralNameInfo(nametype, nss_name.type_string, name))
+
+        gni = GeneralNameInfo(nametype, nss_name.type_string, name, der_value)
+        names.append(gni)
 
     return names
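Review bot: `der_value` in the third hunk carries the raw DER bytes of the otherName value straight out of the certificate, and nothing in the patch records that it is attacker-controlled binary data, so the docstring added in the second hunk should say how consumers are expected to treat it, e.g. `The ``der_value`` field holds the raw DER bytes of the otherName value (untrusted certificate data, to be rendered as hex or base64 rather than as text); it is ``None`` for all other name types.` Growing the namedtuple from three to four fields also breaks every remaining three-element unpacking of a GeneralNameInfo with a ValueError; the cert.py hunk in this commit fixes one such site, but any other caller is outside this patch and should be checked. As a point of style, `der_value = None` could be assigned once before the `if` in the third hunk so only the otherName branch needs to touch it. The `for` loop that these lines belong to starts outside the hunk, and `decode_generalnames` itself begins above the second hunk.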
diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index 3e9eda5..9ee0b38 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -559,7 +559,7 @@ class cert_request(Create, BaseCertMethod, VirtualCommand):
                 "to the 'userCertificate' attribute of entry '%s'.") % dn)
 
         # Validate the subject alt name, if any
-        for name_type, desc, name in subjectaltname:
+        for name_type, desc, name, der_name in subjectaltname:
             if name_type == nss.certDNSName:
                 name = unicode(name)
                 alt_principal_obj = None
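Review bot: `der_name` is unpacked on the changed `for` line but is not read anywhere in the visible loop body, so a reader has to search the rest of the method to learn it is unused; naming it `_der_name`, or unpacking by attribute with `for gni in subjectaltname:` and reading `gni.type`, `gni.value`, would make the intent explicit and survive further field additions. The enclosing method starts above the hunk and the loop body continues below it, so a later use cannot be ruled out from here. Note that the same positional unpacking in any other caller of `decode_generalnames` would now raise ValueError; none is visible in this patch.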