#3003 x509 certs use different DN type
Opened 7 years ago by jdennis. Modified 2 years ago

ipalib.x509 uses python-nss to load certificates. The nss.nss.Certificate class has properties that return various pieces of information about the certificate, including the subject and issuer. However, the object class returned by the subject and issuer properties of nss.nss.Certificate is python-nss's own DN class, i.e. nss.nss.DN, not the ipapython.DN class we use in IPA.

This creates some ugliness and problems. For example:

    from ipapython.dn import DN
    from ipalib import x509
    my_subject = DN(subject)                           # ipapython.DN
    cert = x509.load_certificate_from_file(cert_file)  # nss.nss.Certificate
    if my_subject != cert.subject:                     # cert.subject is an nss.nss.DN
        ...  # always taken: the two DN types never compare equal

This will fail because you can't compare an ipapython.DN object to an nss.nss.DN object: they don't know anything about each other (they are on different sides of API boundaries).

But you could convert the nss.nss.DN to a ipapython.DN:

    if my_subject != DN(str(cert.subject)):

Note that you first have to convert the nss.nss.DN object to a string in order for the DN constructor to accept it.

This is ugly, awkward and prone to errors.

We can do one of two things:

  1. Subclass nss.nss.Certificate and override the subject and issuer properties so they return IPA DN objects.
  2. Allow the ipapython.DN constructor to convert unknown types to a string, which it can then process.

First thoughts are that option 1 is preferred because we have a rule that inside IPA, items which are supposed to be DNs are ipapython.DN objects 100% of the time, and the conversion is supposed to occur at API boundaries.
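The following is an added example, not FreeIPA or python-nss code, that models the mismatch and both proposed fixes with toy stand-ins: `DN` plays the role of ipapython.DN, `ForeignDN` of nss.nss.DN, `Cert` of nss.nss.Certificate, and `IPACert` and `LenientDN` are this example's own names for option 1 (convert at the boundary) and option 2 (lenient constructor). The parsing and equality rules are the example's own, not those of either real library.

```python
# Added example (not FreeIPA or python-nss code). Models the DN type
# mismatch from the ticket and the two proposed fixes with toy classes.


class DN:
    """Stand-in for ipapython.DN: an ordered list of (type, value) AVAs."""

    def __init__(self, value):
        if isinstance(value, DN):
            self.rdns = list(value.rdns)
        elif isinstance(value, str):
            self.rdns = self._parse(value)
        else:
            raise TypeError("DN() expects a DN or str, got %s" % type(value).__name__)

    @staticmethod
    def _parse(text):
        rdns = []
        for rdn in text.split(","):
            attr, sep, val = rdn.partition("=")
            if not sep:
                raise ValueError("malformed RDN: %r" % rdn)
            # attribute types are case-insensitive here; values are kept as-is
            rdns.append((attr.strip().lower(), val.strip()))
        return rdns

    def __eq__(self, other):
        # A foreign DN class is never equal, even if it renders to the same text.
        return isinstance(other, DN) and self.rdns == other.rdns

    def __ne__(self, other):
        return not self.__eq__(other)

    def __str__(self):
        return ",".join("%s=%s" % (a, v) for a, v in self.rdns)


class ForeignDN:
    """Stand-in for nss.nss.DN: opaque, only knows how to render itself."""

    def __init__(self, text):
        self._text = text

    def __str__(self):
        return self._text


class Cert:
    """Stand-in for nss.nss.Certificate: subject/issuer are ForeignDN objects."""

    def __init__(self, subject, issuer):
        self._subject = ForeignDN(subject)
        self._issuer = ForeignDN(issuer)

    @property
    def subject(self):
        return self._subject

    @property
    def issuer(self):
        return self._issuer


class IPACert(Cert):
    """Option 1: convert at the API boundary so callers only ever see DN."""

    @property
    def subject(self):
        return DN(str(super().subject))

    @property
    def issuer(self):
        return DN(str(super().issuer))


class LenientDN(DN):
    """Option 2: the constructor stringifies unknown types itself."""

    def __init__(self, value):
        if not isinstance(value, (DN, str)):
            value = str(value)
        super().__init__(value)


def naive_match(cert, expected):
    """The broken comparison from the ticket: DN vs foreign DN is never equal."""
    return DN(expected) == cert.subject


def boundary_match(cert, expected):
    """Option 1 in use: pass an IPACert, whose subject is already a DN."""
    return DN(expected) == cert.subject


def lenient_match(cert, expected):
    """Option 2 in use: convert the foreign object at the comparison site."""
    return LenientDN(expected) == LenientDN(cert.subject)


def strict_dn_rejects(obj):
    """True if the strict DN constructor refuses a non-DN, non-str object."""
    try:
        DN(obj)
    except TypeError:
        return True
    return False


if __name__ == "__main__":
    # constructed sample values, not taken from any real certificate
    args = ("CN=host.example.test,O=EXAMPLE.TEST", "CN=Certificate Authority,O=EXAMPLE.TEST")
    print(naive_match(Cert(*args), args[0]))       # False, the bug
    print(boundary_match(IPACert(*args), args[0]))  # True
    print(lenient_match(Cert(*args), args[0]))      # True
```

The point worth noticing is that the broken comparison does not raise; it quietly evaluates to "not equal", so a mismatch check built on it is always taken and a match check is never taken. A unit test that asserts the positive case (expected subject really matches) is what catches this, and `strict_dn_rejects` shows the strict constructor failing loudly rather than accepting a foreign object.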

Metadata Update from @jdennis (2 years ago):
- Issue assigned to someone
- Issue set to the milestone: Ticket Backlog
