From 688660a0545f5a29b6f4f2f06bbef23d3dbef688 Mon Sep 17 00:00:00 2001

From: Fraser Tweedale <ftweedal@redhat.com>

Date: Fri, 24 Jul 2015 09:23:07 -0400

Subject: [PATCH] Work around python-nss bug on unrecognised OIDs

A bug in python-nss causes an error to be thrown when converting an

unrecognised OID to a string.  If cert-request receives a PKCS #10

CSR with an unknown extension, the error is thrown.

Work around this error by first checking if the OID is recognised

and, if it is not, using a different method to obtain its string

representation.

Once the python-nss bug is fixed, this workaround should be

reverted.  https://bugzilla.redhat.com/show_bug.cgi?id=1246729

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>

---

 ipalib/pkcs10.py | 15 ++++++++++++++-

 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/ipalib/pkcs10.py b/ipalib/pkcs10.py

index 6299dfea43b7a3f4104f0b0ec78c4f105d9daf62..64670835127e96f1d724c5f32ed7a939d37b7f16 100644

--- a/ipalib/pkcs10.py

+++ b/ipalib/pkcs10.py

@@ -53,7 +53,20 @@ def get_extensions(csr, datatype=PEM):

     The return value is a tuple of strings

     """

     request = load_certificate_request(csr, datatype)

-    return tuple(nss.oid_dotted_decimal(ext.oid_tag)[4:]

+

+    # Work around a bug in python-nss where nss.oid_dotted_decimal

+    # errors on unrecognised OIDs

+    #

+    # https://bugzilla.redhat.com/show_bug.cgi?id=1246729

+    #

+    def get_prefixed_oid_str(ext):

+        """Returns a string like 'OID.1.2...'."""

+        if ext.oid_tag == 0:

+            return repr(ext)

+        else:

+            return nss.oid_dotted_decimal(ext.oid)

+

+    return tuple(get_prefixed_oid_str(ext)[4:]

                  for ext in request.extensions)

 class _PrincipalName(univ.Sequence):

-- 

2.4.3