From c0598b1af6885b1558ef592d6e2a5250f707e878 Mon Sep 17 00:00:00 2001

From: Jan Cholasta <jcholast@redhat.com>

Date: Thu, 10 Mar 2016 13:16:41 +0100

Subject: [PATCH] certdb: never use the -r option of certutil

The -r option makes certutil output certificates in DER. If there are

multiple certificates sharing the same nickname, certutil will output

them concatenated into a single blob. The blob is not a valid DER

anymore and causes failures further in the code.

Use the -a option instead to output the certificates in PEM and convert

them to DER on demand.

https://fedorahosted.org/freeipa/ticket/5117

https://fedorahosted.org/freeipa/ticket/5720

Reviewed-By: David Kupka <dkupka@redhat.com>

---

 ipapython/certdb.py | 10 +++++-----

 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/ipapython/certdb.py b/ipapython/certdb.py

index 5a6e494fb8a5963ae9c68c697234e83575bc89ec..63dc4580b43ec11329d2074fc9a33e55dac9cb03 100644

--- a/ipapython/certdb.py

+++ b/ipapython/certdb.py

@@ -395,15 +395,15 @@ class NSSDatabase(object):

                     "Setting trust on %s failed" % root_nickname)

     def get_cert(self, nickname, pem=False):

-        args = ['-L', '-n', nickname]

-        if pem:

-            args.append('-a')

-        else:

-            args.append('-r')

+        args = ['-L', '-n', nickname, '-a']

         try:

             cert, err, returncode = self.run_certutil(args)

         except ipautil.CalledProcessError:

             raise RuntimeError("Failed to get %s" % nickname)

+        if not pem:

+            (cert, start) = find_cert_from_txt(cert, start=0)

+            cert = x509.strip_header(cert)

+            cert = base64.b64decode(cert)

         return cert

     def has_nickname(self, nickname):

-- 

2.5.0