Addtional patches that need to be partly reverted that are touching csrgen

related files:

7b8a2af2197381058ca532d1ae206defb16fac88

ac6568dcf58ec8d06df5493d14a28aa41845d4ef

9c86d35a3f0af4a793fada7dfe726e9cc66782ea

9836511a2b6d7cf48b1a54cb3158e5eac674081a

b431e9b684df11c811892bd9d2a5711355f0076e

This is a collection of an existing patch to remove csrgen for 4.7.1 and

additional patches that have been added for 4.7.90 pre1.

Additional reverted csrgen patches:

852618fd6529fbdd7b03077fae37c6fbbe45b51b

0ac1d3ea62efd9751fcc59cea46bcdafe1f11c37

7633d62d858c14523a99143aa0ff36f76bb4ff68

53f87ee5cd9d19f6fb91a9a1eafc8ea798095954

395a68d20887d0ac010e480e68b225d6dfeff726

03786ad9f3bd5edc351040847b8a49c9cd9288b2

c9d710a446d10aad72795e15bf041b87102628c1

2b90c8a20e45ade9bfd27731cccc94a34cf3f61e

61dde27f70b9f8dd1b57ad1fbc3744f3c380613a

806784dbd9e69a89c7a705c89bf42ba1fd4265c9

79378c90512a1cdd5f3d5ec6482e434caea06e01

bd5a5012d24820b54cdca2955f5405b84de1178c

26ab51ddf47f421f3404709052db89f08c05adaa

a53e17830c3d4fd59a62248d4447491675c6a80e

e7588ab2dc73e7f66ebc6cdcfb99470540e37731

136c6c3e2a4f77a27f435efd4a1cd95c9e089314

5420e9cfbe7803808b6e26d2dae64f2a6a50149a

Original patch from 4.7.1:

From 468bcf90cb985e2b1eb394bd752dc39aa4b75582 Mon Sep 17 00:00:00 2001

From: Rob Crittenden <rcritten@redhat.com>

Date: Thu, 19 Jul 2018 18:37:18 -0400

Subject: [PATCH] Remove csrgen

This reverts commits:

* 72de679eb445c975ec70cd265d37d4927823ce5b

* 177f07e163d6d591a1e609d35e0a6f6f5347551e

* 80be18162921268be9c8981495c9e8a4de0c85cd

* 83e2c2b65eeb5a3aa4a59c0535e9177aac5e4637

* ada91c20588046bb147fc701718d3da4d2c080ca

* 4350dcdea22fd2284836315d0ae7d38733a7620e

* 39a5d9c5aae77687f67d9be02457733bdfb99ead

* a26cf0d7910dd4c0a4da08682b4be8d3d94ba520

* afd7c05d11432304bfdf183832a21d419f363689

* f1a1c6eca1b294f24174d7b0e1f78de46d9d5b05

* fc58eff6a3d7fe805e612b8b002304d8b9cd4ba9

* 10ef5947860f5098182b1f95c08c1158e2da15f9

https://bugzilla.redhat.com/show_bug.cgi?id=1432630

---

 freeipa.spec.in                                    |  14 -

 ipaclient/csrgen.py                                | 488 ---------------------

 ipaclient/csrgen/profiles/caIPAserviceCert.json    |  15 -

 ipaclient/csrgen/profiles/userCert.json            |  15 -

 ipaclient/csrgen/rules/dataDNS.json                |   8 -

 ipaclient/csrgen/rules/dataEmail.json              |   8 -

 ipaclient/csrgen/rules/dataHostCN.json             |   8 -

 ipaclient/csrgen/rules/dataSubjectBase.json        |   8 -

 ipaclient/csrgen/rules/dataUsernameCN.json         |   8 -

 ipaclient/csrgen/rules/syntaxSAN.json              |   8 -

 ipaclient/csrgen/rules/syntaxSubject.json          |   9 -

 ipaclient/csrgen/templates/openssl_base.tmpl       |  17 -

 ipaclient/csrgen/templates/openssl_macros.tmpl     |  29 --

 ipaclient/csrgen_ffi.py                            | 331 --------------

 ipaclient/plugins/cert.py                          |  80 ----

 ipaclient/plugins/csrgen.py                        | 128 ------

 ipaclient/setup.py                                 |   8 -

 .../data/test_csrgen/configs/caIPAserviceCert.conf |  16 -

 .../data/test_csrgen/configs/userCert.conf         |  16 -

 .../data/test_csrgen/profiles/profile.json         |   8 -

 .../data/test_csrgen/rules/basic.json              |   5 -

 .../data/test_csrgen/rules/options.json            |   8 -

 .../data/test_csrgen/templates/identity_base.tmpl  |   1 -

 ipatests/test_ipaclient/test_csrgen.py             | 304 -------------

 24 files changed, 1540 deletions(-)

 delete mode 100644 ipaclient/csrgen.py

 delete mode 100644 ipaclient/csrgen/profiles/caIPAserviceCert.json

 delete mode 100644 ipaclient/csrgen/profiles/userCert.json

 delete mode 100644 ipaclient/csrgen/rules/dataDNS.json

 delete mode 100644 ipaclient/csrgen/rules/dataEmail.json

 delete mode 100644 ipaclient/csrgen/rules/dataHostCN.json

 delete mode 100644 ipaclient/csrgen/rules/dataSubjectBase.json

 delete mode 100644 ipaclient/csrgen/rules/dataUsernameCN.json

 delete mode 100644 ipaclient/csrgen/rules/syntaxSAN.json

 delete mode 100644 ipaclient/csrgen/rules/syntaxSubject.json

 delete mode 100644 ipaclient/csrgen/templates/openssl_base.tmpl

 delete mode 100644 ipaclient/csrgen/templates/openssl_macros.tmpl

 delete mode 100644 ipaclient/csrgen_ffi.py

 delete mode 100644 ipaclient/plugins/csrgen.py

 delete mode 100644 ipatests/test_ipaclient/data/test_csrgen/configs/caIPAserviceCert.conf

 delete mode 100644 ipatests/test_ipaclient/data/test_csrgen/configs/userCert.conf

 delete mode 100644 ipatests/test_ipaclient/data/test_csrgen/profiles/profile.json

 delete mode 100644 ipatests/test_ipaclient/data/test_csrgen/rules/basic.json

 delete mode 100644 ipatests/test_ipaclient/data/test_csrgen/rules/options.json

 delete mode 100644 ipatests/test_ipaclient/data/test_csrgen/templates/identity_base.tmpl

 delete mode 100644 ipatests/test_ipaclient/test_csrgen.py

diff -urN freeipa-4.8.0/freeipa.spec.in freeipa-4.8.0.removed_csrgen/freeipa.spec.in

--- freeipa-4.8.0/freeipa.spec.in	2019-06-29 10:01:30.458735813 +0200

+++ freeipa-4.8.0.removed_csrgen/freeipa.spec.in	2019-07-03 13:24:38.471222723 +0200

@@ -1247,13 +1247,6 @@

 %dir %{python3_sitelib}/ipaclient/remote_plugins/2_*

 %{python3_sitelib}/ipaclient/remote_plugins/2_*/*.py

 %{python3_sitelib}/ipaclient/remote_plugins/2_*/__pycache__/*.py*

-%dir %{python3_sitelib}/ipaclient/csrgen

-%dir %{python3_sitelib}/ipaclient/csrgen/profiles

-%{python3_sitelib}/ipaclient/csrgen/profiles/*.json

-%dir %{python3_sitelib}/ipaclient/csrgen/rules

-%{python3_sitelib}/ipaclient/csrgen/rules/*.json

-%dir %{python3_sitelib}/ipaclient/csrgen/templates

-%{python3_sitelib}/ipaclient/csrgen/templates/*.tmpl

 %{python3_sitelib}/ipaclient-*.egg-info

diff -urN freeipa-4.8.0/ipaclient/csrgen/profiles/caIPAserviceCert.json freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/profiles/caIPAserviceCert.json

--- freeipa-4.8.0/ipaclient/csrgen/profiles/caIPAserviceCert.json	2019-07-03 08:42:41.844539797 +0200

+++ freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/profiles/caIPAserviceCert.json	1970-01-01 01:00:00.000000000 +0100

@@ -1,15 +0,0 @@

-[

-    {

-        "syntax": "syntaxSubject",

-        "data": [

-            "dataHostCN",

-            "dataSubjectBase"

-        ]

-    },

-    {

-        "syntax": "syntaxSAN",

-        "data": [

-            "dataDNS"

-        ]

-    }

-]

diff -urN freeipa-4.8.0/ipaclient/csrgen/profiles/userCert.json freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/profiles/userCert.json

--- freeipa-4.8.0/ipaclient/csrgen/profiles/userCert.json	2019-07-03 08:42:41.848539737 +0200

+++ freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/profiles/userCert.json	1970-01-01 01:00:00.000000000 +0100

@@ -1,15 +0,0 @@

-[

-    {

-        "syntax": "syntaxSubject",

-        "data": [

-            "dataUsernameCN",

-            "dataSubjectBase"

-        ]

-    },

-    {

-        "syntax": "syntaxSAN",

-        "data": [

-            "dataEmail"

-        ]

-    }

-]

diff -urN freeipa-4.8.0/ipaclient/csrgen/rules/dataDNS.json freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/rules/dataDNS.json

--- freeipa-4.8.0/ipaclient/csrgen/rules/dataDNS.json	2019-07-03 08:42:41.853539663 +0200

+++ freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/rules/dataDNS.json	1970-01-01 01:00:00.000000000 +0100

@@ -1,8 +0,0 @@

-{

-  "rule": {

-    "template": "DNS = {{subject.krbprincipalname.0.partition('/')[2].partition('@')[0]}}"

-  },

-  "options": {

-    "data_source": "subject.krbprincipalname.0.partition('/')[2].partition('@')[0]"

-  }

-}

diff -urN freeipa-4.8.0/ipaclient/csrgen/rules/dataEmail.json freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/rules/dataEmail.json

--- freeipa-4.8.0/ipaclient/csrgen/rules/dataEmail.json	2019-07-03 08:42:41.857539603 +0200

+++ freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/rules/dataEmail.json	1970-01-01 01:00:00.000000000 +0100

@@ -1,8 +0,0 @@

-{

-  "rule": {

-    "template": "email = {{subject.mail.0}}"

-  },

-  "options": {

-    "data_source": "subject.mail.0"

-  }

-}

diff -urN freeipa-4.8.0/ipaclient/csrgen/rules/dataHostCN.json freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/rules/dataHostCN.json

--- freeipa-4.8.0/ipaclient/csrgen/rules/dataHostCN.json	2019-07-03 08:42:41.861539544 +0200

+++ freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/rules/dataHostCN.json	1970-01-01 01:00:00.000000000 +0100

@@ -1,8 +0,0 @@

-{

-  "rule": {

-    "template": "CN={{subject.krbprincipalname.0.partition('/')[2].partition('@')[0]}}"

-  },

-  "options": {

-    "data_source": "subject.krbprincipalname.0.partition('/')[2].partition('@')[0]"

-  }

-}

diff -urN freeipa-4.8.0/ipaclient/csrgen/rules/dataSubjectBase.json freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/rules/dataSubjectBase.json

--- freeipa-4.8.0/ipaclient/csrgen/rules/dataSubjectBase.json	2019-07-03 08:42:41.865539484 +0200

+++ freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/rules/dataSubjectBase.json	1970-01-01 01:00:00.000000000 +0100

@@ -1,8 +0,0 @@

-{

-  "rule": {

-    "template": "{{config.ipacertificatesubjectbase.0}}"

-  },

-  "options": {

-    "data_source": "config.ipacertificatesubjectbase.0"

-  }

-}

diff -urN freeipa-4.8.0/ipaclient/csrgen/rules/dataUsernameCN.json freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/rules/dataUsernameCN.json

--- freeipa-4.8.0/ipaclient/csrgen/rules/dataUsernameCN.json	2019-07-03 08:42:41.869539424 +0200

+++ freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/rules/dataUsernameCN.json	1970-01-01 01:00:00.000000000 +0100

@@ -1,8 +0,0 @@

-{

-  "rule": {

-    "template": "CN={{subject.uid.0}}"

-  },

-  "options": {

-    "data_source": "subject.uid.0"

-  }

-}

diff -urN freeipa-4.8.0/ipaclient/csrgen/rules/syntaxSAN.json freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/rules/syntaxSAN.json

--- freeipa-4.8.0/ipaclient/csrgen/rules/syntaxSAN.json	2019-07-03 08:42:41.874539350 +0200

+++ freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/rules/syntaxSAN.json	1970-01-01 01:00:00.000000000 +0100

@@ -1,8 +0,0 @@

-{

-  "rule": {

-    "template": "subjectAltName = @{% call openssl.section() %}{{ datarules|join('\n') }}{% endcall %}"

-  },

-  "options": {

-    "extension": true

-  }

-}

diff -urN freeipa-4.8.0/ipaclient/csrgen/rules/syntaxSubject.json freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/rules/syntaxSubject.json

--- freeipa-4.8.0/ipaclient/csrgen/rules/syntaxSubject.json	2019-07-03 08:42:41.878539290 +0200

+++ freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/rules/syntaxSubject.json	1970-01-01 01:00:00.000000000 +0100

@@ -1,9 +0,0 @@

-{

-  "rule": {

-    "template": "distinguished_name = {% call openssl.section() %}{{ datarules|reverse|join('\n') }}{% endcall %}"

-  },

-  "options": {

-    "required": true,

-    "data_source_combinator": "and"

-  }

-}

diff -urN freeipa-4.8.0/ipaclient/csrgen/templates/openssl_base.tmpl freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/templates/openssl_base.tmpl

--- freeipa-4.8.0/ipaclient/csrgen/templates/openssl_base.tmpl	2019-07-03 08:42:41.882539231 +0200

+++ freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/templates/openssl_base.tmpl	1970-01-01 01:00:00.000000000 +0100

@@ -1,17 +0,0 @@

-{% raw -%}

-{% import "openssl_macros.tmpl" as openssl -%}

-{% endraw -%}

-[ req ]

-prompt = no

-encrypt_key = no

-

-{{ parameters|join('\n') }}

-{% raw %}{% set rendered_extensions -%}{% endraw %}

-{{ extensions|join('\n') }}

-{% raw -%}

-{%- endset -%}

-{% if rendered_extensions -%}

-req_extensions = {% call openssl.section() %}{{ rendered_extensions }}{% endcall %}

-{% endif %}

-{{ openssl.openssl_sections|join('\n\n') }}

-{%- endraw %}

diff -urN freeipa-4.8.0/ipaclient/csrgen/templates/openssl_macros.tmpl freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/templates/openssl_macros.tmpl

--- freeipa-4.8.0/ipaclient/csrgen/templates/openssl_macros.tmpl	2019-07-03 08:42:41.886539171 +0200

+++ freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/templates/openssl_macros.tmpl	1970-01-01 01:00:00.000000000 +0100

@@ -1,29 +0,0 @@

-{# List containing rendered sections to be included at end #}

-{% set openssl_sections = [] %}

-

-{#

-List containing one entry for each section name allocated. Because of

-scoping rules, we need to use a list so that it can be a "per-render global"

-that gets updated in place. Real globals are shared by all templates with the

-same environment, and variables defined in the macro don't persist after the

-macro invocation ends.

-#}

-{% set openssl_section_num = [] %}

-

-{% macro section() -%}

-{% set name -%}

-sec{{ openssl_section_num|length -}}

-{% endset -%}

-{% do openssl_section_num.append('') -%}

-{% set contents %}{{ caller() }}{% endset -%}

-{% if contents -%}

-{% set sectiondata = formatsection(name, contents) -%}

-{% do openssl_sections.append(sectiondata) -%}

-{% endif -%}

-{{ name -}}

-{% endmacro %}

-

-{% macro formatsection(name, contents) -%}

-[ {{ name }} ]

-{{ contents -}}

-{% endmacro %}

diff -urN freeipa-4.8.0/ipaclient/csrgen_ffi.py freeipa-4.8.0.removed_csrgen/ipaclient/csrgen_ffi.py

--- freeipa-4.8.0/ipaclient/csrgen_ffi.py	2019-07-03 08:42:41.816540214 +0200

+++ freeipa-4.8.0.removed_csrgen/ipaclient/csrgen_ffi.py	1970-01-01 01:00:00.000000000 +0100

@@ -1,387 +0,0 @@

-from cffi import FFI

-import ctypes.util

-

-from ipalib import errors

-

-_ffi = FFI()

-

-_ffi.cdef('''

-/* libcrypto/crypto.h */

-unsigned long OpenSSL_version_num(void);

-unsigned long SSLeay(void);

-const char * OpenSSL_version(int t);

-const char * SSLeay_version(int t);

-

-#define OPENSSL_VERSION 0

-''')

-

-_libcrypto = _ffi.dlopen(ctypes.util.find_library('crypto'))

-

-# SSLeay_version has been renamed with OpenSSL_version in OpenSSL 1.1.0

-# LibreSSL has OpenSSL_version since 2.7.0

-try:

-    OpenSSL_version = _libcrypto.OpenSSL_version

-except AttributeError:

-    OpenSSL_version = _libcrypto.SSLeay_version

-

-_version = OpenSSL_version(_libcrypto.OPENSSL_VERSION)

-_version = _ffi.string(_version).decode('utf-8')

-LIBRESSL = _version.startswith('LibreSSL')

-if not _version.startswith("OpenSSL") and not LIBRESSL:

-    raise ImportError("Only LibreSSL and OpenSSL are supported")

-

-# SSLeay has been renamed with OpenSSL_version_num in OpenSSL 1.1.0

-# LibreSSL has OpenSSL_version_num since 2.7.0

-try:

-    OpenSSL_version_num = _libcrypto.OpenSSL_version_num

-except AttributeError:

-    OpenSSL_version_num = _libcrypto.SSLeay

-

-# OpenSSL_version_num()/SSLeay() returns the value of OPENSSL_VERSION_NUMBER

-#

-# OPENSSL_VERSION_NUMBER is a numeric release version identifier:

-# MNNFFPPS: major minor fix patch status

-# For example,

-# 0x000906000 == 0.9.6 dev

-# 0x000906023 == 0.9.6b beta 3

-# 0x00090605f == 0.9.6e release

-_openssl_version = OpenSSL_version_num()

-

-_ffi.cdef('''

-typedef ... CONF;

-typedef ... CONF_METHOD;

-typedef ... BIO;

-typedef ... ipa_STACK_OF_CONF_VALUE;

-

-/* openssl/conf.h */

-typedef struct {

-    char *section;

-    char *name;

-    char *value;

-} CONF_VALUE;

-

-CONF *NCONF_new(CONF_METHOD *meth);

-void NCONF_free(CONF *conf);

-int NCONF_load_bio(CONF *conf, BIO *bp, long *eline);

-ipa_STACK_OF_CONF_VALUE *NCONF_get_section(const CONF *conf,

-                                        const char *section);

-char *NCONF_get_string(const CONF *conf, const char *group, const char *name);

-

-/* openssl/safestack.h */

-// int sk_CONF_VALUE_num(ipa_STACK_OF_CONF_VALUE *);

-// CONF_VALUE *sk_CONF_VALUE_value(ipa_STACK_OF_CONF_VALUE *, int);

-

-/* openssl/stack.h */

-typedef ... _STACK;

-

-int OPENSSL_sk_num(const _STACK *);

-void *OPENSSL_sk_value(const _STACK *, int);

-

-int sk_num(const _STACK *);

-void *sk_value(const _STACK *, int);

-

-/* openssl/bio.h */

-BIO *BIO_new_mem_buf(const void *buf, int len);

-int BIO_free(BIO *a);

-

-/* openssl/asn1.h */

-typedef struct ASN1_ENCODING_st {

-    unsigned char *enc;         /* DER encoding */

-    long len;                   /* Length of encoding */

-    int modified;               /* set to 1 if 'enc' is invalid */

-} ASN1_ENCODING;

-

-/* openssl/evp.h */

-typedef ... EVP_PKEY;

-

-void EVP_PKEY_free(EVP_PKEY *pkey);

-

-/* openssl/x509.h */

-typedef ... ASN1_INTEGER;

-typedef ... ASN1_BIT_STRING;

-typedef ... ASN1_OBJECT;

-typedef ... X509;

-typedef ... X509_CRL;

-typedef ... X509_NAME;

-typedef ... X509_PUBKEY;

-typedef ... ipa_STACK_OF_X509_ATTRIBUTE;

-

-typedef struct X509_req_info_st {

-    ASN1_ENCODING enc;

-    ASN1_INTEGER *version;

-    X509_NAME *subject;

-    X509_PUBKEY *pubkey;

-    /*  d=2 hl=2 l=  0 cons: cont: 00 */

-    ipa_STACK_OF_X509_ATTRIBUTE *attributes; /* [ 0 ] */

-} X509_REQ_INFO;

-''')

-

-# since OpenSSL 1.1.0 req_info field is no longer pointer to X509_REQ_INFO

-if _openssl_version >= 0x10100000 and not LIBRESSL:

-    _ffi.cdef('''

-    typedef struct X509_req_st {

-        X509_REQ_INFO req_info;

-    } X509_REQ;

-    ''')

-else:

-    _ffi.cdef('''

-    typedef struct X509_req_st {

-        X509_REQ_INFO *req_info;

-    } X509_REQ;

-    ''')

-

-_ffi.cdef('''

-X509_REQ *X509_REQ_new(void);

-void X509_REQ_free(X509_REQ *);

-EVP_PKEY *d2i_PUBKEY_bio(BIO *bp, EVP_PKEY **a);

-int X509_REQ_set_pubkey(X509_REQ *x, EVP_PKEY *pkey);

-int X509_NAME_add_entry_by_OBJ(X509_NAME *name, const ASN1_OBJECT *obj, int type,

-                               const unsigned char *bytes, int len, int loc,

-                               int set);

-int X509_NAME_entry_count(X509_NAME *name);

-int i2d_X509_REQ_INFO(X509_REQ_INFO *a, unsigned char **out);

-

-/* openssl/objects.h */

-ASN1_OBJECT *OBJ_txt2obj(const char *s, int no_name);

-

-/* openssl/x509v3.h */

-typedef ... X509V3_CONF_METHOD;

-

-typedef struct v3_ext_ctx {

-    int flags;

-    X509 *issuer_cert;

-    X509 *subject_cert;

-    X509_REQ *subject_req;

-    X509_CRL *crl;

-    X509V3_CONF_METHOD *db_meth;

-    void *db;

-} X509V3_CTX;

-

-void X509V3_set_ctx(X509V3_CTX *ctx, X509 *issuer, X509 *subject,

-                    X509_REQ *req, X509_CRL *crl, int flags);

-void X509V3_set_nconf(X509V3_CTX *ctx, CONF *conf);

-int X509V3_EXT_REQ_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section,

-                             X509_REQ *req);

-

-/* openssl/x509v3.h */

-unsigned long ERR_get_error(void);

-char *ERR_error_string(unsigned long e, char *buf);

-''')  # noqa: E501

-

-NULL = _ffi.NULL

-# openssl/conf.h

-NCONF_new = _libcrypto.NCONF_new

-NCONF_free = _libcrypto.NCONF_free

-NCONF_load_bio = _libcrypto.NCONF_load_bio

-NCONF_get_section = _libcrypto.NCONF_get_section

-NCONF_get_string = _libcrypto.NCONF_get_string

-

-# openssl/stack.h

-try:

-    sk_num = _libcrypto.OPENSSL_sk_num

-    sk_value = _libcrypto.OPENSSL_sk_value

-except AttributeError:

-    sk_num = _libcrypto.sk_num

-    sk_value = _libcrypto.sk_value

-

-

-def sk_CONF_VALUE_num(sk):

-    return sk_num(_ffi.cast("_STACK *", sk))

-

-

-def sk_CONF_VALUE_value(sk, i):

-    return _ffi.cast("CONF_VALUE *", sk_value(_ffi.cast("_STACK *", sk), i))

-

-

-# openssl/bio.h

-BIO_new_mem_buf = _libcrypto.BIO_new_mem_buf

-BIO_free = _libcrypto.BIO_free

-

-# openssl/x509.h

-X509_REQ_new = _libcrypto.X509_REQ_new

-X509_REQ_free = _libcrypto.X509_REQ_free

-X509_REQ_set_pubkey = _libcrypto.X509_REQ_set_pubkey

-d2i_PUBKEY_bio = _libcrypto.d2i_PUBKEY_bio

-i2d_X509_REQ_INFO = _libcrypto.i2d_X509_REQ_INFO

-X509_NAME_add_entry_by_OBJ = _libcrypto.X509_NAME_add_entry_by_OBJ

-X509_NAME_entry_count = _libcrypto.X509_NAME_entry_count

-

-

-def X509_REQ_get_subject_name(req):

-    return req.req_info.subject

-

-

-# openssl/objects.h

-OBJ_txt2obj = _libcrypto.OBJ_txt2obj

-

-# openssl/evp.h

-EVP_PKEY_free = _libcrypto.EVP_PKEY_free

-

-# openssl/asn1.h

-MBSTRING_UTF8 = 0x1000

-

-# openssl/x509v3.h

-X509V3_set_ctx = _libcrypto.X509V3_set_ctx

-X509V3_set_nconf = _libcrypto.X509V3_set_nconf

-X509V3_EXT_REQ_add_nconf = _libcrypto.X509V3_EXT_REQ_add_nconf

-

-# openssl/err.h

-ERR_get_error = _libcrypto.ERR_get_error

-ERR_error_string = _libcrypto.ERR_error_string

-

-

-def _raise_openssl_errors():

-    msgs = []

-

-    code = ERR_get_error()

-    while code != 0:

-        msg = _ffi.string(ERR_error_string(code, NULL))

-        try:

-            strmsg = msg.decode('utf-8')

-        except UnicodeDecodeError:

-            strmsg = repr(msg)

-        msgs.append(strmsg)

-        code = ERR_get_error()

-

-    raise errors.CSRTemplateError(reason='\n'.join(msgs))

-

-

-def _parse_dn_section(subj, dn_sk):

-    for i in range(sk_CONF_VALUE_num(dn_sk)):

-        v = sk_CONF_VALUE_value(dn_sk, i)

-        rdn_type = _ffi.string(v.name)

-

-        # Skip past any leading X. X: X, etc to allow for multiple instances

-        for idx, c in enumerate(rdn_type):

-            if c in b':,.':

-                if idx+1 < len(rdn_type):

-                    rdn_type = rdn_type[idx+1:]

-                break

-        if rdn_type.startswith(b'+'):

-            rdn_type = rdn_type[1:]

-            mval = -1

-        else:

-            mval = 0

-

-        # convert rdn_type to an OID

-        #

-        # OpenSSL is fussy about the case of the string.  For example,

-        # lower-case 'o' (for "organization name") is not recognised.

-        # Therefore, try to convert the given string into an OID.  If

-        # that fails, convert it upper case and try again.

-        #

-        oid = OBJ_txt2obj(rdn_type, 0)

-        if oid == NULL:

-            oid = OBJ_txt2obj(rdn_type.upper(), 0)

-        if oid == NULL:

-            raise errors.CSRTemplateError(

-                reason='unrecognised attribute type: {}'

-                .format(rdn_type.decode('utf-8')))

-

-        if not X509_NAME_add_entry_by_OBJ(

-                subj, oid, MBSTRING_UTF8,

-                _ffi.cast("unsigned char *", v.value), -1, -1, mval):

-            _raise_openssl_errors()

-

-    if not X509_NAME_entry_count(subj):

-        raise errors.CSRTemplateError(

-            reason='error, subject in config file is empty')

-

-

-def build_requestinfo(config, public_key_info):

-    '''

-    Return a cffi buffer containing a DER-encoded CertificationRequestInfo.

-

-    The returned object implements the buffer protocol.

-

-    '''

-    reqdata = NULL

-    req = NULL

-    nconf_bio = NULL

-    pubkey_bio = NULL

-    pubkey = NULL

-

-    try:

-        reqdata = NCONF_new(NULL)

-        if reqdata == NULL:

-            _raise_openssl_errors()

-

-        nconf_bio = BIO_new_mem_buf(config, len(config))

-        errorline = _ffi.new('long[1]', [-1])

-        i = NCONF_load_bio(reqdata, nconf_bio, errorline)

-        if i < 0:

-            if errorline[0] < 0:

-                raise errors.CSRTemplateError(reason="Can't load config file")

-            else:

-                raise errors.CSRTemplateError(

-                    reason='Error on line %d of config file' % errorline[0])

-

-        dn_sect = NCONF_get_string(reqdata, b'req', b'distinguished_name')

-        if dn_sect == NULL:

-            raise errors.CSRTemplateError(

-                reason='Unable to find "distinguished_name" key in config')

-

-        dn_sk = NCONF_get_section(reqdata, dn_sect)

-        if dn_sk == NULL:

-            raise errors.CSRTemplateError(

-                reason='Unable to find "%s" section in config' %

-                _ffi.string(dn_sect))

-

-        pubkey_bio = BIO_new_mem_buf(public_key_info, len(public_key_info))

-        pubkey = d2i_PUBKEY_bio(pubkey_bio, NULL)

-        if pubkey == NULL:

-            _raise_openssl_errors()

-

-        req = X509_REQ_new()

-        if req == NULL:

-            _raise_openssl_errors()

-

-        subject = X509_REQ_get_subject_name(req)

-

-        _parse_dn_section(subject, dn_sk)

-

-        if not X509_REQ_set_pubkey(req, pubkey):

-            _raise_openssl_errors()

-

-        ext_ctx = _ffi.new("X509V3_CTX[1]")

-        X509V3_set_ctx(ext_ctx, NULL, NULL, req, NULL, 0)

-        X509V3_set_nconf(ext_ctx, reqdata)

-

-        extn_section = NCONF_get_string(reqdata, b"req", b"req_extensions")

-        if extn_section != NULL:

-            if not X509V3_EXT_REQ_add_nconf(

-                    reqdata, ext_ctx, extn_section, req):

-                _raise_openssl_errors()

-

-        if _openssl_version < 0x10100000 or LIBRESSL:

-            der_len = i2d_X509_REQ_INFO(req.req_info, NULL)

-        else:

-            req_info = _ffi.new("X509_REQ_INFO *", req.req_info)

-            der_len = i2d_X509_REQ_INFO(req_info, NULL)

-            req.req_info = req_info[0]

-        if der_len < 0:

-            _raise_openssl_errors()

-

-        der_buf = _ffi.new("unsigned char[%d]" % der_len)

-        der_out = _ffi.new("unsigned char **", der_buf)

-        if _openssl_version < 0x10100000 or LIBRESSL:

-            der_len = i2d_X509_REQ_INFO(req.req_info, der_out)

-        else:

-            der_len = i2d_X509_REQ_INFO(req_info, der_out)

-            req.req_info = req_info[0]

-        if der_len < 0:

-            _raise_openssl_errors()

-

-        return _ffi.buffer(der_buf, der_len)

-

-    finally:

-        if reqdata != NULL:

-            NCONF_free(reqdata)

-        if req != NULL:

-            X509_REQ_free(req)

-        if nconf_bio != NULL:

-            BIO_free(nconf_bio)

-        if pubkey_bio != NULL:

-            BIO_free(pubkey_bio)

-        if pubkey != NULL:

-            EVP_PKEY_free(pubkey)

diff -urN freeipa-4.8.0/ipaclient/csrgen.py freeipa-4.8.0.removed_csrgen/ipaclient/csrgen.py

--- freeipa-4.8.0/ipaclient/csrgen.py	2019-07-03 08:42:41.811540288 +0200

+++ freeipa-4.8.0.removed_csrgen/ipaclient/csrgen.py	1970-01-01 01:00:00.000000000 +0100

@@ -1,488 +0,0 @@

-#

-# Copyright (C) 2016  FreeIPA Contributors see COPYING for license

-#

-

-import base64

-import collections

-import errno

-import json

-import logging

-import os

-import os.path

-import pipes

-import subprocess

-import traceback

-import codecs

-

-import pkg_resources

-

-from cryptography.hazmat.backends import default_backend

-from cryptography.hazmat.primitives.asymmetric import padding

-from cryptography.hazmat.primitives import hashes

-from cryptography.hazmat.primitives.serialization import (

-    load_pem_private_key, Encoding, PublicFormat)

-from cryptography.x509 import load_pem_x509_certificate

-import jinja2

-import jinja2.ext

-import jinja2.sandbox

-from pyasn1.codec.der import decoder, encoder