From c0598b1af6885b1558ef592d6e2a5250f707e878 Mon Sep 17 00:00:00 2001
From: Jan Cholasta
Date: Thu, 10 Mar 2016 13:16:41 +0100
Subject: [PATCH] certdb: never use the -r option of certutil
The -r option makes certutil output certificates in DER. If there are multiple certificates sharing the same nickname, certutil will output them concatenated into a single blob. The blob is not a valid DER anymore and causes failures further in the code. Use the -a option instead to output the certificates in PEM and convert them to DER on demand.
https://fedorahosted.org/freeipa/ticket/5117
https://fedorahosted.org/freeipa/ticket/5720
Reviewed-By: David Kupka
---
 ipapython/certdb.py | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index 5a6e494fb8a5963ae9c68c697234e83575bc89ec..63dc4580b43ec11329d2074fc9a33e55dac9cb03 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -395,15 +395,15 @@ class NSSDatabase(object):
 "Setting trust on %s failed" % root_nickname)
 
 def get_cert(self, nickname, pem=False):
- args = ['-L', '-n', nickname]
- if pem:
- args.append('-a')
- else:
- args.append('-r')
+ args = ['-L', '-n', nickname, '-a']
 try:
 cert, err, returncode = self.run_certutil(args)
 except ipautil.CalledProcessError:
 raise RuntimeError("Failed to get %s" % nickname)
+ if not pem:
+ (cert, start) = find_cert_from_txt(cert, start=0)
+ cert = x509.strip_header(cert)
+ cert = base64.b64decode(cert)
 return cert
 
 def has_nickname(self, nickname):
-- 
2.5.0
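Review bot: In the new DER branch, `find_cert_from_txt(cert, start=0)` takes only the first PEM block in certutil's output, so when several certificates share `nickname` (exactly the situation the commit is fixing) the caller silently receives one of them with no sign that others exist; that contract should be written down, e.g. a docstring on `get_cert` such as `"""Return the certificate stored under nickname, as PEM or DER; when several certificates share the nickname only the first one certutil prints is returned."""`. The second value of the tuple is never used afterwards, so `cert, _ = find_cert_from_txt(cert, start=0)` states that more plainly than binding `start`. The hunk does not show where `find_cert_from_txt`, `x509` and `base64` are imported, so confirm all three are in scope at module level rather than relying on a wildcard import. The `get_cert` body is fully contained in the hunk.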