Base64 encode the cert returned from the Dogtag plugin

Also, add the missing headers for the intermediates, and make the algorithm match case insensitive to make the supports() method more robust. Change-Id: I728846494e8f60ca37640d9753081deefd6cb8e4 Closes-Bug: 1453636
2015-05-10 22:22:29 -04:00 · 2015-05-10 22:22:29 -04:00 · a42e35885e
commit a42e35885e
parent 2005344253
2 changed files with 50 additions and 9 deletions
--- a/barbican/plugin/dogtag.py
+++ b/barbican/plugin/dogtag.py
@ -66,6 +66,9 @@ dogtag_plugin_opts = [
 CONF.register_group(dogtag_plugin_group)
 CONF.register_opts(dogtag_plugin_opts, group=dogtag_plugin_group)

+CERT_HEADER = "-----BEGIN CERTIFICATE-----"
+CERT_FOOTER = "-----END CERTIFICATE-----"
+

 def setup_nss_db(conf, subsystem):
    crypto = None
@ -497,20 +500,23 @@ class DogtagKRAPlugin(sstore.SecretStoreBase):

        Note that only algorithms supported by Dogtag will be mapped.
        """
-        if algorithm == sstore.KeyAlgorithm.AES:
+        if algorithm is None:
+            return None
+
+        if algorithm.lower() == sstore.KeyAlgorithm.AES.lower():
            return key.KeyClient.AES_ALGORITHM
-        elif algorithm == sstore.KeyAlgorithm.DES:
+        elif algorithm.lower() == sstore.KeyAlgorithm.DES.lower():
            return key.KeyClient.DES_ALGORITHM
-        elif algorithm == sstore.KeyAlgorithm.DESEDE:
+        elif algorithm.lower() == sstore.KeyAlgorithm.DESEDE.lower():
            return key.KeyClient.DES3_ALGORITHM
-        elif algorithm == sstore.KeyAlgorithm.DSA:
+        elif algorithm.lower() == sstore.KeyAlgorithm.DSA.lower():
            return key.KeyClient.DSA_ALGORITHM
-        elif algorithm == sstore.KeyAlgorithm.RSA:
+        elif algorithm.lower() == sstore.KeyAlgorithm.RSA.lower():
            return key.KeyClient.RSA_ALGORITHM
-        elif algorithm == sstore.KeyAlgorithm.DIFFIE_HELLMAN:
+        elif algorithm.lower() == sstore.KeyAlgorithm.DIFFIE_HELLMAN.lower():
            # may be supported, needs to be tested
            return None
-        elif algorithm == sstore.KeyAlgorithm.EC:
+        elif algorithm.lower() == sstore.KeyAlgorithm.EC.lower():
            # asymmetric keys not yet supported
            return None
        else:
@ -949,9 +955,22 @@ class DogtagCAPlugin(cm.CertificatePluginBase):
        dto = None
        if request_status == pki.cert.CertRequestStatus.COMPLETE:
            if cert is not None:
+                # Barbican is expecting base 64 encoded PEM, so we base64
+                # encode below.
+                #
+                # Currently there is an inconsistency in what Dogtag returns
+                # for certificates and intermediates.  For certs, we return
+                # PEM, whereas for intermediates, we return headerless PEM.
+                # This is being addressed in Dogtag ticket:
+                # https://fedorahosted.org/pki/ticket/1374
+                #
+                # Until this is addressed, simply add the missing headers
+                cert_chain = (CERT_HEADER + "\r\n" + cert.pkcs7_cert_chain +
+                              CERT_FOOTER)
+
                dto = cm.ResultDTO(cm.CertificateStatus.CERTIFICATE_GENERATED,
-                                   certificate=cert.encoded,
-                                   intermediates=cert.pkcs7_cert_chain)
+                                   certificate=base64.b64encode(cert.encoded),
+                                   intermediates=base64.b64encode(cert_chain))
            else:
                raise cm.CertificateGeneralException(
                    u._("request_id {req_id} returns COMPLETE but no cert "
--- a/functionaltests/api/v1/functional/test_certificate_orders.py
+++ b/functionaltests/api/v1/functional/test_certificate_orders.py
@ -234,9 +234,31 @@ class CertificatesTestCase(base.TestCase):
            if secret.name == 'certificate':
                contains_cert = True
                self.assertIsNotNone(secret.secret_ref)
+                self.verify_valid_cert(secret.secret_ref)
+            if secret.name == 'intermediates':
+                self.assertIsNotNone(secret.secret_ref)
+                self.verify_valid_intermediates(secret.secret_ref)

        self.assertTrue(contains_cert)

+    def verify_valid_cert(self, secret_ref):
+        secret_resp = self.secret_behaviors.get_secret(
+            secret_ref,
+            "application/pkix-cert")
+        self.assertIsNotNone(secret_resp)
+        self.assertIsNotNone(secret_resp.content)
+        cert = secret_resp.content
+        crypto.load_certificate(crypto.FILETYPE_PEM, cert)
+
+    def verify_valid_intermediates(self, secret_ref):
+        secret_resp = self.secret_behaviors.get_secret(
+            secret_ref,
+            "application/pkix-cert")
+        self.assertIsNotNone(secret_resp)
+        self.assertIsNotNone(secret_resp.content)
+        cert_chain = secret_resp.content
+        crypto.load_pkcs7_data(crypto.FILETYPE_PEM, cert_chain)
+
    def verify_pending_waiting_for_ca(self, order_resp):
        self.assertEqual('PENDING', order_resp.model.status)
        self.assertEqual(cert_res.ORDER_STATUS_REQUEST_PENDING.id,