From 6dba94a3ab0e1e5bebeaaac0a9f9498146414a75 Mon Sep 17 00:00:00 2001 From: Gabriel Nagy Date: Wed, 16 Aug 2023 12:20:11 +0300 Subject: [PATCH] gp: Convert CA certificates to base64 I don't know whether this applies universally, but in our case the contents of `es['cACertificate'][0]` are binary, so cleanly converting to a string fails with the following: 'utf-8' codec can't decode byte 0x82 in position 1: invalid start byte We found a fix to be encoding the certificate to base64 when constructing the CA list. Section 4.4.5.2 of MS-CAESO also suggests that the content of `cACertificate` is binary (OCTET string). Signed-off-by: Gabriel Nagy Reviewed-by: Joseph Sutton Reviewed-by: David Mulder (cherry picked from commit 157335ee93eb866f9b6a47486a5668d6e76aced5) --- python/samba/gp/gp_cert_auto_enroll_ext.py | 5 ++--- selftest/knownfail.d/gpo | 13 ------------- 2 files changed, 2 insertions(+), 16 deletions(-) delete mode 100644 selftest/knownfail.d/gpo diff --git a/python/samba/gp/gp_cert_auto_enroll_ext.py b/python/samba/gp/gp_cert_auto_enroll_ext.py index c562722906b..c8b5368c16a 100644 --- a/python/samba/gp/gp_cert_auto_enroll_ext.py +++ b/python/samba/gp/gp_cert_auto_enroll_ext.py @@ -158,7 +158,7 @@ def fetch_certification_authorities(ldb): for es in res: data = { 'name': get_string(es['cn'][0]), 'hostname': get_string(es['dNSHostName'][0]), - 'cACertificate': get_string(es['cACertificate'][0]) + 'cACertificate': get_string(base64.b64encode(es['cACertificate'][0])) } result.append(data) return result @@ -176,8 +176,7 @@ def fetch_template_attrs(ldb, name, attrs=None): return {'msPKI-Minimal-Key-Size': ['2048']} def format_root_cert(cert): - cert = base64.b64encode(cert.encode()) - return cert_wrap % re.sub(b"(.{64})", b"\\1\n", cert, 0, re.DOTALL) + return cert_wrap % re.sub(b"(.{64})", b"\\1\n", cert.encode(), 0, re.DOTALL) def find_cepces_submit(): certmonger_dirs = [os.environ.get("PATH"), '/usr/lib/certmonger', diff --git a/selftest/knownfail.d/gpo b/selftest/knownfail.d/gpo deleted file mode 100644 index 0aad59607c2..00000000000 --- a/selftest/knownfail.d/gpo +++ /dev/null @@ -1,13 +0,0 @@ -^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_user_centrify_crontab_ext -^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_user_scripts_ext -^samba.tests.gpo.samba.tests.gpo.GPOTests.test_rsop -^samba.tests.gpo.samba.tests.gpo.GPOTests.test_vgp_access -^samba.tests.gpo.samba.tests.gpo.GPOTests.test_vgp_files -^samba.tests.gpo.samba.tests.gpo.GPOTests.test_vgp_issue -^samba.tests.gpo.samba.tests.gpo.GPOTests.test_vgp_motd -^samba.tests.gpo.samba.tests.gpo.GPOTests.test_vgp_openssh -^samba.tests.gpo.samba.tests.gpo.GPOTests.test_vgp_startup_scripts -^samba.tests.gpo.samba.tests.gpo.GPOTests.test_vgp_sudoers -^samba.tests.gpo.samba.tests.gpo.GPOTests.test_vgp_symlink -^samba.tests.gpo.samba.tests.gpo.GPOTests.test_advanced_gp_cert_auto_enroll_ext -^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_cert_auto_enroll_ext -- 2.11.4.GIT