[Pkg-freeipa-devel] [Git][freeipa-team/freeipa][master] 2 commits: patches: Support PyCA 44.0. (Closes: #1118599)
Timo Aaltonen (@tjaalton)
gitlab at salsa.debian.org
Fri Oct 24 16:14:23 BST 2025
Timo Aaltonen pushed to branch master at FreeIPA packaging / freeipa
Commits:
6ed54020 by Timo Aaltonen at 2025-10-24T18:12:17+03:00
patches: Support PyCA 44.0. (Closes: #1118599)
- - - - -
9c800384 by Timo Aaltonen at 2025-10-24T18:13:47+03:00
releasing package freeipa version 4.12.4-2
- - - - -
3 changed files:
- debian/changelog
- + debian/patches/0001-ipalib-x509-support-PyCA-44.0.patch
- debian/patches/series
Changes:
=====================================
debian/changelog
=====================================
@@ -1,3 +1,9 @@
+freeipa (4.12.4-2) unstable; urgency=medium
+
+ * patches: Support PyCA 44.0. (Closes: #1118599)
+
+ -- Timo Aaltonen <tjaalton at debian.org> Fri, 24 Oct 2025 18:12:18 +0300
+
freeipa (4.12.4-1) unstable; urgency=medium
* New upstream release.
=====================================
debian/patches/0001-ipalib-x509-support-PyCA-44.0.patch
=====================================
@@ -0,0 +1,166 @@
+From d4d56a6705c870901bc73882e4804367f7c9c91a Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy at redhat.com>
+Date: Sun, 1 Dec 2024 20:16:54 +0200
+Subject: [PATCH] ipalib/x509: support PyCA 44.0
+
+PyCA made x509.Certificate class concrete, it cannot be extended anymore
+by Python code. The intent is to use helper functions to instantiate
+certificate objects and never create them directly.
+
+FreeIPA wraps PyCA's x509.Certificate class and provides own shim
+on top of it. In most cases we load the certificate content via the
+helper functions and don't really need to derive from the certificate
+class.
+
+Move IPACertificate to be a normal Python object class that stores
+x509.Certificate internally. The only place where this breaks is when
+IPACertificate object needs to be passed to a code that expects
+x509.Certificate (Dogtag PKI). In such cases, expose the underlying
+certificate instance via IPACertificate.cert property.
+
+Fixes: https://pagure.io/freeipa/issue/9708
+
+Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
+Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
+---
+ ipalib/ipajson.py | 4 ++--
+ ipalib/x509.py | 10 +++++++++-
+ ipapython/ipaldap.py | 15 +++++++--------
+ ipaserver/plugins/dogtag.py | 3 ++-
+ 4 files changed, 20 insertions(+), 12 deletions(-)
+
+diff --git a/ipalib/ipajson.py b/ipalib/ipajson.py
+index 5551d12e5..fd99c8219 100644
+--- a/ipalib/ipajson.py
++++ b/ipalib/ipajson.py
+@@ -9,7 +9,7 @@ from decimal import Decimal
+ import json
+ import six
+ from ipalib.constants import LDAP_GENERALIZED_TIME_FORMAT
+-from ipalib import capabilities
++from ipalib import capabilities, x509
+ from ipalib.x509 import Encoding as x509_Encoding
+ from ipapython.dn import DN
+ from ipapython.dnsutil import DNSName
+@@ -72,7 +72,7 @@ class _JSONPrimer(dict):
+ list: self._enc_list,
+ tuple: self._enc_list,
+ dict: self._enc_dict,
+- crypto_x509.Certificate: self._enc_certificate,
++ x509.IPACertificate: self._enc_certificate,
+ crypto_x509.CertificateSigningRequest: self._enc_certificate,
+ })
+
+diff --git a/ipalib/x509.py b/ipalib/x509.py
+index fd0823896..6780bead0 100644
+--- a/ipalib/x509.py
++++ b/ipalib/x509.py
+@@ -88,7 +88,7 @@ SAN_UPN = '1.3.6.1.4.1.311.20.2.3'
+ SAN_KRB5PRINCIPALNAME = '1.3.6.1.5.2.2'
+
+
+-class IPACertificate(crypto_x509.Certificate):
++class IPACertificate:
+ """
+ A proxy class wrapping a python-cryptography certificate representation for
+ IPA purposes
+@@ -205,6 +205,10 @@ class IPACertificate(crypto_x509.Certificate):
+ """
+ return self._cert.fingerprint(algorithm)
+
++ @property
++ def cert(self):
++ return self._cert
++
+ @property
+ def serial_number(self):
+ return self._cert.serial_number
+@@ -457,6 +461,8 @@ def load_pem_x509_certificate(data):
+ :returns: a ``IPACertificate`` object.
+ :raises: ``ValueError`` if unable to load the certificate.
+ """
++ if isinstance(data, IPACertificate):
++ return data
+ return IPACertificate(
+ crypto_x509.load_pem_x509_certificate(data, backend=default_backend())
+ )
+@@ -469,6 +475,8 @@ def load_der_x509_certificate(data):
+ :returns: a ``IPACertificate`` object.
+ :raises: ``ValueError`` if unable to load the certificate.
+ """
++ if isinstance(data, IPACertificate):
++ return data
+ return IPACertificate(
+ crypto_x509.load_der_x509_certificate(data, backend=default_backend())
+ )
+diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py
+index 1888e4091..5bb81c1bc 100644
+--- a/ipapython/ipaldap.py
++++ b/ipapython/ipaldap.py
+@@ -33,7 +33,6 @@ import warnings
+
+ from collections import OrderedDict
+
+-from cryptography import x509 as crypto_x509
+ from cryptography.hazmat.primitives import serialization
+
+ import ldap
+@@ -748,10 +747,10 @@ class LDAPClient:
+ 'dnszoneidnsname': DNSName,
+ 'krbcanonicalname': Principal,
+ 'krbprincipalname': Principal,
+- 'usercertificate': crypto_x509.Certificate,
+- 'usercertificate;binary': crypto_x509.Certificate,
+- 'cACertificate': crypto_x509.Certificate,
+- 'cACertificate;binary': crypto_x509.Certificate,
++ 'usercertificate': x509.IPACertificate,
++ 'usercertificate;binary': x509.IPACertificate,
++ 'cACertificate': x509.IPACertificate,
++ 'cACertificate;binary': x509.IPACertificate,
+ 'nsds5replicalastupdatestart': unicode,
+ 'nsds5replicalastupdateend': unicode,
+ 'nsds5replicalastinitstart': unicode,
+@@ -1000,7 +999,7 @@ class LDAPClient:
+ return dct
+ elif isinstance(val, datetime):
+ return val.strftime(LDAP_GENERALIZED_TIME_FORMAT).encode('utf-8')
+- elif isinstance(val, crypto_x509.Certificate):
++ elif isinstance(val, x509.IPACertificate):
+ return val.public_bytes(x509.Encoding.DER)
+ elif val is None:
+ return None
+@@ -1027,7 +1026,7 @@ class LDAPClient:
+ return DNSName.from_text(val.decode('utf-8'))
+ elif target_type in (DN, Principal):
+ return target_type(val.decode('utf-8'))
+- elif target_type is crypto_x509.Certificate:
++ elif target_type is x509.IPACertificate:
+ return x509.load_der_x509_certificate(val)
+ else:
+ return target_type(val)
+@@ -1381,7 +1380,7 @@ class LDAPClient:
+ ]
+ return cls.combine_filters(flts, rules)
+ elif value is not None:
+- if isinstance(value, crypto_x509.Certificate):
++ if isinstance(value, x509.IPACertificate):
+ value = value.public_bytes(serialization.Encoding.DER)
+ if isinstance(value, bytes):
+ value = binascii.hexlify(value).decode('ascii')
+diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py
+index 78afb2797..ee6d0e347 100644
+--- a/ipaserver/plugins/dogtag.py
++++ b/ipaserver/plugins/dogtag.py
+@@ -1581,7 +1581,8 @@ class kra(Backend):
+
+ crypto = cryptoutil.CryptographyCryptoProvider(
+ transport_cert_nick="ra_agent",
+- transport_cert=x509.load_certificate_from_file(paths.RA_AGENT_PEM)
++ transport_cert=x509.load_certificate_from_file(
++ paths.RA_AGENT_PEM).cert
+ )
+
+ # TODO: obtain KRA host & port from IPA service list or point to KRA load balancer
+--
+2.51.0
+
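Review bot: The type dispatch in `_JSONPrimer` (ipalib/ipajson.py hunk at line 72) and the `isinstance` checks in ipapython/ipaldap.py (the encoding branch in the hunk at line 1000 and the filter branch in the hunk at line 1381) now match only `x509.IPACertificate`, so a bare `cryptography.x509.Certificate` — which this same patch starts handing out through the new `IPACertificate.cert` property for Dogtag — no longer takes the certificate path and presumably falls through to each function's generic handling, which could yield a wrong JSON encoding or a malformed LDAP filter value. Unless every caller is known to pass IPACertificate, keeping the old key next to the new one is the safer form: `crypto_x509.Certificate: self._enc_certificate,` alongside `x509.IPACertificate: self._enc_certificate,` in the primer table, and `isinstance(val, (x509.IPACertificate, crypto_x509.Certificate))` in ipaldap, which would need the `crypto_x509` import the patch removes in the hunk at line 33 restored. The new `cert` property in ipalib/x509.py (hunk at line 205) also has no docstring; `"""The wrapped cryptography.x509.Certificate, for APIs that require the PyCA object itself (e.g. Dogtag)."""` would record why the wrapper is deliberately leaked. The enclosing `_JSONPrimer`, `IPACertificate` and `LDAPClient` definitions all extend outside the hunks shown.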
=====================================
debian/patches/series
=====================================
@@ -8,3 +8,4 @@ fix-sssd-socket-activation.diff
map-ssh-service.diff
Make-path-of-Samba-lock-directory-configurable-and-u.patch
Make-name-of-nobody-group-configurable-and-use-nogro.patch
+0001-ipalib-x509-support-PyCA-44.0.patch