gpo: Decode base64 root cert before importing

The reasoning behind this is described in the previous commit message,
but essentially this should either be wrapped in certificate blocks and
imported as PEM, or converted back to binary and imported as DER.

I've opted for the latter since it's how it used to work before it
regressed in 157335ee93e.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15557

Signed-off-by: Gabriel Nagy <gabriel.nagy@canonical.com>
Reviewed-by: David Mulder <dmulder@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 3f3ddfa699a33c2c8a59f7fb9ee044bb2a6e0e06)

diff --git a/python/samba/gp/gp_cert_auto_enroll_ext.py b/python/samba/gp/gp_cert_auto_enroll_ext.py
index 2122cc439f41b8ac123b2690c0fb300a282d86a0..b3ecdc5bf5e42d46cb0aae9b8653da9e8f4cdee6 100644 (file)
--- a/python/samba/gp/gp_cert_auto_enroll_ext.py
+++ b/python/samba/gp/gp_cert_auto_enroll_ext.py
@@ -217,10 +217,11 @@ def getca(ca, url, trust_dir):
                  ' installed or not configured.')
         if 'cACertificate' in ca:
             log.warn('Installing the server certificate only.')
+            der_certificate = base64.b64decode(ca['cACertificate'])
             try:
-                cert = load_der_x509_certificate(ca['cACertificate'])
+                cert = load_der_x509_certificate(der_certificate)
             except TypeError:
-                cert = load_der_x509_certificate(ca['cACertificate'],
+                cert = load_der_x509_certificate(der_certificate,
                                                  default_backend())
             cert_data = cert.public_bytes(Encoding.PEM)
             with open(root_cert, 'wb') as w:

diff --git a/selftest/knownfail.d/gpo b/selftest/knownfail.d/gpo
deleted file mode 100644 (file)
index f1e590b..0000000
--- a/selftest/knownfail.d/gpo
+++ /dev/null
@@ -1 +0,0 @@
-^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_cert_auto_enroll_ext_without_ndes