From 9c98ae152210320710932f83414e12c43ee4439a Mon Sep 17 00:00:00 2001
From: RedProkofiev
Date: Mon, 2 Oct 2023 14:42:15 +0000
Subject: [PATCH] PyOpenSSL handling of DN outputs

---
 requirements.txt | 1 +
 ssm/crypto.py | 25 +++++++++++++++++--------
 2 files changed, 18 insertions(+), 8 deletions(-)

diff --git a/requirements.txt b/requirements.txt
index e2c93c97..930687c5 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -2,6 +2,7 @@
 argo-ams-library
 certifi<2020.4.5.2 # Used by AMS (via requests), 2020.4.5.2 dropped support for Python 2
+pyOpenSSL
 stomp.py<5.0.0
 python-daemon<=2.3.0 # 2.3.1 dropped support for Python 2
 python-ldap<3.4.0 # python-ldap-3.4.0 dropped support for Python 2
diff --git a/ssm/crypto.py b/ssm/crypto.py
index 13badd8b..41983d60 100644
--- a/ssm/crypto.py
+++ b/ssm/crypto.py
@@ -23,6 +23,7 @@
 from __future__ import print_function
 from subprocess import Popen, PIPE
+import OpenSSL
 import quopri
 import base64
 import logging
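Review bot: `pyOpenSSL` is the only entry in this file without a version constraint, while every neighbouring line carries a ceiling pin and a comment explaining the Python 2 boundary; an unpinned entry means each install silently resolves to whatever release is current, which is the opposite of what the rest of the file is trying to guarantee. The new docstring in ssm/crypto.py states the code targets Python 3.6+ with OpenSSL 1.0.2 and 1.1.1, so the entry should express that tested range, e.g. `pyOpenSSL>=<MIN_TESTED>,<<NEXT_MAJOR> # PLACEHOLDER: fill in the versions validated against OpenSSL 1.0.2/1.1.1`. If this commit is also the point where Python 2 support is dropped for this module, that belongs in the commit message rather than only in a docstring.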
@@ -297,17 +298,25 @@ def verify_cert_path(certpath, capath, check_crls=True):
 def get_certificate_subject(certstring):
-    """Return the certificate subject's DN, in legacy openssl format."""
-    p1 = Popen(['openssl', 'x509', '-noout', '-subject'],
-               stdin=PIPE, stdout=PIPE, stderr=PIPE, universal_newlines=True)
-
-    subject, error = p1.communicate(certstring)
+    """Return the certificate subject's DN, in legacy openssl format.
-    if (error != ''):
+    In 3.4.0, this was updated to use PyOpenSSL to maintain compatibility with
+    Python 3.6 and later versions, along with OpenSSL 1.0.2 and 1.1.1.
+    """
+    try:
+        subject_x509name = OpenSSL.crypto.load_certificate(
+            type=OpenSSL.crypto.FILETYPE_PEM,
+            buffer=certstring
+        ).get_subject()
+    except Exception as error:
         log.error(error)
-        raise CryptoException('Failed to get subject: %s' % error)
+        log.error(CryptoException)
+        raise error
+
+    # Outputs DN in slash-separated format
+    subject = "".join("/{:s}={:s}".format(name.decode(), value.decode())
+                      for name, value in subject_x509name.get_components())
-    subject = subject.strip()[9:] # remove 'subject= ' from the front
     return subject
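Review bot: The new `except Exception as error:` block re-raises the underlying library error instead of the `CryptoException` the removed code raised, so any caller that catches `CryptoException` to reject an unparseable certificate will now let an `OpenSSL.crypto.Error` (or whatever else `load_certificate` raises) escape unhandled, and `log.error(CryptoException)` logs only the class name rather than a message. Keeping the existing contract means catching the library error and wrapping it: `except OpenSSL.crypto.Error as error:` / `log.error(error)` / `raise CryptoException('Failed to get subject: %s' % error)`. Separately, the join assumes every component decodes as UTF-8 and does not escape `/` or `=` inside values, so a DN component containing those characters produces an ambiguous string; if the result is compared against configured DNs elsewhere, a comment such as `# NOTE: components are not escaped; a '/' or '=' inside a value makes the string ambiguous` should sit above the join. The old `[9:]` strip implies the previous output was OpenSSL 1.0.2's `subject= /C=...` form, so the docstring could state explicitly that the slash-separated format is now produced regardless of which OpenSSL version is linked.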