[Freeipa-devel] [PATCH] 318 add PKCS#10 parser
Jason Gerard DeRose
jderose at redhat.com
Tue Dec 1 01:26:44 UTC 2009
On Tue, 2009-11-24 at 16:17 -0500, Rob Crittenden wrote:
> The pyOpenSSL PKCS#10 parser doesn't provide a way to get to attributes
> so we can't get the subject alt names (or other interesting bits). This
> pyasn1-based parser adds that support.
>
> I'm also switching to the pyasn1 X509v3 support because older releases
> of pyOpenSSL lacked the get_components() method on subjects making it
> difficult to get a usable subject.
>
> This PKCS#10 parser cannot handle all possible attribute types. It
> should be robust enough to not blow up if it gets something it knows
> nothing about.
>
> If a subjectaltname extension is present in a CSR we:
>
> - require that the host(s) exist in IPA
> - If the requestor is a machine then the alt names must be present in
> the services managedBy attribute. This is so we can control what
> host(s) a machine can request a cert for.
>
> I'm working on a way to be able to set the service principal within the
> request. Nalin's certmonger program will set it as an otherName in the
> GeneralNames attribute. We should be able to make principal an optional
> argument to cert-request and use the value from the CSR (and blow up if
> we get it neither way).
>
> rob
ack. pushed to master.
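As an added example, not code from this patch or from FreeIPA: a stdlib-only Python walk over a DER-encoded PKCS#10 request that pulls the dNSName entries out of a subjectAltName carried in the extensionRequest attribute, and skips attribute types it does not recognise rather than failing, which is the behaviour Rob describes above. The constructed sample CSR (stub key and signature, the host names, the challengePassword value) is an assumption made for the example.

```python
# Added example (not FreeIPA's pyasn1 parser): minimal DER walk over a PKCS#10 CertificationRequest.
EXTENSION_REQUEST = bytes.fromhex("2a864886f70d01090e")  # OID 1.2.840.113549.1.9.14
SUBJECT_ALT_NAME = bytes.fromhex("551d11")              # OID 2.5.29.17

def tlv(buf, pos=0):                         # decode one DER TLV at pos -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low bits = number of length octets
        n, pos = length & 0x7F, pos + (length & 0x7F)
        length = int.from_bytes(buf[pos - n:pos], "big")
    return tag, buf[pos:pos + length], pos + length

def children(value):                         # yield (tag, value) for each TLV inside a constructed value
    pos = 0
    while pos < len(value):
        tag, inner, pos = tlv(value, pos)
        yield tag, inner

def csr_dns_names(der_csr):
    """dNSName entries of the CSR's subjectAltName; [] when the CSR carries none."""
    info = tlv(tlv(der_csr)[1])[1]           # CertificationRequest -> CertificationRequestInfo
    attrs = [v for t, v in children(info) if t == 0xA0]   # attributes: [0] IMPLICIT SET OF Attribute
    names = []
    for _, attr in children(attrs[0] if attrs else b""):  # Attribute ::= SEQUENCE { type OID, values SET }
        (_, oid), (_, values) = list(children(attr))[:2]
        if oid != EXTENSION_REQUEST:         # unknown attribute type: skip it, do not blow up
            continue
        for _, ext in children(tlv(values)[1]):   # values SET -> Extensions ::= SEQUENCE OF Extension
            parts = list(children(ext))      # extnID, [critical], extnValue
            if parts[0][1] == SUBJECT_ALT_NAME:
                for gtag, gval in children(tlv(parts[-1][1])[1]):  # OCTET STRING wraps GeneralNames
                    if gtag == 0x82:         # [2] dNSName; otherName, iPAddress, ... are ignored here
                        names.append(gval.decode("ascii"))
    return names

def der(tag, *parts):                        # tiny encoder, only for building the constructed sample
    body = b"".join(parts)
    return bytes([tag]) + (bytes([len(body)]) if len(body) < 128 else bytes([0x81, len(body)])) + body
OID, SEQ, SET = lambda h: der(0x06, bytes.fromhex(h)), lambda *p: der(0x30, *p), lambda *p: der(0x31, *p)
# Constructed sample CSR: stub key/signature, a challengePassword attribute the parser does not know,
# and an extensionRequest with two dNSNames plus one iPAddress (which must be ignored).
SAMPLE_CSR = SEQ(
    SEQ(der(0x02, b"\x00"),
        SEQ(SET(SEQ(OID("550403"), der(0x0C, b"host.example.test")))),           # subject CN
        SEQ(SEQ(OID("2a864886f70d010101"), der(0x05)), der(0x03, b"\x00\x00")),  # SPKI stub
        der(0xA0,
            SEQ(OID("2a864886f70d010907"), SET(der(0x0C, b"secret"))),          # challengePassword
            SEQ(der(0x06, EXTENSION_REQUEST), SET(SEQ(SEQ(der(0x06, SUBJECT_ALT_NAME), der(0x04, SEQ(
                der(0x82, b"host.example.test"), der(0x82, b"alias.example.test"),
                der(0x87, b"\x0a\x00\x00\x01"))))))))),
    SEQ(OID("2a864886f70d01010b"), der(0x05)), der(0x03, b"\x00\x00"))          # sig alg, signature stub
```

Running `csr_dns_names(SAMPLE_CSR)` yields the two dNSNames, which is the list an IPA-side check would then compare against the hosts (or the service's managedBy entries) before issuing.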