[Freeipa-devel] [PATCH] 318 add PKCS#10 parser

Rob Crittenden rcritten at redhat.com
Tue Nov 24 21:17:15 UTC 2009


The pyOpenSSL PKCS#10 parser doesn't provide a way to get to attributes 
so we can't get the subject alt names (or other interesting bits). This 
pyasn1-based parser adds that support.

I'm also switching to the pyasn1 X509v3 support because older releases 
of pyOpenSSL lacked the get_components() method on subjects making it 
difficult to get a usable subject.

This PKCS#10 parser cannot handle all possible attribute types. It 
should be robust enough to not blow up if it gets something it knows 
nothing about.

If a subjectaltname extension is present in a CSR we:

- require that the host(s) exist in IPA
- If the requestor is a machine then the alt names must be present in 
the services managedBy attribute. This is so we can control what 
host(s) a machine can request a cert for.

I'm working on a way to be able to set the service principal within the 
request. Nalin's certmonger program will set it as an otherName in the 
GeneralNames attribute. We should be able to make principal an optional 
argument to cert-request and use the value from the CSR (and blow up if 
we get it neither way).

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-318-pkcs10.patch
Type: application/mbox
Size: 51534 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20091124/6fe97006/attachment.mbox>
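The two pieces the post describes, walking the CSR's attributes to find the subjectAltName inside the extensionRequest attribute and then applying the alt-name policy, as an added illustration that is not Rob's patch and not FreeIPA's pyasn1-based code. It uses only the standard library (a tiny DER walker instead of pyasn1), skips attributes and GeneralName choices it does not understand rather than raising, and reports an otherName only by its type-id OID. The sample CSR it builds is constructed, with a placeholder key and signature, and the policy function's data model (a set of known IPA hosts plus the managedBy host set of one service entry, with a machine requestor identified by its FQDN) is an assumption about how the check would be wired up.

```python
EXT_REQ_OID = "1.2.840.113549.1.9.14"  # PKCS#9 extensionRequest attribute
SAN_OID = "2.5.29.17"                  # id-ce-subjectAltName extension


def _read_tlv(buf, pos):
    """Read one DER element at pos; return (tag, value bytes, next pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(body):
    """Yield (tag, value) for each element inside a constructed DER body."""
    pos = 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        yield tag, val


def _decode_oid(body):
    """Decode OBJECT IDENTIFIER contents to dotted form."""
    parts, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(acc)
            acc = 0
    return ".".join(map(str, parts))


def subject_alt_names(csr_der):
    """Return SAN entries of a DER CSR as (kind, value); unknown bits are skipped, not raised on."""
    _, cert_req, _ = _read_tlv(csr_der, 0)       # CertificationRequest SEQUENCE
    _, cri, _ = _read_tlv(cert_req, 0)           # certificationRequestInfo
    names = []
    for tag, attrs in list(_children(cri))[3:]:  # after version, subject, SPKI
        if tag != 0xA0:                          # attributes [0] IMPLICIT SET OF Attribute
            continue
        for _, attr in _children(attrs):
            fields = [v for _, v in _children(attr)]   # type OID, values SET
            if len(fields) < 2 or _decode_oid(fields[0]) != EXT_REQ_OID:
                continue                         # an attribute we know nothing about
            for _, extensions in _children(fields[1]):
                for _, ext in _children(extensions):
                    ext_fields = [v for _, v in _children(ext)]  # extnID, [critical], extnValue
                    if _decode_oid(ext_fields[0]) != SAN_OID:
                        continue
                    _, general_names, _ = _read_tlv(ext_fields[-1], 0)  # OCTET STRING wraps GeneralNames
                    for gtag, gval in _children(general_names):
                        if gtag == 0x82:             # dNSName [2] IA5String
                            names.append(("dNSName", gval.decode("ascii")))
                        elif gtag == 0xA0:           # otherName [0]: report only its type-id OID
                            names.append(("otherName", _decode_oid(next(_children(gval))[1])))
                        else:
                            names.append(("unsupported", gtag))
    return names


def check_alt_names(alt_names, known_hosts, requestor_host=None, managed_by=()):
    """Policy from the post (assumed data model): every dNSName must be a known IPA host,
    and a machine requestor may only name hosts in the service's managedBy set."""
    for kind, value in alt_names:
        if kind != "dNSName":
            continue                             # otherName etc. are not subject to this check
        if value not in known_hosts:
            return False, "unknown host " + value
        if requestor_host is not None and value not in managed_by:
            return False, requestor_host + " may not request a cert for " + value
    return True, "ok"


# --- constructed sample CSR: placeholder key and signature, no real crypto ---
def _der(tag, body):
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _oid_bytes(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = [parts[0] * 40 + parts[1]]
    for p in parts[2:]:
        enc = [p & 0x7F]
        p >>= 7
        while p:
            enc.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(enc))
    return bytes(out)


def build_sample_csr(dns_names, other_name_oid=None):
    """Structurally valid CSR carrying a SAN plus one attribute the parser does not know."""
    general_names = b"".join(_der(0x82, n.encode("ascii")) for n in dns_names)
    if other_name_oid:                           # otherName { type-id, [0] EXPLICIT value }
        general_names += _der(0xA0, _der(0x06, _oid_bytes(other_name_oid))
                              + _der(0xA0, _der(0x0C, b"placeholder")))
    san_ext = _der(0x30, _der(0x06, _oid_bytes(SAN_OID)) + _der(0x04, _der(0x30, general_names)))
    ext_req = _der(0x30, _der(0x06, _oid_bytes(EXT_REQ_OID)) + _der(0x31, _der(0x30, san_ext)))
    unknown = _der(0x30, _der(0x06, _oid_bytes("1.2.3.4")) + _der(0x31, _der(0x04, b"opaque")))
    cri = _der(0x30, _der(0x02, b"\x00") + _der(0x30, b"") + _der(0x30, _der(0x05, b""))
               + _der(0xA0, unknown + ext_req))
    return _der(0x30, cri + _der(0x30, _der(0x05, b"")) + _der(0x03, b"\x00"))
```

With `build_sample_csr(["web1.example.test", "web2.example.test"], "1.3.6.1.5.2.2")` the parser returns the two dNSName entries followed by one otherName entry, and `check_alt_names` rejects the request when the requestor is a machine whose service managedBy set does not list both hosts, or when either host is not a known IPA host. Note that only the type-id of an otherName is surfaced here; decoding a Kerberos principal out of it is the separate step the post says is still being worked on.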