[Freeipa-devel] [PATCH] 318 add PKCS#10 parser
Rob Crittenden
rcritten at redhat.com
Tue Nov 24 21:17:15 UTC 2009
The pyOpenSSL PKCS#10 parser doesn't provide a way to get to attributes
so we can't get the subject alt names (or other interesting bits). This
pyasn1-based parser adds that support.
I'm also switching to the pyasn1 X509v3 support because older releases
of pyOpenSSL lacked the get_components() method on subjects making it
difficult to get a usable subject.
This PKCS#10 parser cannot handle all possible attribute types. It
should be robust enough to not blow up if it gets something it knows
nothing about.
If a subjectaltname extension is present in a CSR we:
- require that the host(s) exist in IPA
- If the requestor is a machine then the alt names must be present in
the service's managedBy attribute. This is so we can control what
host(s) a machine can request a cert for.
I'm working on a way to be able to set the service principal within the
request. Nalin's certmonger program will set it as an otherName in the
GeneralNames attribute. We should be able to make principal an optional
argument to cert-request and use the value from the CSR (and blow up if
we get it neither way).
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-318-pkcs10.patch
Type: application/mbox
Size: 51534 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20091124/6fe97006/attachment.mbox>
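The patch itself is an attachment and is not reproduced here. The following is an added example, written for this page and not taken from the FreeIPA patch or from certmonger: a stdlib-only DER walker that pulls the subjectAltName extension out of a PKCS#10 request (the extensionRequest attribute pyOpenSSL does not expose), returns dNSName entries and otherName entries, and survives GeneralName choices it does not understand instead of raising. The CSR bytes are constructed inline with a small DER encoder; the public key and signature are placeholders because only parsing is demonstrated. The mail does not say which otherName type certmonger uses for the principal, so the example assumes a UTF8String under the Microsoft UPN OID 1.3.6.1.4.1.311.20.2.3; the `managed_by` list stands in for the LDAP managedBy lookup and is also an assumption.

```python
# Added example: parse subjectAltName out of a PKCS#10 CSR with nothing but
# the standard library. Not code from the FreeIPA patch.

EXT_REQ = "1.2.840.113549.1.9.14"        # pkcs-9-at-extensionRequest
SAN = "2.5.29.17"                        # id-ce-subjectAltName
UPN = "1.3.6.1.4.1.311.20.2.3"           # assumed otherName type for the principal


# --- minimal DER encoder (only used to construct the sample CSR) ---
def _len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + _len(len(body)) + body

def oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += reversed(chunk)
    return tlv(0x06, bytes(out))

def build_csr(cn, dns_names, principal=None, raw_extra=b""):
    """Constructed CSR: placeholder key and signature, real SAN extension."""
    subject = tlv(0x30, tlv(0x31, tlv(0x30, oid("2.5.4.3") + tlv(0x0C, cn.encode()))))
    spki = tlv(0x30, tlv(0x30, oid("1.2.840.113549.1.1.1") + tlv(0x05, b""))
                + tlv(0x03, b"\x00\x30\x00"))                  # not a real key
    names = b"".join(tlv(0x82, d.encode()) for d in dns_names) + raw_extra
    if principal:                                              # otherName [0] first
        names = tlv(0xA0, oid(UPN) + tlv(0xA0, tlv(0x0C, principal.encode()))) + names
    san_ext = tlv(0x30, oid(SAN) + tlv(0x04, tlv(0x30, names)))
    ext_req = tlv(0x30, oid(EXT_REQ) + tlv(0x31, tlv(0x30, san_ext)))
    cri = tlv(0x30, tlv(0x02, b"\x00") + subject + spki + tlv(0xA0, ext_req))
    sig_alg = tlv(0x30, oid("1.2.840.113549.1.1.11") + tlv(0x05, b""))
    return tlv(0x30, cri + sig_alg + tlv(0x03, b"\x00" * 9))  # dummy signature


# --- minimal DER decoder ---
def parse(buf, pos=0):
    """Return (tag, contents, position after this TLV)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def children(body):
    pos = 0
    while pos < len(body):
        tag, val, pos = parse(body, pos)
        yield tag, val

def decode_oid(b):
    arcs, v = [b[0] // 40, b[0] % 40], 0
    for x in b[1:]:
        v = (v << 7) | (x & 0x7F)
        if not x & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))

def _general_name(tag, body):
    if tag == 0x82:                                   # dNSName [2] IA5String
        return ("dNSName", body.decode("ascii"))
    if tag == 0xA0:                                   # otherName [0] SEQUENCE
        parts = list(children(body))
        type_id = decode_oid(parts[0][1])
        _, inner, _ = parse(parts[1][1])              # unwrap the [0] EXPLICIT value
        return ("otherName", (type_id, inner.decode("utf-8", "replace")))
    return ("unknown", tag)                           # unhandled choice: keep going

def csr_subject_alt_names(der):
    """All GeneralNames from the CSR's subjectAltName; [] if none is present."""
    _, csr, _ = parse(der)
    _, cri, _ = parse(csr)                            # certificationRequestInfo
    found = []
    for attr_set in (v for t, v in children(cri) if t == 0xA0):   # [0] attributes
        for _, attr in children(attr_set):
            fields = list(children(attr))             # Attribute: type, SET OF values
            if decode_oid(fields[0][1]) != EXT_REQ:
                continue
            for _, exts in children(fields[1][1]):    # value is Extensions
                for _, ext in children(exts):
                    ef = list(children(ext))          # extnID, [critical], extnValue
                    if decode_oid(ef[0][1]) != SAN:
                        continue
                    _, gen_names, _ = parse(ef[-1][1])
                    found.extend(_general_name(t, v) for t, v in children(gen_names))
    return found

def hosts_allowed(san, managed_by):
    """Machine requestor: every dNSName must be a host it manages (assumed list)."""
    managed = {h.lower() for h in managed_by}
    return all(v.lower() in managed for k, v in san if k == "dNSName")
```

The `("unknown", tag)` branch is the "don't blow up" behaviour the mail asks for: an rfc822Name or iPAddress in the SAN is reported by tag and the remaining names are still returned, so a caller can decide whether unknown entries should be rejected rather than silently ignored.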