[Freeipa-devel] CSR autogeneration next steps

Jan Cholasta jcholast at redhat.com
Mon Dec 5 09:25:17 UTC 2016


Hi Ben,

On 3.11.2016 00:12, Ben Lipton wrote:
> Hi everybody,
>
> Soon I'm going to have to reduce the amount of time I spend on new
> development work for the CSR autogeneration project, and I want to leave
> the project in as organized a state as possible. So, I'm taking
> inventory of the work I've done in order to make sure that what's ready
> for review can get reviewed and the ideas that have been discussed get
> prototyped or at least recorded so they won't be forgotten.

Thanks, I have some questions and comments, see below.

>
> Code that's ready for review (I will continue to put in as much time as
> needed to help get these ready for submission):
>
> - Current PR: https://github.com/freeipa/freeipa/pull/10

How hard would it be to update the PR to use the "new" interface from 
the design thread? By this I mean that currently there is a command 
(cert_get_requestdata), which creates a CSR from profile id + principal 
+ helper, but in the design we discussed a command which creates a 
CertificationRequestInfo from profile id + principal + public key.

Internally it could use the OpenSSL helper, no need to implement the 
full "new" design. With your build_requestinfo.c code below it looks 
like it should be pretty straightforward.

>
> - Allow some fields to be specified by the user at creation time:
> https://github.com/LiptonB/freeipa/commits/local-user-data

Good idea :-)

>
> - Automation for the full process from getting CSR data to requesting
> cert: https://github.com/LiptonB/freeipa/commits/local-cert-build

LGTM, although I would prefer if this was a client-side extension of 
cert-request rather than a completely new command.

>
> Other prototypes and design ideas that aren't ready for submission yet:
>
> - Utility written in C to build a CertificationRequestInfo from a
> SubjectPublicKeyInfo and an openssl-style config file. The purpose of
> this is to take a config that my code already knows how to generate, and
> put it in a form that certmonger can use. This is nearly done and
> available at:
> https://github.com/LiptonB/freeipa-prototypes/blob/master/build_requestinfo.c

Nice! As I said above, this could really make implementing the "new" 
csrgen interface simple.

>
>
> - Ideally it should be possible to use this tool to reimplement the full
> cert-request automation (local-cert-build branch) without a dependency
> on the certutil/openssl tools. However, I don't think any of the python
> crypto libraries have bindings for the functions that deal with
> CertificationRequestInfo objects, so I don't think I can do this in the
> short term.

You can use python-cffi to write your own minimal bindings. It's fairly 
straightforward, take a look at FreeIPA commit 500ee7e2 for an example 
of how to port C code to Python with python-cffi.

>
> - Certmonger "helper" program that takes in the CertificationRequestInfo
> that certmonger generates, calls out to IPA for profile-specific data,
> and returns an updated CertificationRequestInfo built from the data.
> Certmonger doesn't currently support this type of helper, but (if I
> understood correctly) this is the architecture Nalin believed would be
> simplest to fit in. This is not done yet, but I intend to complete it
> soon - it shouldn't require much code beyond what's in build_requestinfo.c.

To me this sounds like it should be a new operation of the current 
helper rather than a completely new helper.

Anyway, the ultimate goal is to move the csrgen code to the server, 
which means everything the helper will have to do is call a command over 
RPC.

>
> - Tool to convert an XER-encoded cert extension to DER, given the ASN.1
> description of the extension. This would unblock Jan Cholasta's idea of
> using XSLT for templates rather than text-based formatting. I should be
> able to implement the conversion tool, but it may be a while before I
> have time to demo the full XSLT idea.

Was there any progress on this?

>
> So: currently on my to do list are the certmonger helper and the
> XER->DER conversion tool. Do you have any comments about these plans,
> and is there anything else I can do to wrap up the project neatly?
>
> Thanks,
> Ben
>

Honza

-- 
Jan Cholasta
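The structure the thread keeps referring to, a CertificationRequestInfo built from a SubjectPublicKeyInfo plus request data, is small enough to encode directly. The following is an added example, not FreeIPA, certmonger or Ben's build_requestinfo.c code: it uses only the Python standard library to emit the RFC 2986 CertificationRequestInfo in DER (version, subject, embedded SPKI, and an extensionRequest attribute carrying a subjectAltName), and then walks the result so a helper can check what is about to be signed. It takes a CN and DNS names as plain arguments instead of an openssl-style config file, which is an assumption of the example; the Ed25519 SPKI in sample_spki() wraps constructed placeholder key bytes, not a real key. Encoding the DER by hand like this is one way to avoid the missing Python bindings Ben mentions, independent of the python-cffi route suggested above.

```python
"""Build a PKCS#10 CertificationRequestInfo (RFC 2986) in DER from a
SubjectPublicKeyInfo blob, a subject CN and a list of DNS SANs.

Added example using only the standard library; not FreeIPA, certmonger
or build_requestinfo.c code.  The key bytes in sample_spki() are a
constructed placeholder, not a real Ed25519 public key.
"""

OID_COMMON_NAME = "2.5.4.3"
OID_EXTENSION_REQUEST = "1.2.840.113549.1.9.14"   # PKCS#9 extensionRequest
OID_SUBJECT_ALT_NAME = "2.5.29.17"
OID_ED25519 = "1.3.101.112"


def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    """One DER tag-length-value element."""
    return bytes([tag]) + der_len(len(content)) + content


def der_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return tlv(0x06, bytes(body))


def name_with_cn(cn):
    """Name ::= SEQUENCE OF RDN; one RDN holding CN as a UTF8String."""
    atv = tlv(0x30, der_oid(OID_COMMON_NAME) + tlv(0x0C, cn.encode("utf-8")))
    return tlv(0x30, tlv(0x31, atv))


def san_extension(dns_names):
    """Extension { subjectAltName, extnValue OCTET STRING } with dNSName [2] entries."""
    general_names = b"".join(tlv(0x82, n.encode("ascii")) for n in dns_names)
    extn_value = tlv(0x04, tlv(0x30, general_names))
    return tlv(0x30, der_oid(OID_SUBJECT_ALT_NAME) + extn_value)


def build_certification_request_info(spki_der, cn, dns_names):
    """CertificationRequestInfo ::= SEQUENCE { version, subject,
    subjectPKInfo, attributes [0] }.  The caller's SPKI is embedded unchanged."""
    if not spki_der or spki_der[0] != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a DER SEQUENCE")
    version = tlv(0x02, b"\x00")                       # v1
    extensions = tlv(0x30, san_extension(dns_names))
    ext_req = tlv(0x30, der_oid(OID_EXTENSION_REQUEST) + tlv(0x31, extensions))
    attributes = tlv(0xA0, ext_req)                    # [0] IMPLICIT SET OF Attribute
    return tlv(0x30, version + name_with_cn(cn) + spki_der + attributes)


def parse_tlv(data, pos=0):
    """Decode one element; returns (tag, content, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        length = int.from_bytes(data[pos:pos + count], "big")
        pos += count
    return tag, data[pos:pos + length], pos + length


def children(content):
    """All (tag, content) elements inside a constructed element."""
    items, pos = [], 0
    while pos < len(content):
        tag, body, pos = parse_tlv(content, pos)
        items.append((tag, body))
    return items


def describe(cri_der):
    """Walk a CertificationRequestInfo and return what it carries, so a
    helper can check the to-be-signed data before handing it on."""
    tag, body, _ = parse_tlv(cri_der)
    if tag != 0x30:
        raise ValueError("CertificationRequestInfo must be a SEQUENCE")
    (_, version), (_, subject), (spki_tag, spki), (_, attrs) = children(body)
    [(_, rdn)] = children(subject)
    [(_, atv)] = children(rdn)
    _, (_, cn) = children(atv)
    [(_, ext_req)] = children(attrs)
    (_, req_oid), (_, ext_set) = children(ext_req)
    [(_, extensions)] = children(ext_set)
    names = []
    for _, ext in children(extensions):
        items = children(ext)          # extnID, optional critical, extnValue
        if items[0][1] == der_oid(OID_SUBJECT_ALT_NAME)[2:]:
            _, general_names, _ = parse_tlv(items[-1][1])
            names += [n.decode("ascii") for t, n in children(general_names) if t == 0x82]
    return {"version": int.from_bytes(version, "big"),
            "cn": cn.decode("utf-8"),
            "spki": tlv(spki_tag, spki),
            "extension_request": req_oid == der_oid(OID_EXTENSION_REQUEST)[2:],
            "dns_names": names}


def sample_spki():
    """Ed25519 SubjectPublicKeyInfo around a constructed placeholder key."""
    key = bytes(range(32))   # constructed placeholder, not a real key
    return tlv(0x30, tlv(0x30, der_oid(OID_ED25519)) + tlv(0x03, b"\x00" + key))


if __name__ == "__main__":
    cri = build_certification_request_info(sample_spki(), "host.example.test",
                                           ["host.example.test"])
    print(cri.hex())
    print(describe(cri))
```

The output of build_certification_request_info() is exactly the blob a signer would wrap in a CertificationRequest together with the signature algorithm and signature; describe() is the check a helper would run on a CertificationRequestInfo it receives from certmonger before returning an updated one.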