[Freeipa-devel] CSR autogeneration next steps
Ben Lipton
blipton at redhat.com
Wed Nov 2 23:12:01 UTC 2016
Hi everybody,
Soon I'm going to have to reduce the amount of time I spend on new
development work for the CSR autogeneration project, and I want to leave
the project in as organized a state as possible. So, I'm taking
inventory of the work I've done in order to make sure that what's ready
for review can get reviewed and the ideas that have been discussed get
prototyped or at least recorded so they won't be forgotten.
Code that's ready for review (I will continue to put in as much time as
needed to help get these ready for submission):
- Current PR: https://github.com/freeipa/freeipa/pull/10
- Allow some fields to be specified by the user at creation time:
https://github.com/LiptonB/freeipa/commits/local-user-data
- Automation for the full process from getting CSR data to requesting
cert: https://github.com/LiptonB/freeipa/commits/local-cert-build
Other prototypes and design ideas that aren't ready for submission yet:
- Utility written in C to build a CertificationRequestInfo from a
SubjectPublicKeyInfo and an openssl-style config file. The purpose of
this is to take a config that my code already knows how to generate, and
put it in a form that certmonger can use. This is nearly done and
available at:
https://github.com/LiptonB/freeipa-prototypes/blob/master/build_requestinfo.c
- Ideally it should be possible to use this tool to reimplement the full
cert-request automation (local-cert-build branch) without a dependency
on the certutil/openssl tools. However, I don't think any of the python
crypto libraries have bindings for the functions that deal with
CertificationRequestInfo objects, so I don't think I can do this in the
short term.
- Certmonger "helper" program that takes in the CertificationRequestInfo
that certmonger generates, calls out to IPA for profile-specific data,
and returns an updated CertificationRequestInfo built from the data.
Certmonger doesn't currently support this type of helper, but (if I
understood correctly) this is the architecture Nalin believed would be
simplest to fit in. This is not done yet, but I intend to complete it
soon - it shouldn't require much code beyond what's in build_requestinfo.c.
- Tool to convert an XER-encoded cert extension to DER, given the ASN.1
description of the extension. This would unblock Jan Cholasta's idea of
using XSLT for templates rather than text-based formatting. I should be
able to implement the conversion tool, but it may be a while before I
have time to demo the full XSLT idea.
So: currently on my to do list are the certmonger helper and the
XER->DER conversion tool. Do you have any comments about these plans,
and is there anything else I can do to wrap up the project neatly?
Thanks,
Ben
More information about the Freeipa-devel
mailing list