[Freeipa-devel] CSR autogeneration next steps

Ben Lipton blipton at redhat.com
Wed Nov 2 23:12:01 UTC 2016


Hi everybody,

Soon I'm going to have to reduce the amount of time I spend on new 
development work for the CSR autogeneration project, and I want to leave 
the project in as organized a state as possible. So, I'm taking 
inventory of the work I've done in order to make sure that what's ready 
for review can get reviewed and the ideas that have been discussed get 
prototyped or at least recorded so they won't be forgotten.

Code that's ready for review (I will continue to put in as much time as 
needed to help get these ready for submission):

- Current PR: https://github.com/freeipa/freeipa/pull/10

- Allow some fields to be specified by the user at creation time: 
https://github.com/LiptonB/freeipa/commits/local-user-data

- Automation for the full process from getting CSR data to requesting 
cert: https://github.com/LiptonB/freeipa/commits/local-cert-build

Other prototypes and design ideas that aren't ready for submission yet:

- Utility written in C to build a CertificationRequestInfo from a 
SubjectPublicKeyInfo and an openssl-style config file. The purpose of 
this is to take a config that my code already knows how to generate, and 
put it in a form that certmonger can use. This is nearly done and 
available at: 
https://github.com/LiptonB/freeipa-prototypes/blob/master/build_requestinfo.c

- Ideally it should be possible to use this tool to reimplement the full 
cert-request automation (local-cert-build branch) without a dependency 
on the certutil/openssl tools. However, I don't think any of the Python 
crypto libraries have bindings for the functions that deal with 
CertificationRequestInfo objects, so I don't think I can do this in the 
short term.

- Certmonger "helper" program that takes in the CertificationRequestInfo 
that certmonger generates, calls out to IPA for profile-specific data, 
and returns an updated CertificationRequestInfo built from the data. 
Certmonger doesn't currently support this type of helper, but (if I 
understood correctly) this is the architecture Nalin believed would be 
simplest to fit in. This is not done yet, but I intend to complete it 
soon - it shouldn't require much code beyond what's in build_requestinfo.c.

- Tool to convert an XER-encoded cert extension to DER, given the ASN.1 
description of the extension. This would unblock Jan Cholasta's idea of 
using XSLT for templates rather than text-based formatting. I should be 
able to implement the conversion tool, but it may be a while before I 
have time to demo the full XSLT idea.

So: currently on my to-do list are the certmonger helper and the 
XER->DER conversion tool. Do you have any comments about these plans, 
and is there anything else I can do to wrap up the project neatly?

Thanks,
Ben
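As an added illustration of the data structure the message's prototype utility targets (example code written for this page; it is not Ben's build_requestinfo.c nor any FreeIPA or certmonger code), here is a pure-Python builder that takes a DER SubjectPublicKeyInfo plus a small openssl-style `[req]` config and emits the CertificationRequestInfo, i.e. the to-be-signed body of a PKCS#10 CSR. It includes its own minimal DER encoder and a parser for checking the result, so it needs no crypto library. The config keys, hostnames and modulus are constructed placeholders (the modulus is not a usable RSA key), and only DNS `subjectAltName` entries and a few DN attribute types are handled; anything else raises rather than silently producing a wrong request.

```python
"""CertificationRequestInfo (the to-be-signed body of a PKCS#10 CSR) built in
pure Python from a DER SubjectPublicKeyInfo plus an openssl-style [req] config.
Added example for this page, not the prototype's build_requestinfo.c."""
import configparser

# Minimal DER encoder/decoder (X.690); enough for the PKCS#10 pieces below.
def der_len(n):
    if n < 0x80: return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body       # long form: 0x80|count, then bytes
def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body
def der_int(value):                               # non-negative INTEGER only
    return tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))  # keeps sign bit 0
def der_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    body = bytearray([40 * parts[0] + parts[1]])
    for arc in parts[2:]:                         # base-128, high bit = more follows
        groups = [arc & 0x7F]
        while arc := arc >> 7:
            groups.append(0x80 | (arc & 0x7F))
        body.extend(reversed(groups))
    return tlv(0x06, bytes(body))
def der_seq(*items): return tlv(0x30, b"".join(items))
def der_set(*items): return tlv(0x31, b"".join(sorted(items)))  # DER sorts SET OF
def der_utf8(s): return tlv(0x0C, s.encode("utf-8"))
def der_printable(s): return tlv(0x13, s.encode("ascii"))
def der_octet(b): return tlv(0x04, b)
def der_bitstring(b): return tlv(0x03, b"\x00" + b)            # 0 unused bits
DER_NULL = b"\x05\x00"

def der_parse(blob):
    """Split a DER blob into (tag, body) pairs, to inspect what was built."""
    out, i = [], 0
    while i < len(blob):
        tag, length, i = blob[i], blob[i + 1], i + 2
        if length & 0x80:                         # long-form length
            n = length & 0x7F
            length, i = int.from_bytes(blob[i:i + n], "big"), i + n
        out.append((tag, blob[i:i + length]))
        i += length
    return out
RSA_ENCRYPTION, EXTENSION_REQUEST, SUBJECT_ALT_NAME = (
    "1.2.840.113549.1.1.1", "1.2.840.113549.1.9.14", "2.5.29.17")
DN_OIDS = {"C": "2.5.4.6", "O": "2.5.4.10", "OU": "2.5.4.11", "CN": "2.5.4.3"}

def parse_req_config(text):
    """[req] -> distinguished_name section, plus DNS SANs from req_extensions."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str                          # keep CN/O/C upper case
    cp.read_string(text)
    dn = list(cp[cp["req"]["distinguished_name"]].items())
    san, ext_section = [], cp["req"].get("req_extensions")
    if ext_section and "subjectAltName" in cp[ext_section]:
        for entry in cp[ext_section]["subjectAltName"].split(","):
            kind, _, value = entry.strip().partition(":")
            if kind != "DNS": raise ValueError("only DNS: SAN entries handled here")
            san.append(value)
    return dn, san

def encode_name(dn):
    """Name ::= SEQUENCE OF RDN; RDN ::= SET OF { type OID, value string }."""
    rdns = [der_set(der_seq(der_oid(DN_OIDS[k]),
                            (der_printable if k == "C" else der_utf8)(v)))
            for k, v in dn]
    return der_seq(*rdns)

def encode_san_extension(dns_names):
    """Extension { extnID, extnValue OCTET STRING holding GeneralNames }."""
    names = der_seq(*[tlv(0x82, n.encode("ascii")) for n in dns_names])  # [2] dNSName
    return der_seq(der_oid(SUBJECT_ALT_NAME), der_octet(names))

def build_request_info(spki_der, dn, san):
    """CertificationRequestInfo { version 0, subject, subjectPKInfo, [0] attrs }."""
    attrs = b""
    if san:  # one Attribute: extensionRequest -> SET { Extensions SEQUENCE OF Extension }
        attrs = der_seq(der_oid(EXTENSION_REQUEST),
                        der_set(der_seq(encode_san_extension(san))))
    return der_seq(der_int(0), encode_name(dn), spki_der, tlv(0xA0, attrs))

def toy_rsa_spki(modulus, exponent=65537):        # SubjectPublicKeyInfo for RSA
    rsa_pub = der_seq(der_int(modulus), der_int(exponent))
    return der_seq(der_seq(der_oid(RSA_ENCRYPTION), DER_NULL), der_bitstring(rsa_pub))

# Constructed sample input: placeholder hostnames and a fake modulus, not a real key.
TOY_MODULUS = int("deadbeef" * 8, 16)
SAMPLE_CONFIG = """[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
[req_distinguished_name]
C = US
O = Example Corp
CN = host.example.test
[v3_req]
subjectAltName = DNS:host.example.test, DNS:alias.example.test
"""

def build_sample_request_info():
    return build_request_info(toy_rsa_spki(TOY_MODULUS), *parse_req_config(SAMPLE_CONFIG))
```

The point worth noticing for the helper architecture described above is that nothing here touches a private key: the CertificationRequestInfo is assembled from the public key and profile data alone, and whoever holds the key (certmonger, in the proposed design) wraps it in the outer CertificationRequest and signs it afterwards. `der_parse` lets you walk the output and confirm the four fields (version, subject, subjectPKInfo, `[0]` attributes) are where a CA would expect them before handing the blob to anything that signs.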