This drops our own PKCS#10 parser and uses the one from python-nss. I had to bump up the minimum required version of python-nss to pick up some new API for this.

This introduces some new challenges for us. NSS needs to be initialized for you to do any sort of operations otherwise you get ugly segfaults. So I added in some catch-all no_db inits to try to prevent this. I also had to add in some code when making SSL requests so that the right database is opened. AFAIK NSS still lacks the ability to operate on multiple databases concurrently. Once that is available this code becomes lots better.

Despite this, using the NSS parser is still safer. My PKCS#10 parser seemed ok but getting the extension requests out was a nightmare. It is much easier with python-nss.


Attachment: freeipa-488-csr.patch
Description: application/mbox

Freeipa-devel mailing list

Reply via email to