Hi Ben,

On 3.11.2016 00:12, Ben Lipton wrote:
Hi everybody,

Soon I'm going to have to reduce the amount of time I spend on new
development work for the CSR autogeneration project, and I want to leave
the project in as organized a state as possible. So, I'm taking
inventory of the work I've done in order to make sure that what's ready
for review can get reviewed and the ideas that have been discussed get
prototyped or at least recorded so they won't be forgotten.

Thanks, I have some questions and comments, see below.

Code that's ready for review (I will continue to put in as much time as
needed to help get these ready for submission):

- Current PR: https://github.com/freeipa/freeipa/pull/10

How hard would it be to update the PR to use the "new" interface from the design thread? By this I mean that currently there is a command (cert_get_requestdata), which creates a CSR from profile id + principal + helper, but in the design we discussed a command which creates a CertificationRequestInfo from profile id + principal + public key.

Internally it could use the OpenSSL helper, no need to implement the full "new" design. With your build_requestinfo.c code below it looks like it should be pretty straightforward.

- Allow some fields to be specified by the user at creation time:

Good idea :-)

- Automation for the full process from getting CSR data to requesting
cert: https://github.com/LiptonB/freeipa/commits/local-cert-build

LGTM, although I would prefer if this was a client-side extension of cert-request rather than a completely new command.

Other prototypes and design ideas that aren't ready for submission yet:

- Utility written in C to build a CertificationRequestInfo from a
SubjectPublicKeyInfo and an openssl-style config file. The purpose of
this is to take a config that my code already knows how to generate, and
put it in a form that certmonger can use. This is nearly done and
available at:

Nice! As I said above, this could really make implementing the "new" csrgen interface simple.

- Ideally it should be possible to use this tool to reimplement the full
cert-request automation (local-cert-build branch) without a dependency
on the certutil/openssl tools. However, I don't think any of the python
crypto libraries have bindings for the functions that deal with
CertificationRequestInfo objects, so I don't think I can do this in the
short term.

You can use python-cffi to write your own minimal bindings. It's fairly straightforward, take a look at FreeIPA commit 500ee7e2 for an example of how to port C code to Python with python-cffi.

- Certmonger "helper" program that takes in the CertificationRequestInfo
that certmonger generates, calls out to IPA for profile-specific data,
and returns an updated CertificationRequestInfo built from the data.
Certmonger doesn't currently support this type of helper, but (if I
understood correctly) this is the architecture Nalin believed would be
simplest to fit in. This is not done yet, but I intend to complete it
soon - it shouldn't require much code beyond what's in build_requestinfo.c.

To me this sounds like it should be a new operation of the current helper rather than a completely new helper.

Anyway, the ultimate goal is to move the csrgen code to the server, which means everything the helper will have to do is call a command over RPC.

- Tool to convert an XER-encoded cert extension to DER, given the ASN.1
description of the extension. This would unblock Jan Cholasta's idea of
using XSLT for templates rather than text-based formatting. I should be
able to implement the conversion tool, but it may be a while before I
have time to demo the full XSLT idea.

Was there any progress on this?

So: currently on my to-do list are the certmonger helper and the
XER->DER conversion tool. Do you have any comments about these plans,
and is there anything else I can do to wrap up the project neatly?

Jan Cholasta
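As an added illustration (not code from this thread, from FreeIPA, or from certmonger), the following pure-Python script builds the PKCS#10 CertificationRequestInfo that build_requestinfo.c is described as assembling (version, subject Name, a caller-supplied SubjectPublicKeyInfo, and an extensionRequest attribute carrying a subjectAltName) and then re-parses it, which is the kind of check a signer or the certmonger helper would want before accepting the structure. All helper names are my own, no OpenSSL or third-party ASN.1 library is used, and the SubjectPublicKeyInfo is a constructed RSA-shaped dummy rather than a real key.

```python
"""Build and re-parse a PKCS#10 CertificationRequestInfo (RFC 2986) in pure DER.
Added illustration, not FreeIPA or certmonger code: the structure build_requestinfo.c
assembles (version, subject Name, caller-supplied SubjectPublicKeyInfo,
extensionRequest attribute). Helper names are my own.
"""
OID_RSA_ENCRYPTION = "1.2.840.113549.1.1.1"
OID_EXTENSION_REQUEST = "1.2.840.113549.1.9.14"  # PKCS#9 extensionRequest
OID_COMMON_NAME = "2.5.4.3"
OID_SUBJECT_ALT_NAME = "2.5.29.17"

def der_len(n):
    # DER definite length: short form below 128, long form (0x80 | count, then bytes) otherwise
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def oid(dotted):
    """OBJECT IDENTIFIER: first two arcs merged, the rest base-128 with continuation bits."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        groups = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            groups.insert(0, 0x80 | (arc & 0x7F))
        body.extend(groups)
    return tlv(0x06, bytes(body))

def seq(*parts):
    return tlv(0x30, b"".join(parts))

def set_of(*parts):
    return tlv(0x31, b"".join(sorted(parts)))  # DER orders SET OF members by encoding

def name(rdns):
    """Name ::= SEQUENCE OF RDN; RDN ::= SET OF SEQUENCE { type OID, value UTF8String }."""
    return seq(*(set_of(seq(oid(t), tlv(0x0C, v.encode()))) for t, v in rdns))

def extension(ext_oid, value_der, critical=False):
    """Extension ::= SEQUENCE { extnID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }."""
    crit = tlv(0x01, b"\xff") if critical else b""  # DER omits a value equal to its DEFAULT
    return seq(oid(ext_oid), crit, tlv(0x04, value_der))

def san_dns(dns_names):
    return seq(*(tlv(0x82, d.encode("ascii")) for d in dns_names))  # dNSName = [2] IMPLICIT IA5String

def build_request_info(subject_rdns, spki_der, extensions=()):
    """CertificationRequestInfo ::= SEQUENCE { version v1(0), subject, subjectPKInfo, attributes [0] }."""
    attrs = b""
    if extensions:  # Attribute ::= SEQUENCE { type extensionRequest, values SET OF Extensions }
        attrs = seq(oid(OID_EXTENSION_REQUEST), set_of(seq(*extensions)))
    return seq(tlv(0x02, b"\x00"), name(subject_rdns), spki_der, tlv(0xA0, attrs))

def read_tlv(data, pos=0):
    """Decode one TLV at pos; returns (tag, body, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        length, pos = int.from_bytes(data[pos:pos + (length & 0x7F)], "big"), pos + (length & 0x7F)
    return tag, data[pos:pos + length], pos + length

def children(body):
    # yield (tag, inner body, raw TLV bytes) for each element of a constructed body
    pos = 0
    while pos < len(body):
        tag, inner, nxt = read_tlv(body, pos)
        yield tag, inner, body[pos:nxt]
        pos = nxt

def parse_request_info(cri):
    """Walk a CertificationRequestInfo and pull out what a signer would check."""
    tag, body, end = read_tlv(cri)
    kids = list(children(body))
    if tag != 0x30 or end != len(cri) or [k[0] for k in kids] != [0x02, 0x30, 0x30, 0xA0]:
        raise ValueError("not a well-formed CertificationRequestInfo")
    cns, ext_oids = [], []
    for _, rdn, _ in children(kids[1][1]):  # subject: each RDN is a SET of type/value pairs
        for _, atv, _ in children(rdn):
            (_, _, type_raw), (_, value, _) = list(children(atv))
            if type_raw == oid(OID_COMMON_NAME):
                cns.append(value.decode())
    for _, attr, _ in children(kids[3][1]):  # attributes: look for the extensionRequest
        (_, _, type_raw), (_, values, _) = list(children(attr))
        if type_raw == oid(OID_EXTENSION_REQUEST):
            for _, exts, _ in children(values):
                ext_oids += [next(children(ext))[2] for _, ext, _ in children(exts)]
    return {"version": int.from_bytes(kids[0][1], "big"), "common_names": cns,
            "spki": kids[2][2], "extension_oids": ext_oids}

def constructed_dummy_spki():
    """NOT a real key: an RSA-shaped SubjectPublicKeyInfo with a toy modulus, sample input only."""
    rsa_public_key = seq(tlv(0x02, b"\x00\xc1\x23\x45\x67"), tlv(0x02, b"\x01\x00\x01"))
    algorithm = seq(oid(OID_RSA_ENCRYPTION), tlv(0x05, b""))
    return seq(algorithm, tlv(0x03, b"\x00" + rsa_public_key))  # BIT STRING, 0 unused bits

def demo():
    # build a request info for a constructed host name and parse it back
    san = extension(OID_SUBJECT_ALT_NAME, san_dns(["host.example.test", "alias.example.test"]))
    cri = build_request_info([(OID_COMMON_NAME, "host.example.test")], constructed_dummy_spki(), [san])
    return cri, parse_request_info(cri)
```

The output of build_request_info is exactly the unsigned blob a certmonger-side signer would wrap with a signatureAlgorithm and signature to produce a full CertificationRequest; parse_request_info shows the minimum a consumer should verify before trusting profile-supplied data (four fields with the expected tags, one outer SEQUENCE and nothing trailing, and the extensionRequest attribute located by OID rather than by position).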