Certificate processing refactoring #162

frasertweedale
Contributor

This PR contains ready-for-review/test commits that:

  • support converting python-cryptography Name type to DN
  • avoid the need to parse friendlyName from CSR and remove
    the code that does that
  • convert ipalib.pkcs10 to use python-cryptography instead of NSS
    for processing CSRs.
  • eliminate our use of the nss.data_to_hex function
  • switch ipalib.x509 to use ASN.1 specifications provided by
    pyasn1-modules library, and remove our hand-rolled definitions.

It was discussed that the ongoing refactoring work should target
subteam staging branches, but it does not seem that these have been
created yet. I can retarget the PR after the cert refactoring branch
gets created.

The upcoming change to using python-cryptography for certificate
processing will require a way to convert
``cryptography.x509.name.Name`` values to ``ipapython.dn.DN``.
Update the ``DN`` constructor to accept a ``Name``.

Part of: https://fedorahosted.org/freeipa/ticket/6398

Update ``ipalib.pkcs10`` module to use python-cryptography for CSR
processing instead of NSS.

Part of: https://fedorahosted.org/freeipa/ticket/6398
In the dogtag-ipa-ca-renew-agent-submit certmonger renewal helper,
we currently use our hand-rolled PKCS #10 pyasn1 specification to
parse the friendlyName out of CSRs generated by certmonger (it
contains the NSSDB nickname of the cert).

Use other information from the renewal helper process environment to
determine the nickname and remove our PKCS #10 pyasn1 spec.

Part of: https://fedorahosted.org/freeipa/ticket/6398
Avoid use of the nss.data_to_hex function for formatting certificate
fingerprints.  Add our own helper functions to format the
fingerprints as hex (with colons).

Part of: https://fedorahosted.org/freeipa/ticket/6398
Remove our hand-rolled pyasn1 specifications for X.509 in favour of
those provided by the pyasn1-modules library.

This also avoids a bug in our _Extension spec wherein parsing fails
if the 'critical' field is absent.

Part of: https://fedorahosted.org/freeipa/ticket/6398
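The commits above touch three conversions that are easy to get subtly wrong: turning an X.509 ``Name`` into an LDAP DN string (RDN order is reversed relative to the DER encoding, and special characters need escaping), decoding an ``Extension`` whose ``critical`` field is absent because DER omits ``DEFAULT FALSE`` values (the bug the last commit mentions), and formatting a digest as colon-separated hex (the ``nss.data_to_hex`` replacement). The block below is an added example, not FreeIPA's code and not the python-cryptography or pyasn1-modules API: it uses only the standard library so it runs offline, builds its own small DER encoder/decoder, and works on constructed sample bytes. The function names, the ``ATTR_NAMES`` table and the upper-case colon-separated fingerprint format are this example's own assumptions; ``ipapython.dn.DN`` is not used.

```python
"""Added example (not FreeIPA code): Name -> DN string, Extension decoding with
an absent 'critical' field, and colon-separated fingerprints, using only the
standard library in place of python-cryptography / pyasn1-modules."""
import hashlib

SEQUENCE, SET, OID, BOOLEAN, OCTET_STRING, UTF8STRING, PRINTABLE = (
    0x30, 0x31, 0x06, 0x01, 0x04, 0x0C, 0x13)

# --- minimal DER helpers, written for this example ---------------------------

def _tlv(tag, content):
    """Encode one DER tag-length-value; lengths up to 65535 are supported."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + content

def _read_tlv(data, pos=0):
    """Decode the TLV at data[pos:]; return (tag, content, offset after it)."""
    tag, first = data[pos], data[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(data[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start = pos + hdr
    return tag, data[start:start + length], start + length

def _children(content):
    """Yield (tag, content) for each element inside a SEQUENCE/SET body."""
    pos = 0
    while pos < len(content):
        tag, body, pos = _read_tlv(content, pos)
        yield tag, body

def _encode_oid(dotted):
    """Dotted OID string -> DER OBJECT IDENTIFIER content (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

def _decode_oid(body):
    """DER OBJECT IDENTIFIER content -> dotted string."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

# --- Name -> DN string ----------------------------------------------------------

# Attribute types this example knows; anything else is emitted as a dotted OID.
ATTR_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.11": "OU"}

def _rdn_escape(value):
    """Escape the characters RFC 4514 makes special inside an attribute value."""
    out = []
    for i, ch in enumerate(value):
        special = ch in ',+"\\<>;' or (ch == "#" and i == 0) \
            or (ch == " " and i in (0, len(value) - 1))
        out.append("\\" + ch if special else ch)
    return "".join(out)

def name_to_dn(name_der):
    """DER X.509 Name -> RFC 4514 DN string.

    DER lists RDNs root-first (C, O, CN); the LDAP string form is
    most-specific-first, so the order is reversed.  Multi-valued RDNs join
    their attribute-value pairs with '+'.
    """
    tag, body, _ = _read_tlv(name_der)
    if tag != SEQUENCE:
        raise ValueError("Name must be a SEQUENCE OF RelativeDistinguishedName")
    rdns = []
    for set_tag, rdn_body in _children(body):
        if set_tag != SET:
            raise ValueError("RelativeDistinguishedName must be a SET")
        avas = []
        for _, ava_body in _children(rdn_body):
            (_, oid_body), (_, value_body) = list(_children(ava_body))
            attr = ATTR_NAMES.get(_decode_oid(oid_body), _decode_oid(oid_body))
            avas.append("%s=%s" % (attr, _rdn_escape(value_body.decode("utf-8"))))
        rdns.append("+".join(avas))
    return ",".join(reversed(rdns))

# --- Extension with 'critical BOOLEAN DEFAULT FALSE' -------------------------------

def decode_extension(ext_der):
    """Decode Extension ::= SEQUENCE { extnID, critical DEFAULT FALSE, extnValue }.

    DER never encodes a field that equals its DEFAULT, so 'critical' is absent
    on every non-critical extension; a decoder that expects three children
    fails exactly the way the commit message above describes.
    """
    tag, body, _ = _read_tlv(ext_der)
    if tag != SEQUENCE:
        raise ValueError("Extension must be a SEQUENCE")
    fields = list(_children(body))
    oid, critical = _decode_oid(fields[0][1]), False
    if fields[1][0] == BOOLEAN:          # present only when TRUE
        critical = fields[1][1] != b"\x00"
        fields.pop(1)
    if fields[1][0] != OCTET_STRING:
        raise ValueError("extnValue must be an OCTET STRING")
    return oid, critical, fields[1][1]

# --- fingerprint formatting (replacement for nss.data_to_hex) -------------------------

def fingerprint_hex(der, algorithm="sha256"):
    """Digest DER bytes and format as upper-case hex pairs joined by colons."""
    digest = hashlib.new(algorithm, der).digest()
    return ":".join("%02X" % b for b in digest)

# --- constructed sample input (not real certificate data) ----------------------------

def _ava(oid, value, string_tag=UTF8STRING):
    return _tlv(SEQUENCE, _tlv(OID, _encode_oid(oid)) + _tlv(string_tag, value.encode("utf-8")))

# C=US, O="Example, Inc.", CN=host.example.test, encoded root-first as DER requires.
SAMPLE_NAME_DER = _tlv(SEQUENCE,
                       _tlv(SET, _ava("2.5.4.6", "US", PRINTABLE))
                       + _tlv(SET, _ava("2.5.4.10", "Example, Inc."))
                       + _tlv(SET, _ava("2.5.4.3", "host.example.test")))

# basicConstraints (2.5.29.19) with cA=TRUE, once without the BOOLEAN, once with it.
_BC_VALUE = _tlv(OCTET_STRING, _tlv(SEQUENCE, _tlv(BOOLEAN, b"\xff")))
SAMPLE_EXT_NONCRITICAL = _tlv(SEQUENCE, _tlv(OID, _encode_oid("2.5.29.19")) + _BC_VALUE)
SAMPLE_EXT_CRITICAL = _tlv(SEQUENCE, _tlv(OID, _encode_oid("2.5.29.19"))
                           + _tlv(BOOLEAN, b"\xff") + _BC_VALUE)

if __name__ == "__main__":
    print(name_to_dn(SAMPLE_NAME_DER))
    print(decode_extension(SAMPLE_EXT_NONCRITICAL))
    print(decode_extension(SAMPLE_EXT_CRITICAL))
    print(fingerprint_hex(SAMPLE_NAME_DER))
```

The DN string comes out as ``CN=host.example.test,O=Example\, Inc.,C=US``: the comma inside the organisation value is escaped and the RDN order is the reverse of the DER order, which is the part a ``Name``-to-``DN`` constructor has to get right. Running ``decode_extension`` on the non-critical sample is the check that the hand-rolled ``_Extension`` spec mentioned in the last commit would have failed.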
frasertweedale force-pushed the refactor/6398-cert-processing-batch1 branch from 76f37b0 to f888dd8 on October 14, 2016 05:31
@frasertweedale
Contributor Author

Closing PR (will retarget to @dkupka's refactoring-certificates staging branch).

frasertweedale deleted the refactor/6398-cert-processing-batch1 branch on October 20, 2016 05:49