[Freeipa-devel] [PATCH] 488 use the python-nss CertificateRequest object
Rich Megginson
rmeggins at redhat.com
Wed Jul 21 19:32:36 UTC 2010
Rob Crittenden wrote:
> Rich Megginson wrote:
>> Rob Crittenden wrote:
>>> This drops our own PKCS#10 parser and uses the one from python-nss.
>>> I had to bump up the minimum required version of python-nss to pick
>>> up some new API for this.
>>>
>>> This introduces some new challenges for us. NSS needs to be
>>> initialized for you to do any sort of operations otherwise you get
>>> ugly segfaults. So I added in some catch-all no_db inits to try to
>>> prevent this. I also had to add in some code when making SSL
>>> requests so that the right database is opened. AFAIK NSS still lacks
>>> the ability to operate on multiple databases concurrently. Once that
>>> is available this code becomes lots better.
>>>
>>> Despite this, using the NSS parser is still safer. My PKCS#10 parser
>>> seemed ok but getting the extension requests out was a nightmare. It
>>> is much easier with python-nss.
>> Does python-nss expose the NSS_InitContext api?
>
> No, I'm not familiar with it either. Is it fully baked?
OpenLDAP uses it pretty heavily. Has been working fine with NSS 3.12.6.
>
> rob