django-ca, HSM and PoC
django-ca is a feature-rich
certificate authority written in Python, using the Django framework. The
project has existed for a long time and has great documentation and code comments throughout.
As I was looking around for possible CAs which can be used in multiple projects
at work, django-ca
seemed to be a good base fit. Though it
still has a few missing parts (which are important for us), for example HSM
support and Certificate Management over CMS.
I started looking into the codebase of django-ca more, and meanwhile also
started cleaning up (along with Magnus Svensson) another library written at
work for HSM support. I also
started having conversations with Mathias (who is the author of django-ca) about
this feature.
Thanks to the amazing design by the Python Cryptography
team, I could just add several private
key implementations to our
library, which in turn can be used as normal private keys.
I worked on a proof of concept (PoC) branch, and also got a lot of the tests working.
===== 107 failed, 1654 passed, 32 skipped, 274 errors in 286.03s (0:04:46) =====
Meanwhile Mathias also started writing a separate feature branch where he is
moving the key operations so they are encapsulated inside backends, and different
backends can be implemented to deal with an HSM or normal file-based storage. He
then chatted with me on Signal for over 2 hours, explaining the code and design of
the branch he is working on. In the same call he also taught me many other Django/typing things
which I never knew before. His backend-based approach makes my
original intention of adding HSM support very easy. But it also means that
he first has to modify the codebase (and the thousands of test cases).
I am writing this blog post also to remind folks that not every piece of code
needs to go to production (or even be merged). I worked on a PoC that validates
the idea, and then we ended up with a better and completely different design. It is
perfectly okay to work hard on a PoC and later use a different approach.
As some friends asked on Mastodon, I will do a separate post about the cleanup of the other library.