-
Notifications
You must be signed in to change notification settings - Fork 109
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Expand CSR generation support #285
Comments
@lvkv we already have support for building CSRs, which currently works by building from a |
Oh interesting! I didn't catch that the way to create a I tried creating a dummy CSR using this method, but ran into an rcgen/rcgen/src/certificate.rs Lines 545 to 553 in 746da00
Agreed that thinking this out is a good idea. I'm also very much not against first-class support for these bits (it'd be quite nice, actually!). Comprehensive support might be a bit out of reach, given that the spec is a >250 page PDF, but I think it should be more than possible to implement enough of a skeleton so that people can easily add in whatever bits they need when they need to. I think it'd be a good idea to figure out the boundaries of what
Personally what I'd like to support for is:
Lots of text! Let me know what you think. As always, I'm more than happy to work with you guys to create something useful! |
The big picture motivation is to use AD CS as a CA on Linux. Unfortunately, that means learning how to speak the CSR equivalent of parseltongue. On the bright side, it's a great excuse to craft a super flexible CSR generation library... 🙂 |
We're open to improving how that API works, if you have suggestions!
It's possible -- it's been a while, so it might make sense to try it against main to see what works there.
Right now I think what we do for CSRs is the PKCS#10 message format, and I think deviating from that would sort of need a separate justification.
Adding
For these I think it's all about coming up with a reasonably type-safe API. (Note that these are my personal opinions, the other maintainers might feel differently.) |
I was thinking this too!
Yeah, using what's in main, it looks like EKUs are supported, but key usages aren't. How does the following sound as a high-level plan? These can more or less all be worked on in parallel:
|
👋 I haven't gone deep on the MS-WCCE spec or the required PKCS#10 attribute changes, but here are some initial thoughts. At one point I had ambitions of reworking the way extensions are handled (see #164) and one goal of that rework was to help bring parity between what's supported in certs, what's supported in CSRs, and how custom extensions are handled. Maybe there are some ideas to revive from that stale branch that could help here? In general I'm a little bit wary about extending the existing API with new features while the underlying handling is messy/inconsistent but I also don't want to block helpful improvements on a big refactor I can't commit to seeing through myself. Maybe this concern would fall away after the diffs start to come up for review?
I'm not sure I'm convinced about this. I think in general I'd prefer to see Rcgen expose a helpful/usable API for custom EKUs, certificate extensions, and CSR attributes but not MS-WCCE specific bits (perhaps with the exception of defining well known OID constants). The MS-WCCE standard feels pretty niche to me, and like something the majority of rcgen users wouldn't benefit from. I think it would be a better end-state if someone with the bandwidth to support the MS-WCCE use-case could do that external to Rcgen using primitives it exposes. WDYT? |
Yeah, FWIW I'm totally fine with MS-WCCE ideas not getting first-class API support here 🙂 having the building blocks to express them myself is just as good if not better; there are undoubtedly many other weird standards put out by big tech companies, and choosing to support this one may set an exhausting precedent.
Yeah, how do you feel about this revised plan, then? I can take a stab at doing all 3 of these:
Like most users, I need this yesterday 🙂 so I'm naturally inclined to prioritize expanding the API. That being said, I'm more than happy to help you guys out with making the implementation more sustainable for the long run. Net-zero spaghetti initiative. |
This sounds great to me. @est31 Do you have any reservations here?
I think we're on the same page but just to be super clear don't feel obligated to try and revive all of #164 or anything :-) There's been quite a bit of API changes since then and I think the scope was ambitious on its own. I trust your judgement on what might make sense to try and shim into your overall goal. |
sounds fine to me. |
That's fair. I thought we might want to try making sure that people don't put together potentially dangerous combinations of custom EKUs, extensions and attributes, so I figured putting some guardrails in place might help here. But I do agree that this MS-WCCE stuff might be niche (it's hard to say how niche) so we don't want to put in place too much special stuff for it. |
Now that #296 has been merged, I'd like to resurface #296 (comment) before either @cpu or I forget Basically, there are aspects of the API here that can probably be updated or rethought—either to make the developer experience better, facilitate a more organized implementation, or both. Some things worth noting off the top of my head:
|
Description updated. |
@est31 I think you meant to type "CSRs", not "CRLs"? FTR I think "Generate X.509 certificates and certificate signing requests" would also sound fine 🙂 but it's ultimately up to you |
Oops, lol, corrected. You are right. |
Hi! I'm looking for an alternative to rust-openssl's
X509ReqBuilder
for building and signing certificate signing requests. Ideally an alternative that supports:I've had a great experience with other Rustls projects, so I checked here first and found
rcgen
. Of course, I understand if a CSR builder is out of scope here.Motivation: I'm implementing a subset of the MS-WCCE certificate enrollment protocol, which involves crafting CSRs with a many interesting extensions and attributes. I'm also open to suggestions for other crates that might be able to help out with this!
The text was updated successfully, but these errors were encountered: