-
Notifications
You must be signed in to change notification settings - Fork 109
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add PKCS#10 attributes to CSR serializer #296
Conversation
Hope to give this a first pass soon. Thanks! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this is going in the right direction. Thanks!
Would you mind getting it split into smaller commits and knocking out some of the first round of feedback? I think it'll be easier for others to review when the changes are isolated and describe their purpose in the commit message 👍 That will also give me some time to double check the one bit of ASN.1 I wasn't confident about.
Thanks @cpu for doing an initial round of review. I had some time off last week so didn't get to this, but would definitely want this restructured into basically one commit per bullet point in your PR description (or more, potentially), and reviewing would be a lot easier based on that. |
c3d644b
to
e3d8766
Compare
@djc this is ready for another look! |
9ea4db2
to
da8342e
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
could you remove the [1]
syntax? One can also do [abcabc]
and then later [abc]: https://example.com
. The issue with [1]
syntax is that it might be resolved in a global context instead of a local one, where we then have multiple URLs pointing to [1]
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Really nice work!
Coming from #285, this PR adds PKCS#10 attributes to rcgen's CSR serialization logic.
Of course, rcgen has already implicitly supported at most one attribute in the form of PKCS#9's extensionRequest1, but this allows you to add others.
I haven't split up the commits yet in anticipation of review comments, but the rough changes are (as of writing):
Attribute
type that represents an RFC 52802/RFC 29863 (take your pick) ATTRIBUTE.custom_csr_attributes
field toCertificateParams
, of typeAttribute
custom_csr_attributes
inCertificateParams::serialize_request
Along the way, I've updated a few items that may or may not count as bugs. These are all subtle, so feel free to be pedantic when reviewing them:
Footnotes
https://datatracker.ietf.org/doc/html/rfc2985 ↩
https://datatracker.ietf.org/doc/html/rfc5280 ↩
https://datatracker.ietf.org/doc/html/rfc2986 ↩