-
Notifications
You must be signed in to change notification settings - Fork 4.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Implement X500DistinguishedNameBuilder #66509
Conversation
Note regarding the This serves as a reminder for when your PR is modifying a ref *.cs file and adding/modifying public APIs, to please make sure the API implementation in the src *.cs file is documented with triple slash comments, so the PR reviewers can sign off that change. |
Tagging subscribers to this area: @dotnet/area-system-security, @vcsjones Issue DetailsCloses #44738
|
Draft until docs are done. |
...yptography/src/System/Security/Cryptography/X509Certificates/X500DistinguishedNameBuilder.cs
Outdated
Show resolved
Hide resolved
src/libraries/System.Security.Cryptography/src/Resources/Strings.resx
Outdated
Show resolved
Hide resolved
src/libraries/System.Security.Cryptography/src/Resources/Strings.resx
Outdated
Show resolved
Hide resolved
/// <summary> | ||
/// This class facilitates building a distinguished name for an X.509 certificate. | ||
/// </summary> | ||
public sealed class X500DistinguishedNameBuilder |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If you can come up with a sane way to describe the order of operations here, that'd probably make for a good remarks section.
Assuming that we went with the user-sanity implementation over the code-sanity implementation, that'd be finding some way to explain something like
For an X500DistinguishedName value whose Name property prints as "CN=widgets.example.org, OU=Widget Processing Center, O=Example Org" you would call AddCommonName("widgets.example.org"), then AddOrganizationalUnit("Widget Processing Center"), then AddOrganization("Example Org"), and finally Encode().
Or maybe it's only confusing when you're over-burdened with knowledge. That this reverses, and X500DN reverses, so everything just works like anyone who doesn't know how all this actually works thinks it does.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I came up with a way, though I'll let you be the judge of it's sanity.
...yptography/src/System/Security/Cryptography/X509Certificates/X500DistinguishedNameBuilder.cs
Show resolved
Hide resolved
...yptography/src/System/Security/Cryptography/X509Certificates/X500DistinguishedNameBuilder.cs
Outdated
Show resolved
Hide resolved
...yptography/src/System/Security/Cryptography/X509Certificates/X500DistinguishedNameBuilder.cs
Show resolved
Hide resolved
...yptography/src/System/Security/Cryptography/X509Certificates/X500DistinguishedNameBuilder.cs
Outdated
Show resolved
Hide resolved
...ies/System.Security.Cryptography/tests/X509Certificates/X500DistinguishedNameBuilderTests.cs
Show resolved
Hide resolved
...ies/System.Security.Cryptography/tests/X509Certificates/X500DistinguishedNameBuilderTests.cs
Show resolved
Hide resolved
...ies/System.Security.Cryptography/tests/X509Certificates/X500DistinguishedNameBuilderTests.cs
Show resolved
Hide resolved
...ies/System.Security.Cryptography/tests/X509Certificates/X500DistinguishedNameBuilderTests.cs
Outdated
Show resolved
Hide resolved
...ies/System.Security.Cryptography/tests/X509Certificates/X500DistinguishedNameBuilderTests.cs
Outdated
Show resolved
Hide resolved
...ies/System.Security.Cryptography/tests/X509Certificates/X500DistinguishedNameBuilderTests.cs
Outdated
Show resolved
Hide resolved
...ies/System.Security.Cryptography/tests/X509Certificates/X500DistinguishedNameBuilderTests.cs
Show resolved
Hide resolved
...ies/System.Security.Cryptography/tests/X509Certificates/X500DistinguishedNameBuilderTests.cs
Show resolved
Hide resolved
Conversation from my head:
|
...yptography/src/System/Security/Cryptography/X509Certificates/X500DistinguishedNameBuilder.cs
Outdated
Show resolved
Hide resolved
...ies/System.Security.Cryptography/tests/X509Certificates/X500DistinguishedNameBuilderTests.cs
Show resolved
Hide resolved
...yptography/src/System/Security/Cryptography/X509Certificates/X500DistinguishedNameBuilder.cs
Outdated
Show resolved
Hide resolved
...ies/System.Security.Cryptography/tests/X509Certificates/X500DistinguishedNameBuilderTests.cs
Show resolved
Hide resolved
What a coincidence. I had the same conversation with the same guy earlier this morning. |
@bartonjs thank you for the thorough feedback. I think I have addressed all of your feedback, with the exception of "Is what
My order of preference is 1, 4, 2, 3. |
Ignoring my https://github.com/dotnet/runtime/blob/39fb7f7826270f00b856e3e9a13165c07dec87cc/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/X500DictionaryStringHelper.cs limits the outputs to Universal-class character string values. Reading through https://datatracker.ietf.org/doc/html/rfc4517 shows that almost everything looks like text... until I realized that it is also providing textual output for non-textual attribute values... so I think that means our X500DN.Format is missing a bunch of RFC 4517 rules (and probably Windows is, too, or maybe we just need some more test cases to improve our compatibility if they have more support than I recall). Forcing something to use a particular encoding, e.g. OU to use BMPEncoding, is solvable by Add. I forget why we wanted AddEncoded... maybe it was exactly for "this is something other than a text string" (unless it was "I'm walking through things using AsnReader, but want to replace one element... here, this is already encoded, just take it... don't make me turn it into a string for you to turn it back into bytes). I think I've talked myself in a circle as to whether we want to limit the type to character strings only or not. |
I think there was more utility back when we thought we would have multi-RDN value support. I don’t recall ever seeing non-text inputs, even for things where they could be better-than-text, they are usually strings. e.g. I’ve seen OIDs in subjects, but they are an OID as a PrintableString, not an OID as an OBJECT IDENTIFIER. I suppose |
Yeah, but we have the wrong shape for that. The one multi-valued test we have ( Lines 23 to 33 in e74c3e8
If it was a multi-RDN escape hatch then we'd've had just
Yeah. Let's just cut it. If we remember why we wanted it it's easy enough to add back (and already API-Approved) |
...ies/System.Security.Cryptography/tests/X509Certificates/X500DistinguishedNameBuilderTests.cs
Show resolved
Hide resolved
I didn’t intend to imply that I thought it was doing that, just that back when we were shaping out the API, it was an escape hatch for that. But then we threw an OID on there (so it can’t take the SET OF) so it didn’t make sense and we should have cut it instead. |
...yptography/src/System/Security/Cryptography/X509Certificates/X500DistinguishedNameBuilder.cs
Show resolved
Hide resolved
I yanked |
Closes #44738