Helpers for accessing AKI/SKI extensions of certs/crls #260
Conversation
| # | ||
| # Returns a Hash with keys :key_identifier, :authority_cert_issuer, | ||
| # and :authority_cert_serial_number. | ||
| def authority_key_identifier |
There was a problem hiding this comment.
Looking at Go's implementation, they only expose the key_identifier part of this extension. That seems like a reasonable choice, given that it's what is mostly useful for matching certificates to their issuers. Going that route would also simplify this method here.
|
I think it's okay to handle a subset of the available data as long as the design doesn't preclude us from supporting more in the future and that it would still make sense given the design choices made. I would like to avoid methods that contain |
lib/openssl/x509.rb
Outdated
| raise ASN1::ASN1Error "invalid GeneralName" | ||
| end | ||
|
|
||
| if gn_asn1.tag == 4 |
There was a problem hiding this comment.
In this case, it designates that this is a directoryName (see RFC 5280 Appendix A.2), which is a Name (see RFC 5280 Section 4.1.2.4)
GeneralName ::= CHOICE {
otherName [0] AnotherName,
rfc822Name [1] IA5String,
dNSName [2] IA5String,
x400Address [3] ORAddress,
directoryName [4] Name,
ediPartyName [5] EDIPartyName,
uniformResourceIdentifier [6] IA5String,
iPAddress [7] OCTET STRING,
registeredID [8] OBJECT IDENTIFIER }
Name ::= CHOICE { -- only one possibility for now --
rdnSequence RDNSequence }
RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
RelativeDistinguishedName ::= SET SIZE (1..MAX) OF AttributeTypeAndValue
AttributeTypeAndValue ::= SEQUENCE {
type AttributeType,
value AttributeValue }
AttributeType ::= OBJECT IDENTIFIER
AttributeValue ::= ANY -- DEFINED BY AttributeType
There was a problem hiding this comment.
Do you think it makes sense to add some constants?
lib/openssl/x509.rb
Outdated
| fields[:authority_cert_issuer] = if !issuer.nil? | ||
| # TODO raise if there are more than one values? GeneralNames is a | ||
| # SEQUENCE. | ||
| x509_name_from_general_name(issuer.value.first) |
There was a problem hiding this comment.
Another option is to return an array, even if it only contains one thing.
| @@ -111,13 +111,18 @@ def issue_crl(revoke_info, serial, lastup, nextup, extensions, | |||
| crl | |||
| end | |||
|
|
|||
| def get_subject_key_id(cert) | |||
| def get_subject_key_id(cert, hex: true) | |||
There was a problem hiding this comment.
unpack_subject_key_id might be better?
There was a problem hiding this comment.
I'm just updating the existing method here. You'd like me to change the name?
There was a problem hiding this comment.
I feel like get_subject_key_id is not a great name, but I'll leave it up to you. It's a relatively minor point.
lib/openssl/x509.rb
Outdated
| else | ||
| # TODO: raise error instead of returning nil? | ||
| # this is some other kind of general name. | ||
| nil |
There was a problem hiding this comment.
I think it's exception: It's not empty, but it's also exception to expected value. Even if our "expected value" is pretty limited at this time.
|
In d63b835, I decided to match Go's behavior by only returning the |
|
Sorry to be so slow to respond here. I got caught up with travel and work things. I think I've responded to your comments on the latest changes. |
|
@ioquatix Is this good to merge? |
|
Looks good to me. Merged. |
|
Thanks |
I'm taking a stab at implementing some of the functionality discussed in #234 (comment). This stuff is kind of tedious to write, so I thought I'd open a PR that just adds helpers for two extensions to make sure we're on the same page about how this should work. Support for more extensions can be added in future PRs if this works out.
This PR adds a
#subject_key_identifiermethod to theCertificateclass that parses out the value of thesubjectKeyIdentifierextension. This is fairly straightforward. This PR also adds a#authority_key_identifiermethod to theCertificateandCRLclasses that parses out the value of theauthorityKeyIdentifierextension. This extension has a number of possible fields and I decided that aHashwas the simplest way to represent this data.In both cases, I tried to validate the extension contents per the specification and covered many of the edge cases. The flexibility of these extensions makes things difficult though. For example, the
authority_cert_issuerfield of theauthorityKeyIdentifierextension is aGeneralNames, which can be aSEQUENCEofGeneralNames, each of which can be one of nine different types, some of which have multiple possible subtypes. In practice though, this field should always be an RDN sequence. I opted to only handle the common case and returnnilotherwise. I'm happy to discuss other options here and to be more or less flexible with these complex types./cc @ioquatix