Skip to content
This repository has been archived by the owner on Feb 16, 2023. It is now read-only.

Add ability to use rustls instead of openssl #2

Closed
svenstaro opened this issue Sep 9, 2019 · 13 comments
Closed

Add ability to use rustls instead of openssl #2

svenstaro opened this issue Sep 9, 2019 · 13 comments

Comments

@svenstaro
Copy link

Is it possible to use rustls instead of OpenSSL for certainly? I think it'd make sense to have a rust-only native package which would make it easier to ship the tool to other platform without having to provide OpenSSL.
@passcod
Copy link
Owner

passcod commented Sep 9, 2019

"rust-only" sounds like a good idea.

However, neither rustls nor webpki (what rustls uses for cert validation) can be used, as rustls is uniquely focused on TLS connections and webpki is uniquely focused on verifying certificates, and as such neither can be used to create certificates.

Thus we would have to use either something else, or to use ring directly, which I'm gonna call as "out of scope for this project" due to the complexity. If there's a crate that can do openssl-like generation of certificates based on ring, I'll happily go with it, but otherwise, er, sorry.

@svenstaro
Copy link
Author

So there is https://github.com/est31/rcgen which only needs OpenSSL for development. I just created a certificate with that and without OpenSSL. Might wanna take a look. :D

@passcod
Copy link
Owner

passcod commented Sep 10, 2019

Oh, good. We'd still need to use build extensions directly, but it's probably doable then.

@est31
Copy link

est31 commented Sep 11, 2019

rcgen maintainer here. I support any efforts of adopting rcgen. If some feature is missing in rcgen, please file a bug!

@passcod
Copy link
Owner

passcod commented Sep 11, 2019

Certainly supports, and therefore needs:

  • other types of SANs, not just dns names
  • the client and server auth extension flag things
  • the pathlen or maxpathlen basic constraint

I think this can all be done just by writing raw extensions and ignoring rcgen's SANs support, though.

@est31
Copy link

est31 commented Sep 11, 2019

@passcod which SAN types do you need in specific? There is a list here: https://tools.ietf.org/html/rfc5280#section-4.2.1.6 (preceeded by "GeneralName ::= CHOICE {").

@passcod
Copy link
Owner

passcod commented Sep 11, 2019

dns and ip. Possibly email, just because I could see that come up later, but certainly not any of the others as I don't think there's a common use for those at all.

@est31 est31 mentioned this issue Sep 11, 2019
Closed
3 tasks
@est31
Copy link

est31 commented Sep 12, 2019

@passcod the 0.6.0 release of rcgen should contain all the things you listed in your comment above.

@passcod
Copy link
Owner

passcod commented Sep 12, 2019

Thanks! I'll go rewrite openssl out... this weekend or so.

@passcod
Copy link
Owner

passcod commented Sep 14, 2019

Almost done, I just want to add RSA support without OpenSSL now.

@passcod
Copy link
Owner

passcod commented Sep 14, 2019

Depends on rustls/rcgen#25

@passcod
Copy link
Owner

passcod commented Sep 15, 2019

Done in 1.7.0

@passcod passcod closed this as completed Sep 15, 2019
@svenstaro
Copy link
Author

Super nice!

@est31 est31 mentioned this issue Oct 12, 2023
Closed
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@svenstaro @passcod @est31