-
Notifications
You must be signed in to change notification settings - Fork 167
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add OpenSSL::X509::Extension#value_der method #234
Conversation
The #value method provides a weird stringification of the extension value that can't be parsed and isn't very useful. The new #value_der method provides the raw value, allowing users to decode the value and use it as needed.
👍 I was seeing something similar with cedarcode/webauthn-ruby#127 - in this case, it straight up mangles the binary data. authenticator_data.aaguid.bytes # expected
[248, 160, 17, 243, 140, 10, 77, 21, 128, 6, 23, 17, 31, 158, 220, 125]
extension.value.bytes # actual
[46, 46, 46, 46, 46, 46, 46, 10, 77, 46, 46, 46, 46, 46, 46, 46, 46, 125]
extension.to_h
{"oid"=>"1.3.6.1.4.1.45724.1.1.4", "value"=>".......\nM........}", "critical"=>false} Fortunately my use case is a little simpler and I know the expected byte length, so I don't need the ASN1 parsing: extension.to_der[-16..-1] == authenticator_data.aaguid Edit: this closes #163 |
LGTM. |
@mastahyeti Just wondering if |
I like |
What does der mean? |
Distinguished encoding rules. It's one of the binary encodings for ASN.1
data.
…On Sat, Jun 15, 2019 at 1:17 AM Samuel Williams ***@***.***> wrote:
What does der mean?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#234?email_source=notifications&email_token=AAIXLBMAA7A7EQDJC6CFUMTP2SJQVA5CNFSM4GJRSUUKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODXYSFVI#issuecomment-502342357>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAIXLBLKH6BUMMQZ57TDEZTP2SJQVANCNFSM4GJRSUUA>
.
|
I wonder if we should have a more complex "value" object, e.g. class Value
def to_der
# ... same as .value_der
end
def to_s
# same as current .value
end
end Are there any other interesting properties/formats of value we should expose? |
DER encoded and parsed ( I think the biggest improvement we could make to how extensions are treated in this library would be to pick the most common extensions and expose their data in a useful way on the parent object. For example X509 certificates often have Subject Alternative Name (SAN), Extended Key Usage (EKU), Authority Key Identifier (AKI), and Subject Key Identifier (SKI) extensions. Instead of making the user parse these themselves, we could expose their values directly on the For less common extensions, I think providing individual |
That sounds really good to me, do you think you have time to implement it? I will review it and merge it. |
I don't have time to implement it right now, but can add it to my TODO list. |
The
#value
method provides a weird stringification of the extension value that can't be parsed and isn't very useful. The new#value_der
method provides the raw value, allowing users to decode the value and use it as needed.For example, I'm wanting to use the Authority Key Identifier extension from a certificate. To do this currently, I do
The change in this PR lets us simplify this to
While this still isn't great, I think it's as good as we can get. Since each extension has a different ASN.1 profile, we can't do much to parse the actual extension value for the user unless we wanted to add a bunch of logic for several popular extensions.