Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add support for accessing an EndEntityCert's spki #28

Closed
mdecimus opened this issue Jan 12, 2023 · 6 comments
Closed

Add support for accessing an EndEntityCert's spki #28

mdecimus opened this issue Jan 12, 2023 · 6 comments

Comments

@mdecimus
Copy link

mdecimus commented Jan 12, 2023

Hi,

This is related to briansmith/webpki#85, currently it is not possible to access a certificate's public key and other details. A use case for this is the validation of end entity's certificates with DNS-Based Authentication of Named Entities (DANE).

It would also be quite useful to have access to the parsed X.509 certificate such as https://github.com/rusticata/x509-parser does.

Thanks

@cpu
Copy link
Member

cpu commented Sep 27, 2023

This will be resolved by #174

@djc
Copy link
Member

djc commented Sep 27, 2023

Actually I think this specific ask should already work on main (and probably the latest alpha)?

@cpu
Copy link
Member

cpu commented Sep 27, 2023

Actually I think this specific ask should already work on main (and probably the latest alpha)?

I might be missing something obvious but it looks to me like main doesn't expose a way to go from an EndEntityCert to a Cert. And both EndEntityCert and Cert don't expose SPKI, just subject.

@djc
Copy link
Member

djc commented Sep 27, 2023

We merged #184 last week, but I guess that doesn't expose SPKI, yet.

@ctz
Copy link
Member

ctz commented Sep 27, 2023

Note that Cert::spki is not a valid SPKI encoding, because it lacks the outer SEQUENCE tag and length. That is OK while it remains a crate-internal detail. But I don't think we can expose it as-is.

@cpu
Copy link
Member

cpu commented Oct 5, 2023

Note that Cert::spki is not a valid SPKI encoding, because it lacks the outer SEQUENCE tag and length. That is OK while it remains a crate-internal detail. But I don't think we can expose it as-is.

This was a good call out. Just leaving a note to say that #174 ended up exposing the entire certificate DER w/ Cert::der(), but not the Cert::spki field, side-stepping this concern. Consumers can use x509-parser or equivalent to pull out the SPKI without needing to worry about the peculiarities of the condensed webpki internal repr.

I think we can close this now.

@cpu cpu closed this as completed Oct 5, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants