revive project for pkcs12 write support #28
Comments
hm. that's unfortunate.
housing it here seems like a reasonable idea to me. probably want to start by pulling any changes/improvements made in x/crypto.
Another consideration: does maintaining this as a fork of x/crypto cause problems using this side-by-side with x/crypto? I assume a full fork is done to re-use unexported code from inside x/crypto...
What is necessary to kick the tires here? My personal crypto skills are quite limited but maybe I can help anyway!? I guess there is no step by step guide that explains how to implement the write support. May somebody point to a specification that should be implemented here? Maybe I can get in touch and see how it goes? Since my comment here is quite motivational my personal time is also limited but maybe it works out somehow anyway.
@AGWA had started on it in #22. The last update I saw from him is at cloudflare/cfssl#449 (comment)
Looks like code from #22 already landed in https://github.com/AGWA-forks/golang-crypto. There is some sort of similarity at least. See
Is https://github.com/AGWA-forks/golang-crypto advised to be used though? Is it safe for use?
@AGWA had suggested otherwise. Though I'm not 100% sure, I think there were some bug/security fixes when Azure/go-pkcs12 was moved into x/crypto that haven't been applied back to AGWA's fork.
https://github.com/AGWA-forks/golang-crypto is up-to-date with the changes that were made when Azure/go-pkcs12 was moved into x/crypto, and can be cleanly rebased on the latest x/crypto upstream. That said, the project which required this got put on hiatus so I'm not currently using or maintaining this code. Using a fork of a crypto library seems like a generally bad idea to me, since you could miss security fixes that are applied upstream. A standalone library for PKCS#12 writing would be great, but would require duplication of internal code in x/crypto.
CC: @JargoonPard
There is currently a discussion around the use of FYI, I personally don't need PKCS12 writing, nor am I a crypto guru. You may be on your own.
@boumenot had a similar issue when implementing the packer azure-arm builder: https://github.com/mitchellh/packer/tree/master/builder/azure/pkcs12
I wonder if the Go SDK team has any desire to own this? Given that we need this for Azure APIs basically...
cc: @eduardkoller
cc: @vishrutshah
@AGWA Hey Andrew. We at cloud foundry are looking to create the pfx data given a cert/key from users for azure application gateways. Do you have plans to make this standalone library for pkcs12 writing or should we plan to make our own?
@genevievelesperance I do not currently have plans to write this library.
Cool, thanks!
@boumenot Amazing! We'll use that. Thanks!
Woot! I'm going to close this out!
Looks like pkcs12 write support is not going to land in upstream crypto: golang/go#14125
This is, unfortunately, somewhat necessary for Azure stuff. For example, someone is going to write an azure-ingress-controller for Kubernetes, and they're going to need to convert PKCS8 to PKCS12 because we of course expect certs in PKCS12 format. There are other things that need it. Anyway, it's not going to live in the main crypto repos, should we house it here?
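Added example, not code from this thread, from x/crypto, or from AGWA's fork: the PKCS#12 container that "write support" has to produce, assembled with Go's standard encoding/asn1 following the field order in RFC 7292. It packs a PKCS#8 key into a keyBag and a certificate into a certBag, nested as PFX > AuthenticatedSafe > SafeContents. It deliberately leaves out the two things that make a real .pfx what consumers expect: password-based encryption of the bags and the MacData integrity check. Both need the PKCS#12 key derivation and legacy ciphers, which is the code the thread says a standalone writer would have to duplicate from x/crypto. The output is therefore a plaintext key file in PKCS#12 clothing (the layout `openssl pkcs12 -export -keypbe NONE -certpbe NONE -nomac` emits), and x/crypto's Decode rejects it for lack of a MAC; its value is showing exactly where the hard part of the writer sits. The key, certificate, subject name and function names are all constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Object identifiers from RFC 7292 (PKCS #12) and PKCS #7.
var (
	oidData     = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 7, 1}         // pkcs7-data (unencrypted)
	oidKeyBag   = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 12, 10, 1, 1} // keyBag: plain PKCS #8
	oidCertBag  = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 12, 10, 1, 3} // certBag
	oidX509Cert = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 22, 1}     // x509Certificate
)

// RFC 7292 shapes. "[0] EXPLICIT OCTET STRING" slots are tagged []byte fields; a SafeBag value
// is a raw [0] element built by explicit0, because encoding/asn1 writes RawValues verbatim.
type contentInfo struct {
	ContentType asn1.ObjectIdentifier
	Content     []byte `asn1:"tag:0,explicit"`
}
type safeBag struct {
	BagID    asn1.ObjectIdentifier
	BagValue asn1.RawValue // [0] EXPLICIT PrivateKeyInfo or CertBag
}
type certBag struct {
	CertID    asn1.ObjectIdentifier
	CertValue []byte `asn1:"tag:0,explicit"` // the DER certificate
}
type pfxPDU struct {
	Version  int         // always 3
	AuthSafe contentInfo // macData (OPTIONAL) is left out: no integrity protection here
}

func explicit0(inner []byte) asn1.RawValue { // DER wrapped in a constructed context-specific [0]
	return asn1.RawValue{Class: asn1.ClassContextSpecific, Tag: 0, IsCompound: true, Bytes: inner}
}

// buildPFX nests PFX > AuthenticatedSafe > SafeContents > {keyBag, certBag} with the private key
// in the clear: no PKCS #12 password-based encryption on the bags and no MAC over the authSafe.
func buildPFX(pkcs8DER, certDER []byte) (pfx []byte, err error) {
	der := func(v any) []byte { // marshal, keeping the first error
		b, e := asn1.Marshal(v)
		if err == nil {
			err = e
		}
		return b
	}
	cb := der(certBag{CertID: oidX509Cert, CertValue: certDER})
	safeContents := der([]safeBag{ // SEQUENCE OF SafeBag
		{BagID: oidKeyBag, BagValue: explicit0(pkcs8DER)},
		{BagID: oidCertBag, BagValue: explicit0(cb)},
	})
	authSafe := der([]contentInfo{{ContentType: oidData, Content: safeContents}}) // SEQUENCE OF ContentInfo
	pfx = der(pfxPDU{Version: 3, AuthSafe: contentInfo{ContentType: oidData, Content: authSafe}})
	return pfx, err
}

// demoKeyAndCert makes a throwaway P-256 key and self-signed certificate as constructed demo input.
func demoKeyAndCert() (pkcs8DER, certDER []byte, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example.invalid"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	if certDER, err = x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv); err != nil {
		return nil, nil, err
	}
	pkcs8DER, err = x509.MarshalPKCS8PrivateKey(priv)
	return pkcs8DER, certDER, err
}

func main() {
	key, cert, err := demoKeyAndCert()
	if err != nil {
		panic(err)
	}
	pfx, err := buildPFX(key, cert)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d-byte unencrypted PFX (outer DER header %x)\n", len(pfx), pfx[:2])
}
```

Two design points worth noting. First, encoding/asn1 ignores `tag:0,explicit` on an `asn1.RawValue` when marshalling, so the one slot whose content is an arbitrary SEQUENCE (the SafeBag value) has to be wrapped in the [0] tag by hand; the OCTET STRING slots can use the struct tag directly. Second, a password-protected file replaces the keyBag with a pkcs8ShroudedKeyBag, wraps the certificate SafeContents in an encryptedData ContentInfo, and appends MacData keyed by the PKCS#12 KDF; none of that is in Go's standard library, which is precisely why the thread ends up debating forks of x/crypto.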