Need to enhance the OpenSSL::X509 more features #7896

Open
ghost opened this issue Jun 18, 2019 · 4 comments

@ghost

ghost commented Jun 18, 2019

Summary

I need this feature to sign some X509 certificates.
I don’t know much about OpenSSL.
I looked at the Crystal API documentation, but I didn't see this feature.
(e.g. OpenSSL::X509::Request, OpenSSL::PKey::RSA).

enhance: OpenSSL::X509::Certificate
(e.g. version, serial, public_key, subject, issuer...)

It also needs more documentation (preferably like Ruby's).

In Ruby (Example From StackOverflow)

require 'openssl'

# Load the signing CA certificate and its private key
ca     = OpenSSL::X509::Certificate.new( File.read( INTERCEPTOR_CA_CERTIFICATE ) )
ca_key = OpenSSL::PKey::RSA.new( File.read( INTERCEPTOR_CA_KEY ) )

# Key pair for the certificate being issued
keypair = OpenSSL::PKey::RSA.new( 4096 )

# Certificate signing request, self-signed with the new key
req            = OpenSSL::X509::Request.new
req.version    = 0
req.subject    = OpenSSL::X509::Name.parse(
    "CN=www.origin-server.com/O=Arachni/OU=Proxy/L=Athens/ST=Attika/C=GR"
)
req.public_key = keypair.public_key
# SHA-256 here and below: current TLS clients reject SHA-1 certificate signatures
req.sign( keypair, OpenSSL::Digest::SHA256.new )

# Certificate built from the request, valid for one year (version 2 = X.509 v3)
cert            = OpenSSL::X509::Certificate.new
cert.version    = 2
cert.serial     = rand( 999999 )
cert.not_before = Time.new
cert.not_after  = cert.not_before + (60 * 60 * 24 * 365)
cert.public_key = req.public_key
cert.subject    = req.subject
cert.issuer     = ca.subject

ef = OpenSSL::X509::ExtensionFactory.new
ef.subject_certificate = cert
ef.issuer_certificate  = ca

cert.extensions = [
    ef.create_extension( 'basicConstraints', 'CA:FALSE', true ),
    ef.create_extension( 'extendedKeyUsage', 'serverAuth', false ),
    ef.create_extension( 'subjectKeyIdentifier', 'hash' ),
    ef.create_extension( 'authorityKeyIdentifier', 'keyid:always,issuer:always' ),
    ef.create_extension( 'keyUsage',
        %w(nonRepudiation digitalSignature
        keyEncipherment dataEncipherment).join(","),
        true
    )
]
# Sign the certificate with the CA's private key
cert.sign( ca_key, OpenSSL::Digest::SHA256.new )

References

@ghost ghost changed the title Need to enhance the OpenSSL :: X509 features. Need to enhance the OpenSSL::X509 features. Jun 18, 2019
@ghost ghost changed the title Need to enhance the OpenSSL::X509 features. Need to enhance the OpenSSL::X509 features Jun 18, 2019
@ghost ghost changed the title Need to enhance the OpenSSL::X509 features Need to enhance the OpenSSL::X509 more features Jun 20, 2019
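Added example (not part of the original issue, and not code from the Crystal project or the StackOverflow answer): a self-contained Ruby version of the signing flow quoted in the issue, which issues a leaf certificate from a throwaway in-memory CA and then checks it the way a TLS client would. The helper names, the constructed CA, the host name `test.example`, the SHA-256 digest, the random serial and the `subjectAltName` extension are assumptions of this example.

```ruby
require 'openssl'
require 'securerandom'

# Build and sign one certificate. issuer_cert nil means self-signed (the test CA).
def make_cert(subject, key, issuer_cert, signing_key, exts)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2 # X.509 v3
  cert.serial     = SecureRandom.random_number(2**64) + 1 # CSPRNG serial
  cert.subject    = OpenSSL::X509::Name.parse(subject)
  cert.issuer     = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key
  cert.not_before = Time.now - 60
  cert.not_after  = cert.not_before + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = issuer_cert || cert
  exts.each { |ext| cert.add_extension(ef.create_extension(*ext)) }
  cert.sign(signing_key, OpenSSL::Digest.new('SHA256')) # returns the signed cert
end

# Constructed throwaway CA, standing in for the CA files the snippet loads.
def build_ca
  key = OpenSSL::PKey::RSA.new(2048)
  ca  = make_cert('/CN=Constructed Test CA', key, nil, key,
                  [['basicConstraints', 'CA:TRUE', true],
                   ['keyUsage', 'keyCertSign,cRLSign', true],
                   ['subjectKeyIdentifier', 'hash', false]])
  [ca, key]
end

def issue_leaf(ca, ca_key, host)
  make_cert("/CN=#{host}", OpenSSL::PKey::RSA.new(2048), ca, ca_key,
            [['basicConstraints', 'CA:FALSE', true],
             ['keyUsage', 'digitalSignature,keyEncipherment', true],
             ['extendedKeyUsage', 'serverAuth', false],
             ['subjectAltName', "DNS:#{host}", false],
             ['subjectKeyIdentifier', 'hash', false],
             ['authorityKeyIdentifier', 'keyid:always', false]])
end

# Client-side view: chain to the trusted CA, server purpose, host name match.
def check_leaf(leaf, ca, host)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca)
  store.purpose = OpenSSL::X509::PURPOSE_SSL_SERVER
  { chain_ok: store.verify(leaf),
    host_ok:  OpenSSL::SSL.verify_certificate_identity(leaf, host),
    sig_alg:  leaf.signature_algorithm }
end
```

`issue_leaf` discards the leaf's private key because only the certificate is inspected here; a caller that serves the certificate would keep the key alongside it.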
@ghost
Author

ghost commented Jun 20, 2019

Please, if possible, consider giving priority to this feature.
I need to use this feature; I need it to make a MITM proxy server,
otherwise I can only try to use Rust to rewrite this server... :(

@ysbaddaden
Contributor

This isn't trivial work. Nobody took the time to wrap OpenSSL functions. You can use them directly, though, or tackle this, and open a pull request :)

@ghost
Author

ghost commented Jun 20, 2019

@ysbaddaden


> This isn't trivial work.

Yes, I guessed this possibility😟, but thanks for your reply😁.

> You can use them directly, though, or tackle this, and open a pull request :)

I may not be able to do this task (I don't know much about the C language☹️), but I found another openssl.cr library. It seems a little old; I will try to use it🤔.


@RX14
Contributor

RX14 commented Jun 25, 2019
