Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

proposal: crypto/x509: Provide a mechanism for accessing SRVNames #21789

Open
SamWhited opened this issue Sep 7, 2017 · 9 comments

Comments

@SamWhited
Copy link
Member

commented Sep 7, 2017

The SRVName field of an X.509 certificate defined by RFC 4985 allows a certificate to be used to verify that a service is managed by a particular entity without giving the same entity control over the entire domain or subdomain (eg. if DNSName or CommonName were used).

I would like to be able to access the SRVNames from a certificate parsed using x509.ParseCertificate and the like. I can see two ways of doing this, depending on how accessible this information needs to be. The easiest would be to add a field to the Certificate struct alongside the existing SAN fields:

type Certificate struct {
    …
    // Subject Alternate Name values
    DNSNames       []string
    SRVNames       []string
    EmailAddresses []string
    IPAddresses    []net.IP
    …
}

and parse the SRVNames at the same time we parse DNSNames. This is easy to use, but it may not be desirable to pollute the struct with fields for more otherName values that aren't as widely used (especially when issues like #15196 may already cause it to balloon).

Alternatively, the raw SAN field can already be pulled out of the Extensions []pkix.Extension field. A more extensible approach might be to create a raw SAN field similar to Extensions that contains the raw map of OIDs and their values. Something like:

type Certificate struct {
    …
    // Extensions contains raw X.509 extensions. When parsing certificates,
    // this can be used to extract non-critical extensions that are not
    // parsed by this package. When marshaling certificates, the Extensions
    // field is ignored, see ExtraExtensions.
    Extensions []pkix.Extension

    // SAN contains raw X.509 extensions that were not parsed into the DNSNames,
    // EmailAddresses, or IPAddresses fields..
    SAN []pkix.Extension
    …
}

which would make it possible for users to get ahold of arbitrary fields from the SAN without requiring that they pull the blob out of Extensions and re-parse it again.
Note that this would have to be in addition to the existing raw SAN field from Extensions (we probably can't remove it since code might already be pulling the SAN field out of Extensions). I have not included an ExtraExtensions (for marshalling) equivalent for this reason (what happens when both exist and you go to create a certificate?).

/cc @agl

@SamWhited SamWhited added the Proposal label Sep 7, 2017

@gopherbot gopherbot added this to the Proposal milestone Sep 7, 2017

@agl agl self-assigned this Sep 7, 2017

@SamWhited

This comment has been minimized.

Copy link
Member Author

commented Sep 8, 2017

Here's what I'm doing temporarily to solve my problem (lots of code copied and modified from the standard library). If one of the solutions (or something vaguely similar) proposed in this issue is accepted I can adapt it back to crypto/x509: https://godoc.org/mellium.im/xmpp/x509

@rsc

This comment has been minimized.

Copy link
Contributor

commented Oct 16, 2017

CL 62693 is adding more constraint checking but doesn't have SRVNames. I commented there to find out if it should be added.

@SamWhited

This comment has been minimized.

Copy link
Member Author

commented Feb 15, 2018

This did not end up being addressed by CL 62693; now that the 1.11 tree is open, would either of the above proposed APIs be acceptable? If so I will commit to submitting a CL during this cycle. Thanks!

@rsc

This comment has been minimized.

Copy link
Contributor

commented Feb 26, 2018

@FiloSottile

This comment has been minimized.

Copy link
Member

commented Feb 26, 2018

I wouldn't object to just adding SRVNames, x509.Certificate is way past the ergonomic API surface territory. I'm more wary of adding APIs with overlapping meaning and complex extensibility, causing issues like the one you identified with Extensions.

Do you think you'll also need XMPPAddresses?

@SamWhited

This comment has been minimized.

Copy link
Member Author

commented Feb 26, 2018

@gopherbot

This comment has been minimized.

Copy link

commented Feb 27, 2018

Change https://golang.org/cl/97376 mentions this issue: crypto/x509: add SRV and XMPP fields

@SamWhited

This comment has been minimized.

Copy link
Member Author

commented Feb 28, 2018

Update: I've added parsing and marshaling to the CL for certificates and certificate requests, but am waiting on the results of https://golang.org/cl/96378 before doing any sort of validation since that will probably require a more complicated rebase if I do it now.

@ianlancetaylor

This comment has been minimized.

Copy link
Contributor

commented Mar 19, 2018

Accepted for SRVName per @FiloSottile 's comment above.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
6 participants
You can’t perform that action at this time.