
proposal: x/crypto/ocsp: Export certID and the code that populates it #59284

Open
mholt opened this issue Mar 28, 2023 · 1 comment
Labels: Proposal, Proposal-Crypto (Proposal related to crypto packages or other security issues)
Milestone: Proposal

Comments

@mholt commented Mar 28, 2023

I am implementing ACME Renewal Information (ARI) for TLS servers to be able to automatically renew their certificates within a CA-designated timeframe.

It turns out that ARI is actually an OCSP request, but with slightly different ceremony: the GET request URI is literally suffixed with an encoded RFC 6960 OCSP request CertID structure.

Unfortunately, ocsp.CreateRequest() returns an opaque byte slice. The data we need is that exact same data but without the following (essentially empty) wrapping:

ocspRequest{
	tbsRequest{
		Version: 0,
		RequestList: []request{
			{
				Cert: 

I'd like to propose that we export the bulk of this function:

https://cs.opensource.google/go/x/crypto/+/refs/tags/v0.7.0:ocsp/ocsp.go;l=628-666

and update this comment:

	// OCSP seems to be the only place where these raw hash identifiers are
	// used.

since now, in 2023, there is one other place that the raw hash identifier is used: ARI. 😅

The exported function should return an exported CertID struct. From there, marshaling as ASN.1 is easy (with asn1.Marshal()).

Of course, CreateRequest() would reuse the same code, now exported for the benefit of ARI clients. 😊

Hope this makes sense. Thanks for considering!
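As an added illustration of what the proposal asks for (not code from the issue or from x/crypto), the following builds the bare RFC 6960 CertID from an issuer's raw DER fields and encodes it the way an ARI client needs, with no OCSPRequest wrapping. The exported CertID type and the NewCertID/EncodeCertID names are hypothetical; the inputs are assumed to be issuer.RawSubject, issuer.RawSubjectPublicKeyInfo and leaf.SerialNumber from crypto/x509, and SHA-256 is assumed as the hash.

```go
package main

import (
	"crypto/sha256"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/base64"
	"errors"
	"math/big"
)

// CertID is the RFC 6960 section 4.1.1 structure. This exported form is hypothetical,
// standing in for the unexported certID in x/crypto/ocsp.
type CertID struct {
	HashAlgorithm  pkix.AlgorithmIdentifier
	IssuerNameHash []byte
	IssuerKeyHash  []byte
	SerialNumber   *big.Int
}

// spki is just enough of SubjectPublicKeyInfo to reach the key BIT STRING.
type spki struct {
	Algorithm pkix.AlgorithmIdentifier
	PublicKey asn1.BitString
}

// NewCertID takes issuer.RawSubject, issuer.RawSubjectPublicKeyInfo and leaf.SerialNumber.
// issuerKeyHash covers only the BIT STRING body of the SPKI (not the whole SEQUENCE), so
// the SPKI is parsed first; issuerNameHash covers the full DER Name. SHA-256 is assumed.
func NewCertID(rawIssuerName, rawIssuerSPKI []byte, serial *big.Int) (CertID, error) {
	var pk spki
	if rest, err := asn1.Unmarshal(rawIssuerSPKI, &pk); err != nil || len(rest) != 0 {
		return CertID{}, errors.New("malformed SubjectPublicKeyInfo")
	}
	nameHash, keyHash := sha256.Sum256(rawIssuerName), sha256.Sum256(pk.PublicKey.RightAlign())
	sha256OID := asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 1}
	return CertID{
		HashAlgorithm:  pkix.AlgorithmIdentifier{Algorithm: sha256OID, Parameters: asn1.RawValue{Tag: asn1.TagNull}},
		IssuerNameHash: nameHash[:], IssuerKeyHash: keyHash[:], SerialNumber: serial,
	}, nil
}

// EncodeCertID DER-encodes the bare CertID and returns the unpadded base64url form that
// is appended to the ARI GET URI: none of the OCSPRequest/TBSRequest/Request wrapping.
func EncodeCertID(id CertID) (string, error) {
	der, err := asn1.Marshal(id)
	return base64.RawURLEncoding.EncodeToString(der), err
}
```

A caller with real certificates would pass issuer.RawSubject, issuer.RawSubjectPublicKeyInfo and leaf.SerialNumber, then append the returned string to the CA's renewalInfo URL.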

@mholt mholt added the Proposal label Mar 28, 2023
@gopherbot gopherbot added this to the Proposal milestone Mar 28, 2023
@seankhliao (Member) commented:

cc @golang/security

@seankhliao seankhliao added the Proposal-Crypto Proposal related to crypto packages or other security issues label Mar 28, 2023
@ianlancetaylor ianlancetaylor moved this to Incoming in Proposals Mar 28, 2023