New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add expires option #291
Add expires option #291
Conversation
Codecov Report
@@ Coverage Diff @@
## master #291 +/- ##
==========================================
Coverage 100.00% 100.00%
==========================================
Files 10 10
Lines 1045 1181 +136
Branches 45 55 +10
==========================================
+ Hits 1045 1181 +136
|
ece9b68
to
eb55f70
Compare
Hi @herbygillot, thanks a lot for your polished contribution! Can you please clarify what your use case is for doing this? Are you interested in certs that expire sooner? Are you using trustme through the cli? We have a pretty high bar for allowing options like this, as it's easy to shoot yourself in the foot by using a wrong combination of options. For example, since November 2019 and macOS 10.15, TLS server certificates issued after July 1, 2019 must have a validity period of 825 days or fewer. We're currently not affected because we issue certs starting from January 1, 2000. But if I merge your PR, what should I do when someone asks to change the notBefore date? Would we need a check for this 825 days rule? What other rules are we not aware of? There are so many ways to shoot yourself in the foot with TLS certificates and the errors are so unclear when it happens that we're really reluctant to add options like this, which is why I'm asking about your use case. It would have to benefit many trustme users to be included.
(I would have appreciated a separate pull request for this change, as it needs to be discussed separately.) Even we're not testing it, the paths aren't wrong, but the naming is unfortunate.
Does that make sense? Do you think renaming client.pem to ca.pem would have helped avoid the confusion? |
Thank you for reviewing @pquentin. I am using
I think if Then we should give users who specifically want to do something outside of these rules an option to do so, like Another possibility that could keep the CLI simple is to add advanced options as an argparse subcommand. So one would need to do In this way the default CLI is kept as clean and simple as it is today, while at the same time allowing power users access to options they may need. advanced mode should print a message warning the user that there is the possibility of generating possibly invalid certs.
This does make sense, my fault for misunderstanding, and yes I think renaming could help here. |
Would you be happy with a |
Well that's certainly up to you, but since we're currently specifying some span of time towards the future, something like Alternatively if it's to be specified as an actual datestamp, then |
Can you please clarify why it's helpful to specify the precise expiry date?
Would you like to open a PR that changes client.pem to ca.pem? |
I only mentioning setting the precise expiry date as an alternative way of setting the expiry... a possible alternative to the method I'm currently proposing in this PR, which are time spans. I'm personally more partial to the method in the PR (time spans), rather than precise date.
I'll remove that commit, and allow you and team to change at your leisure. |
Sorry for the frustration I'm causing here. trustme is a small project that I'd like to keep small¹ and high-level, and this pull request adds 10% more code, which is why I'm reluctant to include this as is. My order of preference is:
Why is a simple ¹ This is also why I don't really want to encode all the possibles rules we want to adhere to in code: it would be nice but it's more code than what I'm willing to maintain. |
I was using |
eb55f70
to
1d5445a
Compare
(Removed cert renaming commit.) |
I'd be happy to hear what other maintainers think, but my opinion in that case is: let's only support I'd be happy to merge such a pull request! But let's open another one to do so. Thank you for your patience, and sorry for rejecting this. |
This PR adds the option to specify when the issued client certificate should expire (
Not After
field). It's specified in the style of<number>t
, wheret
can beH
(hour),m
(month),d
(days), etc...While adding this feature, I also found that the client and server certs were being written to the wrong paths. An included commit resolves this.