Custom X509 extensions #1411
Comments
I'm interested in doing that too. I looked deeper, starting from d8f299fbb, and I've tried to make use of it, but the code is still panicking at runtime. The code looks like that:

```rust
const SIGSTORE_ISSUER_OID: &str = "1.3.6.1.4.1.57264.1.1";
let subject_issuer = "hello world";

let sigstore_issuer_nid =
    openssl::nid::Nid::create(SIGSTORE_ISSUER_OID, "sigstore", "Sigstore OIDC issuer")?;
// Passing the bare string as the extension value fails at runtime (see the error below)
let sigstore_subject_issuer_extension = X509Extension::new_nid(
    None,
    Some(&x509v3_context),
    sigstore_issuer_nid,
    subject_issuer,
)?;
```

At runtime I get this error:

```
Error: error:22097081:X509 V3 routines:do_ext_nconf:unknown extension:crypto/x509v3/v3_conf.c:82:
```

@tpambor (sorry for the direct mention, but given you are the one who exposed

If you are interested I can share the code of the whole demo app on a gist.
I think I sorted it out, almost... I had to specify the

```rust
const SIGSTORE_ISSUER_OID: &str = "1.3.6.1.4.1.57264.1.1";
let subject_issuer = "hello world";

// This is what solves the previous error: tell OpenSSL the ASN.1 type of the value
let value = format!("ASN1:UTF8String:{}", subject_issuer);

let sigstore_issuer_nid =
    openssl::nid::Nid::create(SIGSTORE_ISSUER_OID, "sigstore", "Sigstore OIDC issuer")?;
let sigstore_subject_issuer_extension = X509Extension::new_nid(
    None,
    Some(&x509v3_context),
    sigstore_issuer_nid,
    &value,
)?;
```

Now the certificate is generated, however... when looking into that I get a "strange" output:

The strange output are the
@flavio I think you figured it out. I'm doing it similarly.
Thanks for the help @tpambor and for the explanation about the "mysterious" chars. There's still something that drives me crazy... I'm trying to recreate something similar to this certificate:

This is created by a Go program, and it has all its arbitrary attributes without these symbols:

I've used the

This is what I get for the Go certificate:

As you can see, the string is encoded using a

I've changed my Rust code, the one producing the certificate, to do something like this:

```rust
let sigstore_issuer_nid =
    openssl::nid::Nid::create(SIGSTORE_ISSUER_OID, "sigstore", "Sigstore OIDC issuer")?;

// DER-encode the issuer string as an OCTET STRING
let mut buffer = [0u8; 1000];
let mut der_encoder = der::Encoder::new(&mut buffer);
let data = der::asn1::OctetString::new(subject_issuer.as_bytes())
    .map_err(|e| anyhow!("{:?}", e))?;
der_encoder
    .encode(&data)
    .map_err(|e| anyhow!("Cannot encode subject_issuer to DER: {}", e))?;
let encoded_string = der_encoder
    .finish()
    .map_err(|e| anyhow!("Cannot finish encoding subject_issuer to DER: {}", e))?;

// Hand the raw DER bytes to OpenSSL as "DER:<hex>"
let hex_string: Vec<String> = encoded_string
    .iter()
    .map(|v| format!("{:02X}", v))
    .collect();
let value = format!("DER:{}", hex_string.join(""));

let sigstore_subject_issuer_extension = X509Extension::new_nid(
    None,
    Some(&x509v3_context),
    sigstore_issuer_nid,
    &value,
)?;
```

Unfortunately the final cert still has the extra ASCII symbols:

Looking closer at the DER structure I get:

They are basically the same, but it looks like something is adding the extra 2 chars... 🤯

Why am I so obsessed by these 2 extra chars? Because when parsing the certificate using

```rust
const ISSUER_OID: Oid<'static> = oid!(1.3.6 .1 .4 .1 .57264 .1 .1);

fn inspect_cert(name: &str) -> Result<()> {
    let cert_raw = fs::read(name)?;
    let (_, pem) = parse_x509_pem(&cert_raw)?;
    let cert = pem.parse_x509()?;
    let extensions = cert.tbs_certificate.extensions_map()?;
    for (oid, ext) in extensions {
        if oid == ISSUER_OID {
            println!("oid: {}", oid);
            println!("ext: {:?}", ext);
            // ext.value is the raw content of the extension, decoded here as UTF-8
            let value = String::from_utf8(ext.value.to_vec());
            println!("value is: {:?}", value);
        }
    }
    Ok(())
}
```

This is the output I get:

Sorry about the noise, I hope you didn't mind being my rubber duck debugging companion 😄
@flavio Seems you are right. I created a UTF8String with content "Something". Encoded that is:

If I look at it in a hex editor I get:

So it seems it is nested inside an octet string but I don't know exactly why. That happens here: https://github.com/openssl/openssl/blob/af16097febcd4fa31cd5fcd05ad09cf8b53659ea/crypto/x509/v3_conf.c#L258
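The two layers discussed above, as an added std-only Rust example (not code from the thread or from rust-openssl): `ASN1:UTF8String:` yields a DER UTF8String (tag 0x0C), which OpenSSL then stores as the contents of the extension's extnValue OCTET STRING; a parser that hands back those contents still has the tag and length bytes in front of the text, and wrapping the string in an OCTET STRING before `DER:` only swaps them for `04 xx`. The function names and the short-form-length-only encoder are this example's own simplifications.

```rust
/// Minimal DER TLV (short-form length only, i.e. contents < 128 bytes).
fn der_tlv(tag: u8, content: &[u8]) -> Vec<u8> {
    assert!(content.len() < 0x80, "short-form length only");
    let mut out = vec![tag, content.len() as u8];
    out.extend_from_slice(content);
    out
}

/// Inner DER produced by `ASN1:UTF8String:<s>` (UTF8String, tag 0x0C).
fn utf8string_der(s: &str) -> Vec<u8> {
    der_tlv(0x0C, s.as_bytes())
}

/// Inner DER produced by the `DER:` attempt in the thread (OCTET STRING, tag 0x04).
fn octetstring_der(s: &str) -> Vec<u8> {
    der_tlv(0x04, s.as_bytes())
}

/// OpenSSL stores the inner DER as the contents of extnValue (an OCTET STRING).
fn extn_value(inner_der: &[u8]) -> Vec<u8> {
    der_tlv(0x04, inner_der)
}

/// Parse one short-form TLV into (tag, contents); None on malformed input.
fn parse_tlv(der: &[u8]) -> Option<(u8, &[u8])> {
    let (&tag, rest) = der.split_first()?;
    let (&len, rest) = rest.split_first()?;
    if len >= 0x80 || rest.len() < len as usize { return None; }
    Some((tag, &rest[..len as usize]))
}

/// What `ext.value` holds in the x509-parser snippet: the extnValue contents,
/// i.e. the inner TLV with its tag and length still in front of the text.
fn ext_value_as_seen_by_parser(extn: &[u8]) -> Option<Vec<u8>> {
    let (tag, contents) = parse_tlv(extn)?;
    (tag == 0x04).then(|| contents.to_vec())
}

/// Peel the inner TLV as well and decode the text (the step the snippet skips).
fn inner_text(ext_value: &[u8]) -> Option<String> {
    let (_tag, contents) = parse_tlv(ext_value)?;
    String::from_utf8(contents.to_vec()).ok()
}

fn main() {
    let seen = ext_value_as_seen_by_parser(&extn_value(&utf8string_der("Something"))).unwrap();
    println!("ext.value = {:02X?}", seen); // 0C 09 followed by the bytes of "Something"
    println!("text = {}", inner_text(&seen).unwrap());
}
```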
Adds a solver for the [`TLS-ALPN-01`](https://www.rfc-editor.org/rfc/rfc8737.html) challenge. We needed to re-implement parts of [`tokio-native-tls`](https://crates.io/crates/tokio-native-tls) and [`native-tls`](https://crates.io/crates/native-tls) since they do not provide enough control over the SSL acceptor in favor of cross-system compatibility. Furthermore, we also needed to pull in [`rcgen`](https://crates.io/crates/rcgen) since `openssl` does not support [custom extensions](sfackler/rust-openssl#1411) or [marking them as critical](sfackler/rust-openssl#1601).
Currently rust-openssl supports a number of X509 extensions, though it's not a complete list. And if I understand correctly it doesn't support custom extensions. I think it would be great to support creating custom X509 extensions, similar to how it's done in openssl: