
Add Certificate::from_der + Certificate::from_pem #274

Open
oscartbeaumont opened this issue May 17, 2024 · 2 comments

Comments

@oscartbeaumont

I'm in the process of upgrading rcgen and I have to say the new API is much easier to understand, great job!

In reading some of the #62 I can see the idea of adding Certificate::from_der and Certificate::from_pem came up but they don't seem to have made it into the final release.

I wanted to know if there is a way to load an existing CA certificate to sign some more certificates without triggering signing.

Right now I'm doing the following:

use rcgen::{CertificateParams, KeyPair};
use rustls_pki_types::CertificateDer;

let identity_key: KeyPair = todo!(); // the CA's private key, loaded elsewhere
let cert: Vec<u8> = todo!();         // the existing CA certificate, DER-encoded

// Parse the fields rcgen understands out of the stored CA certificate, then
// obtain a `Certificate` by self-signing those params with the CA key again.
let cert = CertificateParams::from_ca_cert_der(&CertificateDer::from(cert))
    .unwrap()
    .self_signed(&identity_key)
    .unwrap();

However, my presumption is that this will sign a new CA certificate on each startup of my application and I would rather just import the existing CA certificate and use it.

I tried to do a PR to add Certificate::from_der + Certificate::from_pem, but I'm kinda lost as to where the subject_public_key_info would come from. I've included what I had below:

// This has to live inside rcgen itself: `Certificate`'s fields are private,
// so the struct literal below cannot be written from a dependent crate.
impl Certificate {
	/// TODO
	pub fn from_der(der: CertificateDer<'static>) -> Result<Self, Error> {
		let params = CertificateParams::from_ca_cert_der(&der)?;
		Ok(Self {
			params,
			// Unclear where this should come from; see the question above.
			subject_public_key_info: todo!(),
			der,
		})
	}
}
@djc
Member

djc commented May 21, 2024

Yeah, this API isn't great right now. I've described a plan to improve it in #269 (comment) -- if you want to help implementing that, that would be awesome. Unfortunately with the current API I don't think there's a way around doing a fake self-signing of the CA certificate before using it to sign dependent certificates.

@acul009

acul009 commented Nov 14, 2024

This would be great to have. It's the reason I can't upgrade to 0.13 right now.

I only noticed after converting most of my code, which is unfortunate, but I had the opportunity to see the new 0.13 in action.

I actually really like the new params/signing API - it's a lot nicer to use than the manual serialize_der_with_signer.
A few of the types are also pretty close to the wrappers I wrote. For the KeyPair I was actually able to remove large parts of my own logic.
