Add minimal NewCertificateFromX509 implementation #248
Force-pushed from e844e81 to f5e8c24.
Instead of relying on a new implementation based on generics, smallstep/crypto#248 was created to have a minimal implementation for supporting signing public keys.
lgtm, but we should put the logic in one private method.
x509util/certificate.go (outdated)
    // If no template use only the certificate request with the
    // default leaf key usages.
    if o.CertBuffer == nil {
    	return nil, errors.New("not implemented yet; use FromX509WithTemplate option")
    }

    // With templates
    var cert Certificate
    if err := json.NewDecoder(o.CertBuffer).Decode(&cert); err != nil {
    	return nil, errors.Wrap(err, "error unmarshaling certificate")
    }

    // Enforce the public key from the template
    cert.PublicKey = template.PublicKey
    cert.PublicKeyAlgorithm = template.PublicKeyAlgorithm

    // Generate the subjectAltName extension if the certificate contains SANs
    // that are not supported in the Go standard library.
    if cert.hasExtendedSANs() && !cert.hasExtension(oidExtensionSubjectAltName) {
    	ext, err := createCertificateSubjectAltNameExtension(cert, cert.Subject.IsEmpty())
    	if err != nil {
    		return nil, err
    	}
    	// Prepend extension to achieve a certificate as similar as possible to
    	// the one generated by the Go standard library.
    	cert.Extensions = append([]Extension{ext}, cert.Extensions...)
    }

    return &cert, nil
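Review bot: the leading comment in this region ("If no template use only the certificate request with the default leaf key usages") no longer describes what the code does: the `o.CertBuffer == nil` branch returns `errors.New("not implemented yet; use FromX509WithTemplate option")` instead of falling back to default leaf key usages. Either implement the described fallback or reword the comment to say that a template is currently required, so a reader does not assume a no-template path exists.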
This is duplicated logic that can be combined into one internal function.
Fixed in f1025e3
lgtm
Minimal implementation of NewCertificateFromX509 to create an x509.Certificate without signing a CSR. This PR replaces #239 and #247. We decided on keeping the logic simple, and to not add generic processing of x509.Certificate and x509.CertificateRequest for now. The changes from the other PRs might still be of interest in the (near) future when more options are added for manipulating a x509.Certificate or x509.CertificateRequest, so we may reconsider the decision by then.
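The description above states the purpose of NewCertificateFromX509: issue a certificate for a key that arrives as an existing x509.Certificate rather than as a CSR. The program below is an added example, not code from this PR or from smallstep/crypto, and uses only the Go standard library. It builds a constructed CA and a constructed self-signed source certificate, then issues a leaf whose subject, SANs and public key are copied from that source while the key usages are fixed by the issuer, which is the same split the reviewed snippet applies when it overwrites cert.PublicKey with template.PublicKey after decoding the template. The function names (newCA, newSelfSignedSource, leafFromX509, issueAndVerify) and the name example.test are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCA builds a constructed self-signed CA for the example (not a real CA).
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newSelfSignedSource builds the constructed x509.Certificate that plays the
// role of the input: it carries the subject's public key and SANs, no CSR.
func newSelfSignedSource(dnsName string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// leafFromX509 issues a leaf from a source certificate: subject, SANs and the
// public key come from src; validity and key usages are set by the issuer.
func leafFromX509(src, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	if src.PublicKey == nil {
		return nil, fmt.Errorf("source certificate has no public key")
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      src.Subject,
		DNSNames:     src.DNSNames,
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	// The public key is src.PublicKey, never something taken from the template.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, src.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// issueAndVerify runs the flow end to end and reports whether the issued leaf
// chains to the CA for dnsName and carries exactly the source's public key.
func issueAndVerify(dnsName string) (bool, error) {
	ca, caKey, err := newCA()
	if err != nil {
		return false, err
	}
	src, err := newSelfSignedSource(dnsName)
	if err != nil {
		return false, err
	}
	leaf, err := leafFromX509(src, ca, caKey)
	if err != nil {
		return false, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: dnsName}); err != nil {
		return false, err
	}
	leafKey, ok := leaf.PublicKey.(*ecdsa.PublicKey)
	return ok && leafKey.Equal(src.PublicKey), nil
}

func main() {
	ok, err := issueAndVerify("example.test")
	fmt.Println("leaf chains to CA and binds the source key:", ok, err)
}
```

The check at the end is the property that matters for an issuer: whatever else the template contributes, the key bound by the signed certificate is the one the caller presented, and the chain validates against the CA for the requested name.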