Add Certificate::from_der + Certificate::from_pem #274

Open
oscartbeaumont opened this issue May 17, 2024 · 2 comments

Comments

@oscartbeaumont

I'm in the process of upgrading rcgen and I have to say the new API is much easier to understand, great job!

In reading some of #62, I can see the idea of adding Certificate::from_der and Certificate::from_pem came up, but they don't seem to have made it into the final release.

I wanted to know if there is a way to load an existing CA certificate to sign some more certificates without triggering signing.

Right now I'm doing the following:

```rust
use rcgen::{CertificateParams, KeyPair};
use rustls_pki_types::CertificateDer; // CertificateDer comes from the rustls-pki-types crate

// The existing CA key pair and DER-encoded CA certificate, loaded from disk
let identity_key: KeyPair = todo!();
let cert: Vec<u8> = todo!();

// Rebuild the CA params from the existing certificate, then self-sign them again
let cert = CertificateParams::from_ca_cert_der(&CertificateDer::from(cert))
    .unwrap()
    .self_signed(&identity_key)
    .unwrap();
```

However, my presumption is that this will sign a new CA certificate on each startup of my application and I would rather just import the existing CA certificate and use it.

I tried to do a PR to add Certificate::from_der + Certificate::from_pem, but I'm kinda lost as to where the subject_public_key_info would come from. I've included what I had below:

```rust
impl Certificate {
	/// Build a `Certificate` from an existing DER-encoded CA certificate
	/// without signing anything (draft; see the open `todo!()` below).
	pub fn from_der(der: CertificateDer<'static>) -> Result<Self, Error> {
		let params = CertificateParams::from_ca_cert_der(&der)?;
		Ok(Self {
			params,
			// Where should the SubjectPublicKeyInfo come from here?
			subject_public_key_info: todo!(),
			der,
		})
	}
}
```
@djc
Member

djc commented May 21, 2024

Yeah, this API isn't great right now. I've described a plan to improve it in #269 (comment) -- if you want to help implementing that, that would be awesome. Unfortunately with the current API I don't think there's a way around doing a fake self-signing of the CA certificate before using it to sign dependent certificates.

@acul009

acul009 commented Nov 14, 2024

This would be great to have. It's the reason I can't upgrade to 0.13 right now.

I only noticed after converting most of my code, which is unfortunate, but I had the opportunity to see the new 0.13 in action.

I actually really like the new params/signing API. It's a lot nicer to use than the manual serialize_der_with_signer.
A few of the types are also pretty close to the wrappers I wrote. For the KeyPair I was actually able to remove large parts of my own logic.


3 participants