-
Notifications
You must be signed in to change notification settings - Fork 131
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
x509-cert: Document (or improve) how to construct custom extensions #1490
Comments
It may be worth noting that at least some YubiKey extensions are not encoded per RFC5280, i.e., they hold raw bytes not an ASN.1 type. I am not sure offhand how well this would play with any profile implementation. Some details are here: Yubico/yubico-piv-tool#181. |
Indeed; that is my primary concern with the required
I have no idea what ASN.1 DER correctness constraints those are placing on the custom extensions, or if there is any way to work around those constraints for "legacy" extensions that did not follow whatever RFC says that extension values are ASN.1 DER encoded. |
There isn't much I can do about yubico using misformatted extensions. |
This makes `add_extension` link back to the example provided in `AsExtension`. Fixes RustCrypto#1490
Just for completeness sake "critical" means "if your program reading extensions doesn't recognize this extension then the validation should fail". This is a way to indicate that some particular extension is not optional but rather important. It's rarely used but one example in the wild is the "poison extension" in pre-certificates: https://certificate.transparency.dev/howctworks/ Which causes the pre-certificate to be rejected (because of the critical bit in the poison extension). |
CertificateBuilder::add_extension
has the following public interface:formats/x509-cert/src/builder.rs
Lines 196 to 197 in e0c3e08
If I follow the breadcrumb trail to the
AsExtension
trait, I get this as the public API that needs implementing for a custom extension:formats/x509-cert/src/ext.rs
Lines 47 to 51 in e0c3e08
AssociatedOid
makes enough sense to me.der::Encode
is somewhat confusing, because its documentation is just:The method documentation is a little better:
However, it is unclear how the output of this method will be treated. My particular example is the YubiKey PIV attestation policy extension, which is documented as:
Should that map to two raw ASN.1 bytes? Is there some other ASN.1 DER wrapper around it that I need to know about? This should be handled in the
yubikey
crate (which I will upstream my impl to), but it is unclear what kind of verification happens on the output ofder::Encode::encode
.AsExtension::critical
makes zero sense to me. What is a "critical extension" and how should I decide whether mine is? There is no description here to guide me, or any references to external documentation I should read before deciding what to return here.It would be helpful to improve documentation across the board here, but in particular:
CertificateBuilder::add_extension
should document where to find existing extensions (a direct link to the list ofAsExtension
implementors would be ideal).CertificateBuilder::add_extension
orAsExtension
should document how to go about implementing a custom extension, with considerations about correctness (how to ensure everyone can parse your extension), best practices, and whatever criticality is.The text was updated successfully, but these errors were encountered: