crypto: add extensions property to X509Certificate #48780
Conversation
|
Review requested:
|
nodejs-github-bot
added
crypto
|
This needs tests. |
|
I believe the tests belong better to Not being familiar with extensions myself so apologizies if the following questions are just plain irrelevant. I wonder if an extension can be present multiple times, in which case how would such extension be returned? Are there structured extensions? Or extensions who's value is not a string? @tniessen is there a reason you didn't expose this in the first place? |
panva
changed the title
|
When I look before the test, I get the output of x509.extensions undefined. Could it be because I cannot access it because it is undefined? |
|
I am unfamiliar with the underlying implementation. |
|
Nice work. Extensions can be of various different types and content. Now they only appear one in terms of key (an OID see for example: https://access.redhat.com/documentation/en-us/red_hat_certificate_system/9/html/administration_guide/standard_x.509_v3_certificate_extensions) but can have multiple values in a form of an array. |
|
@mscdex @panva @tniessen @jeffsec-aws hello I will be very happy if you review it, thank you very much |
|
@panva How can I generate a certificate with extensions? I will use it in my test instead of hardcoded. i will be using it in my test code |
|
@mertcanaltin I am really not able to be of that kind of assistance. |
|
What method do you want to use to generate those certificates? Would OpenSSL commands help? |
yes it will help |
There was a problem hiding this comment.
I'll quote my earlier concern which needs to be settled before this can progress.
Not being familiar with extensions myself so apologizies if the following questions are just plain irrelevant. I wonder if an extension can be present multiple times, in which case how would such extension be returned? Are there structured extensions? Or extensions who's value is not a string?
These examples would need tests added and the documentation for this method also has to be added.
|
Aside from my above suggestion to fix and simplify the docs entry I believe this lacks sufficient test coverage. Note that I can not review the c++ implementation |
Co-authored-by: Filip Skokan <panva.ip@gmail.com>
thank you very much for your suggestions, here I created a crypto-extensions.pem certificate for testing and tested the subjectAltName in the extension, in fact, I would be very happy if you have a suggestion. |
panva
dismissed
their stale review
dismissing one review, i still think test coverage is not there and someone else than me has to review the c++ code, there is no further point in asking me to review this,
There was a problem hiding this comment.
Node.js has made the mistake of representing structured ASN.1 data as strings in the past, which has led to various issues. Most notable, perhaps, CVE-2021-44532 and CVE-2021-44533, which were a nightmare to fix without breaking the ecosystem.
At this point, we should be extremely careful about exposing any human-readable information provided by OpenSSL for anything besides debugging purposes. These text formats are not meant to be processed automatically, and OpenSSL generally provides no stability guarantees.
|
|
||
| Returns: {Object} | ||
|
|
||
| Returns an object representing the extensions of the certificate. |
There was a problem hiding this comment.
This needs a lot more information, especially w.r.t. the exact structure of the returned object.
| @@ -0,0 +1,23 @@ | |||
| -----BEGIN CERTIFICATE----- | |||
There was a problem hiding this comment.
You should modify test/fixtures/keys/Makefile such that it can be used to generate this certificate, unless that is not feasible for some reason.
|
thank you very much for your suggestions I have applied a few changes and I hope I have followed the correct steps |
mertcanaltin
force-pushed
the
dev-48730
branch
from
36fb0c0
to
2486934
Compare
|
@tniessen greetings, I would be very happy if you could take a look when you have time, again many thanks for your support |
|
Greetings, I want to improve this place very much, do not hesitate to make suggestions when appropriate ❤️ |
|
There are still a bunch of tests failing and some comments from @tniessen that have not been addressed |
|
@tniessen Hello, I would like to move this place forward, do you have an update? |
This pull request adds an enhanced property to the X509Certificate class, providing additional functionality for X.509 certificates. The new property improves the handling of certificate subjects, issuers, and other related information. This enhancement enhances the overall capabilities and usability of the X509Certificate class
issue:#48730
fyi @jeffsec-aws