Improve ability to create PKI tier by building off of each step #57
Comments
Note I didn't include any OCSP or CRL type stuff in the above PKI... Just trying to keep it simple for the demo.
This part is probably the most frustrating, and I feel it could be dramatically simplified:

```ruby
# Assumes foo_ca_csr / bar_ca_csr (R509::CSR objects carrying their keys),
# the not_before / not_after_* times and the ext_* extension arrays were
# built earlier in the demo.

# Tier 1: self-sign the root CA's CSR.
foo_ca_cert = R509::CertificateAuthority::Signer.selfsign(
  :csr => foo_ca_csr,
  :not_before => not_before,
  :not_after => not_after_20,
  :extensions => ext_foo_ca,
  :message_digest => "SHA512"
)

# The signed cert has to be re-paired with its key before it can issue.
foo_ca = R509::Cert.new(
  :cert => foo_ca_cert.to_pem,
  :key => foo_ca_csr.key.to_pem
)

# Tier 2: wrap that pair in a CAConfig and a Signer, then sign the next CSR.
bar_ca_config = R509::Config::CAConfig.new(
  :ca_cert => foo_ca
)
bar_ca = R509::CertificateAuthority::Signer.new(bar_ca_config)
bar_ca_cert = bar_ca.sign(
  :csr => bar_ca_csr,
  :not_before => not_before,
  :not_after => not_after_10,
  :extensions => ext_bar_ca,
  :message_digest => "SHA512"
)
```

Basically, I want to take a CSR, sign it (whether self-signed or by another certificate), and then use that object to take a separate CSR and sign it, repeating ad infinitum. Right now, I have to manually create R509::Cert and R509::Config::CAConfig objects before I can do that, which adds unneeded complexity.
Issue #50 causes a lot of useless code for generation of extensions that already exist by default, but yet I have to do manually just to set a critical flag on keyUsage.
The current trunk definitely requires you to create a new CAConfig and Signer object and since you need the paired cert + key I see why you have to create a new Cert object too. This is far outside use cases I've previously considered so maybe we can work through a sane system together. I can think of two potential approaches...

New Method on Cert
Add a new method on R509::Cert instances (call it

New Class
Build a new class (let's call it

My inclination if either of these sound like they'd be useful to you (and hopefully to others in the future!) would be to add the new method to Cert. It feels more Ruby-ish than a factory class like SignerBuilder.

BTW, on #50 I haven't refactored that yet because of the colossal backwards compatibility consequences. I'm still thinking about it.
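The "sign a CSR, then use the result to sign the next CSR" flow that the code comment above asks for, and the maintainer's "new method on Cert" idea, as an added example that is not part of the issue and not r509 code. It is written against Ruby's OpenSSL standard library so it runs without r509; the `Tier` class, `make_csr` helper and the subject names are this example's own assumptions. A `Tier` keeps a signed certificate paired with its key, so each tier can issue the next one directly instead of the caller rebuilding Cert/CAConfig/Signer objects at every step, and the chain is validated against the root at the end.

```ruby
require 'openssl'

# Generate a fresh RSA key and a CSR for a CN. r509's CSR object carries its
# key; here the key is returned alongside the request explicitly.
def make_csr(common_name, bits = 2048)
  key = OpenSSL::PKey::RSA.new(bits)
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.new([["CN", common_name]])
  csr.public_key = key.public_key
  csr.sign(key, OpenSSL::Digest.new("SHA256"))
  [csr, key]
end

# A signed certificate paired with its private key (hypothetical helper,
# not an r509 class). Because the pair stays together, `sign` can issue the
# next tier and hand back another Tier ready to sign the one after it.
class Tier
  attr_reader :cert, :key

  def initialize(cert, key)
    @cert = cert
    @key = key
  end

  # Self-sign a CSR to create the root of the hierarchy.
  def self.selfsign(csr, key, serial:, not_before:, not_after:)
    Tier.new(issue(csr, nil, key, serial: serial, not_before: not_before,
                   not_after: not_after, ca: true), key)
  end

  # Sign a CSR with this tier's cert and key; csr_key is the CSR owner's key.
  def sign(csr, csr_key, serial:, not_before:, not_after:, ca:)
    Tier.new(Tier.issue(csr, @cert, @key, serial: serial, not_before: not_before,
                        not_after: not_after, ca: ca), csr_key)
  end

  # Build and sign the certificate; issuer_cert nil means self-signed.
  # CA certs get critical basicConstraints CA:TRUE and keyCertSign/cRLSign;
  # leaves get critical CA:FALSE and digitalSignature/keyEncipherment.
  def self.issue(csr, issuer_cert, issuer_key, serial:, not_before:, not_after:, ca:)
    raise "CSR signature does not verify" unless csr.verify(csr.public_key)
    cert = OpenSSL::X509::Certificate.new
    cert.version = 2
    cert.serial = serial
    cert.subject = csr.subject
    cert.public_key = csr.public_key
    cert.not_before = not_before
    cert.not_after = not_after
    issuer = issuer_cert || cert
    cert.issuer = issuer.subject
    ef = OpenSSL::X509::ExtensionFactory.new
    ef.subject_certificate = cert
    ef.issuer_certificate = issuer
    if ca
      cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
      cert.add_extension(ef.create_extension("keyUsage", "keyCertSign, cRLSign", true))
    else
      cert.add_extension(ef.create_extension("basicConstraints", "CA:FALSE", true))
      cert.add_extension(ef.create_extension("keyUsage", "digitalSignature, keyEncipherment", true))
    end
    # SKI must exist before AKI "keyid:always" can reference it (matters for self-signed).
    cert.add_extension(ef.create_extension("subjectKeyIdentifier", "hash"))
    cert.add_extension(ef.create_extension("authorityKeyIdentifier", "keyid:always"))
    cert.sign(issuer_key, OpenSSL::Digest.new("SHA512"))
    cert
  end
end

# Three-tier build mirroring the demo: root (20y) -> intermediate (10y) -> leaf (1y).
def build_pki
  now = Time.now - 60
  root_csr, root_key = make_csr("Foo Root CA")
  root = Tier.selfsign(root_csr, root_key, serial: 1, not_before: now,
                       not_after: now + 20 * 365 * 86400)
  inter_csr, inter_key = make_csr("Bar Intermediate CA")
  inter = root.sign(inter_csr, inter_key, serial: 2, not_before: now,
                    not_after: now + 10 * 365 * 86400, ca: true)
  leaf_csr, leaf_key = make_csr("server.example.test")
  leaf = inter.sign(leaf_csr, leaf_key, serial: 3, not_before: now,
                    not_after: now + 365 * 86400, ca: false)
  { root: root, intermediate: inter, leaf: leaf }
end

# True when the leaf chains through the intermediate to the trusted root.
def chain_valid?(pki)
  store = OpenSSL::X509::Store.new
  store.add_cert(pki[:root].cert)
  store.verify(pki[:leaf].cert, [pki[:intermediate].cert])
end

if __FILE__ == $0
  pki = build_pki
  pki.each { |name, tier| puts "#{name}: #{tier.cert.subject} issued by #{tier.cert.issuer}" }
  puts "chain valid: #{chain_valid?(pki)}"
end
```

The `Tier#sign` call returns a `Tier` rather than a bare certificate, which is the whole point: the fourth, fifth and nth tier are one more `sign` call each, and the extension defaults per tier (including the critical flag on keyUsage) live in one place.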
* This change improves the situation for #57
* Tests to validate the key is being returned (or not) based on the three types of objects that can be sent to the signer
  * CSR (with key)
  * CSR (no key)
  * SPKI (can't contain key)
It's pretty painful right now to build a full PKI tiered system manually due to problems such as issue #55. I just put together a quick demo showing what I mean. I have a few thoughts to improve this (besides the aforementioned issue), but I'll post them as separate comments.
The following code creates a PKI system looking like this: