Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add Certificate::from_der + Certificate::from_pem #274

Open
oscartbeaumont opened this issue May 17, 2024 · 1 comment
Open

Add Certificate::from_der + Certificate::from_pem #274

oscartbeaumont opened this issue May 17, 2024 · 1 comment

Comments

@oscartbeaumont
Copy link

I'm in the process of upgrading rcgen and I have to say the new API is much easier to understand, great job!

In reading some of the #62 I can see the idea of adding Certificate::from_der and Certificate::from_pem came up but they don't seem to have made it into the final release.

I wanted to know if there is a way to load an existing CA certificate to sign some more certificates without triggering signing.

Right now i'm doing the following:

let identity_key = todo!();
let cert: Vec<u8> = todo!();

let cert = CertificateParams::from_ca_cert_der(&cert.try_into().unwrap())
    .unwrap()
    .self_signed(&identity_key)
    .unwrap();

However, my presumption is that this will sign a new CA certificate on each startup of my application and I would rather just import the existing CA certificate and use it.

I tried to do a PR to add the Certificate::from_der + Certificate::from_pem but i'm kinda lost where the subject_public_key_info would come from. I've included what I had below:

impl Certificate {
	/// TODO
	pub fn from_der(der: CertificateDer<'static>) -> Result<Self, Error> {
		let params = CertificateParams::from_ca_cert_der(&der)?;
		Ok(Self {
			params,
			subject_public_key_info: todo!(),
			der,
		})
	}
}
@djc
Copy link
Member

djc commented May 21, 2024

Yeah, this API isn't great right now. I've described a plan to improve it in #269 (comment) -- if you want to help implementing that, that would be awesome. Unfortunately with the current API I don't think there's a way around doing a fake self-signing of the CA certificate before using it to sign dependent certificates.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants