crocs-muni / usable-cert-validation

Research initiative to make TLS certificate validation usable.
https://x509errors.org
MIT License

Add YAML-to-ASN1 certificate generator + 7 new example chains #86

Closed zacikpa closed 3 years ago

zacikpa commented 4 years ago

This is a first presentable draft of how all of our certificate chains could be generated in the future.

As of now, it is very much WIP and the existing code needs refactoring. However, I wanted some feedback to see whether I am headed in the right direction.

The basic idea is that a certificate can be generated from a template that mimics its ASN.1 structure. All of the certificate's fields are filled from a YAML template (with arbitrary value and arbitrary ASN.1 tag/type). In the end, the certificate is signed using any private key we want.

This way, we can recreate all kinds of errors, including the ones that weren't possible using CLIs of libraries.
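The idea in the description above, shown as an added Go example (not code from this PR or the project): a template node carries an arbitrary tag and value, is serialised to DER as-is, and a strict parser then rejects the mistyped field. `Node`, `Encode`, `Validity` and `StrictParse` are hypothetical names, the dates are constructed sample values, and a Go struct stands in for the YAML template, whose schema the page does not show.

```go
package main

import (
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Node is a hypothetical template node (not the project's schema): raw tag, value or children.
type Node struct {
	Tag      byte
	Value    []byte
	Children []Node
}

// derLength encodes a DER definite length in short or long form.
func derLength(n int) []byte {
	if n < 0x80 {
		return []byte{byte(n)}
	}
	b := big.NewInt(int64(n)).Bytes() // minimal big-endian length octets
	return append([]byte{0x80 | byte(len(b))}, b...)
}

// Encode writes tag-length-value without checking that the tag suits the value.
func Encode(n Node) []byte {
	body := append([]byte(nil), n.Value...)
	for _, c := range n.Children {
		body = append(body, Encode(c)...)
	}
	return append(append([]byte{n.Tag}, derLength(len(body))...), body...)
}

// Validity builds an X.509 Validity SEQUENCE from constructed dates; notAfterTag 0x17 is UTCTime.
func Validity(notAfterTag byte) []byte {
	nb := Node{Tag: 0x17, Value: []byte("210101000000Z")}
	na := Node{Tag: notAfterTag, Value: []byte("220101000000Z")}
	return Encode(Node{Tag: 0x30, Children: []Node{nb, na}})
}

// StrictParse returns the error, if any, from decoding der as a Validity with encoding/asn1.
func StrictParse(der []byte) error {
	_, err := asn1.Unmarshal(der, &struct{ NotBefore, NotAfter time.Time }{})
	return err
}

func main() {
	fmt.Println(StrictParse(Validity(0x17)), StrictParse(Validity(0x0C)))
}
```

Passing `0x0C` (UTF8String) as the `notAfter` tag yields bytes that are still well-formed TLV but fail typed decoding, which is the kind of case a certificate validator's error handling can be checked against.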

zacikpa commented 4 years ago

As of now, it should be functional with basic ASN.1 tags and RSA private keys.

zacikpa commented 3 years ago

I just rebased onto master.

I realized far too late that I should have split this into multiple PRs :/ I will be improving the new generator with separate PRs from now, as well as adding new example chains.

There may be some dependency issues in the root Makefile that I might find and fix later. As of now I'm not aware of anything that would break things and I suppose we want the new example chains online till the 15th, so this PR is ready to merge.

zacikpa commented 3 years ago

Thanks for the review. In the end, I have decided to store the modified part of the go/crypto package in our repository. Furthermore, I switched to using Go modules, which means you no longer have to install dependencies manually. This should also solve a part of #91.

> Rename the script generate. The current name is quite ambiguous. What does it generate? Is it yml2asn1? Or yml2certificate? Or is it more general than that?

Done. yml2cert seems like the best choice for me.

> Create a make target installing the necessary Go packages for the generator and make it a dependency for compilation. This saves trouble for us, other developers with system setup.

Not needed anymore. The packages are installed automatically by the Go module system. The only requirement left is Go >= 1.13.

> Adjust the main Readme to say in the local build section that there are now more requirements (and probably link to the more detailed Readme in the generator folder).

Done. I added Go >= 1.13 as a requirement there.

I still agree with the sloppiness, though. Will try to work on that in future commits :)