Open SamWhited opened 7 years ago
Here's what I'm doing temporarily to solve my problem (lots of code copied and modified from the standard library). If one of the solutions (or something vaguely similar) proposed in this issue is accepted I can adapt it back to crypto/x509
: https://godoc.org/mellium.im/xmpp/x509
CL 62693 is adding more constraint checking but doesn't have SRVNames. I commented there to find out if it should be added.
This did not end up being addressed by CL 62693; now that the 1.11 tree is open, would either of the above proposed APIs be acceptable? If so I will commit to submitting a CL during this cycle. Thanks!
/cc @FiloSottile @agl
I wouldn't object to just adding SRVNames
, x509.Certificate
is way past the ergonomic API surface territory. I'm more wary of adding APIs with overlapping meaning and complex extensibility, causing issues like the one you identified with Extensions
.
Do you think you'll also need XMPPAddresses
?
I wouldn't object to just adding
SRVNames
That sounds good to me, I'll prepare a CL.
Do you think you'll also need
XMPPAddresses
?
I wouldn't complain, but I could do without in a pinch if that feels a bit niche.
Change https://golang.org/cl/97376 mentions this issue: crypto/x509: add SRV and XMPP fields
Update: I've added parsing and marshaling to the CL for certificates and certificate requests, but am waiting on the results of https://golang.org/cl/96378 before doing any sort of validation since that will probably require a more complicated rebase if I do it now.
Accepted for SRVName per @FiloSottile 's comment above.
The
SRVName
field of an X.509 certificate defined by RFC 4985 allows a certificate to be used to verify that a service is managed by a particular entity without giving the same entity control over the entire domain or subdomain (eg. if DNSName or CommonName were used).I would like to be able to access the SRVNames from a certificate parsed using
x509.ParseCertificate
and the like. I can see two ways of doing this, depending on how accessible this information needs to be. The easiest would be to add a field to theCertificate
struct alongside the existing SAN fields:and parse the SRVNames at the same time we parse DNSNames. This is easy to use, but it may not be desirable to pollute the struct with fields for more otherName values that aren't as widely used (especially when issues like #15196 may already cause it to balloon).
Alternatively, the raw SAN field can already be pulled out of the
Extensions []pkix.Extension
field. A more extensible approach might be to create a raw SAN field similar to Extensions that contains the raw map of OIDs and their values. Something like:which would make it possible for users to get ahold of arbitrary fields from the SAN without requiring that they pull the blob out of Extensions and re-parse it again. Note that this would have to be in addition to the existing raw SAN field from Extensions (we probably can't remove it since code might already be pulling the SAN field out of Extensions). I have not included an ExtraExtensions (for marshalling) equivalent for this reason (what happens when both exist and you go to create a certificate?).
/cc @agl