Closed: tiran closed this issue 3 years ago
Would you like to start a promising career in open source and provide a PR? :D
Bump 😇
Could you provide me with a valid example of such a file?
For reference, to generate a trusted cert:

```console
$ openssl x509 -in path/regular/ca-cert.pem -trustout
-----BEGIN TRUSTED CERTIFICATE-----
MIICTDCCAbWgAwIBAgIBATANBgkqhkiG9w0BAQUFADBGMQswCQYDVQQGEwJHQjEP
EXACT SAME CONTENT AS NORMAL BEGIN CERTIFICATE
JtNIblnr7VTXcOiB15uakQ==
-----END TRUSTED CERTIFICATE-----
```
I guess it can be represented as

```python
class TrustedCertificate(Certificate):
    """
    A trusted certificate.
    """
```
TRUSTED certificates do not have the same content as normal certificates. The payload starts like a normal certificate's, but there is additional auxiliary ASN.1-encoded data appended to the certificate.

```c
/* OpenSSL's definition of the auxiliary data appended to a TRUSTED CERTIFICATE */
ASN1_SEQUENCE(X509_CERT_AUX) = {
    ASN1_SEQUENCE_OF_OPT(X509_CERT_AUX, trust, ASN1_OBJECT),
    ASN1_IMP_SEQUENCE_OF_OPT(X509_CERT_AUX, reject, ASN1_OBJECT, 0),
    ASN1_OPT(X509_CERT_AUX, alias, ASN1_UTF8STRING),
    ASN1_OPT(X509_CERT_AUX, keyid, ASN1_OCTET_STRING),
    ASN1_IMP_SEQUENCE_OF_OPT(X509_CERT_AUX, other, X509_ALGOR, 1)
} ASN1_SEQUENCE_END(X509_CERT_AUX)
```
> TRUSTED certificates do not have the same content as normal certificates. The payload starts like a normal certificate's, but there is additional auxiliary ASN.1-encoded data appended to the certificate.

That shouldn't be relevant for us tho, because we specifically do not interpret the contents of the PEM objects. All we care about is the start and the end.
@hynek let me give this a try :)
> That shouldn't be relevant for us tho, because we specifically do not interpret the contents of the PEM objects. All we care about is the start and the end.

That makes sense -- except `pem` also has a `sha1_hexdigest` property. The SHA-1 hexdigest of a trusted certificate should be equal to the `sha1_hexdigest` property of a regular certificate, because they are the same certificate. That requires you to understand and strip away the auxiliary suffix.
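Added example, not code from this thread or from the pem library, showing what the split tiran describes and the `X509_CERT_AUX` structure quoted earlier look like in practice: it uses the outer SEQUENCE length of the DER to separate the certificate from the appended auxiliary data, decodes the OIDs in the aux `trust` list, and hashes only the certificate DER so a CERTIFICATE and a TRUSTED CERTIFICATE block carrying the same certificate yield the same digest. The sample DER is constructed (a SEQUENCE around 200 bytes standing in for a certificate, not a real X.509 certificate), all function names are my own, and hashing the DER rather than the PEM text is a choice made for illustration, not a description of how pem's `sha1_hexdigest` is defined.

```python
import base64
import hashlib
import re


def der_tlv(tag: int, contents: bytes) -> bytes:
    """Encode one DER TLV, using a long-form length when the contents exceed 127 bytes."""
    n = len(contents)
    if n < 0x80:
        return bytes([tag, n]) + contents
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + contents


def _der_header(data: bytes, offset: int = 0) -> tuple[int, int]:
    """Return (header_length, content_length) of the single-byte-tag TLV at offset."""
    if len(data) < offset + 2:
        raise ValueError("truncated DER")
    first = data[offset + 1]
    if first & 0x80 == 0:
        return 2, first
    n = first & 0x7F
    if n == 0 or n > 4 or len(data) < offset + 2 + n:
        raise ValueError("unsupported or truncated DER length")
    return 2 + n, int.from_bytes(data[offset + 2:offset + 2 + n], "big")


def split_trusted_certificate(der: bytes) -> tuple[bytes, bytes]:
    """Split DER into (certificate SEQUENCE, trailing X509_CERT_AUX bytes or b"")."""
    if not der or der[0] != 0x30:
        raise ValueError("expected a SEQUENCE")
    hdr, n = _der_header(der)
    end = hdr + n  # the certificate's own outer length says where the aux data begins
    if end > len(der):
        raise ValueError("truncated certificate")
    cert, aux = der[:end], der[end:]
    if aux:
        if aux[0] != 0x30:
            raise ValueError("trailing data is not an X509_CERT_AUX SEQUENCE")
        hdr, n = _der_header(aux)
        if hdr + n != len(aux):
            raise ValueError("X509_CERT_AUX length does not match trailing data")
    return cert, aux


def decode_oid(contents: bytes) -> str:
    """Decode OBJECT IDENTIFIER contents to dotted form."""
    arcs, value = [contents[0] // 40, contents[0] % 40], 0
    for b in contents[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def aux_trust_oids(aux: bytes) -> list[str]:
    """OIDs in the optional leading 'trust' SEQUENCE OF of X509_CERT_AUX.

    'reject' is [0] IMPLICIT (0xA0), 'alias' a UTF8String and 'keyid' an OCTET
    STRING, so a first element that is not a plain SEQUENCE (0x30) means no 'trust'.
    """
    if not aux:
        return []
    hdr, n = _der_header(aux)
    body = aux[hdr:hdr + n]
    if not body or body[0] != 0x30:
        return []
    hdr, n = _der_header(body)
    seq, pos, oids = body[hdr:hdr + n], 0, []
    while pos < len(seq):
        if seq[pos] != 0x06:
            raise ValueError("trust list entry is not an OBJECT IDENTIFIER")
        hdr, n = _der_header(seq, pos)
        oids.append(decode_oid(seq[pos + hdr:pos + hdr + n]))
        pos += hdr + n
    return oids


_PEM = re.compile(rb"-----BEGIN (?P<label>[A-Z ]+)-----(?P<body>.*?)-----END (?P=label)-----", re.S)


def certificate_sha1_hexdigest(pem: bytes) -> str:
    """SHA-1 over the certificate DER only, so CERTIFICATE and TRUSTED CERTIFICATE agree."""
    m = _PEM.search(pem)
    if m is None:
        raise ValueError("no PEM block found")
    label, der = m["label"].decode(), base64.b64decode(m["body"])
    if label == "TRUSTED CERTIFICATE":
        der, _aux = split_trusted_certificate(der)
    elif label != "CERTIFICATE":
        raise ValueError(f"unexpected PEM label {label!r}")
    return hashlib.sha1(der).hexdigest()


def pem_encode(label: str, der: bytes) -> bytes:
    tag = label.encode()
    return b"-----BEGIN " + tag + b"-----\n" + base64.b64encode(der) + b"\n-----END " + tag + b"-----\n"


# Constructed sample (not a real X.509 certificate): a SEQUENCE around 200 OCTET STRING
# bytes, large enough to exercise the long-form length, plus an X509_CERT_AUX whose
# 'trust' list holds id-kp-emailProtection (1.3.6.1.5.5.7.3.4), what -addtrust emailProtection adds.
FAKE_CERT_DER = der_tlv(0x30, der_tlv(0x04, bytes(range(200))))
AUX_DER = der_tlv(0x30, der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2b06010505070304"))))
REGULAR_PEM = pem_encode("CERTIFICATE", FAKE_CERT_DER)
TRUSTED_PEM = pem_encode("TRUSTED CERTIFICATE", FAKE_CERT_DER + AUX_DER)

if __name__ == "__main__":
    print(aux_trust_oids(split_trusted_certificate(FAKE_CERT_DER + AUX_DER)[1]))
```

The length check on the aux SEQUENCE matters: without it, any bytes following a certificate would be accepted as "trust data", whereas the suffix OpenSSL writes is exactly one `X509_CERT_AUX` SEQUENCE and nothing else.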
@tiran I am now reading the man page for "trusted certificates": https://www.openssl.org/docs/man1.1.1/man1/x509.html
Is this a custom extension created by OpenSSL, or is it a "standard/de-facto standard" implemented by other X.509 handling tools?
The actual command to generate a trusted cert is

```console
$ openssl x509 -in path/to-normal/ca-cert.pem -trustout -addtrust emailProtection
```

I was missing the `-addtrust` part.
Right now PEM is not doing any payload handling. I think that comparison of a normal and a trusted certificate should be done outside of the PEM library... or in a separate ticket :)
AFAIK the AUX data extension was invented by OpenSSL and is only used by OpenSSL.
NSS and p11-kit have similar features, but implement them on top of the Cryptoki API (PKCS#11). For example, NSS has CKA PKCS#11 properties like `CKA_TRUST_SERVER_AUTH` `CK_TRUST` `CKT_NSS_TRUSTED_DELEGATOR`. Freedesktop's p11-kit can include additional properties in `[p11-kit-object-v1]` stanzas, e.g. `x-distrusted`.
OpenSSL has a feature called trusted certificate, see https://www.openssl.org/docs/man1.0.2/apps/x509.html . It's an X.509 certificate with additional auxiliary data. A trusted certificate is enclosed in `BEGIN TRUSTED CERTIFICATE` / `END TRUSTED CERTIFICATE`. I suggest that you treat it like a subclass of certificate.