jeroen / openssl

OpenSSL bindings for R

Class representing a certificate and private key pair #68

Closed hongooi73 closed 5 years ago

hongooi73 commented 5 years ago

Hi, I just had a question about certificates. Say I have a file "mycert.pem" that contains both the public cert and the private key. Does openssl include any object class to represent both of these?

I can read this via read_pem:

pem <- read_pem("mycert.pem")
pem
# $`PRIVATE KEY`
# [1] 30 82 04 bc 02 01 00 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 04 82 04 a6 30 82 04
# ...
# $CERTIFICATE
# [1] 30 82 03 03 30 82 01 eb a0 03 02 01 02 02 10 1c c8 2a e2 ee ef 4e 01 9b ef f9 d2 16 b1
# ...

But this is just a regular list. Or I can read this via read_cert:

cert <- read_cert("mycert.pem")
cert
# [x509 certificate] example.com
# md5: bc4cf33a2677ec5296d9edc68d901cf5
# sha1: f2e2ebb3fe6e9f028226aa6cc25972701988d0f8

But this only includes the public cert.

The background to the question is that I'm extending my AzureAuth package to allow authenticating with certs. I already have an S3 generic and method for signing a client assertion using a cert stored in Azure Key Vault, and I was hoping that I could just write a similar method for openssl objects.

sign_assertion <- function(certificate, claim, size)
{
    UseMethod("sign_assertion")
}

# for a cert stored in Key Vault
sign_assertion.stored_cert <- function(certificate, claim, size)
{
    kty <- certificate$policy$key_props$kty  # key type determines signing alg
    alg <- if(kty == "RSA")
        paste0("RS", size)
    else paste0("ES", size)

    header <- list(alg=alg, x5t=certificate$x5t, kid=certificate$x5t, typ="JWT")
    token_conts <- paste(token_encode(header), token_encode(claim), sep=".")

    paste(token_conts,
        certificate$sign(openssl::sha2(charToRaw(token_conts), size=size), alg),
        sep=".")
}

# similar method for openssl (?)
sign_assertion.cert <- function(certificate, claim, size)
{
    # ???
}

jeroen commented 5 years ago

No, you need to read both separately. In your case you use read_key("mycert.pem") to read the key and read_cert("mycert.pem") to read the cert from that file.

This is because usually the private key is not contained in the same file as the cert, because you are sharing the cert with 3rd parties.
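Putting the reply into practice for the JWT use case from the question, here is an added example (not code from this issue, the openssl package, or AzureAuth) that reads the key and the certificate from the same PEM file with read_key() and read_cert(), checks that they belong together, and signs an RS256 client assertion. The base64url() helper is assumed to do what the question's unshown token_encode() does, the claim is constructed sample data, and the file name "mycert.pem" is taken from the question.

```r
library(openssl)
library(jsonlite)

# base64url without padding (RFC 7515, section 2). Assumed equivalent to the
# token_encode() helper from the question, which is not shown there.
base64url <- function(x) {
  if (!is.raw(x)) x <- charToRaw(as.character(x))
  enc <- base64_encode(x, linebreaks = FALSE)
  enc <- gsub("+", "-", enc, fixed = TRUE)
  enc <- gsub("/", "_", enc, fixed = TRUE)
  sub("=+$", "", enc)
}

# Read the PRIVATE KEY and CERTIFICATE blocks separately, as the reply
# suggests. `password` is only needed if the key block is encrypted.
read_cert_pair <- function(path, password = NULL) {
  key  <- read_key(path, password = password)
  cert <- read_cert(path)
  # Refuse a file whose key does not match the certificate it sits next to;
  # a token signed with the wrong key would be rejected by the server anyway.
  if (!identical(fingerprint(key$pubkey), fingerprint(as.list(cert)$pubkey)))
    stop("private key in ", path, " does not match the certificate")
  list(key = key, cert = cert)
}

# Sign a JWT client assertion with an RSA key/cert pair (RS256/384/512).
# EC keys are deliberately not handled: signature_create() returns a DER
# encoded ECDSA signature, while JWS ES* algorithms need the raw r||s form.
sign_assertion_openssl <- function(pair, claim, size = 256) {
  if (!inherits(pair$key, "rsa")) stop("this example only covers RSA keys")
  hash_fn <- switch(as.character(size),
                    "256" = sha256, "384" = sha384, "512" = sha512,
                    stop("unsupported hash size"))
  # x5t is the base64url SHA-1 thumbprint of the DER encoded certificate.
  x5t <- base64url(sha1(write_der(pair$cert)))
  header <- list(alg = paste0("RS", size), typ = "JWT", x5t = x5t, kid = x5t)
  token_conts <- paste(base64url(toJSON(header, auto_unbox = TRUE)),
                       base64url(toJSON(claim, auto_unbox = TRUE)),
                       sep = ".")
  # signature_create() hashes the input itself: pass the signing input bytes,
  # not a precomputed digest, or the token will be signed over a hash of a hash.
  sig <- signature_create(charToRaw(token_conts), hash = hash_fn, key = pair$key)
  paste(token_conts, base64url(sig), sep = ".")
}

# Local check: verify the signature against the certificate's public key
# before sending the assertion anywhere.
verify_assertion_openssl <- function(token, cert, size = 256) {
  hash_fn <- switch(as.character(size),
                    "256" = sha256, "384" = sha384, "512" = sha512)
  parts <- strsplit(token, ".", fixed = TRUE)[[1]]
  if (length(parts) != 3) stop("malformed JWT")
  signing_input <- charToRaw(paste(parts[1], parts[2], sep = "."))
  sig <- base64_decode(chartr("-_", "+/", parts[3]))
  signature_verify(signing_input, sig, hash = hash_fn,
                   pubkey = as.list(cert)$pubkey)
}

# Usage with the file from the question; the claim is constructed sample data
# shaped like an Azure AD client-credentials assertion.
pair <- read_cert_pair("mycert.pem")
now <- as.integer(Sys.time())
claim <- list(
  aud = "https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/token",
  iss = "CLIENT_ID", sub = "CLIENT_ID",
  jti = paste(as.character(rand_bytes(16)), collapse = ""),
  nbf = now, exp = now + 600
)
token <- sign_assertion_openssl(pair, claim, size = 256)
stopifnot(verify_assertion_openssl(token, pair$cert, size = 256))
```

Two points worth noting for anyone adapting this: the Key Vault method in the question hands a precomputed digest to the vault because the vault signs a hash, whereas openssl's signature_create() takes the message and the hash function and does the digesting itself, so the openssl method must not pre-hash. The EC case is left out on purpose; if ES256 is needed, the jose package (mentioned later in the thread) already handles the DER-to-r||s conversion when signing with an EC key read via read_key().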

hongooi73 commented 5 years ago

No worries. Also, a huge thank you for all the work you've done on R infrastructure. I couldn't imagine trying to work without jsonlite, openssl, and now jose; not to mention getting R to work nicely with Windows.