oxidecomputer / pki-playground

Tool for generating non-trivial X.509 certificate chains
Mozilla Public License 2.0

make extensions optional #91

Closed flihp closed 6 months ago

flihp commented 7 months ago

RFC 5280 4.1 describes the extensions field of the TBSCertificate structure as OPTIONAL. Attempting to generate a cert from KDL that omits the extensions node:

key-pair "root" {
    ed25519
}

entity "root" {
    country-name "foo"
    organization-name "bar"
    common-name "baz"
}

certificate "root" {
    issuer-entity "root"
    issuer-key "root"
    subject-entity "root"
    subject-key "root"

    not-after "9999-12-31T23:59:59Z"
    serial-number "00"
}

results in the following error:

$ pki-playground -c foo.kdl generate-key-pairs
$ pki-playground -c foo.kdl generate-certificates
Error:   × Loading config from "./foo.kdl" failed
  ╰─▶ error parsing KDL 

Error:   × child node `extensions` is required
    ╭─[./foo.kdl:10:1]
 10 │    
 11 │ ╭─▶ certificate "root" {
 12 │ │       issuer-entity "root"
 13 │ │       issuer-key "root"
 14 │ │       subject-entity "root"
 15 │ │       subject-key "root"
 16 │ │  
 17 │ │       not-after "9999-12-31T23:59:59Z"
 18 │ │       serial-number "00"
 19 │ ├─▶ }
    · ╰──── node starts here
    ╰────

Instead this should generate a cert w/ no extensions.
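To make the RFC 5280 point concrete, here is an added example (my own code, not part of pki-playground or this issue) that builds a TBSCertificate in DER both with and without the `[3] EXPLICIT Extensions OPTIONAL` field and walks the encoding to report which case it is looking at. The tag bytes and OIDs are the real ones from RFC 5280 and RFC 8410; the subject name, serial, validity dates and the all-zero key bits are constructed placeholders mirroring the KDL in the issue, and the structure is never signed.

```python
# Added example, not pki-playground code: minimal DER encoder and walker showing
# that TBSCertificate.extensions (RFC 5280 4.1, "[3] EXPLICIT Extensions OPTIONAL")
# may be absent. All certificate contents are constructed placeholders, unsigned.

TAG_BOOLEAN, TAG_INTEGER, TAG_BIT_STRING, TAG_OCTET_STRING = 0x01, 0x02, 0x03, 0x04
TAG_OID, TAG_UTF8_STRING, TAG_UTC_TIME, TAG_GENERALIZED_TIME = 0x06, 0x0C, 0x17, 0x18
TAG_SEQUENCE, TAG_SET = 0x30, 0x31
TAG_VERSION = 0xA0     # [0] EXPLICIT version, DEFAULT v1 (absent for v1)
TAG_EXTENSIONS = 0xA3  # [3] EXPLICIT extensions, OPTIONAL

OID_ED25519 = bytes.fromhex("2B6570")            # 1.3.101.112 (RFC 8410)
OID_COMMON_NAME = bytes.fromhex("550403")        # 2.5.4.3
OID_BASIC_CONSTRAINTS = bytes.fromhex("551D13")  # 2.5.29.19


def der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + der_length(len(body)) + body


def seq(*parts):
    return tlv(TAG_SEQUENCE, b"".join(parts))


def integer(n):
    """Non-negative INTEGER, with a leading 0x00 when the high bit would be set."""
    return tlv(TAG_INTEGER, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))


def name(common_name):
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue; here a single CN."""
    atv = seq(tlv(TAG_OID, OID_COMMON_NAME), tlv(TAG_UTF8_STRING, common_name.encode()))
    return seq(tlv(TAG_SET, atv))


def build_tbs(with_extensions):
    """Constructed TBSCertificate mirroring the issue's KDL (serial 00, Ed25519,
    not-after 9999-12-31T23:59:59Z), with or without the extensions field."""
    alg = seq(tlv(TAG_OID, OID_ED25519))
    validity = seq(tlv(TAG_UTC_TIME, b"240101000000Z"),
                   tlv(TAG_GENERALIZED_TIME, b"99991231235959Z"))
    spki = seq(alg, tlv(TAG_BIT_STRING, b"\x00" + bytes(32)))  # placeholder key bits
    fields = [
        tlv(TAG_VERSION, integer(2)),  # version v3 is encoded as INTEGER 2
        integer(0),                    # serialNumber
        alg,                           # signature algorithm
        name("baz"),                   # issuer
        validity,
        name("baz"),                   # subject (self-issued, as in the issue)
        spki,
    ]
    if with_extensions:
        # basicConstraints, critical, cA=TRUE: what a CA cert normally carries
        basic_constraints = seq(tlv(TAG_OID, OID_BASIC_CONSTRAINTS),
                                tlv(TAG_BOOLEAN, b"\xff"),
                                tlv(TAG_OCTET_STRING, seq(tlv(TAG_BOOLEAN, b"\xff"))))
        fields.append(tlv(TAG_EXTENSIONS, seq(basic_constraints)))
    return seq(*fields)


def parse_tlvs(data):
    """Split a DER byte string into a list of (tag, body) pairs."""
    out, i = [], 0
    while i < len(data):
        tag, first = data[i], data[i + 1]
        i += 2
        if first < 0x80:
            length = first
        else:
            n = first & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        if i + length > len(data):
            raise ValueError("truncated DER element")
        out.append((tag, data[i:i + length]))
        i += length
    return out


def tbs_fields(tbs):
    outer = parse_tlvs(tbs)
    if len(outer) != 1 or outer[0][0] != TAG_SEQUENCE:
        raise ValueError("TBSCertificate must be a single SEQUENCE")
    return parse_tlvs(outer[0][1])


def tbs_version(tbs):
    """Certificate version 1..3; a missing [0] field means the default, v1."""
    for tag, body in tbs_fields(tbs):
        if tag == TAG_VERSION:
            return int.from_bytes(parse_tlvs(body)[0][1], "big") + 1
    return 1


def tbs_extensions(tbs):
    """List of Extension TLVs, or None when the OPTIONAL field is absent."""
    for tag, body in tbs_fields(tbs):
        if tag == TAG_EXTENSIONS:
            return parse_tlvs(parse_tlvs(body)[0][1])  # unwrap [3] then SEQUENCE
    return None


def has_extensions(tbs):
    return tbs_extensions(tbs) is not None
```

Two caveats worth keeping in mind when a generator allows the field to be omitted: RFC 5280 4.1.2.1 requires version v3 whenever extensions are present (the reverse does not hold, so a v3 certificate with no extensions is well-formed), and 4.2.1.9 requires conforming CAs to put basicConstraints in every CA certificate used to validate signatures on other certificates, so a path validator may still reject an extension-less certificate that is used to issue others even though the encoding itself is legal.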

flihp commented 6 months ago

resolved by #92