rustls / webpki

WebPKI X.509 Certificate Validation in Rust
https://docs.rs/rustls-webpki/latest/webpki/
Other
98 stars 51 forks source link

Support id-pe-acmeIdentifier certificate extension for ParsedCertificate #281

Closed kellpossible closed 3 months ago

kellpossible commented 3 months ago

With this commit https://github.com/rustls/rustls/commit/20fdce6ad961c4b2901b42cc8c0289e4d51b3cd2#diff-dd9aec7fb5c3190624000b6f4575f16e932e493437a4a032233db84016e94da7R69 it's no longer possible to use a certificate with the ACME extension with rustls's ConfigBuilder::with_single_cert() because it now attempts to parse the certificate as part of the keys_match() implementation because it now returns an error: InvalidCertificate(Other(OtherError(UnsupportedCriticalExtension))). Perhaps this should be a bug report with rustls I'm not really sure.

I think this is the RFC for the extension: https://www.rfc-editor.org/rfc/rfc8737.html

djc commented 3 months ago

Might be okay to teach webpki about this extension?

ctz commented 3 months ago

I don't think we can teach webpki to accept this critical extension, because that means it would be (quoting the RFC) "inadvertently used by non-ACME software".

Instead I would suggest that an ACME user must avoid the with_single_cert API, and instead use with_cert_resolver -- I think you actually want to do that anyway, because with_single_cert ignores the SNI value?

kellpossible commented 3 months ago

@ctz thanks, it was my thought to work around this issue using an implementation of ResolvesServerCert, I'll give it a try

kellpossible commented 3 months ago

I'm using LazyConfigAcceptor so already have access to the SNI I think

cpu commented 3 months ago

Instead I would suggest that an ACME user must avoid the with_single_cert API, and instead use with_cert_resolver

I also think this is the correct course of action. I'm going to close this issue for now since I think the consensus is there's no change to be made in webpki. If you run into any further difficulties reworking your application to use a cert resolver please feel free to open a new issue (perhaps in Rustls instead of webpki if required).

Thanks!

kellpossible commented 3 months ago

Thanks everyone for the feedback, I was able to work around this using a method similar to what was suggested, and am happy for this issue to be closed

On Mon, 26 Aug 2024, 23:47 Daniel McCarney, @.***> wrote:

Instead I would suggest that an ACME user must avoid the with_single_cert API, and instead use with_cert_resolver

I also think this is the correct course of action. I'm going to close this issue for now since I think the consensus is there's no change to be made in webpki. If you run into any further difficulties reworking your application to use a cert resolver please feel free to open a new issue (perhaps in Rustls instead of webpki if required).

Thanks!

— Reply to this email directly, view it on GitHub https://github.com/rustls/webpki/issues/281#issuecomment-2310261990, or unsubscribe https://github.com/notifications/unsubscribe-auth/ABCRJ2SII6PYQYK2ZHEOSBDZTMWY5AVCNFSM6AAAAABMZX5ZMKVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDGMJQGI3DCOJZGA . You are receiving this because you authored the thread.Message ID: @.***>

djc commented 3 months ago

(@kellpossible if you think it would make sense we could consider hosting some of the boring mechanics of this in instant-acme.)