spotlightishere / mdm-server

Work-in-progress implementation of a mobile device management server
MIT License

Migrate away from OpenSSL #1

Open spotlightishere opened 1 year ago

spotlightishere commented 1 year ago

The primary intent of mdm-server is to provide a small, lightweight (yet capable) MDM server. Its original intention has been to allow it to run on my OpenWrt router.

With that in mind, OpenWrt (since 21.02, per release notes) has used wolfSSL for SSL. Ideally, it would be nice to not require OpenSSL to be installed whatsoever on my router - primarily due to its already limited storage constraints, and partly because it's a pain. Testing multiple SSL libraries sounds like a hassle as well.

It would appear that there is no decent way to work with creating PKCS#7 signatures via pure Rust alone, so this goal does not seem possible at the moment. This issue exists to track what OpenSSL-specific features are brought in, with hopes that they can eventually be replaced - or perhaps that something can be sorted out with the wolfSSL compatibility layer.

spotlightishere commented 1 year ago

Certificate generation has been converted to leverage rcgen as of c69df5f5042fd6c2662a206c73532db6b52c12d9, making certificate generation significantly more readable.

Since November, the paradigm has changed somewhat - the pkcs7 crate is slated to support pkcs7-signedData in v0.4.0, suitable for our purposes with MDM. However, via that family of projects, there is currently no easy way to validate the envelope's signature against any certificate chain (i.e. Apple's, or our own). For now, we will continue to leverage OpenSSL for PKCS#7.
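As an added example (not code from the mdm-server project), the PKCS#7 signedData flow discussed in this issue done with the openssl command-line tool: a constructed CA and leaf certificate sign a profile, and verification checks the envelope against the chain, which is the step the comment above notes is still missing from the pure-Rust crates. All file names, subjects and the profile contents are assumptions.

```shell
#!/bin/sh
# Constructed demo: wrap a profile in DER PKCS#7 signedData with the openssl CLI
# and verify it against a CA chain. Paths and subject names are assumptions.
set -eu

# Create a throwaway CA and a leaf signing certificate inside directory $1.
make_chain() {
  dir="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo MDM CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=mdm.example" \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null || return 1
  openssl x509 -req -days 1 -in "$dir/leaf.csr" -CA "$dir/ca.crt" \
    -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/leaf.crt" 2>/dev/null
}

# Sign profile $1 into non-detached, DER-encoded PKCS#7 at $2, using the
# leaf key/cert in $3 and embedding the CA so a client can build the chain.
sign_profile() {
  openssl smime -sign -binary -nodetach -outform DER \
    -signer "$3/leaf.crt" -inkey "$3/leaf.key" -certfile "$3/ca.crt" \
    -in "$1" -out "$2"
}

# Verify envelope $1 against trust anchor $2 and extract the content to $3.
# Exits non-zero when the signer's chain does not lead to that anchor.
verify_profile() {
  openssl smime -verify -inform DER -binary -CAfile "$2" -in "$1" -out "$3" 2>/dev/null
}

# End to end: sign, verify, confirm the payload survived, and confirm that a
# different CA (an untrusted chain) rejects the same envelope.
demo() {
  work="$(mktemp -d)"; other="$(mktemp -d)"
  make_chain "$work" || return 1
  printf '<plist version="1.0"><dict/></plist>\n' > "$work/profile.mobileconfig"
  sign_profile "$work/profile.mobileconfig" "$work/signed.p7" "$work" || return 1
  verify_profile "$work/signed.p7" "$work/ca.crt" "$work/out.plist" || return 1
  cmp -s "$work/profile.mobileconfig" "$work/out.plist" || return 1
  make_chain "$other" || return 1
  if verify_profile "$work/signed.p7" "$other/ca.crt" "$work/bad.plist"; then
    return 1  # must not validate against a CA that never issued the leaf
  fi
  rm -rf "$work" "$other"
}
```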