V3 certificate extensions for Pike v7.6 release 112
JCRM wrote:
> The routine for generating PKCS Certificate Signing Requests only
> supported version 1 of the standard.
>
> This lets it generate version 3 certificates.
>
Urk, that wasn't the final version - I'd got the param sections right in
the final version.
Also, I've realised that this implementation encapsulates a possibly
faulty cognitive model of the version 3 certificate extension into the
call - On the one hand certificate extensions ARE just attributes, so in
retrospect I don't think they should have their own build_csr()
parameter - especially, as I have now separated out the routines for
building the extensionRequest attribute.
On the other hand, the v3 extensions are logically additional to the
original CSR, they're just implemented as attributes - and having them
as an additional parameter makes it easier for the function to know if
it should be using a version 1 or version 3 certificate request.
I think I may do a bit of a rewrite of this. Under different uses many
of the fields in a certificate request are optional including the
distinguishedName, so I think a new approach is is order:
Sequence build_certificate_request(Crypto RSA.key, mapping (string :
mixed) csr_parts, void | array (int) version_min_max)
Where the string part of the mapping corresponds to the certificate part
(version, name, attributes, &c). This approach would make it easier to
extend in future (not that is is likely to change now...)
Anyone have any thoughts as to how I should best proceed?
|