New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
crypto/x509: Provide a mechanism for accessing SRVNames #21789
Comments
Here's what I'm doing temporarily to solve my problem (lots of code copied and modified from the standard library). If one of the solutions (or something vaguely similar) proposed in this issue is accepted I can adapt it back to |
CL 62693 is adding more constraint checking but doesn't have SRVNames. I commented there to find out if it should be added. |
This did not end up being addressed by CL 62693; now that the 1.11 tree is open, would either of the above proposed APIs be acceptable? If so I will commit to submitting a CL during this cycle. Thanks! |
/cc @FiloSottile @agl |
I wouldn't object to just adding Do you think you'll also need |
I wouldn't object to just adding `SRVNames`
That sounds good to me, I'll prepare a CL.
Do you think you'll also need `XMPPAddresses`?
I wouldn't complain, but I could do without in a pinch if that feels a bit niche.
|
Change https://golang.org/cl/97376 mentions this issue: |
Update: I've added parsing and marshaling to the CL for certificates and certificate requests, but am waiting on the results of https://golang.org/cl/96378 before doing any sort of validation since that will probably require a more complicated rebase if I do it now. |
Accepted for SRVName per @FiloSottile 's comment above. |
The
SRVName
field of an X.509 certificate defined by RFC 4985 allows a certificate to be used to verify that a service is managed by a particular entity without giving the same entity control over the entire domain or subdomain (eg. if DNSName or CommonName were used).I would like to be able to access the SRVNames from a certificate parsed using
x509.ParseCertificate
and the like. I can see two ways of doing this, depending on how accessible this information needs to be. The easiest would be to add a field to theCertificate
struct alongside the existing SAN fields:and parse the SRVNames at the same time we parse DNSNames. This is easy to use, but it may not be desirable to pollute the struct with fields for more otherName values that aren't as widely used (especially when issues like #15196 may already cause it to balloon).
Alternatively, the raw SAN field can already be pulled out of the
Extensions []pkix.Extension
field. A more extensible approach might be to create a raw SAN field similar to Extensions that contains the raw map of OIDs and their values. Something like:which would make it possible for users to get ahold of arbitrary fields from the SAN without requiring that they pull the blob out of Extensions and re-parse it again.
Note that this would have to be in addition to the existing raw SAN field from Extensions (we probably can't remove it since code might already be pulling the SAN field out of Extensions). I have not included an ExtraExtensions (for marshalling) equivalent for this reason (what happens when both exist and you go to create a certificate?).
/cc @agl
The text was updated successfully, but these errors were encountered: