-
Notifications
You must be signed in to change notification settings - Fork 11
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Typed certificates in NodeMetadataPayload
#12
Conversation
Codecov Report
@@ Coverage Diff @@
## master #12 +/- ##
======================================
Coverage 0.00% 0.00%
======================================
Files 12 12
Lines 423 434 +11
======================================
- Misses 423 434 +11
Continue to review full report at Codecov.
|
Okay, so after some investigation of the difference: The differing substrings do encode the OID. In Python, we have
In the Rust version, we have
So, according to RFC 5280, this encodes an empty // parameters is strictly OPTIONAL, which means we can omit it completely.
// However, it is common to see this field encoded as NULL and some
// parsers seem to insist the NULL be there or else they refuse to
// parse the ASN.1. So we ensure this field is always set. So, I guess, we have to live with this discrepancy and make sure that we consistently use either Rust-made or Python-made certificates on the Python side. It seems that when Python opens the certificate, it preserves the original DER, and maps it to the fields it knows, so when one serializes it again, the null field is there. But you cannot reproduce this behavior in a certificate made in Python (unless you do some byte manipulation manually). P.S. Thanks to this article which explains ASN.1 much better than the standard. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM 🎉
0475d45
to
d81f3eb
Compare
Closing in favor of #13. |
NodeMetadataPayload.certificate_bytes
tocertificate
and made it a type ofx509_certificate::certificate::X509Certificate
.certificate_der
, returning a DER-encoded certificateDER vs PEM is ~370 vs ~570 bytes, so not a small difference.
There is one issue though. When I serialize a certificate created in Python (in
cryptograpgy
) as DER, pass it to the Rust object, and then serialize the Rust object to DER, it returns a slightly different certificate.Example:
Python:
Rust:
The difference here is two occurrences of
b'\x06\x08*\x86H\xce=\x04\x03\x04'
in Python andb'\x06\x08*\x86H\xce=\x04\x03\x04\x05\x00'
in Rust. It is kind of at the place where OID (1.2.840.10045.4.3.4
) would be, and looks like it, but not quite.The Rust version can be deserialized back into Python, but the resulting certificate is not equal to the original one.
openssl x509 -inform der
does not show any differences.