When parsing a certificate or CSR, it would be nice to be able to get the ASN.1 value for all extensions in a simple way without having to essentially re-create the certificate parsing code (i.e. iterating over the extensions by using obj._backend and obj._x509 and FFI).
This data is available when reading certificates or CSRs; it is currently only stored for UnrecognizedExtensions. So storing it, and adding a property (maybe called asn1_value), which is either None (if the ASN.1 value is not available) or the ASN.1 value itself, should be no problem.
I'd like to use this as follows:
1) For code which dumps all extensions in a uniform way (i.e. as OID, critical flag, ASN.1 encoding tuples);
2) For code which deals with extensions currently not supported by cryptography, but potentially later.
Let me expand on 2): say I want to add a certain extension using cryptography right now. For that, I can add a UnrecognizedExtension with the correct content. But if I want to check whether this extension is already there with the correct content, I have to assume that it will come as a UnrecognizedExtension. If cryptography ever supports this extension type directly, my code for detecting whether the correct content is there will stop working.
Would adding this to cryptography be acceptable? (I can create a PR for this if wanted.)
I'm interested in how you would implement this. I'm not opposed to this conceptually, but I think our willingness to accept a patch would be predicated on whether we can build a sane API for this.
I created a WIP for this (#5025). In it, every extension type gets a new property asn1value, which can be None or a bytes string. (I've not added this property to __eq__ and __ne__ since that would break a lot of things.)
@reaperhulk and I discussed this a bit. One of the things that's on our roadmap for 2021 is to move our X.509 extension parsing away from using OpenSSL, and towards our own DER parser (see #5357). We think that's going to have profound implications for the API here, so we're not making any hard decisions until that happens.