
adjust critical extensions and key usage #448

Closed
wants to merge 2 commits into from

Conversation

zhangyoufu

@zhangyoufu zhangyoufu commented Jun 25, 2021

I would like to use easy-rsa to manage some general purpose PKI. This change makes it conform to common practice.

supersedes #187

@TinCanTech
Collaborator

TinCanTech commented Mar 24, 2022

If you make all of your changes above, with the exception of the change to easyrsa, then you should get the desired result.

@zhangyoufu
Author

If you make all of your changes above, with the exception of the change to easyrsa, then you should get the desired result.

I rebased my changes on master. And I didn't get why I should revert the change to easyrsa. Could you elaborate on that?

@TinCanTech
Collaborator

Sorry, you misunderstand.

The x509-types files and openssl-easyrsa.cnf are there for users to edit.
That is what you have done, that is for your private use.

Changing easyrsa is not required.

You can build all the certificates you need with only the changes to the data files.

@zhangyoufu
Author

Sorry, you misunderstand.

The x509-types files and openssl-easyrsa.cnf are there for users to edit. That is what you have done, that is for your private use.

Changing easyrsa is not required.

You can build all the certificates you need with only the changes to the data files.

I understand that users of easy-rsa are supposed to modify openssl config files to suit their own needs. I do have many changes/hacks in my local repo, and they are working well.

I opened this PR because I think this specific change is nice to have in easy-rsa repo. Since

critical keyUsage is required by RFC5280 §4.2.1.3
critical basicConstraints (for CA) is required by RFC5280 §4.2.1.9
critical extendedKeyUsage (for code signing) is required by macOS TN2206

critical keyUsage is required by RFC5280 §4.2.1.3
critical basicConstraints (for CA) is required by RFC5280 §4.2.1.9
critical extendedKeyUsage (for code signing) is required by macOS TN2206

Signed-off-by: Youfu Zhang <[email protected]>
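The three rules listed in the comment above, as an added example that is not part of this PR or of easy-rsa itself: a dependency-free Python checker that walks a DER-encoded X.509 Extensions sequence and reports which of those criticality requirements a certificate profile violates. The OID constants are the standard ones; the two hand-encoded sample blobs are constructed for this example and are not taken from a real certificate.

```python
# Added example (not easy-rsa code): minimal DER walker that audits extension criticality.
KEY_USAGE, BASIC_CONSTRAINTS, EXT_KEY_USAGE = "2.5.29.15", "2.5.29.19", "2.5.29.37"
CODE_SIGNING = "1.3.6.1.5.5.7.3.3"  # id-kp-codeSigning

def _tlv(buf, pos):
    """Decode the DER TLV at pos (short or long-form length) -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give how many bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def _children(body):
    """Yield (tag, value) for the TLVs packed back to back inside a SEQUENCE."""
    pos = 0
    while pos < len(body):
        tag, val, pos = _tlv(body, pos)
        yield tag, val
def _oid(raw):
    """Decode OBJECT IDENTIFIER contents (base-128 arcs) to dotted form."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80: arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))
def parse_extensions(der):
    """Parse Extensions ::= SEQUENCE OF Extension into {oid: (critical, extnValue)}."""
    exts = {}
    for _, ext in _children(_tlv(der, 0)[1]):
        f = list(_children(ext))  # extnID OID, optional BOOLEAN critical (DEFAULT FALSE), OCTET STRING
        exts[_oid(f[0][1])] = (len(f) == 3 and f[1][1] != b"\x00", f[-1][1])
    return exts
def criticality_findings(der):
    """List the three criticality rules cited in the PR that a DER Extensions blob violates."""
    exts, findings = parse_extensions(der), []
    if KEY_USAGE in exts and not exts[KEY_USAGE][0]:
        findings.append("keyUsage must be critical (RFC 5280 4.2.1.3)")
    if BASIC_CONSTRAINTS in exts:
        crit, bc = exts[BASIC_CONSTRAINTS][0], list(_children(_tlv(exts[BASIC_CONSTRAINTS][1], 0)[1]))
        if bc and bc[0][0] == 0x01 and bc[0][1] != b"\x00" and not crit:  # cA BOOLEAN is TRUE
            findings.append("basicConstraints must be critical on a CA (RFC 5280 4.2.1.9)")
    if EXT_KEY_USAGE in exts:
        crit, val = exts[EXT_KEY_USAGE]
        if CODE_SIGNING in [_oid(v) for _, v in _children(_tlv(val, 0)[1])] and not crit:
            findings.append("extendedKeyUsage must be critical for code signing (TN2206)")
    return findings
# Constructed sample DER Extensions blobs (hand-encoded for this example, not from a real certificate).
CONFORMING_CA = bytes.fromhex("3021 300e 0603551d0f 0101ff 0404 03020106"  # keyUsage critical: keyCertSign, cRLSign
                              "300f 0603551d13 0101ff 0405 3003 0101ff")   # basicConstraints critical: CA:TRUE
NON_CRITICAL = bytes.fromhex("3030 300b 0603551d0f 0404 03020106 300c 0603551d13 0405 3003 0101ff"
                             "3013 0603551d25 040c 300a 0608 2b06010505070303")  # same, plus EKU codeSigning; none critical
```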
@TinCanTech
Collaborator

TinCanTech commented Mar 30, 2022

I have a proposal:

  1. Place all these changed files into a folder named x509-alt-types in the Easy-RSA root.
  2. Introduce new option: --x509-alt
    Have this option point EASYRSA_EXT_DIR to x509-alt-types
    --x509-alt MUST point only to the alternative X509 folder. Not configurable.
    I can help with this ..
  3. Test it ..

I think that should work.

Same goes for: #503

@zhangyoufu
Author

I have a proposal:

  1. Place all these changed files into a folder named x509-alt-types in the Easy-RSA root.
  2. Introduce new option: --x509-alt
    Have this option point EASYRSA_EXT_DIR to x509-alt-types
    --x509-alt MUST point only to the alternative X509 folder. Not configurable.
    I can help with this ..
  3. Test it ..

I think that should work.

Same goes for: #503

I don't agree with your proposal. I don't think maintaining a separate x509-alt-types is worth the effort in the long term.

I don't think my changes are breaking changes. I agree that more testing is necessary. What kind of concerns do you have? (What kind of tests can convince you to leave these PRs in their current form?)

@TinCanTech
Collaborator

I don't think maintaining a separate x509-alt-types is worth the effort in the long term.

We are not going to maintain it, it will be there for these changes to be staged into. If we decide in the future that these alternative x509 profiles should become the standard then we will move it to the main folder.

@TinCanTech TinCanTech added X509-types x509-types and related and removed Reminder labels Mar 31, 2022
@TinCanTech
Collaborator

TinCanTech commented Mar 31, 2022

Linking: #520

@TinCanTech
Collaborator

Linking: #522

Note: #525 @zhangyoufu probably affects you.

@TinCanTech TinCanTech added the conflicts Conflicts with current label Oct 1, 2022
@TinCanTech TinCanTech removed this from the v3.1.3 - Future possibilities milestone Oct 1, 2022
@zhangyoufu zhangyoufu closed this Sep 4, 2023
@TinCanTech
Collaborator

#1063
