Support generating custom x509 certificates #1481
Conversation
|
@marten-seemann here's the new PR |
There was a problem hiding this comment.
This looks good to me, but I'll let @marten-seemann submit the approval. Thanks for this and moving the PR over here!
|
@marten-seemann this look OK to you? |
There was a problem hiding this comment.
I approve this, but I want @marten-seemann to look too since this touches certs and crypto.
|
friendly ping @marten-seemann |
p2p/security/tls/crypto.go
Outdated
| } | ||
|
|
||
| // DefaultCertTemplate returns the default template for generating an Identity's TLS certificates. | ||
| func DefaultCertTemplate() (*x509.Certificate, error) { |
There was a problem hiding this comment.
This function doesn't seem worth exposing. All that we're doing here is set a serial number, the subject and the validity period.
It's also slightly misleading, as the Default implies that it's safe to use for multiple identities, which it is not.
p2p/security/tls/crypto.go
Outdated
| // GenerateSignedExtension uses the provided private key to sign the public key, and returns the | ||
| // signature within a pkix.Extension. | ||
| // This extension is included in a certificate to cryptographically tie it to the libp2p private key. | ||
| func GenerateSignedExtension(sk ic.PrivKey, pubKey crypto.PublicKey) (*pkix.Extension, error) { |
There was a problem hiding this comment.
Nit: return a pkix.Extension here. It's a very small struct.
|
Thanks @marten-seemann. I just pushed some changes addressing your comments. |
|
Hey @marten-seemann think this PR is ok to merge? |
|
Yes, it is. I approved it. But we won't merge it before the v0.21 release. |
|
Right after #1648, we’ll merge this. We wanted to make this release pretty small and we’ve started running some smoke tests for v0.21. |
|
awesome. thanks! |
This PR was originally opened here libp2p/go-libp2p-tls#99 and relates to this issue: fixes #1538
Context
libp2ptls.NewIdentitygenerates a newIdentitywhich includes an x509 certificate with a special signed extension which ties the TLS key pair to a libp2p network identity. In flow, we use this key pair to secure a gRPC interface which is accessible to nodes on the network as well as external public clients, allowing them to verify that they've connected to the correct staked node.The current implementation of
NewIdentitydoes not support customizing the certificate template, and uses default options that aren't compatible with standard TLS clients (e.g. Subject doesn't include acnfield).Proposal
This PR refactors keyToCertificate into 3 methods
GenerateSignedExtension(exported), which generates the signed extensioncertTemplatewhich returns the default certificate template used to generate the self-signed certificate,keyToCertificate, which accepts anx509.Certificatetemplate, adds the signed extension and returns thetls.Certificateobject.This PR also adds a new optional parameter to
NewIdentity, which can provide a custom certificate template.The changes are intended to be backwards compatible and add the ability for a caller to specify the x509 certificate fields they wish to include in the generated certificate.