Generate v3 certificates #327
Comments
It's trivial to mark the generated certificates as v3. I'll apply the change. However, X509 v3 adds a number of fields related to allowed key usage. OpenSSL docs say:
I am currently not setting any usage flags since these are not meaningful in Gemini, but libraries meant for the web may behave otherwise. It should be tested whether this works in webpki as expected.
And now that I check briansmith/webpki#219 I see that the subject alternate name is also expected, so that's another change I'll need to still make.
Hmm, maybe I didn't actually investigate this thoroughly enough.
There seems to be another way for me to parse certificates without webpki.
(The openssl package)
If you think there is actually a reason for using v1 certificates, and that
v3 makes things rather complicated, then maybe don't make the change?
Sun, Aug 29, 2021, 6:29 Jaakko Keränen ***@***.***>:
… And now that I check briansmith/webpki#219 I see that the subject
alternate name is also expected, so that's another change I'll need to
still make.
Hmm yes, I did some quick testing with v3 and subject alternative names. Maybe I didn't set the X509 extensions correctly, but at least gemini://station.martinrue.com/ failed to understand my newly generated certificate. I'll leave it at v1 for now since no v3 features are actually being used at the moment.
The decision is to keep generating v1 certificates because no features from later versions are actually needed/used.
The rustls rust package relies on the webpki package, which does not currently support anything other than v3 certificates.
See briansmith/webpki#219
Any chance that lagrange could be made to generate v3 certificates, while we wait for v1 certificate support for webpki?
The current workaround is to import a v3 certificate, which works just fine.
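An added example, not code from Lagrange or webpki: a standard-library DER walk that reports the two properties this thread turns on, the X.509 version and whether a subjectAltName extension (OID 2.5.29.17) is present, so a certificate can be checked before it is imported. The function names and the skeleton sample certificates are assumptions constructed for illustration; the samples carry no real key or signature.

```python
SAN_OID = bytes.fromhex("551d11")  # DER content bytes of OID 2.5.29.17 (subjectAltName)

def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: the low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(content):
    """Split the content of a constructed element into (tag, content) pairs."""
    pos, out = 0, []
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        out.append((tag, body))
    return out

def inspect_cert(der):
    """Return (version, has_san) for a DER-encoded X.509 certificate."""
    tag, cert, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    fields = children(children(cert)[0][1])      # fields of tbsCertificate
    version, has_san = 1, False                  # no [0] version field means v1
    if fields[0][0] == 0xA0:                     # [0] EXPLICIT INTEGER: 0=v1, 1=v2, 2=v3
        version = int.from_bytes(children(fields[0][1])[0][1], "big") + 1
    for tag, body in fields:
        if tag == 0xA3:                          # [3] EXPLICIT Extensions (v3 only)
            for _, ext in children(children(body)[0][1]):
                oid_tag, oid = children(ext)[0]
                has_san = has_san or (oid_tag == 0x06 and oid == SAN_OID)
    return version, has_san

def tlv(tag, content=b""):
    """Short-form DER encoder; enough for the constructed samples (< 128 bytes)."""
    return bytes([tag, len(content)]) + content

def sample(v3):
    """Constructed skeleton certificate: right shape, empty placeholder fields."""
    body = [tlv(0x02, b"\x01")] + [tlv(0x30)] * 5   # serial, sigalg, issuer, validity, subject, spki
    if v3:
        names = tlv(0x04, tlv(0x30, tlv(0x82, b"example.org")))  # dNSName entry
        ext = tlv(0x30, tlv(0x06, SAN_OID) + names)
        body = [tlv(0xA0, tlv(0x02, b"\x02"))] + body + [tlv(0xA3, tlv(0x30, ext))]
    return tlv(0x30, tlv(0x30, b"".join(body)) + tlv(0x30) + tlv(0x03, b"\x00"))

if __name__ == "__main__":
    for label, der in (("v1 sample", sample(False)), ("v3 sample", sample(True))):
        print(label, inspect_cert(der))
```

For a PEM file, base64-decode the text between the BEGIN/END CERTIFICATE lines and pass the resulting bytes to `inspect_cert`.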