vrr/g3
2
0
Fork 0
mirror of https://github.com/bytedance/g3.git synced 2026-05-05 23:41:57 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

g3-tls-cert: update keyUsage for tls end-entity cert

Browse source
This commit is contained in:
Zhang Jingqiang 2023-10-13 14:44:09 +08:00
parent 30b15db6b6
commit 58489462e0
8 changed files with 119 additions and 20 deletions
Download patch file Download diff file Expand all files Collapse all files

2
doc/standards.md
View file

@ -79,6 +79,8 @@ The code should comply to these, but should be more compliant to existing popula
: Internet X.509 Public Key Infrastructure: Additional Algorithms and Identifiers for DSA and ECDSA
- [rfc4055](https://datatracker.ietf.org/doc/html/rfc4055/)
: Additional Algorithms and Identifiers for RSA Cryptography for use in the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
- [rfc9295](https://datatracker.ietf.org/doc/html/rfc9295/)
: Clarifications for Ed25519, Ed448, X25519, and X448 Algorithm Identifiers
## Cryptography

2
g3fcgen/src/backend/mod.rs
View file

@ -41,7 +41,7 @@ impl OpensslBackend {
pub(crate) fn refresh(&mut self) -> anyhow::Result<()> {
self.builder.refresh_datetime()?;
self.builder.refresh_pkey()?;
self.builder.refresh_ec256()?;
self.builder.refresh_serial()?;
Ok(())
}

16
g3mkcert/src/main.rs
View file

@ -478,9 +478,13 @@ fn generate_root(args: ArgMatches) -> anyhow::Result<()> {
let mut builder = if let Some(bits) = args.get_one::<u32>(ARG_RSA) {
RootCertBuilder::new_rsa(*bits)?
} else if args.get_flag(ARG_X448) {
RootCertBuilder::new_x448()?
return Err(anyhow!(
"x448 can not be used in certification authority certificate"
));
} else if args.get_flag(ARG_X25519) {
RootCertBuilder::new_x25519()?
return Err(anyhow!(
"x25519 can not be used in certification authority certificate"
));
} else if args.get_flag(ARG_ED448) {
RootCertBuilder::new_ed448()?
} else if args.get_flag(ARG_ED25519) {
@ -518,9 +522,13 @@ fn generate_intermediate(args: ArgMatches) -> anyhow::Result<()> {
let mut builder = if let Some(bits) = args.get_one::<u32>(ARG_RSA) {
IntermediateCertBuilder::new_rsa(*bits)?
} else if args.get_flag(ARG_X448) {
IntermediateCertBuilder::new_x448()?
return Err(anyhow!(
"x448 can not be used in certification authority certificate"
));
} else if args.get_flag(ARG_X25519) {
IntermediateCertBuilder::new_x25519()?
return Err(anyhow!(
"x25519 can not be used in certification authority certificate"
));
} else if args.get_flag(ARG_ED448) {
IntermediateCertBuilder::new_ed448()?
} else if args.get_flag(ARG_ED25519) {

2
lib/g3-tls-cert/Cargo.toml
View file

@ -1,6 +1,6 @@
[package]
name = "g3-tls-cert"
version = "0.2.0"
version = "0.3.0"
license.workspace = true
edition.workspace = true

45
lib/g3-tls-cert/src/builder/client.rs
View file

@ -57,10 +57,46 @@ impl TlsClientCertBuilder {
tls_impl_new!(new_ec384);
tls_impl_new!(new_ec521);
tls_impl_new!(new_sm2);
tls_impl_new!(new_ed25519);
tls_impl_new!(new_ed448);
tls_impl_new!(new_x25519);
tls_impl_new!(new_x448);
pub fn new_ed25519() -> anyhow::Result<ClientCertBuilder> {
let pkey = super::pkey::new_ed25519()?;
let key_usage = KeyUsage::new()
.critical()
.digital_signature()
.build()
.map_err(|e| anyhow!("failed to build KeyUsage extension: {e}"))?;
ClientCertBuilder::new(pkey, key_usage)
}
pub fn new_ed448() -> anyhow::Result<ClientCertBuilder> {
let pkey = super::pkey::new_ed448()?;
let key_usage = KeyUsage::new()
.critical()
.digital_signature()
.build()
.map_err(|e| anyhow!("failed to build KeyUsage extension: {e}"))?;
ClientCertBuilder::new(pkey, key_usage)
}
pub fn new_x25519() -> anyhow::Result<ClientCertBuilder> {
let pkey = super::pkey::new_x25519()?;
let key_usage = KeyUsage::new()
.critical()
.key_agreement()
.build()
.map_err(|e| anyhow!("failed to build KeyUsage extension: {e}"))?;
ClientCertBuilder::new(pkey, key_usage)
}
pub fn new_x448() -> anyhow::Result<ClientCertBuilder> {
let pkey = super::pkey::new_x448()?;
let key_usage = KeyUsage::new()
.critical()
.key_agreement()
.build()
.map_err(|e| anyhow!("failed to build KeyUsage extension: {e}"))?;
ClientCertBuilder::new(pkey, key_usage)
}
pub fn new_rsa(bits: u32) -> anyhow::Result<ClientCertBuilder> {
let pkey = super::pkey::new_rsa(bits)?;
@ -70,6 +106,7 @@ impl TlsClientCertBuilder {
fn with_pkey(pkey: PKey<Private>) -> anyhow::Result<ClientCertBuilder> {
let key_usage = KeyUsage::new()
.critical()
.key_agreement()
.digital_signature()
.key_encipherment()
.build()

2
lib/g3-tls-cert/src/builder/intermediate.rs
View file

@ -53,8 +53,6 @@ impl IntermediateCertBuilder {
impl_new!(new_sm2);
impl_new!(new_ed25519);
impl_new!(new_ed448);
impl_new!(new_x25519);
impl_new!(new_x448);
pub fn new_rsa(bits: u32) -> anyhow::Result<Self> {
let pkey = super::pkey::new_rsa(bits)?;

2
lib/g3-tls-cert/src/builder/root.rs
View file

@ -52,8 +52,6 @@ impl RootCertBuilder {
impl_new!(new_sm2);
impl_new!(new_ed25519);
impl_new!(new_ed448);
impl_new!(new_x25519);
impl_new!(new_x448);
pub fn new_rsa(bits: u32) -> anyhow::Result<Self> {
let pkey = super::pkey::new_rsa(bits)?;

68
lib/g3-tls-cert/src/builder/server.rs
View file

@ -57,10 +57,46 @@ impl TlsServerCertBuilder {
tls_impl_new!(new_ec384);
tls_impl_new!(new_ec521);
tls_impl_new!(new_sm2);
tls_impl_new!(new_ed25519);
tls_impl_new!(new_ed448);
tls_impl_new!(new_x25519);
tls_impl_new!(new_x448);
pub fn new_ed25519() -> anyhow::Result<ServerCertBuilder> {
let pkey = super::pkey::new_ed25519()?;
let key_usage = KeyUsage::new()
.critical()
.digital_signature()
.build()
.map_err(|e| anyhow!("failed to build KeyUsage extension: {e}"))?;
ServerCertBuilder::new(pkey, key_usage)
}
pub fn new_ed448() -> anyhow::Result<ServerCertBuilder> {
let pkey = super::pkey::new_ed448()?;
let key_usage = KeyUsage::new()
.critical()
.digital_signature()
.build()
.map_err(|e| anyhow!("failed to build KeyUsage extension: {e}"))?;
ServerCertBuilder::new(pkey, key_usage)
}
pub fn new_x25519() -> anyhow::Result<ServerCertBuilder> {
let pkey = super::pkey::new_x25519()?;
let key_usage = KeyUsage::new()
.critical()
.key_agreement()
.build()
.map_err(|e| anyhow!("failed to build KeyUsage extension: {e}"))?;
ServerCertBuilder::new(pkey, key_usage)
}
pub fn new_x448() -> anyhow::Result<ServerCertBuilder> {
let pkey = super::pkey::new_x448()?;
let key_usage = KeyUsage::new()
.critical()
.key_agreement()
.build()
.map_err(|e| anyhow!("failed to build KeyUsage extension: {e}"))?;
ServerCertBuilder::new(pkey, key_usage)
}
pub fn new_rsa(bits: u32) -> anyhow::Result<ServerCertBuilder> {
let pkey = super::pkey::new_rsa(bits)?;
@ -70,6 +106,7 @@ impl TlsServerCertBuilder {
fn with_pkey(pkey: PKey<Private>) -> anyhow::Result<ServerCertBuilder> {
let key_usage = KeyUsage::new()
.critical()
.key_agreement()
.digital_signature()
.key_encipherment()
.build()
@ -136,6 +173,15 @@ impl TlcpServerEncCertBuilder {
}
}
macro_rules! impl_refresh_pkey {
($refresh:ident, $new:ident) => {
pub fn $refresh(&mut self) -> anyhow::Result<()> {
self.pkey = super::pkey::$new()?;
Ok(())
}
};
}
impl ServerCertBuilder {
pub fn new(pkey: PKey<Private>, key_usage: X509Extension) -> anyhow::Result<Self> {
let serial = super::serial::random_16()?;
@ -187,8 +233,18 @@ impl ServerCertBuilder {
self.pkey = pkey;
}
pub fn refresh_pkey(&mut self) -> anyhow::Result<()> {
self.pkey = super::pkey::new_ec256()?;
impl_refresh_pkey!(refresh_ec224, new_ec224);
impl_refresh_pkey!(refresh_ec256, new_ec256);
impl_refresh_pkey!(refresh_ec384, new_ec384);
impl_refresh_pkey!(refresh_ec521, new_ec521);
impl_refresh_pkey!(refresh_sm2, new_sm2);
impl_refresh_pkey!(refresh_ed25519, new_ed25519);
impl_refresh_pkey!(refresh_ed448, new_ed448);
impl_refresh_pkey!(refresh_x25519, new_x25519);
impl_refresh_pkey!(refresh_x448, new_x448);
pub fn refresh_rsa(&mut self, bits: u32) -> anyhow::Result<()> {
self.pkey = super::pkey::new_rsa(bits)?;
Ok(())
}