Build time configuration for CSR #50
Conversation
james-ctc
force-pushed
the
jc/csr-subject-alt-name
branch
from
81ae5f5 to
dd6eca8
Compare
|
I do not think that a compile-time configuration is a good option for this, the interface should be modified to support this for runtime only. We will clog the make with too much info. I think there should be added one more interface function 'gen_csr' whatver that receives a full struct with all the possible params so that in the future we will not be blocked by any other necessary params. On my side this doesn't have a go. @Pietfried what is your take on this? Shouldn't we stick with the initial design? |
|
Suppose I want to use RSA rather than EC for the CSR. At the moment this is hard coded to CryptoKeyType::EC_prime256v1 I feel supporting a cmake define is a much cleaner solution than requiring file edits or patches. Perhaps there is an intent for info.key_info.key_type to be configurable, but it isn't yet. This approach doesn't change any method calls or MQTT messages and hence is safe. The defaults leave existing operation untouched. |
|
That is correct, I've made a commit to fix the issue. We only need to modify the relevant interfaces to use it. Again, you are right, I should not have hard-coded these values in code (like the keys), but they should be hardcoded even less in the cmake. |
|
Yes I agree, moving directly to making this runtime configurable is probably the best way forward |
|
Agree with making this more flexible and runtime configurable |
|
I'm not keen on run-time configuration since the information in the CSR must match the information in system setting files for hostapd, systemd network information, and dnsmasq. In yocto I can configure variables so that all the configuration is consistent and can't be accidentally changed.
is preferable to applying a patch to the code. |
|
The patch has already be applied, check the last commit. We now have a full info CSR generation. However if this is a 'must' then I'd say let's make it to impact the cmake builds as little as possible, and not require to know about it too much if somebody does not use it. But it it is used, then the cmake option should over-write the info parameters. However before implementing, I'd also want to hear what @Pietfried @hikinggrass have to say. |
With this extra info/additional constraints I would also support (at least the possibility) of making this compile-time configurable. There's an argument to be made for runtime configurable settings during development, but on an embedded system you probably want to limit the possibilities of mis-configuring something |
james-ctc
force-pushed
the
jc/csr-subject-alt-name
branch
from
e8311f2 to
dd6eca8
Compare
subject alternative name can be added with DNS name and/or IPv4 address Signed-off-by: James Chapman <[email protected]>
Signed-off-by: James Chapman <[email protected]>
james-ctc
force-pushed
the
jc/csr-subject-alt-name
branch
from
dd6eca8 to
1d56434
Compare
Background
I'm using the client certificate as a TLS server certificate for MQTT and need to include the required subject alternative name fields in the certificate signing request (CSR).
i.e. subject alternative name can be added with DNS name and/or IPv4 address
Implementation
By default the subject alternative name extension is not added to the CSR. When CSR_DNS_NAME or CSR_IP_ADDRESS are set using cmake then a subject alternative name extension is created and populated with the supplied values,
e.g.
Possible future enhancement
APIs and methods could be updated to enable run-time configuration