Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

crypto: add extensions property to X509Certificate #48780

Closed
wants to merge 0 commits into from

Conversation

mertcanaltin
Copy link
Member

This pull request adds an enhanced property to the X509Certificate class, providing additional functionality for X.509 certificates. The new property improves the handling of certificate subjects, issuers, and other related information. This enhancement enhances the overall capabilities and usability of the X509Certificate class

issue:#48730
fyi @jeffsec-aws

@nodejs-github-bot
Copy link
Collaborator

Review requested:

  • @nodejs/crypto

@nodejs-github-bot nodejs-github-bot added crypto Issues and PRs related to the crypto subsystem. needs-ci PRs that need a full CI run. labels Jul 15, 2023
@mscdex
Copy link
Contributor

mscdex commented Jul 15, 2023

This needs tests.

@mertcanaltin mertcanaltin requested a review from mscdex July 15, 2023 16:51
Copy link
Member

@panva panva left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

May I suggest to rename certificateExtensions to just extensions. Also then update the first commit message (and the PR title) to crypto: add extensions property to X509Certificate?

@panva panva requested a review from tniessen July 15, 2023 17:02
@panva
Copy link
Member

panva commented Jul 15, 2023

I believe the tests belong better to test/parallel/test-crypto-x509.js. A test for accessing the property when there are no extensions would also be welcome.

Not being familiar with extensions myself so apologizies if the following questions are just plain irrelevant. I wonder if an extension can be present multiple times, in which case how would such extension be returned? Are there structured extensions? Or extensions who's value is not a string?

@tniessen is there a reason you didn't expose this in the first place?

@mertcanaltin mertcanaltin force-pushed the dev-48730 branch 2 times, most recently from 11d9028 to 6916509 Compare July 15, 2023 17:18
@panva panva changed the title crypto: update X509Certificate property crypto: add extensions property to X509Certificate Jul 15, 2023
@mertcanaltin
Copy link
Member Author

When I look before the test, I get the output of x509.extensions undefined. Could it be because I cannot access it because it is undefined?

@mertcanaltin mertcanaltin requested a review from panva July 16, 2023 08:33
@panva
Copy link
Member

panva commented Jul 16, 2023

I am unfamiliar with the underlying implementation.

@jeffsec-aws
Copy link

Nice work.

Extensions can be of various different types and content. Now they only appear one in terms of key (an OID see for example: https://access.redhat.com/documentation/en-us/red_hat_certificate_system/9/html/administration_guide/standard_x.509_v3_certificate_extensions) but can have multiple values in a form of an array.

@mertcanaltin
Copy link
Member Author

mertcanaltin commented Jul 17, 2023

@mscdex @panva @tniessen @jeffsec-aws hello I will be very happy if you review it, thank you very much

Copy link
Member

@panva panva left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why are there hardcoded values in the implementation?

@mertcanaltin
Copy link
Member Author

@panva How can I generate a certificate with extensions? I will use it in my test instead of hardcoded.

i will be using it in my test code

@panva
Copy link
Member

panva commented Jul 18, 2023

@mertcanaltin I am really not able to be of that kind of assistance.

@jeffsec-aws
Copy link

What method do you want to use to generate those certificates? Would OpenSSL commands help?

@mertcanaltin
Copy link
Member Author

What method do you want to use to generate those certificates? Would OpenSSL commands help?

yes it will help

@mertcanaltin mertcanaltin requested a review from panva July 29, 2023 21:17
Copy link
Member

@panva panva left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'll quote my earlier concern which needs to be settled before this can progress.

Not being familiar with extensions myself so apologizies if the following questions are just plain irrelevant. I wonder if an extension can be present multiple times, in which case how would such extension be returned? Are there structured extensions? Or extensions who's value is not a string?

These examples would need tests added and the documentation for this method also has to be added.

@mertcanaltin
Copy link
Member Author

Yes, I added this certificate to fixtures instead of hardcoding it and tried to fix my test @panva

@jeffsec-aws
Copy link

I'll quote my earlier concern which needs to be settled before this can progress.

Not being familiar with extensions myself so apologizies if the following questions are just plain irrelevant. I wonder if an extension can be present multiple times, in which case how would such extension be returned? Are there structured extensions? Or extensions who's value is not a string?

These examples would need tests added and the documentation for this method also has to be added.

And I answered to you. Extensions are referenced by OID so the key always appears only once. Now the value can be array of value for some extensions like OCSP Responder URL

@mertcanaltin mertcanaltin requested a review from panva July 31, 2023 18:52
@mertcanaltin
Copy link
Member Author

mertcanaltin commented Aug 2, 2023

Hello @jeffsec-aws,@panva I would appreciate it if you could review this Pull Request. Thank you!

@Trott
Copy link
Member

Trott commented Sep 19, 2023

@nodejs/crypto This could probably use some reviews (or re-reviews for the people that have already reviewed it).

@Trott Trott added the commit-queue-squash Add this label to instruct the Commit Queue to squash all the PR commits into the first one. label Sep 19, 2023
@mertcanaltin mertcanaltin requested a review from panva November 3, 2023 07:23
@mertcanaltin
Copy link
Member Author

greetings I triggered you guys again very sorry I wonder if I have a chance to get an update here

panva
panva previously requested changes Nov 3, 2023
Copy link
Member

@panva panva left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am unable to review the implementation, aside of that this lacks sufficient test coverage and update to documentation.

@panva panva added the c++ Issues and PRs that require attention from people who are familiar with C++. label Nov 3, 2023
@mertcanaltin
Copy link
Member Author

mertcanaltin commented Nov 3, 2023

I am unable to review the implementation, aside of that this lacks sufficient test coverage and update to documentation.

thank you very much for your suggestion, I updated the document @panva

@mertcanaltin mertcanaltin requested a review from panva November 3, 2023 18:45
@mertcanaltin
Copy link
Member Author

greetings I updated the document and I think I got stuck on a flakky test @panva

doc/api/crypto.md Outdated Show resolved Hide resolved
@panva
Copy link
Member

panva commented Nov 8, 2023

Aside from my above suggestion to fix and simplify the docs entry I believe this lacks sufficient test coverage.

Note that I can not review the c++ implementation

@mertcanaltin
Copy link
Member Author

Aside from my above suggestion to fix and simplify the docs entry I believe this lacks sufficient test coverage.

Note that I can not review the c++ implementation

thank you very much for your suggestions, here I created a crypto-extensions.pem certificate for testing and tested the subjectAltName in the extension, in fact, I would be very happy if you have a suggestion.

@mertcanaltin mertcanaltin requested a review from panva November 12, 2023 13:40
@panva panva removed their request for review November 12, 2023 14:11
@panva panva dismissed their stale review November 12, 2023 14:12

dismissing one review, i still think test coverage is not there and someone else than me has to review the c++ code, there is no further point in asking me to review this,

Copy link
Member

@tniessen tniessen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Node.js has made the mistake of representing structured ASN.1 data as strings in the past, which has led to various issues. Most notable, perhaps, CVE-2021-44532 and CVE-2021-44533, which were a nightmare to fix without breaking the ecosystem.

At this point, we should be extremely careful about exposing any human-readable information provided by OpenSSL for anything besides debugging purposes. These text formats are not meant to be processed automatically, and OpenSSL generally provides no stability guarantees.


Returns: {Object}

Returns an object representing the extensions of the certificate.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This needs a lot more information, especially w.r.t. the exact structure of the returned object.

src/crypto/crypto_common.cc Outdated Show resolved Hide resolved
src/crypto/crypto_common.cc Outdated Show resolved Hide resolved
src/crypto/crypto_common.cc Outdated Show resolved Hide resolved
src/crypto/crypto_common.cc Outdated Show resolved Hide resolved
src/crypto/crypto_common.cc Outdated Show resolved Hide resolved
src/crypto/crypto_common.cc Outdated Show resolved Hide resolved
@@ -0,0 +1,23 @@
-----BEGIN CERTIFICATE-----
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You should modify test/fixtures/keys/Makefile such that it can be used to generate this certificate, unless that is not feasible for some reason.

@mertcanaltin
Copy link
Member Author

thank you very much for your suggestions I have applied a few changes and I hope I have followed the correct steps

@mertcanaltin mertcanaltin requested a review from jasnell December 9, 2023 16:35
@mertcanaltin mertcanaltin requested a review from panva January 3, 2024 20:53
@panva panva removed their request for review January 3, 2024 22:00
@mertcanaltin
Copy link
Member Author

@tniessen greetings, I would be very happy if you could take a look when you have time, again many thanks for your support

@mertcanaltin
Copy link
Member Author

Greetings, I want to improve this place very much, do not hesitate to make suggestions when appropriate ❤️

@marco-ippolito
Copy link
Member

There are still a bunch of tests failing and some comments from @tniessen that have not been addressed

@mertcanaltin
Copy link
Member Author

@tniessen Hello, I would like to move this place forward, do you have an update?

@mertcanaltin
Copy link
Member Author

hello this is my old first attempt to contribute, I will try to fix this place if you have any suggestions please feel free

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
c++ Issues and PRs that require attention from people who are familiar with C++. commit-queue-squash Add this label to instruct the Commit Queue to squash all the PR commits into the first one. crypto Issues and PRs related to the crypto subsystem. needs-ci PRs that need a full CI run.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

10 participants