Templates should allow dynamic value for custom OIDs
Right now, to use custom OIDs you have to add a base64-encoded asn.1 value to the template. There's no way in the template engine to generate these values, so the only option is for them to be static. Some custom OIDs require dynamic values from the CSR or from user data.
It would be possible to marshal simple values like strings, integers, booleans, and arrays by adding a function that uses [asn1.MarshalWithParams](https://pkg.go.dev/encoding/asn1#MarshalWithParams) as the backend:

```go
asn1.MarshalWithParams("foo", "") // or "printable"
// []byte{0x13, 0x03, 0x66, 0x6f, 0x6f}
asn1.MarshalWithParams("foo", "utf8")
// []byte{0x0c, 0x03, 0x66, 0x6f, 0x6f}
asn1.MarshalWithParams("foo", "ia5")
// []byte{0x16, 0x03, 0x66, 0x6f, 0x6f}
```

Composite values would be hard to add.
For reference (and so I don't lose it): there appears to be something already to add custom extensions. There are examples here: https://smallstep.com/docs/step-ca/templates#basic-x509-template-examples (the last one being for an "unsupported extension"), which looks like this:

```json
{
  "extensions": [
    {"id": "1.2.3.4", "critical": false, "value": "Y3VzdG9tIGV4dGVuc2lvbiB2YWx1ZQ=="}
  ]
}
```

I would love to be able to use this with something like this instead:

```
{
  "extensions": [
    {"id": "1.3.6.1.4.1.34380.1.1.10", "critical": false, "value": {{ toBase64 .Principal }} },
    {"id": "1.3.6.1.4.1.34380.1.1.25", "critical": false, "value": {{ toBase64 .Subject }} }
  ]
}
```

(the missing part being the toBase64 being an available function in the template processing)
@jokreliable I'm talking with @tashian about creating a template function that might work like this:

```
{
  "extensions": [
    {"id": "1.2.3.4", "critical": false, "value": {{ asn1Marhal .Principal }} },
    {"id": "1.2.3.5", "critical": false, "value": {{ asn1Marhal .Subject "utf8" }} }
  ]
}
```

But it will probably fail for complex values.
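
An added example, not part of the thread or of the project's code: a sketch of what a template function backed by `asn1.MarshalWithParams` would have to produce for the `value` field, namely the base64 of the DER encoding, including the case where the requested string type rejects the input. The helper names `encodeExtValue` and `extensionJSON` and the sample inputs are assumptions made for illustration.

```go
package main

import (
	"encoding/asn1"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// extension mirrors the template's "extensions" entries shown in the thread.
type extension struct {
	ID       string `json:"id"`
	Critical bool   `json:"critical"`
	Value    string `json:"value"`
}

// encodeExtValue (hypothetical helper) DER-encodes v with the given asn1
// params ("", "printable", "utf8", "ia5") and returns base64 for "value".
func encodeExtValue(v interface{}, params string) (string, error) {
	der, err := asn1.MarshalWithParams(v, params)
	if err != nil {
		return "", fmt.Errorf("asn1 marshal (%q): %w", params, err)
	}
	return base64.StdEncoding.EncodeToString(der), nil
}

// extensionJSON (hypothetical helper) renders one extension entry;
// json.Marshal emits the encoded value as a quoted JSON string.
func extensionJSON(oid string, v interface{}, params string) (string, error) {
	val, err := encodeExtValue(v, params)
	if err != nil {
		return "", err
	}
	out, err := json.Marshal(extension{ID: oid, Value: val})
	return string(out), err
}

func main() {
	// Constructed sample inputs standing in for .Principal / .Subject.
	for _, c := range []struct{ v interface{}; p string }{
		{"foo", "utf8"}, {"jane@example.com", "ia5"}, {"jos\u00e9", "ia5"}, {42, ""},
	} {
		s, err := extensionJSON("1.2.3.4", c.v, c.p)
		fmt.Println(s, err)
	}
}
```

The third input fails because IA5String only accepts 7-bit characters, so a function like this has to surface the marshalling error rather than emit an empty or truncated extension value.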