Add FFI for X.509 creation

Open arckoor opened this issue 7 months ago • 3 comments

Adds bindings for creating X.509 certificates.

arckoor avatar May 20 '25 15:05 arckoor

@randombit @reneme could you take a look and tell me what you think? Still WIP, almost no tests, but the python binding is usable-ish

arckoor avatar May 20 '25 15:05 arckoor

Coverage Status

coverage: 90.666% (+0.002%) from 90.664% when pulling 32b12bb53f2a89872900364672e29e4e04b3ae6a on arckoor:x509-ffi into 7fe3a730aae9cd5a21f9710f65db4557afc9d46e on randombit:master.

coveralls avatar May 20 '25 16:05 coveralls

The normal copilot comments I already mentioned myself, funnily enough the low-confidence suppressed ones are valid issues :thinking:

arckoor avatar May 22 '25 12:05 arckoor

Won't compile, needs #4890

arckoor avatar Jun 23 '25 16:06 arckoor

@randombit I think this is ready to take a look at. The python binding definitely still needs some attention, and I'm not sure how much more you want me to document. But all in all it works.

arckoor avatar Jul 14 '25 14:07 arckoor

@arckoor At this point I've just looked over the declarations in ffi.h but this already should give you something to go on

randombit avatar Jul 15 '25 11:07 randombit

Can you try rebasing onto #4996? I think the implementation within FFI becomes a bit simpler since there are fewer error cases to worry about, and usage becomes more flexible (i.e. it becomes possible to set two commonName fields, which is not necessarily a common thing, but certainly allowed by the relevant specs). [Also if there are any issues that make using that new type in FFI difficult I'd like to deal with them prior to merging]

randombit avatar Jul 16 '25 13:07 randombit

That should be it, I hope I didn't miss anything. I'm not entirely convinced by the allowed nullptrs for hash_fn, padding and challenge_password yet though. But I like the new builder. More functions for the PKCS#10 req I have noted down, I'll try to get that addressed as soon as I can.

arckoor avatar Jul 16 '25 21:07 arckoor

@arckoor Thanks. I'll review soon. I think it's likely this is not quite going to make it in time for the 3.9 release, largely because exactly how the builder works is still somewhat up in the air. There is some chance reneme and I get that worked out very quickly (like in the next few days) which would unblock this PR from merging, but tbh I would not count on it. Lacking that, likely merging sometime ~~ late August.

randombit avatar Jul 21 '25 02:07 randombit

I'll wait until #5095 is merged, and then I'm probably going to pick this back up in a bunch of smaller PRs (CRLs, more getters for the Certs, and finally creation). I think right now this thing is just way too big to reasonably review and merge.

arckoor avatar Nov 11 '25 16:11 arckoor