
[WIP]: Export Certification Request Information Builder

Open sodre opened this issue 5 years ago • 3 comments

The goal of this PR is to help with the long-standing issue wbond/asn1crypto#6 where we want to use the existing work in csrbuilder to create a CertificationRequestInfo but let the actual signing be done separately.

We do it by pulling up all methods from CSRBuilder into the base class CRIBuilder, and refactoring the build methods of each class. This has the advantage of not breaking any of the existing APIs.

@wbond, if you're okay with this concept I would like to do a similar split for certbuilder.

sodre, Mar 30 '21 17:03

Conceptually the biggest issue is figuring out how to make oscrypto a default, but optional dependency in setup.py.

wbond, Mar 30 '21 19:03

Perhaps there end up being two packages? One that is the abstract code using asn1crypto and another that uses it and signs it with oscrypto?

wbond, Mar 30 '21 19:03

@wbond, thanks for responding quickly!

I was not trying to completely solve the original issue of supporting a third-party crypto library in this PR. Instead, I wanted the user to get all the way to a "ToBeSigned" CertificateRequest in proper ASN1 format and then let them sign and attach the signature according to their needs.

In my case I am using boto3 AWS KMS, but you could include any other crypto library at this point.

Another option is to check if the private_key has a SignerTrait. At that point we can just invoke private_key.sign(content, hash). Would you prefer a solution along that path?

sodre, Mar 30 '21 20:03
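
Added example, not code from this PR or from csrbuilder: the split discussed in the thread, sketched directly with asn1crypto's `csr` module, where the CertificationRequestInfo is built first and an external signer only ever sees its DER bytes. The function names, the subject `example.test`, and the use of the `cryptography` package as a stand-in for an external signer (such as a KMS-held key) are assumptions for illustration.

```python
from asn1crypto import algos, csr, keys, x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec


def build_cri(subject, spki_der):
    """Build the unsigned CertificationRequestInfo from a DER SubjectPublicKeyInfo."""
    return csr.CertificationRequestInfo({
        'version': 'v1',
        'subject': x509.Name.build(subject),
        'subject_pk_info': keys.PublicKeyInfo.load(spki_der),
        'attributes': [],
    })


def attach_signature(cri, sign_tbs, algorithm='sha256_ecdsa'):
    """Have an external signer sign the DER of `cri`, then wrap both as a CSR."""
    signature = sign_tbs(cri.dump())  # the signer never needs the builder or the key object
    return csr.CertificationRequest({
        'certification_request_info': cri,
        'signature_algorithm': algos.SignedDigestAlgorithm({'algorithm': algorithm}),
        'signature': signature,
    })


def verify_csr(csr_der):
    """Re-parse a CSR and check its signature against the public key it carries."""
    req = csr.CertificationRequest.load(csr_der)
    cri = req['certification_request_info']
    public_key = serialization.load_der_public_key(cri['subject_pk_info'].dump())
    # Raises cryptography.exceptions.InvalidSignature if the signed bytes were altered
    public_key.verify(req['signature'].native, cri.dump(), ec.ECDSA(hashes.SHA256()))
    return cri['subject'].native


def demo():
    """Constructed run: a local P-256 key plays the role of the external signer."""
    private_key = ec.generate_private_key(ec.SECP256R1())
    spki_der = private_key.public_key().public_bytes(
        serialization.Encoding.DER,
        serialization.PublicFormat.SubjectPublicKeyInfo)
    cri = build_cri({'common_name': 'example.test'}, spki_der)
    request = attach_signature(
        cri, lambda tbs: private_key.sign(tbs, ec.ECDSA(hashes.SHA256())))
    return request.dump()
```

The declared signature algorithm has to match what the signer actually does; here both sides are ECDSA over SHA-256 with a DER-encoded signature value.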