APPS: simplify x509 cert generation; allow pubkey input options to read private key#19076
APPS: simplify x509 cert generation; allow pubkey input options to read private key#19076DDvO wants to merge 3 commits intoopenssl:masterfrom
x509 cert generation; allow pubkey input options to read private key#19076Conversation
DDvO
added
branch: master
t8m
added
triaged: refactor
|
Ping @openssl/committers for 2nd review. |
tmshort
left a comment
tmshort
left a comment
There was a problem hiding this comment.
Other than a wishy-washy word in the documentation, looks ok to me.
|
@tmshort please reconfirm |
tmshort
added
approval: done
|
reconfirm |
|
With |
Right.
It's still good to support a private key input because for many scenarios it is available anyway (and the public portion can be derived automatically from it) and it is typically easier to handle (at least at the Yet good thought that we should offer also the possibility to directly provide a file with a public key. |
|
So don't we get a mixed semantics for the |
|
Ideally, the In any case, think about what is the least surprising (most natural) interface, and do that. Sure, this could be a followup PR, if you don't want to reopen reviews of the work so far. I'd be tempted to just amend this one, it is not a large PR. Your (and the other reviewers') call. |
With the current state of the PR, the
Interesting idea.
I was concerned exactly with this point, since the approval is already done. |
I can't think of one offhand, but in principle any command that expects a public key should be willing to read a private key instead, and extract the public key from that. That would be a general UI improvement. |
|
In this case, the option's expected data would depend on other options ( These questions perhaps mean that the PR should not immediately be merged. We should at least decide what the UI should look like long-term, and then perhaps merge this PR, with other PRs to follow, or amend it as seems best. One way or another, when all we want is a public key, it should be possible to specify a file with just the public key. Whether that's a separate public-key-only option, or a combo option that sometimes wants a private key, and other times a public key. Please think through what a user might expect in terms of behaviour, and what can be most clearly explained in the documentation, ... |
|
24 hours has passed since 'approval: done' was set, but as this PR has been updated in that time the label 'approval: ready to merge' is not being automatically set. Please review the updates and set the label manually. |
DDvO
changed the title
x509 cert generationx509 cert generation; allow pubkey input options to read private key
|
This PR is in a state where it requires action by @openssl/committers but the last update was 123 days ago |
DDvO
force-pushed
the
simplify_x509_cert_gen
branch
from
dc5f448 to
a1d1fc7
Compare
|
Rebased to fix merge conflicts. @t8m can you reapprove? |
|
There is an unrelated CI failure for is unrelated; fix for that is in #20369. |
…t generation Also remove inconsistent key usages from non-RSA certs.
DDvO
force-pushed
the
simplify_x509_cert_gen
branch
from
a1d1fc7 to
b33d756
Compare
|
Rebased again, just to get rid of the above unrelated CI failure message. |
|
LGTM |
Thank you @beldmit for this statement. |
beldmit
added
approval: done
|
Sorry, missed it |
It would be nice to also do the formal approval on review changes tab. |
|
@t8m done |
|
24 hours has passed since 'approval: done' was set, but as this PR has been updated in that time the label 'approval: ready to merge' is not being automatically set. Please review the updates and set the label manually. |
DDvO
added
approval: ready to merge
Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Dmitry Belyavskiy <[email protected]> Reviewed-by: David von Oheimb <[email protected]> (Merged from #19076)
…t generation Also remove inconsistent key usages from non-RSA certs. Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Dmitry Belyavskiy <[email protected]> Reviewed-by: David von Oheimb <[email protected]> (Merged from #19076)
Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Dmitry Belyavskiy <[email protected]> Reviewed-by: David von Oheimb <[email protected]> (Merged from #19076)
|
Merged - thanks @t8m, @tmshort, @vdukhovni, and @beldmit for your reviews and approvals. |
6 participants
When reviewing the addition to
test/smime-certs/mksmime-certs.shby #18567,I noticed again that producing certs using
openssl x509is still needlessly cumbersome.While there are already abbreviations for the case of self-issued (including self-signed) certs,
for other certs (produced with the
-CAoption) one is so far forced to generate a cert request first.It turns out this was simply because is was not possible to combine the
-keyoption with-CA.Update: Due to the comments by @vdukhovni, changed the solution to allow reading a private key when a public key is expected. This enables conveniently using the
-force_pubkeyoption with-CA.This PR adds the missing feature and makes use of the simplification in
mksmime-certs.sh.It also adds a test case for the new feature in
25-test_x509.t.On this occasion, also clean up the key input options of other apps such as
pkey.On this occasion it also cleans up
mksmime-certs.sh, speeds up its cert generation by not freshly generating RSA and DSA keys, and fixes its generation of inconsistent key usages for non-RSA certs.