feat: Add cert-tools binary #638
Conversation
sbernauer
changed the title
NickLarsenNZ
moved this from Development: Waiting for Review
to Development: In Review
in Stackable Engineering
| const HEADER: &[u8] = b"-----BEGIN CERTIFICATE-----"; | ||
| const FOOTER: &[u8] = b"-----END CERTIFICATE-----"; |
There was a problem hiding this comment.
There are a few variations of the header/footer: See: https://github.com/openssl/openssl/blob/ea85fbce9fac7bf87c5c0a82151dbde259bbfc4f/include/openssl/pem.h#L35-L62
At least we might care about:
BEGIN CERTIFICATE
BEGIN RSA PUBLIC KEY
BEGIN ECDSA PUBLIC KEY
Same for END.
I left out legacy stuff like BEGIN DSA PUBLIC KEY.
There was a problem hiding this comment.
note: I copied that from existing code.
Also, https://docs.rs/openssl/latest/openssl/x509/struct.X509.html#method.from_pem states:
The input should have a header of -----BEGIN CERTIFICATE-----.
As we stuff the result into that openssl function, this is definitely not ideal but worked so far fine.
The good thing is that the SDP has most PEM files under it's own control, only rarely users add certificates to it.
Are you ok with merging as-is and improving it in case it causes any trouble? But I only see the option of adding error handling, as the openssl function seems to require this specific header
Co-authored-by: Nick <[email protected]>
Co-authored-by: Nick <[email protected]>
Co-authored-by: Nick <[email protected]>
Co-authored-by: Nick <[email protected]>
Description
Part of stackabletech/issues#764
Example usage
cargo r -p cert-tools -- generate-pkcs12-truststore --pkcs12 ./truststore.p12 --pem _test.pem --out ./out.p12 Finished `dev` profile [unoptimized + debuginfo] target(s) in 0.07s Running `target/debug/truststore-merger --pkcs12 ./truststore.p12 --pem _test.pem --out ./out.p12` INFO Added certificate subject=[commonName = "secret-operator self-signed"] not_before=Sep 2 08:03:58 2025 GMT not_after=Sep 2 08:08:58 2026 GMT serial="A79EC2461C6D66B1" source=Pem("_test.pem") INFO Added certificate subject=[commonName = "secret-operator self-signed"] not_before=Sep 3 11:02:40 2025 GMT not_after=Sep 3 11:08:40 2025 GMT serial="0E4BC78F87304678" source=Pkcs12(Pkcs12Source { path: "./truststore.p12", password: "" }) INFO Added certificate subject=[commonName = "secret-operator self-signed"] not_before=Sep 3 11:03:12 2025 GMT not_after=Sep 3 11:09:12 2025 GMT serial="DD7DBA422B3966F8" source=Pkcs12(Pkcs12Source { path: "./truststore.p12", password: "" }) WARN Skipped certificate as a cert with the same SHA256 hash was already added source=Pkcs12(Pkcs12Source { path: "./truststore.p12", password: "" }) sha25="ee7da620f1c7341c210aafad0e369b579a4e6060b26dea6f05fd871c4b362f42" existing.not_before=Sep 2 08:03:58 2025 GMT existing.not_after=Sep 2 08:08:58 2026 GMT existing.subject=[commonName = "secret-operator self-signed"] existing.serial="A79EC2461C6D66B1" new.not_before=Sep 2 08:03:58 2025 GMT new.not_after=Sep 2 08:08:58 2026 GMT new.subject=[commonName = "secret-operator self-signed"] new.serial="A79EC2461C6D66B1" INFO Added certificate subject=[commonName = "secret-operator self-signed"] not_before=Sep 3 11:03:59 2025 GMT not_after=Sep 3 11:08:59 2026 GMT serial="8246453548B78E11" source=Pkcs12(Pkcs12Source { path: "./truststore.p12", password: "" }) INFO Added certificate subject=[commonName = "secret-operator self-signed"] not_before=Sep 3 11:02:01 2025 GMT not_after=Sep 3 11:08:01 2025 GMT serial="2ADEC7FB80162856" source=Pkcs12(Pkcs12Source { path: "./truststore.p12", password: "" })Definition of Done Checklist
Author
Reviewer
Acceptance
type/deprecationlabel & add to the deprecation scheduletype/experimentallabel & add to the experimental features tracker