Add `Certificate::from_der` + `Certificate::from_pem`

[oscartbeaumont]

I'm in the process of upgrading rcgen and I have to say the new API is much easier to understand, great job!

In reading some of the #62 I can see the idea of adding Certificate::from_der and Certificate::from_pem came up but they don't seem to have made it into the final release.

I wanted to know if there is a way to load an existing CA certificate to sign some more certificates without triggering signing.

Right now i'm doing the following:

let identity_key = todo!();
let cert: Vec<u8> = todo!();

let cert = CertificateParams::from_ca_cert_der(&cert.try_into().unwrap())
    .unwrap()
    .self_signed(&identity_key)
    .unwrap();

However, my presumption is that this will sign a new CA certificate on each startup of my application and I would rather just import the existing CA certificate and use it.

I tried to do a PR to add the Certificate::from_der + Certificate::from_pem but i'm kinda lost where the subject_public_key_info would come from. I've included what I had below:

impl Certificate {
	/// TODO
	pub fn from_der(der: CertificateDer<'static>) -> Result<Self, Error> {
		let params = CertificateParams::from_ca_cert_der(&der)?;
		Ok(Self {
			params,
			subject_public_key_info: todo!(),
			der,
		})
	}
}

[djc]

Yeah, this API isn't great right now. I've described a plan to improve it in #269 (comment) -- if you want to help implementing that, that would be awesome. Unfortunately with the current API I don't think there's a way around doing a fake self-signing of the CA certificate before using it to sign dependent certificates.

[acul009]

This would be great to have. It's the reason I can't upgrade to 0.13 right now.

I only notized after converting most of my code, which is unfortunate, but I had the opportunity to see the new 0.13 in action.

I actually really like the new params/signing API - it's a lot nicer to use than the manual serialize_der_with_signer
A few of the types are also pretty close to the wrappers I wrote. For the Keypair I was actually able to remove large parts of my own logic.

[cyqsimon]

Yeah, this API isn't great right now. I've described a plan to improve it in #269 (comment) -- if you want to help implementing that, that would be awesome. Unfortunately with the current API I don't think there's a way around doing a fake self-signing of the CA certificate before using it to sign dependent certificates.

I came across this trying to write a certificate signing library. From what I'm seeing from testing, the certificate generated from the "fake self-signing" workaround seems to be semantically equivalent to the original, with the only differences (as far as I can tell) being the ordering of extensions and the lack of AKI auto-detection. Are there any caveats or footguns I should watch out for when signing certificates using this workaround?

[djc]

I came across this trying to write a certificate signing library. From what I'm seeing from testing, the certificate generated from the "fake self-signing" workaround seems to be semantically equivalent to the original, with the only differences (as far as I can tell) being the ordering of extensions and the lack of AKI auto-detection. Are there any caveats or footguns I should watch out for when signing certificates using this workaround?

I think that's about it.

[djc]

I think this request no longer makes sense with the 0.14.x API.

[acul009]

Just wanted to give an update on my situation:
Not sure if I was just stupid or if the API changed, but I managed to make it work with a Signer.

I personally don‘t need any other changes.