`CertifiedIssuer::from_ca_cert_{pem,der}`?

[cyqsimon]

While upgrading from 0.13 to 0.14, I ran into some difficulties trying to keep the old functionality. Specifically, I would like to have access to the issuer certificate while generating a leaf certificate.

Scouring the changelogs and documentation, I did find CertifiedIssuer which seems to be what I need. Unfortunately I couldn't find a way to load an existing certificate like you can with Issuer (Issuer::from_ca_cert_{pem,der}). So here's the feature request.

---

Here's a slimmed-down version of my current code using rcgen-0.13:

fn main() -> Result<()> {
    let issuer = load_issuer("path/to/issuer.crt", "path/to/issuer.key")?;
    let leaf = generate(&issuer)?;
    dbg!(leaf);
}

fn load_issuer(cert_pem: &str, key_pem: &str) -> Result<CertifiedKey> {
    let key_pair = KeyPair::from_pem(key_pem)?;
    let cert = {
        let mut params = CertificateParams::from_ca_cert_pem(cert_pem)?;
        // https://github.com/rustls/rcgen/issues/274#issuecomment-2121969453
        params.self_signed(&key_pair)?
    };
    // various checks omitted here ...
    Ok(CertifiedKey { cert, key_pair })
}

pub fn generate(issuer: &CertifiedKey) -> Result<CertifiedKey> {
    let params = {
        let issuer_params = issuer.cert.params();
        let mut params = CertificateParams::new([])?;
        // set certificate expiry to match issuer
        params.not_before = issuer_params.not_before;
        params.not_after = issuer_params.not_after;
        // set other certificate params ...
        params
    };
    let key_pair = KeyPair::generate_for(&PKCS_ED25519)?;
    let cert = params.signed_by(&key_pair, &issuer.cert, &issuer.key_pair)?;
    Ok(CertifiedKey { cert, key_pair })
}

I would like to update load_issuer to return a CertifiedIssuer (and ideally get rid of the self-signing hack), so that I can read from the issuer certificate in generate. But without CertifiedIssuer::from_ca_cert_{pem,der} I don't think it's possible.

[djc]

I think this runs afoul of exactly the hole that the 0.14 API is trying to close. From the 0.13 documentation:

In general this function only extracts the information needed for signing. Other attributes of the Certificate may be left as defaults.

We can talk more about your requirements (rather than the current solution or a solution you've come up with) so we can figure out if there's a better way to do this, but I don't think we'll want to merge the API you propose. In general, the advice is to parse an existing certificate with x509-parser to get the bits you need.

[cyqsimon]

I think this runs afoul of exactly the hole that the 0.14 API is trying to close. From the 0.13 documentation:

In general this function only extracts the information needed for signing. Other attributes of the Certificate may be left as defaults.

We can talk more about your requirements (rather than the current solution or a solution you've come up with) so we can figure out if there's a better way to do this, but I don't think we'll want to merge the API you propose.

Understandable.

In general, the advice is to parse an existing certificate with x509-parser to get the bits you need.

Yes this should work for me. It's just that in my understanding, rcgen is already invoking x509-parser under the hood. So doing it this way would be doing some of the same work twice.

Also this would necessitate creating a custom struct because CertifiedIssuer does not carry all the info I need. Minor annoyance but annoyance nonetheless.