crypto: expose OpenSSL's x.509 API #2492
Comments
I wonder if something like this should live in
It should be It feels like we are trying to work around problems with C++ addons by moving everything into the core. I don't like this tendency. cc @bnoordhuis
I think we can strike dh parameters (prime) generation off that list, as these seem to be obtainable through
I take that back. Pretty sure the docs on cc: @shigeki
@silverwind this is correct.
@indutny yeah, I figured out generating dhparam in node yesterday, thanks to your nice asn.1 module :)
@silverwind Yes, the supported format of
openssl related stuff might be a good candidate for things that should be in core due to how easy it is to get openssl wrong with consequences that can pop up in unexpected ways
Is there consensus that this does or doesn't belong in core? Or is that still up for debate?
I don't think there's consensus that it doesn't belong, but neither is there consensus that it would make it in. I think it's safe to say that it's unlikely this would make it in.
I wouldn't necessarily object to such additions but it's a bit of a slippery slope. For example:
Self-signed certificates are useless except for testing, so the logical next step is to support certificate signing using a CA key. But once you allow that, you can make a case that creating CA keys with node should also be possible. And once that is in, it should probably also be taught how to do CRL management, etc., etc. It would be a lot easier to simply link the openssl apps into the node binary so you could
This issue has been inactive for sufficiently long that it seems like perhaps it should be closed. Feel free to re-open (or leave a comment requesting that it be re-opened) if you disagree. I'm just tidying up and not acting on a super-strong opinion or anything like that.
Sorry to revive an old issue, but I'm wondering what the state of things is in 2020? Is it possible using the Node's
I want to do this programmatically and in a cross-platform way for testing, hence my interest. The closest I found was: https://stackoverflow.com/a/31624843/2715716 This uses Forge which I'd like to avoid (I'd rather use a built-in module for this, it doesn't feel right for crypto to be done by a non built-in module to me). https://stackoverflow.com/q/51942824/2715716 This generates the key-pair and signs a general payload with it, but it doesn't contain code showing how to generate a payload that would encode a certificate. I'm neither capable enough to write that code myself nor knowledgeable enough to know whether that is possible given the above described constraints, and while I don't expect anyone more capable or knowledgeable than me to whip up this code, I'd be grateful for an answer to whether this is possible and what it would take.
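On the question in the comment above, an added example that is not part of the original thread or of Node's own code: the built-in crypto module can sign a certificate, but the TBSCertificate payload has to be DER-encoded by hand. The helper names (tlv, selfSignedCert, demo), the ECDSA P-256 key type and the single commonName are assumptions made for this sketch, and crypto.X509Certificate (used only to parse the result) requires Node 15.6 or later.

```javascript
// Added example: self-signed X.509 test certificate using only node's crypto module.
const crypto = require('crypto');

// DER tag-length-value encoder (definite length, short and long form).
function tlv(tag, ...parts) {
  const body = Buffer.concat(parts);
  let len = Buffer.from([body.length]);
  if (body.length >= 0x80) {
    let hex = body.length.toString(16);
    if (hex.length % 2) hex = '0' + hex;
    len = Buffer.from((0x80 + hex.length / 2).toString(16) + hex, 'hex');
  }
  return Buffer.concat([Buffer.from([tag]), len, body]);
}
const seq = (...parts) => tlv(0x30, ...parts);
const oid = (hex) => tlv(0x06, Buffer.from(hex, 'hex'));

// AlgorithmIdentifier for ecdsa-with-SHA256 (1.2.840.10045.4.3.2), no parameters.
const SIG_ALG = seq(oid('2a8648ce3d040302'));
// Name holding one commonName (2.5.4.3) attribute as a UTF8String.
const name = (cn) => seq(tlv(0x31, seq(oid('550403'), tlv(0x0c, Buffer.from(cn, 'utf8')))));
// UTCTime (YYMMDDHHMMSSZ); only valid for dates before 2050.
const utcTime = (d) =>
  tlv(0x17, Buffer.from(d.toISOString().replace(/\D/g, '').slice(2, 14) + 'Z'));

// Hypothetical helper: returns a DER certificate signed by its own private key.
function selfSignedCert(cn, publicKey, privateKey, days = 1, now = new Date()) {
  const serial = crypto.randomBytes(8);
  serial[0] = (serial[0] & 0x7f) | 0x40; // positive and minimally encoded INTEGER
  const tbs = seq(
    tlv(0xa0, tlv(0x02, Buffer.from([2]))),              // version: v3
    tlv(0x02, serial),                                   // serialNumber
    SIG_ALG,                                             // signature algorithm
    name(cn),                                            // issuer
    seq(utcTime(now), utcTime(new Date(now.getTime() + days * 864e5))),
    name(cn),                                            // subject (same as issuer)
    publicKey.export({ type: 'spki', format: 'der' })    // subjectPublicKeyInfo
  );
  const sig = crypto.sign('sha256', tbs, privateKey);    // DER-encoded ECDSA signature
  return seq(tbs, SIG_ALG, tlv(0x03, Buffer.from([0]), sig)); // BIT STRING, 0 unused bits
}

// Generate a throwaway key, build the certificate, parse it back and check the signature.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  const cert = new crypto.X509Certificate(selfSignedCert('localhost', publicKey, privateKey));
  return { subject: cert.subject, issuer: cert.issuer, verified: cert.verify(publicKey) };
}
```

The certificate carries no extensions (no subjectAltName or basicConstraints), so it suits parsing and signature tests; TLS clients that require a subjectAltName will not accept it for hostname checks.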
To generate self-signed x.509 certificates and private keys from within an application, modules like pem have to rely on spawning the system's OpenSSL, which is problematic as it can be out of date or worse, not available at all (Windows).
I think it would make sense to expose the following APIs from the bundled OpenSSL through crypto:
Accompanying the above, I could also see the following: