Accept nonRepudiation when unmarshalling keyUsage #811
Conversation
x509util/extensions.go
Outdated
| case convertName("nonRepudiation"): | ||
| // support legacy name for better user experience for users coming | ||
| // from OpenSSL | ||
| fallthrough | ||
| case convertName(KeyUsageContentCommitment): |
There was a problem hiding this comment.
Could you combine this into the single case statement instead of the fallthrough? I don't expect the code lines to change order, but just in case. Can you also make the "nonRepudiation" a non-exported constant? I.e. keyUsageNonRepudiation = "nonRepudiation" // old name for contentCommitment key usage
There was a problem hiding this comment.
Apparently we even enforce that style: https://github.com/smallstep/crypto/actions/runs/16708934820/job/47321789675?pr=811#step:9:32 😅
There was a problem hiding this comment.
Should be fixed now.
1a48ef0 to
f3c410e
Compare
|
@neverpanic just a minor linting issue left now |
ITU-T X.509 (10/2019) section 9.2.2.3 [1] defines 'contentCommitment' as the current name for what had previously been called 'nonRepudiation', and deprecates the old name: > It is not incorrect to refer to this keyUsage bit using the identifier > nonRepudiation. However, the use of this identifier has been > deprecated. The old name is still widely used, though — for example, OpenSSL still supports nonRepudiation exclusively. It is therefore not surprising that users attempt to specify that and just get an error message in return. See for example smallstep/certificates#2348. Modify the JSON unmarshalling to accept the old name, and transparently convert it to the new one. Keep marshalling the same, since we want to be conservative in what we send, but liberal in what we accept. [1]: https://www.itu.int/rec/T-REC-X.509-201910-I/en Related: smallstep/certificates#2348 Signed-off-by: Clemens Lang <neverpanic@gmail.com>
f3c410e to
f0c4a2f
Compare
Should be fixed now — would be nice if |
Thank you, @neverpanic! I don't disagree, but I'm not aware of a setting that allows doing so using |
Name of feature:
Accepting
NonRepudiationwhen unmarshallingkeyUsage.Pain or issue this feature alleviates:
Better user experience for users that are used to the old name (e.g., from OpenSSL, which still uses the old name exclusively).
Is there documentation on how to use this feature? If so, where?
I didn't add any, because I don't think this should be advertised — but it's nice when it works when somebody attempts it.
Supporting links/other PRs/issues:
smallstep/certificates#2348
Description
ITU-T X.509 (10/2019) section 9.2.2.3 1 defines 'contentCommitment' as the current name for what had previously been called 'nonRepudiation', and deprecates the old name:
The old name is still widely used, though — for example, OpenSSL still supports nonRepudiation exclusively. It is therefore not surprising that users attempt to specify that and just get an error message in return. See for example
Modify the JSON unmarshalling to accept the old name, and transparently convert it to the new one. Keep marshalling the same, since we want to be conservative in what we send, but liberal in what we accept.
Related: smallstep/certificates#2348