
Encoding a combined keystore and trust store #42

Open
Tetha opened this issue Dec 2, 2022 · 1 comment
Tetha commented Dec 2, 2022

Moin,

I've been wrestling with a library - march_hare - for a while. I need to provide TLS certificates to march_hare, so march_hare can connect to a TLS-secured RabbitMQ instance in order to do messaging stuff.

In order to generate these certs from Hashicorp Vault, we have written a small internal tool called the certdeployer. This tool uses the Vault API on one side and has config files to write the certificates into files in pretty much whatever format we need: encoding/pem in three files (ca/key/cert), key and cert bundled, pkcs8, and so on.

This library is used (very successfully) to generate PKCS12 Keystores and Truststores for our java applications via the Encode and EncodeTrustEntries functions and then they can connect to postgres/rabbitmq/whatever.

However, march_hare is throwing a new wrench into the gears, because march_hare does not use a keystore and a truststore like many other applications. Instead, march_hare wants one PKCS12 keystore, which in turn contains one key/cert safebag, and one trust-entry safebag with the CA.

Now after some back and forth I kinda bit the bullet and set up a quick and dirty PoC on a fork that kinda merges Encode and EncodeTrustEntries, and this results in a keystore that actually works fine, at least in KeyStore Explorer. You can find the current kludge here:

https://github.com/Tetha/go-pkcs12/blob/combined-key-and-trust-store/pkcs12_combined.go

And like the biggest ordeal in this process was getting the two safebag lists appended right here:

https://github.com/Tetha/go-pkcs12/blob/combined-key-and-trust-store/pkcs12_combined.go#L124

Now, what I'd like to know from you is if you want this merged? If you do, I'd have to clean the code up a little, probably by extracting the safebag creations into reusable functions and adding a few tests. Things like that.
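For readers who want to see what "one key/cert safebag plus one trust-entry safebag in the same store" looks like on the wire, here is an added example (written for this page, not code from the issue author's fork or from the go-pkcs12 project). It builds the two kinds of SafeBag with the ASN.1 layout from RFC 7292 and marks the CA bag with the Oracle trustedKeyUsage attribute (OID 2.16.840.1.113894.746875.1.1, value anyExtendedKeyUsage) that Java keystores and go-pkcs12's trust-store encoder use for trust entries, then appends both lists into a single SafeContents. The function names (`CombinedSafeContents`, `certBagFor`, `testCert`) and the certificates it generates are this example's own; to stay short it leaves the key as an unshrouded PKCS#8 keyBag, sets no friendlyName, and stops at the SafeContents rather than wrapping it in the encrypted ContentInfo/PFX/MacData layers the library adds around it, so the output is not a loadable .p12 but does show the bag layout the issue is about.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// RFC 7292 bag/attribute OIDs, plus Oracle's trustedKeyUsage attribute that Java (and
// go-pkcs12's trust-store encoder) uses to mark a certBag as a trust entry.
var (
	oidKeyBag         = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 12, 10, 1, 1}
	oidCertBag        = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 12, 10, 1, 3}
	oidCertTypeX509   = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 22, 1}
	oidLocalKeyID     = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 21}
	oidJavaTrustStore = asn1.ObjectIdentifier{2, 16, 840, 1, 113894, 746875, 1, 1}
	oidAnyEKU         = asn1.ObjectIdentifier{2, 5, 29, 37, 0}
)

// The RawValue fields hold hand-built wrappers (see wrap): [0] EXPLICIT around each bag
// value, SET OF around each attribute value; encoding/asn1 cannot build those for us.
type pkcs12Attribute struct {
	ID    asn1.ObjectIdentifier
	Value asn1.RawValue `asn1:"set"`
}
type safeBag struct {
	ID         asn1.ObjectIdentifier
	Value      asn1.RawValue     `asn1:"tag:0,explicit"`
	Attributes []pkcs12Attribute `asn1:"set,optional"`
}
type certBag struct {
	ID   asn1.ObjectIdentifier
	Data []byte `asn1:"tag:0,explicit"`
}

func wrap(class, tag int, der []byte) asn1.RawValue {
	return asn1.RawValue{Class: class, Tag: tag, IsCompound: true, Bytes: der}
}

// certBagFor drops the asn1.Marshal error: a constant OID plus a byte string cannot fail.
func certBagFor(c *x509.Certificate, attrs ...pkcs12Attribute) safeBag {
	der, _ := asn1.Marshal(certBag{ID: oidCertTypeX509, Data: c.Raw})
	return safeBag{ID: oidCertBag, Value: wrap(2, 0, der), Attributes: attrs}
}

// CombinedSafeContents returns one SafeContents (SEQUENCE OF SafeBag): a keyBag and a
// certBag paired by a shared localKeyId, followed by one trust-entry certBag per CA. The
// key is an unshrouded PKCS#8 keyBag and friendlyName is omitted, to keep the example short.
func CombinedSafeContents(key *ecdsa.PrivateKey, leaf *x509.Certificate, cas []*x509.Certificate) ([]byte, error) {
	pkcs8, err := x509.MarshalPKCS8PrivateKey(key)
	if err != nil {
		return nil, err
	}
	sum := sha1.Sum(leaf.Raw) // SHA-1 of the leaf is the conventional localKeyId
	keyID, _ := asn1.Marshal(sum[:])
	anyEKU, _ := asn1.Marshal(oidAnyEKU)
	linked := pkcs12Attribute{ID: oidLocalKeyID, Value: wrap(0, 17, keyID)}
	trusted := pkcs12Attribute{ID: oidJavaTrustStore, Value: wrap(0, 17, anyEKU)}
	bags := []safeBag{
		{ID: oidKeyBag, Value: wrap(2, 0, pkcs8), Attributes: []pkcs12Attribute{linked}},
		certBagFor(leaf, linked),
	}
	for _, ca := range cas { // the trust-entry list is appended after the key/cert pair
		bags = append(bags, certBagFor(ca, trusted))
	}
	return asn1.Marshal(bags)
}

// testCert makes a throwaway self-signed certificate (constructed fixture; errors ignored).
func testCert(serial int64) (*ecdsa.PrivateKey, *x509.Certificate) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return key, cert
}

func main() {
	key, leaf := testCert(1) // the client's key/cert
	_, ca := testCert(2)     // the CA the client should trust
	sc, err := CombinedSafeContents(key, leaf, []*x509.Certificate{ca})
	if err != nil {
		panic(err)
	}
	fmt.Printf("%x\n", sc) // pipe through `xxd -r -p | openssl asn1parse -inform DER -i` to see the three bags
}
```

Running it and feeding the hex into `openssl asn1parse -inform DER -i` shows exactly the structure march_hare-style consumers expect: a keyBag and a certBag whose attribute SETs carry the same localKeyId OCTET STRING, then a certBag whose only attribute is trustedKeyUsage with anyExtendedKeyUsage. The same check (decode the SafeContents and look at each bag's OID and attributes) is the quickest way to confirm that a merged encoder did append both lists rather than, say, emitting the CA as a plain chain certificate without the trust attribute.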


Tetha commented Dec 2, 2022

Just did some further testing, and the resulting keystore can indeed be loaded by march_hare and functions correctly as a trust store and keystore at the same time.

@AGWA AGWA added the feature label Jul 15, 2023
@AGWA AGWA changed the title Adding a function to encode a combined keystore and trust store Encoding a combined keystore and trust store Jul 15, 2023