Add support for accessing an EndEntityCert's spki

[mdecimus]

Hi,

This is related to briansmith/webpki#85, currently it is not possible to access a certificate's public key and other details. A use case for this is the validation of end entity's certificates with DNS-Based Authentication of Named Entities (DANE).

It would also be quite useful to have access to the parsed X.509 certificate such as https://github.com/rusticata/x509-parser does.

Thanks

[cpu]

This will be resolved by #174

[djc]

Actually I think this specific ask should already work on main (and probably the latest alpha)?

[cpu]

Actually I think this specific ask should already work on main (and probably the latest alpha)?

I might be missing something obvious but it looks to me like main doesn't expose a way to go from an EndEntityCert to a Cert. And both EndEntityCert and Cert don't expose SPKI, just subject.

[djc]

We merged #184 last week, but I guess that doesn't expose SPKI, yet.

[ctz]

Note that Cert::spki is not a valid SPKI encoding, because it lacks the outer SEQUENCE tag and length. That is OK while it remains a crate-internal detail. But I don't think we can expose it as-is.

[cpu]

Note that Cert::spki is not a valid SPKI encoding, because it lacks the outer SEQUENCE tag and length. That is OK while it remains a crate-internal detail. But I don't think we can expose it as-is.

This was a good call out. Just leaving a note to say that #174 ended up exposing the entire certificate DER w/ Cert::der(), but not the Cert::spki field, side-stepping this concern. Consumers can use x509-parser or equivalent to pull out the SPKI without needing to worry about the peculiarities of the condensed webpki internal repr.

I think we can close this now.