-
Notifications
You must be signed in to change notification settings - Fork 4.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Switch from node-forge to PKI.js #13894
Conversation
f753af7
to
ce2c8f7
Compare
Thanks @hashishaw for helping to clean up that I should probably add a changelog now? Are there any tests or documentation that need to be updated? |
Changelog would be excellent, and it looks like our acceptance tests are still passing which means you successfully switch out the libraries while maintaining expected functionality 🎉 Thanks again for tackling this! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Great inline comments. Add a changelog and we'll be good to go! 🚀
This replaces the implementation of parse-pki-cert to use PKI.js rather than node-forge for two reasons: - PKI.js uses Web Crypto rather than maintaining a built-in implementation of several algorithms. - node-forge presently lacks support for ECDSA and Ed25519 certificates. Related: #13680 Signed-off-by: Alexander Scheel <[email protected]>
$ yarn add -D asn1js pvutils pkijs Signed-off-by: Alexander Scheel <[email protected]>
$ yarn remove node-forge Signed-off-by: Alexander Scheel <[email protected]>
Signed-off-by: Alexander Scheel <[email protected]>
ce2c8f7
to
eae7863
Compare
// CommonName field, this is usually a PrintableString, BMPString, or a | ||
// UTF8String. Regardless of encoding, it should be present in the | ||
// valueBlock's value field if it is renderable. | ||
const commonNameOID = '2.5.4.3'; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Linting hadn't run the first time, but it did now :-D
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
thank you for breaking this down and making is so clear to follow. 😍
@@ -0,0 +1,3 @@ | |||
```release-note:improvement |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🎉
const commonNameOID = '2.5.4.3'; | ||
const commonNames = cert?.subject?.typesAndValues | ||
.filter((rdn) => rdn?.type === commonNameOID) | ||
.map((rdn) => rdn?.value?.valueBlock?.value); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In case anyone was wondering, this does appear to be the correct way to parse the RDN's value: https://github.com/PeculiarVentures/PKI.js/blob/master/src/AttributeTypeAndValue.js#L213-L214
Thanks @hashishaw and @hellobontempo! |
* Switch parse-pki-cert from node-forge to PKI.js This replaces the implementation of parse-pki-cert to use PKI.js rather than node-forge for two reasons: - PKI.js uses Web Crypto rather than maintaining a built-in implementation of several algorithms. - node-forge presently lacks support for ECDSA and Ed25519 certificates. Related: #13680 Signed-off-by: Alexander Scheel <[email protected]> * Add dependency on PKI.js $ yarn add -D asn1js pvutils pkijs Signed-off-by: Alexander Scheel <[email protected]> * Remove dependency on node-forge $ yarn remove node-forge Signed-off-by: Alexander Scheel <[email protected]> * Add changelog entry Signed-off-by: Alexander Scheel <[email protected]>
Definitely needing some review from the UI team here :-D I feel I shouldn't have so many changes to
package.json
, but maybe I can get some thoughts on that?After breaking a few things, I think I ended up doing the equivalent of:
to get the dependencies to install and build fine with
make static-dist
.I've roughly followed the following procedure after building Vault with the built-in UI:
I left the
console.log
in case someone has issues parsing certificates in the future, we'll at least be able to point them to a log statement they can share along with the original cert. Let me know if that should be removed.Resolves: #13680 (if merged).
/cc @hellobontempo @hashishaw