Use application/pem-certificate-chain for PEMs #13927
Conversation
As mentioned in hashicorp#10948, it appears we're incorrectly using the `application/pkix-cert` media type for PEM blobs, when `application/x-pem-file` is more appropriate. Per RFC 5280 Section 4.2.1.13, `application/pkix-crl` is only appropriate when the CRL is in DER form. Likewise, Section 4.2.2.1 states that `application/pkix-cert` is only applicable when a single DER certificate is used. Per the recommendation in RFC 8555 ("ACME"), Sections 7.4.2 and 9.1, we use the newer `application/pem-certificate-chain` media type for certificates. However, this is not applicable for CRLs, so we fall back to `application/x-pem-file` for these. Notably, no official IETF source is present for the latter. On the OpenSSL PKI tutorial (https://pki-tutorial.readthedocs.io/en/latest/mime.html), this type is cited as coming from S/MIME's predecessor, PEM, but none of the main PEM RFCs (RFC 934, 1421, 1422, 1423, or 1424) mention this type.

Signed-off-by: Alexander Scheel <[email protected]>
Looks good to me, but another pair of eyes would be a good thing.
@abriening what are your thoughts on using
For what it's worth, Dogtag produces
This makes sense to me :)
(I'm following the Slack chat, but I think it's very unlikely that someone is relying on an incorrect contentType)
I've used the
Looks like the ACME draft was
Seems like
@abriening Thanks! For what it is worth, it appears that Vault doesn't respect (or check) the Accept header either way, so in that regard we'll at least be consistent with other APIs. That said, we have approvals and consensus internally that we're fine with this change (but not backporting it), so I think it is OK to merge. Thanks all for the reviews!
* Use application/pem-certificate-chain for PEMs

As mentioned in #10948, it appears we're incorrectly using the `application/pkix-cert` media type for PEM blobs, when `application/x-pem-file` is more appropriate. Per RFC 5280 Section 4.2.1.13, `application/pkix-crl` is only appropriate when the CRL is in DER form. Likewise, Section 4.2.2.1 states that `application/pkix-cert` is only applicable when a single DER certificate is used. Per the recommendation in RFC 8555 ("ACME"), Sections 7.4.2 and 9.1, we use the newer `application/pem-certificate-chain` media type for certificates. However, this is not applicable for CRLs, so we fall back to `application/x-pem-file` for these. Notably, no official IETF source is present for the latter. On the OpenSSL PKI tutorial (https://pki-tutorial.readthedocs.io/en/latest/mime.html), this type is cited as coming from S/MIME's predecessor, PEM, but none of the main PEM RFCs (RFC 934, 1421, 1422, 1423, or 1424) mention this type.

Signed-off-by: Alexander Scheel <[email protected]>

* Add changelog entry

Signed-off-by: Alexander Scheel <[email protected]>
While ietf-wg-acme/acme#120 (comment) seems to suggest `application/x-pem-file` is appropriate for PEM blobs in general (regardless of type), they ended up removing this in the final draft and introducing a new type.
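As an added example that is not part of this PR or of Vault's code, the media-type decision the description lays out, in Go: the body is inspected rather than labelled by the caller, a DER body gets the RFC 5280 type matching what it parses as, PEM CERTIFICATE blocks get `application/pem-certificate-chain` (RFC 8555 Section 9.1 defines that type as a sequence of PEM-encoded certificates, so any other block type in the same body is rejected), and a single PEM CRL gets the unregistered `application/x-pem-file`. The function and constant names, the self-signed CA and the empty CRL it signs are constructed for the example and are assumptions, not Vault identifiers or output.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Media types as chosen in the PR: three IETF-defined types plus the unregistered PEM CRL fallback.
const (
	MediaPKIXCert = "application/pkix-cert"             // one DER certificate (RFC 5280 4.2.2.1)
	MediaPKIXCRL  = "application/pkix-crl"              // one DER CRL (RFC 5280 4.2.1.13)
	MediaPEMChain = "application/pem-certificate-chain" // PEM CERTIFICATE blocks (RFC 8555 7.4.2, 9.1)
	MediaXPEMFile = "application/x-pem-file"            // PEM CRL fallback, no IETF definition
)

// ContentTypeFor (hypothetical name) returns the media type for a response body, or an error when it fits none of the four cases.
func ContentTypeFor(blob []byte) (string, error) {
	b := bytes.TrimSpace(blob)
	if bytes.HasPrefix(b, []byte("-----BEGIN ")) {
		return pemContentType(b)
	}
	// Not PEM, so it must parse as DER; a Certificate never parses as a CertificateList or vice versa, so order is immaterial.
	if _, err := x509.ParseCertificate(b); err == nil {
		return MediaPKIXCert, nil
	}
	if _, err := x509.ParseRevocationList(b); err == nil {
		return MediaPKIXCRL, nil
	}
	return "", errors.New("body is neither PEM nor a DER certificate or CRL")
}

// pemContentType parses every block instead of trusting its label: a chain may hold
// only CERTIFICATE blocks, and a CRL body exactly one X509 CRL block.
func pemContentType(data []byte) (string, error) {
	certs, crls := 0, 0
	for block, rest := pem.Decode(data); block != nil; block, rest = pem.Decode(rest) {
		switch block.Type {
		case "CERTIFICATE":
			if _, err := x509.ParseCertificate(block.Bytes); err != nil {
				return "", fmt.Errorf("bad CERTIFICATE block: %w", err)
			}
			certs++
		case "X509 CRL":
			if _, err := x509.ParseRevocationList(block.Bytes); err != nil {
				return "", fmt.Errorf("bad X509 CRL block: %w", err)
			}
			crls++
		default:
			return "", fmt.Errorf("unexpected PEM block type %q", block.Type)
		}
	}
	switch {
	case certs > 0 && crls == 0:
		return MediaPEMChain, nil
	case certs == 0 && crls == 1:
		return MediaXPEMFile, nil
	default:
		return "", errors.New("no usable PEM blocks, several CRLs, or certificates and CRLs mixed")
	}
}

// SampleMaterial builds a constructed self-signed CA certificate and an empty CRL it
// signs, both as DER, so the example runs offline. This is test material, not Vault output.
func SampleMaterial() (certDER, crlDER []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed example CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	if certDER, err = x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key); err != nil {
		return nil, nil, err
	}
	issuer, err := x509.ParseCertificate(certDER) // the parsed copy carries the generated SubjectKeyId
	if err != nil {
		return nil, nil, err
	}
	crlDER, err = x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour)}, issuer, key)
	return certDER, crlDER, err
}

// ToPEM wraps DER in one PEM block with the given label.
func ToPEM(label string, der []byte) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: label, Bytes: der})
}
```

Parsing each block instead of trusting its `-----BEGIN` label matters because the media type is what a client may use to pick a parser, so a mislabelled body served under the wrong type fails later and further from the cause. And since `application/x-pem-file` has no IETF definition, a client receiving it should still parse the body rather than infer its contents from the type alone.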