
cert-util: Add -make-ech-key #18

Merged
merged 1 commit into from
Jan 7, 2021

Conversation

cjpatton
Collaborator

@cjpatton cjpatton commented Jan 6, 2021

This feature generates an ECH key using the DNS name specified by the
input certificate as the public name. The key is written to the file
specified by the -key-out flag and the ECHConfigs (consumed by the
client) is written to the file specified by the -out flag.

@cjpatton cjpatton requested a review from xvzcf January 6, 2021 19:14
@cjpatton cjpatton force-pushed the cjpatton/ech-gen branch 2 times, most recently from 3e799dc to 3c01bb9 Compare January 6, 2021 20:55
if len(clientFacingCert.DNSNames) == 0 {
fatalIfErr(errors.New("input certificate does not specify a DNS name"), keyGenErrMsg)
}
template.PublicName = clientFacingCert.DNSNames[0]
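Review bot: the check above only guards against an empty SAN list; it does not verify that `clientFacingCert.DNSNames[0]` is usable as an ECH public name. A wildcard SAN such as *.example.com (the concern raised in this thread) or an IP literal would be copied into `template.PublicName` unchanged, and the thread notes that the test certificate's first SAN is "server", which is not an SNI-style hostname either. Rather than taking index 0, iterate over `DNSNames`, skip entries containing "*" or parseable as an IP address, and call `fatalIfErr` with `keyGenErrMsg` if no entry qualifies; if that is deferred to #20 as discussed, put the TODO next to this line so the assumption is visible to readers of the code.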
Collaborator

This might not be a valid public facing name (*.example.com) -- should we check this rather than just picking the first one?

Collaborator Author

Hrm ... good point. I will fix this.

Collaborator Author

Well, DNSNames[0] is hard-coded as "server" here, which is already not a valid public name. (It needs to be an SNI.) I just decided to add this as a TODO and will address it in #20.

Collaborator

That works!
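The review thread above leaves the public-name check as a TODO. As an added example (not code from this PR or from the cert-util tool), here is one way the selection could be written: walk the certificate's SAN DNS names and take the first one that can be sent as an SNI hostname, rejecting wildcards and IP literals. Following the remark in the thread that a bare label like "server" is not a valid public name, this example also requires at least two labels; that stricter rule, the function names and the sample SAN lists are assumptions of the example, not behaviour the PR specifies.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"regexp"
	"strings"
)

// hostLabel matches one DNS label: letters, digits and hyphens,
// 1-63 characters, not starting or ending with a hyphen.
var hostLabel = regexp.MustCompile(`^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$`)

// isPublicNameCandidate reports whether name can be used as an ECH
// public name, i.e. whether it is a hostname a client could send as SNI.
// Wildcard names, IP literals, and single-label names are rejected
// (the single-label rule is an assumption of this example, mirroring the
// thread's point that "server" is not a usable public name).
func isPublicNameCandidate(name string) bool {
	name = strings.TrimSuffix(name, ".") // tolerate a fully-qualified trailing dot
	if name == "" || len(name) > 253 {
		return false
	}
	if strings.Contains(name, "*") {
		return false // wildcard SANs are not hostnames
	}
	if net.ParseIP(name) != nil {
		return false // SNI carries DNS names, never IP literals
	}
	labels := strings.Split(name, ".")
	if len(labels) < 2 {
		return false // bare labels such as "server" are not accepted
	}
	for _, label := range labels {
		if !hostLabel.MatchString(label) {
			return false
		}
	}
	return true
}

// selectPublicName returns the first SAN DNS name that qualifies as an
// ECH public name, or an error if none does.
func selectPublicName(dnsNames []string) (string, error) {
	for _, n := range dnsNames {
		if isPublicNameCandidate(n) {
			return n, nil
		}
	}
	return "", errors.New("input certificate does not specify a usable public name")
}

func main() {
	// Constructed sample SAN lists for illustration (not from the page).
	samples := [][]string{
		{"*.example.com", "example.com"}, // wildcard first, usable name second
		{"server"},                       // single label, as in the thread
		{"192.0.2.1"},                    // IP literal
		{},                               // no SAN at all
	}
	for _, sans := range samples {
		name, err := selectPublicName(sans)
		fmt.Printf("%v -> %q, err=%v\n", sans, name, err)
	}
}
```

Replacing `template.PublicName = clientFacingCert.DNSNames[0]` with a call like `selectPublicName(clientFacingCert.DNSNames)` keeps the existing `fatalIfErr` error path while making the wildcard case from the review a hard failure instead of a silently wrong public name.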

@chris-wood chris-wood merged commit 19d3ccd into main Jan 7, 2021
@xvzcf xvzcf deleted the cjpatton/ech-gen branch January 7, 2021 20:11