Use application/pem-certificate-chain for PEMs #13927
Conversation
As mentioned in hashicorp#10948, it appears we're incorrectly using the `application/pkix-cert` media type for PEM blobs, when `application/x-pem-file` is more appropriate. Per RFC 5280 Section 4.2.1.13, `application/pkix-crl` is only appropriate when the CRL is in DER form. Likewise, Section 4.2.2.1 states that `application/pkix-cert` is only applicable when a single DER certificate is used. Per recommendation in RFC 8555 ("ACME"), Section 7.4.2 and 9.1, we use the newer `application/pem-certificate-chain` media type for certificates. However, this is not applicable for CRLs, so we use fall back to `application/x-pem-file` for these. Notably, no official IETF source is present for the latter. On the OpenSSL PKI tutorial (https://pki-tutorial.readthedocs.io/en/latest/mime.html), this type is cited as coming from S/MIME's predecessor, PEM, but neither of the main PEM RFCs (RFC 934, 1421, 1422, 1423, or 1424) mention this type. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
|
@abriening what's your thoughts on using For what its worth, Dogtag produces |
|
I've used the Looks like ACME draft was Seems like |
|
@abriening Thanks! For what it is worth, it appears that Vault doesn't respect (or check) the Accept header either way, so in that regard we'll at least be consistent with other APIs. That said, we have approvals and consensus internally that we're fine with this change (but not backporting it), so I think it is OK to merge. Thanks all for the reviews! |
* Use application/pem-certificate-chain for PEMs As mentioned in #10948, it appears we're incorrectly using the `application/pkix-cert` media type for PEM blobs, when `application/x-pem-file` is more appropriate. Per RFC 5280 Section 4.2.1.13, `application/pkix-crl` is only appropriate when the CRL is in DER form. Likewise, Section 4.2.2.1 states that `application/pkix-cert` is only applicable when a single DER certificate is used. Per recommendation in RFC 8555 ("ACME"), Section 7.4.2 and 9.1, we use the newer `application/pem-certificate-chain` media type for certificates. However, this is not applicable for CRLs, so we use fall back to `application/x-pem-file` for these. Notably, no official IETF source is present for the latter. On the OpenSSL PKI tutorial (https://pki-tutorial.readthedocs.io/en/latest/mime.html), this type is cited as coming from S/MIME's predecessor, PEM, but neither of the main PEM RFCs (RFC 934, 1421, 1422, 1423, or 1424) mention this type. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add changelog entry Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
As mentioned in #10948, it appears we're incorrectly using the
application/pkix-certmedia type for PEM blobs, whenapplication/x-pem-fileis more appropriate. Per RFC 5280 Section4.2.1.13,
application/pkix-crlis only appropriate when the CRL is inDER form. Likewise, Section 4.2.2.1 states that
application/pkix-certis only applicable when a single DER certificate is used.
Per recommendation in RFC 8555 ("ACME"), Section 7.4.2 and 9.1, we use
the newer
application/pem-certificate-chainmedia type forcertificates. However, this is not applicable for CRLs, so we use fall
back to
application/x-pem-filefor these. Notably, no official IETFsource is present for the latter. On the OpenSSL PKI tutorial
(https://pki-tutorial.readthedocs.io/en/latest/mime.html), this type is
cited as coming from S/MIME's predecessor, PEM, but neither of the main
PEM RFCs (RFC 934, 1421, 1422, 1423, or 1424) mention this type.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>While ietf-wg-acme/acme#120 (comment) seems to suggest
application/x-pem-fileis appropriate for PEM blobs in general (regardless of type), they ended up removing this in the final draft and introducing a new type.