Add certificate OID map properties to vNEXT spec #89
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
DerekTBrown
added a commit
to DerekTBrown/envoy
that referenced
this pull request
Jul 9, 2025
This change adds new methods to the SSL ConnectionInfo interface to expose certificate extension OID maps, which allow proxy-wasm filters to access certificate extension data. This implements the proposal from proxy-wasm/spec#89. The new properties are: - connection.oid_map_local_certificate (map) - connection.oid_map_peer_certificate (map) - upstream.oid_map_local_certificate (map) - upstream.oid_map_peer_certificate (map) Each property provides a map of OID strings to their values extracted from certificate extensions. Signed-off-by: Derek Brown <6845676+DerekTBrown@users.noreply.github.com>
This change adds new properties to access certificate OIDs: - connection.oid_map_local_certificate - connection.oid_map_peer_certificate - upstream.oid_map_local_certificate - upstream.oid_map_peer_certificate These properties return maps of all OIDs to their corresponding values in certificates, allowing plugins to access all certificate properties including X.509 extensions. Closes proxy-wasm#88 Signed-off-by: Derek Brown <6845676+DerekTBrown@users.noreply.github.com>
DerekTBrown
force-pushed
the
feature/cert-oid-maps
branch
from
7de81b5 to
bd924b3
Compare
|
I wrote a prototype implementation for Envoy, demonstrating feasibility: |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR addresses issue #88 by adding new properties to access certificate OIDs:
connection.oid_map_local_certificateconnection.oid_map_peer_certificateupstream.oid_map_local_certificateupstream.oid_map_peer_certificateThese properties return maps of all OIDs to their corresponding values in certificates,
allowing plugins to access all certificate properties including X.509 extensions that may not
be exposed through the existing certificate properties.
This enhancement will enable Proxy-WASM plugins to access additional certificate attributes
needed for advanced use cases, particularly when working with certificates that contain
non-standard X.509 extensions with custom OIDs.