
How to include TLS-unique value in CSR?

Çağlar Arlı      -    37 Views


I'm using a GlobalSign EST Go library that provides an implementation of the RFC 7030 (EST).

So far it doesn't provide any function to generate a CSR at runtime and therefore include the TLS-unique value in the CSR before enrolment.
I might use the crypto package for that along with a little code tweaking.

However, there is something I noticed while debugging the simple functions such as getting the CACerts or even enrolling an existing CSR:

  1. I can't get access to the TLS-unique value from the GlobalSign client implementation; I guess that would be part of the code tweaking I mentioned earlier.

  2. And this might be the solution, but I'm not sure how to make use of it: the context. I was hoping to find the HTTP context and eventually get the information of the TLS-unique value in there. Unfortunately, whether I use context.TODO() or .Background(), it's empty in my debugging.

Also, that 2nd point made me wonder, is it supposed to be like that?
I thought I should include that value in the form of the challenge password attribute of the CSR, and that CSR is then sent to the server, and the server is going to verify it's the same TLS-unique value, because any HTTP request will generate a new TLS-unique value. Or at least, that's my interpretation of RFC 7030, section 3.5.

If my understanding is correct, then there is something wrong with my EST Go package, and I still don't know how I could get that value from the client during the enroll operation.

If there are any other Go libs that implement the EST protocol with more flexibility, you're welcome to share.