Fix: Set Subject CN in certificates per W3C spec

[kaidokert]

Remove internal certificate generation from QuinnClient and QuinnServer. Both now require pre-generated certificates with W3C-compliant 160-bit serials and Subject CN = agent hostname. This architectural change ensures the application layer's CertificateKey logic is always used. Fix data loss bug where save_to_pem() overwrote loaded certificates with dummy data.

Fixes #5

[gemini-code-assist]

Summary of Changes

Hello @kaidokert, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces a significant architectural refactoring of certificate handling within the OpenScreen project. The primary goal is to enforce W3C compliance for all certificates and centralize their generation and management. By delegating certificate creation to the application layer, the system ensures consistent adherence to standards for serial numbers and Subject CN, while also resolving a critical bug that caused certificate data loss during persistence.

Highlights

• Centralized Certificate Management: The QuinnClient and QuinnServer components no longer generate certificates internally. Instead, they now require pre-generated certificates, centralizing certificate creation and management within the application layer's CertificateKey logic.
• W3C Compliance Enforcement: Certificates are now enforced to adhere to W3C specifications, specifically requiring 160-bit serial numbers and the Subject Common Name (CN) to match the agent's hostname. This improves interoperability and security.
• Certificate Persistence Bug Fix: A data loss bug in the save_to_pem() function has been resolved. Previously, loaded certificates were incorrectly overwritten with dummy data, which is now fixed by correctly encoding DER bytes to PEM format.
• Streamlined Quinn Module: The openscreen-quinn module has been streamlined by removing its standalone openscreen-test and openscreen-receiver binaries, along with their associated CLI dependencies. This simplifies the module's scope and reduces its footprint.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces significant and valuable architectural improvements. By moving certificate generation and management from the openscreen-quinn transport layer to the openscreen-application layer, it establishes a much cleaner separation of concerns. This change makes the openscreen-quinn crate a more reusable and focused library.

The fix for the data loss bug in save_to_pem() is critical for ensuring certificate persistence works correctly. The previous behavior of overwriting loaded certificates with dummy data was a serious issue, and the new implementation in cert.rs correctly handles loading and saving DER-encoded data.

Furthermore, the changes to ensure certificates are generated with a W3C-compliant Subject CN and 160-bit serial number are essential for interoperability and standards compliance. The updated tests, especially the one verifying the Subject CN, provide good confidence in the correctness of these changes.

Overall, this is an excellent pull request that improves correctness, maintainability, and architecture. I have one minor suggestion to improve efficiency by avoiding unnecessary data cloning.