
Story #6352

As a user, I can submit my cert via TLS and I do not have to strip newlines from it

Added by bmbouter almost 2 years ago. Updated over 1 year ago.

Status:
CLOSED - CURRENTRELEASE
Priority:
Normal
Assignee:
Sprint/Milestone:
Start date:
Due date:
% Done:

100%

Estimated time:
Platform Release:
Groomed:
No
Sprint Candidate:
No
Tags:
Sprint:
Sprint 69
Quarter:

Description

This story has two parts:

  1. Switching to urlencoding instead of newline stripping for X.509 certificates
  2. Switching to certificates being submitted to nginx and https via TLS and not as a header.
  3. Replace the storage of CA certificates from being on the filesystem to being stored in the DB (same as RHSM Cert Guard)

Urlencoding

Recently we learned that urlencoding is a better way to encode certificates in headers. For example, nginx provides the $ssl_client_escaped_cert variable specifically for this. For Apache, the following config will also perform url encoding:

RequestHeader set X-CLIENT-CERT "expr=%{escape:%{SSL_CLIENT_CERT}s}"
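To show the receiving side of this change, here is an added example (not code from this issue or from pulp-certguard) that decodes a URL-encoded PEM certificate from such a header back into DER bytes, rejecting missing or malformed input. The header name X-CLIENT-CERT is taken from the Apache line above; the nginx-style escaping is approximated with urllib's quote, and the certificate bytes are a constructed placeholder, not a real certificate.

```python
import base64
import binascii
import re
from urllib.parse import quote, unquote

# PEM framing; the body may be wrapped at 64 columns or arrive with newlines intact.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(?P<body>[A-Za-z0-9+/=\s]+?)\s*-----END CERTIFICATE-----"
)


def escape_like_nginx(pem: str) -> str:
    """Approximate what $ssl_client_escaped_cert (or the Apache escape expression)
    places in the header: the whole PEM percent-encoded, so newlines travel as %0A
    and nothing has to be stripped by the client."""
    return quote(pem, safe="")


def cert_der_from_header(header_value: str) -> bytes:
    """Decode a URL-encoded X-CLIENT-CERT header value and return the certificate's
    DER bytes, ready for an X.509 parser. Raises ValueError when the header is
    absent, does not carry PEM, or its body is not valid base64."""
    if not header_value:
        raise ValueError("no client certificate header present")
    pem = unquote(header_value)
    match = PEM_RE.search(pem)
    if match is None:
        raise ValueError("header does not contain a PEM certificate")
    body = "".join(match.group("body").split())  # drop the 64-column line breaks
    try:
        return base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError("certificate body is not valid base64") from exc


# Constructed sample: a placeholder DER blob wrapped as PEM (not a real certificate).
FAKE_DER = bytes(range(256)) * 2
_b64 = base64.b64encode(FAKE_DER).decode("ascii")
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + "\n".join(_b64[i:i + 64] for i in range(0, len(_b64), 64))
    + "\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    header = escape_like_nginx(SAMPLE_PEM)
    assert cert_der_from_header(header) == FAKE_DER
    print("round trip ok; header begins with", header[:40])
```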

Cert Submission via TLS

Users want to use the cert and key together in TLS to assert that the client has the key and not just the cert. Thus when the server has the client's cert, they both have it and also know that the client can prove cryptographic ownership of the cert.

Changing how CA certificates are stored

All certificates in Pulp are in the database except for this one. This will require the migration 0001 to be rewritten, but since it's never GA'd this should be acceptable.

Associated revisions

Revision 040177c6 View on GitHub
Added by bmbouter almost 2 years ago

Switch X509CertGuard to db storage and urlencode

The X509CertGuard was requiring the user to perform newline stripping from certificates, but this operation invalidates some certificates. Therefore it is not possible to continue with this method.

This PR switches the expectation of certificate delivery to be urlencoded and no longer with newlines stripped.

This PR also stores the X509CertGuard.ca_certificate in the database instead of on the filesystem.

This PR fully regenerates the migrations, which is a breaking change. It comes with a .removal release note advising users as such.

https://pulp.plan.io/issues/6352 closes #6352

History

#1 Updated by bmbouter almost 2 years ago

  • Tracker changed from Issue to Story
  • Project changed from Pulp to CertGuard
  • Subject changed from Remove newline checking and switch tooling to submit X.509 cert in their TLS session themselves to As a user, I can submit my cert via TLS and I do not have to strip newlines from it
  • % Done set to 0
  • Sprint set to Sprint 68

Adding to Sprint to prepare for the release and make it compatible with RHSMCertGuard.

#2 Updated by bmbouter almost 2 years ago

  • Status changed from NEW to ASSIGNED
  • Assignee set to bmbouter

#3 Updated by rchan almost 2 years ago

  • Sprint changed from Sprint 68 to Sprint 69

#4 Updated by bmbouter almost 2 years ago

  • Description updated (diff)

#5 Updated by rchan almost 2 years ago

  • Sprint changed from Sprint 69 to Sprint 70

#6 Updated by bmbouter almost 2 years ago

  • Status changed from ASSIGNED to POST
  • Sprint changed from Sprint 70 to Sprint 69

#7 Updated by bmbouter almost 2 years ago

  • Status changed from POST to MODIFIED
  • % Done changed from 0 to 100

#8 Updated by bmbouter over 1 year ago

  • Sprint/Milestone set to 1.0.0 Release

#9 Updated by bmbouter over 1 year ago

  • Status changed from MODIFIED to CLOSED - CURRENTRELEASE
