Story #6352
closedAs a user, I can submit my cert via TLS and I do not have to strip newlines from it
100%
Description
This story has two parts:
- Switching to urlencoding instead of newline stripping for X.509 certificates
- Switching to certificates being submitted to nginx and https via TLS and not as a header.
- Replace the storage of CA certificates from being on the filesystem to being being stored in the DB (same as RHSM Cert Guard)
Urlencoding¶
Recently we learned that urlencoding is a better way to encode certificates in headers. For example nginx has a field to specifically the $ssl_client_escaped_cert variable. For apache the following config will also perform url encoding:
RequestHeader set X-CLIENT-CERT "expr=%{escape:%{SSL_CLIENT_CERT}s}"
Cert Submission via TLS¶
User's want to use the cert and key together in TLS to assert the client has the key and not just the cert. Thus when the server has the client's cert they both have it and also know the client can prove cryptographic ownership of the cert.
Changing how CA certificates are stored¶
All certificates in Pulp are in the database except for this one. This will require the migration 0001 to be rewritten, but since it's never GA'd this should be acceptable.
Updated by bmbouter almost 5 years ago
- Tracker changed from Issue to Story
- Project changed from Pulp to CertGuard
- Subject changed from Remove newline checking and switch tooling to submit X.509 cert in their TLS session themselves to As a user, I can submit my cert via TLS and I do not have to strip newlines from it
- % Done set to 0
- Sprint set to Sprint 68
Adding to Sprint to prepare for the release and make it compatible with RHSMCertGuard.
Updated by bmbouter almost 5 years ago
- Status changed from NEW to ASSIGNED
- Assignee set to bmbouter
Updated by bmbouter over 4 years ago
- Status changed from ASSIGNED to POST
- Sprint changed from Sprint 70 to Sprint 69
PR available at: https://github.com/pulp/pulp-certguard/pull/47
Added by bmbouter over 4 years ago
Updated by bmbouter over 4 years ago
- Status changed from POST to MODIFIED
- % Done changed from 0 to 100
Applied in changeset 040177c629d24b02c93afe922e782df9acdba58e.
Updated by bmbouter over 4 years ago
- Status changed from MODIFIED to CLOSED - CURRENTRELEASE
Switch X509CertGuard to db storage and urlencode
The X509CertGuard was requiring the user to perform newline stripping from certificates, but this operation invalidates some certificates. Therefore it is not possible to continue with this method.
This PR switches the expectation of certificate delivery to be urlencoded and no longer with newlines striped.
This PR also stores the
X509CertGuard.ca_certificate
in the database instead of on the filesystem.This PR fully regenerates the migrations, which is a breaking change. It comes with a .removal release note advising users as such.
https://pulp.plan.io/issues/6352 closes #6352