Actions
Story #6352
closed
As a user, I can submit my cert via TLS and I do not have to strip newlines from it
Start date:
Due date:
% Done:
100%
Estimated time:
Platform Release:
Groomed:
No
Sprint Candidate:
No
Tags:
Sprint:
Sprint 69
Quarter:
Description
This story has two parts:
- Switching to urlencoding instead of newline stripping for X.509 certificates
- Switching to certificates being submitted to nginx and https via TLS and not as a header.
- Replace the storage of CA certificates from being on the filesystem to being being stored in the DB (same as RHSM Cert Guard)
Urlencoding¶
Recently we learned that urlencoding is a better way to encode certificates in headers. For example nginx has a field to specifically the $ssl_client_escaped_cert variable. For apache the following config will also perform url encoding:
RequestHeader set X-CLIENT-CERT "expr=%{escape:%{SSL_CLIENT_CERT}s}"
Cert Submission via TLS¶
User's want to use the cert and key together in TLS to assert the client has the key and not just the cert. Thus when the server has the client's cert they both have it and also know the client can prove cryptographic ownership of the cert.
Changing how CA certificates are stored¶
All certificates in Pulp are in the database except for this one. This will require the migration 0001 to be rewritten, but since it's never GA'd this should be acceptable.
Actions
.
Switch X509CertGuard to db storage and urlencode
The X509CertGuard was requiring the user to perform newline stripping from certificates, but this operation invalidates some certificates. Therefore it is not possible to continue with this method.
This PR switches the expectation of certificate delivery to be urlencoded and no longer with newlines striped.
This PR also stores the
X509CertGuard.ca_certificatein the database instead of on the filesystem.This PR fully regenerates the migrations, which is a breaking change. It comes with a .removal release note advising users as such.
https://pulp.plan.io/issues/6352 closes #6352