Story #6352

closed

As a user, I can submit my cert via TLS and I do not have to strip newlines from it

Added by bmbouter over 4 years ago. Updated over 4 years ago.

Status: CLOSED - CURRENTRELEASE
Priority: Normal
Assignee:
Sprint/Milestone:
Start date:
Due date:
% Done: 100%
Estimated time:
Platform Release:
Groomed: No
Sprint Candidate: No
Tags:
Sprint: Sprint 69
Quarter:

Description

This story has three parts:

  1. Switching to urlencoding instead of newline stripping for X.509 certificates.
  2. Switching to certificates being submitted to nginx via TLS (as the client certificate of the HTTPS connection) and not as a header.
  3. Replacing the storage of CA certificates on the filesystem with storage in the DB (same as RHSM Cert Guard).

Urlencoding

Recently we learned that urlencoding is a better way to encode certificates in headers. For example, nginx provides the $ssl_client_escaped_cert variable specifically for this purpose. For Apache, the following config will also perform url encoding:

RequestHeader set X-CLIENT-CERT "expr=%{escape:%{SSL_CLIENT_CERT}s}"
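The two header encodings discussed above, side by side, as an added Python example (not Pulp's own code). It assumes the proxy-side escaping percent-encodes every reserved character, newlines included, and uses a constructed DER blob as a stand-in for a real certificate; the stdlib ssl helpers only check PEM framing and base64, which is all the round trip needs.

```python
import ssl
from urllib.parse import quote, unquote

# Constructed stand-in for a certificate: a well-formed DER SEQUENCE holding an
# OCTET STRING, not a real X.509 certificate. 102 bytes -> 136 base64 chars, so
# the PEM form spans three body lines (64 + 64 + 8), which is what matters here.
FAKE_DER = b"\x30\x64\x04\x62" + bytes(range(98))
FAKE_PEM = ssl.DER_cert_to_PEM_cert(FAKE_DER)  # header, 64-column lines, footer

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def escape_like_proxy(pem: str) -> str:
    """Assumed proxy behaviour ($ssl_client_escaped_cert / expr=%{escape:...}):
    percent-encode every reserved character, so newlines become %0A."""
    return quote(pem, safe="")


def strip_newlines_like_old_proxy(pem: str) -> str:
    """The legacy approach this story moves away from: drop the newlines."""
    return pem.replace("\n", "")


def pem_from_escaped_header(value: str) -> str:
    """Percent-decoding is lossless: the exact PEM text comes back."""
    return unquote(value)


def pem_from_stripped_header(value: str) -> str:
    """Reconstruct a PEM from the newline-stripped form. This only works because
    the sender is assumed to have used the standard 64-column layout; the
    layout itself is not carried in the header value."""
    if not (value.startswith(PEM_HEADER) and value.endswith(PEM_FOOTER)):
        raise ValueError("not a newline-stripped PEM certificate")
    body = value[len(PEM_HEADER):-len(PEM_FOOTER)]
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join([PEM_HEADER, *lines, PEM_FOOTER]) + "\n"


def der_from_escaped_header(value: str) -> bytes:
    """Application side: decode the header, then validate PEM framing and base64
    before the certificate is used for anything. The header is only trustworthy
    when the TLS-terminating proxy sets it unconditionally on every request."""
    pem = pem_from_escaped_header(value)
    return ssl.PEM_cert_to_DER_cert(pem)  # raises ValueError on bad framing
```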

Cert Submission via TLS

Users want to present the cert and key together in TLS, so that the client proves it holds the key and not just the cert. Thus when the server receives the client's cert, it also knows the client can prove cryptographic ownership of it.

Changing how CA certificates are stored

All certificates in Pulp are stored in the database except for this one. This will require migration 0001 to be rewritten, but since it has never GA'd this should be acceptable.
