-
Notifications
You must be signed in to change notification settings - Fork 16
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Feature: allow to revoke or disable device CA #324
Conversation
LGTM. It makes sense to me. I'll finalize this PR review after the corresponding API PR is posted. |
If a user wants to add a new device CA then maybe it would be more convenient for a user to add just a new device ca to the
? |
The API will continue to require the client to upload the full CA list, as it is now. What is changed:
|
Not sure it's convenient from a user perspective since it requires to fetch the online device CA before making the update request. |
5fba02d
to
26b208b
Compare
@doanac @mike-sul @StealthyCoder I'm almost done with this one. I will take a look why PKI tests failed; they were passing for me locally. |
26b208b
to
816513a
Compare
@doanac @mike-sul @StealthyCoder @camilamacedo86 This was tested with the API version currently deployed to our staging MEDS instance.
What still needs to be implemented:
|
e144fb5
to
c4b7d6e
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
@kprosise @vanmaegima @angolini do you want to give a grammar check to the new commands descriptions? I believe that by Tuesday @doanac and/or @mike-sul will approve this; so it is stable enough for the literacy polish. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Some minor suggestions, overall the text LGTM
I need to use this routine for the "key ca revoke-device-ca" command. Signed-off-by: Volodymyr Khoroz <volodymyr.khoroz@foundries.io>
…how" This is a no-op change, as the big.Int is printed as base 10 by default. This commit simply makes that explicit, so that we are protected from future changes. It is important for the device CA revocation, as users are going to copy-paste CA serials. Signed-off-by: Volodymyr Khoroz <volodymyr.khoroz@foundries.io>
Currently, an API allows to simply remove the device CA from a list of CAs. This change proposes to implement device CA removal via the X.509 certificate revocation. That way, a user is required to crypto-sign the operation using the factory root CA. Thus, we both obtain an cryptographic conscent from the user for this operation and protect against several scenarios: - An accidental device CA removal by passing a wrong file to "keys ca update". - An intentional device CA removal by bad admin who does not possess the factory root CA. After this change, the API will be changed to require the "ca-crt" field to contain all device CAs which: - Are already present in the "ca-crt" list on the backend. - And are not explicitly listed in the "ca-revoke-crl" list. Signed-off-by: Volodymyr Khoroz <volodymyr.khoroz@foundries.io>
This is a soft variant of the device CA revocation. A difference is that already registered devices can continue to connect and use FoundriesFactory. This is handy when the device CA is compromised, as it allows to act immediately so that things does not get worse. Signed-off-by: Volodymyr Khoroz <volodymyr.khoroz@foundries.io>
We need this in order to be able to sign the CRL for the device CA revocation. For old factory CAs already in the field, a workaround is to artificially set this bit at runtime. The API needs to be smart to not check this bit of the factory root CA when validating the CRL. Signed-off-by: Volodymyr Khoroz <volodymyr.khoroz@foundries.io>
Signed-off-by: Volodymyr Khoroz <volodymyr.khoroz@foundries.io>
This is called to make the user experience even safer. Before generating the CRL, we check if provided serials are known to the server as device CAs. Signed-off-by: Volodymyr Khoroz <volodymyr.khoroz@foundries.io>
…rver Signed-off-by: Volodymyr Khoroz <volodymyr.khoroz@foundries.io>
This helps me to introduce a logic for the disabled device CAs with less code. Signed-off-by: Volodymyr Khoroz <volodymyr.khoroz@foundries.io>
Signed-off-by: Volodymyr Khoroz <volodymyr.khoroz@foundries.io>
…M data This was found while reviewing the copy-pasted code; so need to fix the original. Signed-off-by: Volodymyr Khoroz <volodymyr.khoroz@foundries.io>
This will be reused for to validate if the revoked/disabled cert is present in the actual device CAs list. Signed-off-by: Volodymyr Khoroz <volodymyr.khoroz@foundries.io>
762be5a
to
79245cd
Compare
Rebased, squashed fixups, and applied all wording corrections. |
Currently, an API allows to simply remove the device CA from a list of CAs.
This change implements the device CA removal via the X.509 certificate revocation.
That way, a user is required to crypto-sign the operation using the factory root CA.
Thus, we both obtain an cryptographic conscent from the user for this operation and protect against several scenarios:
After this change, the API will be changed to require the "ca-crt" field to contain all device CAs which:
There are two new operations introduced:
Signed-off-by: Volodymyr Khoroz volodymyr.khoroz@foundries.io