Feature: allow to revoke or disable device CA

[vkhoroz]

Currently, an API allows to simply remove the device CA from a list of CAs.

This change implements the device CA removal via the X.509 certificate revocation.
That way, a user is required to crypto-sign the operation using the factory root CA.
Thus, we both obtain an cryptographic conscent from the user for this operation and protect against several scenarios:

• An accidental device CA removal by passing a wrong file to "keys ca update".
• An intentional device CA removal by bad admin who does not possess the factory root CA.

After this change, the API will be changed to require the "ca-crt" field to contain all device CAs which:

• Are already present in the "ca-crt" list on the backend.
• And are not explicitly listed in the "ca-revoke-crl" list.

There are two new operations introduced:

• disable device CA: Tell the backend to disallow registering new devices using this CA; already registered devices (using this CA) can still connect and use FoundriesFactory.
• revoke device CA: Tell the backend to remove this CA from the list of trusted device CAs; devices with client certs issued by this CA can no longer connect and use FoundriesFactory.

Signed-off-by: Volodymyr Khoroz volodymyr.khoroz@foundries.io

[mike-sul]

LGTM. It makes sense to me. I'll finalize this PR review after the corresponding API PR is posted.

[mike-sul]

If a user wants to add a new device CA then maybe it would be more convenient for a user to add just a new device ca to the "ca-crt" field, instead of

After this change, the API will be changed to require the "ca-crt" field to contain all device CAs which:

    Are already present in the "ca-crt" list on the backend.

?

[vkhoroz]

If a user wants to add a new device CA then maybe it would be more convenient for a user to add just a new device ca to the "ca-crt" field ...

The API will continue to require the client to upload the full CA list, as it is now.
But, the Fioctl allows the user to add just one CA using fioctl keys ca add-device-ca command.

What is changed:

• currently, the user can overwrite the list of device CAs with some garbage (completely new list of CAs) by mistake.
• after the change that will be no longer possible, as that list becomes append-only; with remove operation being accomplished via the crypto-signed CRL.

[mike-sul]

The API will continue to require the client to upload the full CA list

Not sure it's convenient from a user perspective since it requires to fetch the online device CA before making the update request.

[vkhoroz]

@doanac @mike-sul @StealthyCoder I'm almost done with this one.

I will take a look why PKI tests failed; they were passing for me locally.
A commit list is not ideal yet; so don't rush reviewing this - I'll clean it up tomorrow.
Also, I did not yet test this end-2-end fully - will continue tomorrow as well.

[vkhoroz]

@doanac @mike-sul @StealthyCoder @camilamacedo86

This was tested with the API version currently deployed to our staging MEDS instance.
I added and tested all planned featurettes:

• Device CA can be disabled or revoked.
• Dry-run and pretty options work as expected.
• When disabled, device CA shows as disabled in keys ca show.
• When disabled, I can no longer register devices using API with this CA.
• When revoked, devices using this CA cannot connect to device gateway, failing mTLS handshake.

What still needs to be implemented:

• The device gateway part for the auto-registration is pending.

[mike-sul]

LGTM

[vkhoroz]

@kprosise @vanmaegima @angolini do you want to give a grammar check to the new commands descriptions?

I believe that by Tuesday @doanac and/or @mike-sul will approve this; so it is stable enough for the literacy polish.

[kprosise]

Some minor suggestions, overall the text LGTM

[vkhoroz]

Rebased, squashed fixups, and applied all wording corrections.