Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

refactor: Untangle certificate request, creation and renewal #3268

Merged

Conversation

didier-wenzek
Copy link
Contributor

Proposed changes

Prepare the integration with Cumulocity CA, by putting apart the code to create self-signed certificate, to create signing request and to renew a certificate.

These different tasks was implemented by a single structure using misc flags to drive checks and file generation.
Now each PEM operation is control by a specific flow.

Types of changes

  • Bugfix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Improvement (general improvements like code refactoring that doesn't explicitly fix a bug or add any new functionality)
  • Documentation Update (if none of the other choices apply)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)

Paste Link to the issue

#3248

Checklist

  • I have read the CONTRIBUTING doc
  • I have signed the CLA (in all commits with git commit -s)
  • I ran cargo fmt as mentioned in CODING_GUIDELINES
  • I used cargo clippy as mentioned in CODING_GUIDELINES
  • I have added tests that prove my fix is effective or that my feature works
  • I have added necessary documentation (if appropriate)

Further comments

Copy link

codecov bot commented Nov 26, 2024

Copy link
Contributor

github-actions bot commented Nov 26, 2024

Robot Results

✅ Passed ❌ Failed ⏭️ Skipped Total Pass % ⏱️ Duration
527 0 2 527 100 1h31m48.934624s


let not_after = not_before + Duration::days(config.validity_period_days.into());
params.not_before = not_before;
params.not_after = not_after;

params.is_ca = rcgen::IsCa::Ca(rcgen::BasicConstraints::Unconstrained); // IsCa::SelfSignedOnly is rejected by C8Y
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is the change failing the system tests.

I forgot to inject this back to self-signed certificate creation.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed by 950ebcb

Comment on lines 16 to 30
/// Create self-signed device certificate and signing request
pub struct CreateCertCmd {
/// The device identifier
pub id: String,

/// The path where the device certificate will be stored
/// The path where the device certificate / request will be stored
pub cert_path: Utf8PathBuf,

/// The path where the device private key will be stored
pub key_path: Utf8PathBuf,

/// The path where the device CSR file will be stored
pub csr_path: Option<Utf8PathBuf>,

/// The component that is configured to host the MQTT bridge logic
pub bridge_location: BridgeLocation,
/// The owner of the private key
pub user: String,
pub group: String,
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

question: if CreateCertCmd creates certificate signing requests, what does the CreateCsrCmd do?

Is this a leftover of some previous changes, or am I not understanding something?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oops. This is a leftover. CreateCertCmd is now only used to create self signed certificate.

This now confusing comment has been added during an intermediate step and has to be removed.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed: 4cf7c88

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

And improved: 0de8244

Copy link
Contributor

@albinsuresh albinsuresh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.


create_cmd.renew_test_certificate(config)
override_public_key(cert_path, cert.certificate_pem_string()?)
Copy link
Contributor

@albinsuresh albinsuresh Nov 28, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The explicit removal of the certificate in line. 40 seems redundant now, because of this "override" mechanism. But not harm either.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I thought the same but it is not. Indeed, a certificate is in practice write protected (0o444).

Signed-off-by: Didier Wenzek <[email protected]>
This field was used to hack the CreateCertCmd making it creating a CSR
instead of a self-signed certificate.

Signed-off-by: Didier Wenzek <[email protected]>
Previously, this user was derived from the bridge type introducing
an unrelated domain, even if in practice thin-edge mainly uses certificates
to authenticate the bridge.

Signed-off-by: Didier Wenzek <[email protected]>
Two fields were used to pass a device id to a CSR command,
one being only used if the other was not suitable.
Now the device id is provided by the caller.

Signed-off-by: Didier Wenzek <[email protected]>
@didier-wenzek didier-wenzek force-pushed the refactor/simplify_csr_creation branch from 0de8244 to 88bcaad Compare November 28, 2024 08:10
@didier-wenzek didier-wenzek added this pull request to the merge queue Nov 28, 2024
Merged via the queue into thin-edge:main with commit 649e4ed Nov 28, 2024
33 checks passed
@didier-wenzek didier-wenzek deleted the refactor/simplify_csr_creation branch November 28, 2024 11:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants