Skip to content
This repository has been archived by the owner on May 21, 2024. It is now read-only.

Allow re-importing the client TLS certifcate. #1743

Merged
merged 10 commits into from
Aug 25, 2020
Merged

Allow re-importing the client TLS certifcate. #1743

merged 10 commits into from
Aug 25, 2020

Conversation

pattivacek
Copy link
Collaborator

We already allow it for the root CA.

@codecov-commenter
Copy link

codecov-commenter commented Aug 11, 2020
edited
Loading

Codecov Report

Merging #1743 into master will decrease coverage by 3.57%.
The diff coverage is 51.10%.

Impacted file tree graph

@@            Coverage Diff             @@
##           master    #1743      +/-   ##
==========================================
- Coverage   84.98%   81.40%   -3.58%     
==========================================
  Files         178      178              
  Lines       12019    12561     +542     
==========================================
+ Hits        10214    10225      +11     
- Misses       1805     2336     +531
Impacted Files Coverage Δ
src/libaktualizr/crypto/crypto.h 61.11% <ø> (ø)
src/libaktualizr/storage/invstorage.h 100.00% <ø> (ø)
src/libaktualizr/crypto/crypto.cc 53.14% <43.67%> (-30.97%) ⬇️
src/libaktualizr/storage/invstorage.cc 65.25% <61.70%> (-23.34%) ⬇️
src/cert_provider/main.cc 33.87% <65.30%> (-29.85%) ⬇️
src/libaktualizr/crypto/keymanager.cc 70.74% <100.00%> (-18.74%) ⬇️
src/libaktualizr/storage/sqlstorage_base.h 60.00% <0.00%> (-40.00%) ⬇️
... and 4 more

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 6c61fc6...dcad65b. Read the comment docs.

zabbal
zabbal previously approved these changes Aug 13, 2020
View reviewed changes
Copy link
Contributor

@zabbal zabbal left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

@pattivacek
Copy link
Collaborator Author

LGTM.

Thanks. Unfortunately I just tested it in a more realistic use case and it isn't working. Still investigating. For now, we should wait on merging.

@zabbal
Copy link
Contributor

zabbal commented Aug 13, 2020

Is there unit-test for the previous version (root CA re-import)?

@pattivacek
Copy link
Collaborator Author

Unfortunately I just tested it in a more realistic use case and it isn't working. Still investigating. For now, we should wait on merging.

False alarm, it was just because trying to reimport the key, too, which I haven't allowed here. For just the cert, it works fine.

Is there unit-test for the previous version (root CA re-import)?

Yep, the same test that I edited to test the new functionality.

@pattivacek pattivacek force-pushed the feat/OTA-5178/re-import-client-cert branch from 1e4ec83 to 3608f74 Compare August 13, 2020 13:16
@pattivacek pattivacek force-pushed the feat/OTA-5178/re-import-client-cert branch 2 times, most recently from 5097ce1 to ece2479 Compare August 13, 2020 13:50
@pattivacek pattivacek requested a review from Raigi August 13, 2020 14:20
@pattivacek
Copy link
Collaborator Author

I've updated this, tested it more thoroughly, removed the do-not-merge tag, and in the process (automatically) dismissed @zabbal's review. This is now ready for review again.

zabbal
zabbal previously approved these changes Aug 14, 2020
View reviewed changes
Copy link
Contributor

@zabbal zabbal left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good.

A little side note: the importUpdateSimple() is defined and used only in invstorage.cc - do we really need to expose it in public API? Can it be marked static instead?

@pattivacek
Copy link
Collaborator Author

do we really need to expose it in public API?

Doesn't appear to be part of the public API (include/libaktualizr) to me, but maybe you mean something different? The function is private.

Can it be marked static instead?

I tried that recently (unrelated to this) but I wasn't able to make it work.

@zabbal
Copy link
Contributor

zabbal commented Aug 14, 2020

Nevermind then - most likely that's smth "lost in translation" while trying to apply my C experience to C++ world.

@pattivacek
Allow re-importing the client TLS certifcate and key.
b1db345 
We already allow it for the root CA.

Signed-off-by: Patrick Vacek <patrickvacek@gmail.com>
@pattivacek pattivacek force-pushed the feat/OTA-5178/re-import-client-cert branch from ece2479 to 8c144ce Compare August 21, 2020 13:21
@pattivacek pattivacek requested a review from aodukha August 21, 2020 13:23
@pattivacek pattivacek force-pushed the feat/OTA-5178/re-import-client-cert branch 2 times, most recently from a300a58 to 04edbfb Compare August 21, 2020 13:26
@pattivacek
Print more import details to the log at debug level.
4858c9a 
Signed-off-by: Patrick Vacek <patrickvacek@gmail.com>
@pattivacek
cert-provider: Allow specifying device ID even without a fleet CA.
d587efa 
This enables the shared credential hack to help test cert replacement.
Note that the relevant parameter is --certificate-cn because that's how
it's used for the proper fleet CA method.

Signed-off-by: Patrick Vacek <patrickvacek@gmail.com>
@pattivacek
Remove redundant common name parsing code.
090677d 
This logic is now only in once place (in the Crypto class) and the
KeyManager function just uses that directly.

Signed-off-by: Patrick Vacek <patrickvacek@gmail.com>
@pattivacek
Move cert generation code to Crypto class.
a20ac4c 
Also refactor to use RSA_generate_key_ex instead of the deprecated
RSA_generate_key.

Signed-off-by: Patrick Vacek <patrickvacek@gmail.com>
@pattivacek
Standardize StorageCommon test names.
9e86af0 
Signed-off-by: Patrick Vacek <patrickvacek@gmail.com>
@pattivacek pattivacek force-pushed the feat/OTA-5178/re-import-client-cert branch from 04edbfb to 8bf559a Compare August 21, 2020 14:04
@pattivacek
Copy link
Collaborator Author

I did a bunch of refactoring in order to be able to generate certificates so I could appropriately test the situation where a new certificate has a different device ID, which we've decided is not allowed.

zabbal
zabbal reviewed Aug 21, 2020
View reviewed changes
Copy link
Contributor

@zabbal zabbal left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks pretty neat overall.

src/libaktualizr/crypto/crypto.cc Outdated Show resolved Hide resolved
src/libaktualizr/crypto/crypto.cc Outdated Show resolved Hide resolved
src/libaktualizr/crypto/crypto.h Show resolved Hide resolved
src/libaktualizr/crypto/keymanager.cc Show resolved Hide resolved
src/libaktualizr/crypto/crypto.cc Show resolved Hide resolved
Raigi
Raigi previously approved these changes Aug 21, 2020
View reviewed changes
Copy link

@Raigi Raigi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OTF tests have passed:
test_06_replace_device_certificate_using_fleet_root_ca
test_07_invalid_certificate_not_accepted_by_backend
test_08_device_certificate_with_new_device_id_not_allowed

@pattivacek
Refactor cert generation, signing, and serialization into a separate …
c43736e 
…functions.

This allows for much easier reuse of the specific parts.

Also switch to exceptions instead of printing and returning false.

Signed-off-by: Patrick Vacek <patrickvacek@gmail.com>
@pattivacek
Add option to self-sign a generated certificate.
a3bcf82 
This should only be used for testing, so it prints a message to tell you
that.

Signed-off-by: Patrick Vacek <patrickvacek@gmail.com>
@pattivacek
Only re-import the client cert if the device ID is the same.
7e71c30 
Expand the test to check the negative case (with a different device ID)
as well.

Signed-off-by: Patrick Vacek <patrickvacek@gmail.com>
@pattivacek
Reuse Crypto::generateRSAKeyPairEVP() in generateCert().
dcad65b 
Signed-off-by: Patrick Vacek <patrickvacek@gmail.com>
@pattivacek pattivacek force-pushed the feat/OTA-5178/re-import-client-cert branch from 8bf559a to dcad65b Compare August 24, 2020 07:48
@zabbal
Copy link
Contributor

zabbal commented Aug 24, 2020

@Raigi is this still good with latest changes?

@pattivacek
Copy link
Collaborator Author

Raigi is this still good with latest changes?

She's away this week, but very little changed from the version she was testing. I think this is safe to merge.

@pattivacek pattivacek merged commit 3d4d39e into master Aug 25, 2020
@pattivacek pattivacek deleted the feat/OTA-5178/re-import-client-cert branch August 25, 2020 15:54
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@zabbal zabbal zabbal approved these changes

@Raigi Raigi Raigi left review comments

@xaviergully xaviergully Awaiting requested review from xaviergully

@kbushgit kbushgit Awaiting requested review from kbushgit

@MatthiasBerchner MatthiasBerchner Awaiting requested review from MatthiasBerchner

@aodukha aodukha Awaiting requested review from aodukha

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@pattivacek @codecov-commenter @zabbal @Raigi