Skip to content
This repository has been archived by the owner on May 21, 2024. It is now read-only.

Allow re-importing the client TLS certifcate. #1743

Merged
merged 10 commits into from
Aug 25, 2020
Merged

Allow re-importing the client TLS certifcate. #1743

merged 10 commits into from
Aug 25, 2020

Conversation

pattivacek
Copy link
Collaborator

We already allow it for the root CA.

@codecov-commenter
Copy link

codecov-commenter commented Aug 11, 2020
edited

Codecov Report

Merging #1743 into master will decrease coverage by 3.57%.
The diff coverage is 51.10%.

Impacted file tree graph

@@            Coverage Diff             @@
##           master    #1743      +/-   ##
==========================================
- Coverage   84.98%   81.40%   -3.58%     
==========================================
  Files         178      178              
  Lines       12019    12561     +542     
==========================================
+ Hits        10214    10225      +11     
- Misses       1805     2336     +531
Impacted Files Coverage Δ
src/libaktualizr/crypto/crypto.h 61.11% <ø> (ø)
src/libaktualizr/storage/invstorage.h 100.00% <ø> (ø)
src/libaktualizr/crypto/crypto.cc 53.14% <43.67%> (-30.97%) ⬇️
src/libaktualizr/storage/invstorage.cc 65.25% <61.70%> (-23.34%) ⬇️
src/cert_provider/main.cc 33.87% <65.30%> (-29.85%) ⬇️
src/libaktualizr/crypto/keymanager.cc 70.74% <100.00%> (-18.74%) ⬇️
src/libaktualizr/storage/sqlstorage_base.h 60.00% <0.00%> (-40.00%) ⬇️
... and 4 more

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 6c61fc6...dcad65b. Read the comment docs.

zabbal
zabbal previously approved these changes Aug 13, 2020
View reviewed changes
Copy link
Contributor

@zabbal zabbal left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

@pattivacek
Copy link
Collaborator Author

LGTM.

Thanks. Unfortunately I just tested it in a more realistic use case and it isn't working. Still investigating. For now, we should wait on merging.

@zabbal
Copy link
Contributor

zabbal commented Aug 13, 2020

Is there unit-test for the previous version (root CA re-import)?

@pattivacek
Copy link
Collaborator Author

Unfortunately I just tested it in a more realistic use case and it isn't working. Still investigating. For now, we should wait on merging.

False alarm, it was just because trying to reimport the key, too, which I haven't allowed here. For just the cert, it works fine.

Is there unit-test for the previous version (root CA re-import)?

Yep, the same test that I edited to test the new functionality.

@pattivacek pattivacek force-pushed the feat/OTA-5178/re-import-client-cert branch from 1e4ec83 to 3608f74 Compare August 13, 2020 13:16
@pattivacek pattivacek force-pushed the feat/OTA-5178/re-import-client-cert branch 2 times, most recently from 5097ce1 to ece2479 Compare August 13, 2020 13:50
@pattivacek pattivacek requested a review from Raigi August 13, 2020 14:20
@pattivacek
Copy link
Collaborator Author

I've updated this, tested it more thoroughly, removed the do-not-merge tag, and in the process (automatically) dismissed @zabbal's review. This is now ready for review again.

zabbal
zabbal previously approved these changes Aug 14, 2020
View reviewed changes
Copy link
Contributor

@zabbal zabbal left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good.

A little side note: the importUpdateSimple() is defined and used only in invstorage.cc - do we really need to expose it in public API? Can it be marked static instead?

@pattivacek
Copy link
Collaborator Author

do we really need to expose it in public API?

Doesn't appear to be part of the public API (include/libaktualizr) to me, but maybe you mean something different? The function is private.

Can it be marked static instead?

I tried that recently (unrelated to this) but I wasn't able to make it work.

@zabbal
Copy link
Contributor

zabbal commented Aug 14, 2020

Nevermind then - most likely that's smth "lost in translation" while trying to apply my C experience to C++ world.

@pattivacek
Allow re-importing the client TLS certifcate and key.
b1db345 
We already allow it for the root CA.

Signed-off-by: Patrick Vacek <patrickvacek@gmail.com>
@pattivacek pattivacek force-pushed the feat/OTA-5178/re-import-client-cert branch from ece2479 to 8c144ce Compare August 21, 2020 13:21
@pattivacek pattivacek force-pushed the feat/OTA-5178/re-import-client-cert branch 2 times, most recently from a300a58 to 04edbfb Compare August 21, 2020 13:26
@pattivacek
Print more import details to the log at debug level.
4858c9a 
Signed-off-by: Patrick Vacek <patrickvacek@gmail.com>
@pattivacek
cert-provider: Allow specifying device ID even without a fleet CA.
d587efa 
This enables the shared credential hack to help test cert replacement.
Note that the relevant parameter is --certificate-cn because that's how
it's used for the proper fleet CA method.

Signed-off-by: Patrick Vacek <patrickvacek@gmail.com>
@pattivacek
Remove redundant common name parsing code.
090677d 
This logic is now only in once place (in the Crypto class) and the
KeyManager function just uses that directly.

Signed-off-by: Patrick Vacek <patrickvacek@gmail.com>
@pattivacek
Move cert generation code to Crypto class.
a20ac4c 
Also refactor to use RSA_generate_key_ex instead of the deprecated
RSA_generate_key.

Signed-off-by: Patrick Vacek <patrickvacek@gmail.com>
@pattivacek
Standardize StorageCommon test names.
9e86af0 
Signed-off-by: Patrick Vacek <patrickvacek@gmail.com>
@pattivacek pattivacek force-pushed the feat/OTA-5178/re-import-client-cert branch from 04edbfb to 8bf559a Compare August 21, 2020 14:04
@pattivacek
Copy link
Collaborator Author

I did a bunch of refactoring in order to be able to generate certificates so I could appropriately test the situation where a new certificate has a different device ID, which we've decided is not allowed.

zabbal
zabbal reviewed Aug 21, 2020
View reviewed changes
Copy link
Contributor

@zabbal zabbal left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks pretty neat overall.

src/libaktualizr/crypto/crypto.cc Outdated Show resolved Hide resolved
src/libaktualizr/crypto/crypto.cc Outdated Show resolved Hide resolved
src/libaktualizr/crypto/crypto.h Show resolved Hide resolved
src/libaktualizr/crypto/keymanager.cc Show resolved Hide resolved
src/libaktualizr/crypto/crypto.cc Show resolved Hide resolved
Raigi
Raigi previously approved these changes Aug 21, 2020
View reviewed changes
Copy link

@Raigi Raigi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OTF tests have passed:
test_06_replace_device_certificate_using_fleet_root_ca
test_07_invalid_certificate_not_accepted_by_backend
test_08_device_certificate_with_new_device_id_not_allowed

@pattivacek
Refactor cert generation, signing, and serialization into a separate …
c43736e 
…functions.

This allows for much easier reuse of the specific parts.

Also switch to exceptions instead of printing and returning false.

Signed-off-by: Patrick Vacek <patrickvacek@gmail.com>
@pattivacek
Add option to self-sign a generated certificate.
a3bcf82 
This should only be used for testing, so it prints a message to tell you
that.

Signed-off-by: Patrick Vacek <patrickvacek@gmail.com>
@pattivacek
Only re-import the client cert if the device ID is the same.
7e71c30 
Expand the test to check the negative case (with a different device ID)
as well.

Signed-off-by: Patrick Vacek <patrickvacek@gmail.com>
@pattivacek
Reuse Crypto::generateRSAKeyPairEVP() in generateCert().
dcad65b 
Signed-off-by: Patrick Vacek <patrickvacek@gmail.com>
@pattivacek pattivacek force-pushed the feat/OTA-5178/re-import-client-cert branch from 8bf559a to dcad65b Compare August 24, 2020 07:48
@zabbal
Copy link
Contributor

zabbal commented Aug 24, 2020

@Raigi is this still good with latest changes?

@pattivacek
Copy link
Collaborator Author

Raigi is this still good with latest changes?

She's away this week, but very little changed from the version she was testing. I think this is safe to merge.

@pattivacek pattivacek merged commit 3d4d39e into master Aug 25, 2020
@pattivacek pattivacek deleted the feat/OTA-5178/re-import-client-cert branch August 25, 2020 15:54
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@zabbal zabbal zabbal approved these changes

@Raigi Raigi Raigi left review comments

@xaviergully xaviergully Awaiting requested review from xaviergully

@kbushgit kbushgit Awaiting requested review from kbushgit

@MatthiasBerchner MatthiasBerchner Awaiting requested review from MatthiasBerchner

@aodukha aodukha Awaiting requested review from aodukha

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@pattivacek @codecov-commenter @zabbal @Raigi