feat(core): Add mTLS certificates for each request #5636
Conversation
There also seems to be another create_identity_from_certificate_and_key() defined in the crates/router/src/core/admin.rs file?
crates/router/Cargo.toml
@@ -93,7 +93,7 @@ rand = "0.8.5" | |||
rand_chacha = "0.3.1" | |||
rdkafka = "0.36.2" | |||
regex = "1.10.4" | |||
reqwest = { version = "0.11.27", features = ["json", "native-tls", "__rustls", "gzip", "multipart"] } | |||
reqwest = { version = "0.11.27", features = ["json", "__rustls", "rustls-tls", "gzip", "multipart"] } |
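Review bot: the `__rustls` feature added on the `reqwest = { version = "0.11.27", ... }` line is a double-underscore (internal) reqwest feature that `rustls-tls` already turns on, so listing it directly couples Cargo.toml to reqwest internals; keep only `rustls-tls`. Since the hunk also drops `native-tls`, the TLS backend changes for every outbound request made through this client, not just the Itau flow, which is worth calling out in the PR description and testing notes.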
It should be sufficient to use rustls-tls alone, since that internally enables __rustls.
@@ -105,7 +105,8 @@ pub fn create_identity_from_certificate_and_key( | |||
let certificate_key = String::from_utf8(decoded_certificate_key) | |||
.change_context(errors::ApiClientError::CertificateDecodeFailed)?; | |||
|
|||
reqwest::Identity::from_pkcs8_pem(certificate.as_bytes(), certificate_key.as_bytes()) | |||
let key_chain = format!("{}{}", certificate_key, certificate); |
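Review bot: `format!("{}{}", certificate_key, certificate)` joins the decoded key and certificate text with no separator, so if the key PEM does not end with a trailing newline the `-----END ... KEY-----` line runs straight into `-----BEGIN CERTIFICATE-----` and the combined PEM will fail to parse; use `format!("{}\n{}", certificate_key.trim_end(), certificate)` or equivalent. The removed `reqwest::Identity::from_pkcs8_pem(certificate.as_bytes(), certificate_key.as_bytes())` call made the expected key format explicit; whatever now consumes `key_chain` should be documented on the function (key first, then the chain, both PEM) so callers know what the base64 fields must decode to.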
I think we can move create_identity_from_certificate_and_key() and create_certificate() to the crates/router/src/services/api/client.rs file.
…-key-check
* 'main' of github.com:juspay/hyperswitch:
  feat(core): Add mTLS certificates for each request (#5636)
  refactor(open_banking): Added merchant data update in mca update (#5655)
  feat: add test_mode for quickly testing payout links (#5669)
  refactor: introduce a domain type for profile ID (#5687)
  ci(cypress): update paybox configs (#5664)
  feat(openapi): Add open api routes for routing v2 (#5686)
  feat(connector): [NOVALNET] Add template code (#5670)
  feat(user): business email update (#5674)
  chore(config): add production connector-configs for netcetera external 3ds flow (#5698)
  chore(version): 2024.08.27.0
  refactor(euclid): make the disabled node's relation as negative (#5701)
  feat: populate payment method details in payments response (#5661)
  build(deps): bump `diesel` to `2.2.3` and `sqlx` to `0.8.1` (#5688)
  feat(customer_v2): added list customer v2 end point (#5517)
  feat(business_profile): add tax_connector_id column in business_profile table (#5576)
  chore: create v2 route for organization (#5679)
  refactor(payments_response): remove setter from payments response (#5676)
  feat(payment_methods_v2): Payment methods v2 API models (#5564)
  chore(version): 2024.08.26.0
* 'main' of github.com:juspay/hyperswitch:
  feat(connector): [FISERVEMEA] Integrate cards (#5672)
  ci(cypress): Add routing testcases (#5571)
  fix(router): skip external three_ds flow for recurring payments (#5730)
  refactor(customer_v2): fixed customer_v2 create panic issue (#5699)
  feat(user_roles): support switch for new hierarchy (#5692)
  refactor(router): add domain type for merchant_connector_account id (#5685)
  refactor(cypress_tests): handle api keys check in api key list call (#5719)
  feat(connector): [NEXIXPAY] Add template code (#5684)
  refactor(connector): [itau] refactor error reason and code mapping for itau (#5718)
  fix(core): fix merchant connector account create for v2 (#5716)
  chore(version): 2024.08.28.0
  fix(routing): fix routing routes to deserialise correctly (#5724)
  feat(euclid): add a new variant in payment type i.e ppt_mandate (#5681)
  feat(core): Add mTLS certificates for each request (#5636)
Type of Change
Description
Itau bank needs mTLS in production for verification of the request. Certificates (rootCA and pubkey) need to be passed along with each request for Itau to verify.
Note: To send the certificates, all related certificates need to be concatenated and put into a .pem extension and then base64 encoded.
The private key should also be base64 encoded before being passed into the field.
Additional Changes
Motivation and Context
How did you test it?
This can only be tested in production since sandbox doesn't support mTLS.
Note: Apple Pay (with any enabled connector), Netcetera and normal payment (with any connector) should be tested in sandbox since it affects their flows.
The above flows have been sanity tested on integ environment for this PR
Checklist
cargo +nightly fmt --all
cargo clippy
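The description above says the certificate field must hold the concatenated PEM chain, base64 encoded, and the key field the base64-encoded private key; the second hunk then joins key and chain into one PEM bundle. The following is an added example, not code from this PR or from hyperswitch, that validates a merchant's two fields before they reach the client: it decodes both, checks that each holds the right kind of PEM block, and builds the bundle in the same key-then-chain order. All PEM bodies are constructed placeholders, and the function names are this example's own.

```python
import base64
import binascii
import re

# Constructed sample PEM blocks: the base64 bodies are placeholders, not real key material.
CA_CERT_PEM = "-----BEGIN CERTIFICATE-----\nQ0EtUExBQ0VIT0xERVI=\n-----END CERTIFICATE-----\n"
LEAF_CERT_PEM = "-----BEGIN CERTIFICATE-----\nTEVBRi1QTEFDRUhPTERFUg==\n-----END CERTIFICATE-----\n"
KEY_PEM = "-----BEGIN PRIVATE KEY-----\nS0VZLVBMQUNFSE9MREVS\n-----END PRIVATE KEY-----\n"

# One PEM block; the backreference forces the BEGIN and END labels to match.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n.*?\n-----END \1-----\n?", re.S)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def encode_field(pem: str) -> str:
    """What the merchant does before submitting: base64-encode the PEM text."""
    return base64.b64encode(pem.encode("utf-8")).decode("ascii")


def decode_field(b64_field: str) -> str:
    """Reverse that step; reject fields that are not base64 or do not decode to text."""
    try:
        raw = base64.b64decode(b64_field, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"field is not valid base64: {exc}") from exc
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise ValueError("decoded field is not UTF-8 PEM text") from exc


def pem_block_types(pem: str) -> list[str]:
    """Labels of the PEM blocks in order of appearance."""
    return [m.group(1) for m in PEM_BLOCK.finditer(pem)]


def build_identity_bundle(cert_b64: str, key_b64: str) -> str:
    """Decode both fields and return the key followed by the certificate chain,
    the same concatenation order the PR's diff builds before creating the identity."""
    chain, key = decode_field(cert_b64), decode_field(key_b64)
    chain_types = pem_block_types(chain)
    if not chain_types or set(chain_types) != {"CERTIFICATE"}:
        raise ValueError(f"certificate field must hold only CERTIFICATE blocks, got {chain_types}")
    key_types = pem_block_types(key)
    if len(key_types) != 1 or key_types[0] not in KEY_LABELS:
        raise ValueError(f"key field must hold exactly one private key block, got {key_types}")
    return key + chain


def is_valid_bundle_input(cert_b64: str, key_b64: str) -> bool:
    """Boolean form of the check above, for validating connector config up front."""
    try:
        build_identity_bundle(cert_b64, key_b64)
        return True
    except ValueError:
        return False
```

Raw PEM pasted into the field without the base64 step, or the two fields swapped, are rejected before any TLS identity is built.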