
Add a Root Cert method to the CA interface, and implement it. #287

Merged (1 commit) Dec 21, 2021

Conversation

dlorenc
Member

@dlorenc dlorenc commented Dec 20, 2021

This will make the ephemeral and HSM-based CAs easier to use, in addition
to giving us an API to retrieve the existing root cert. This isn't available
in-band today.

Signed-off-by: Dan Lorenc <lorenc.d@gmail.com>


@dlorenc
Member Author

dlorenc commented Dec 20, 2021

I don't really know if this is the best idea, but right now the ephemeral certs and the HSM stuff can be tricky to use if you don't remember the cert you loaded in. In the case of the GCP pools, the root certs can actually get created dynamically as well, with no way for anyone to know which are used.

This is particularly important when automating setup with the CT log - where you need to configure the CT log with this set of certs.

I'm open to other ideas here, just wanted to try this out as a prototype.

@haydentherapper
Contributor

I like this idea. CA Service implements something similar, FetchCaCerts.

What do you think of changing the method from rootCert to caCertChain or something that returns a list of certificates, so when there's more support for intermediates, it won't require a new API method?

@dlorenc
Member Author

dlorenc commented Dec 20, 2021

What do you think of changing the method from rootCert to caCertChain or something that returns a list of certificates, so when there's more support for intermediates, it won't require a new API method?

I thought about that - but would that work? The chain could vary per each issued leaf, and we have a spot for that in the API already I think.

Would it be something like "return the currently active chain"?

@haydentherapper
Contributor

Yea, the currently active chain. For previously issued certificates, like you said, you'd be able to verify as long as you've persisted the chain used to issue that cert. This would just be for clients that want the latest chain.
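
As an added example (not Fulcio's code; every name in it is assumed), here is the shape of the proposal above in Go: an ephemeral CA whose root exists only in memory, a RootCerts method returning the roots in use as a list, and the verification a client or CT log performs against what it fetched, which fails for a root it never fetched and shows why the roots used at issuance have to be persisted.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// EphemeralCA mints its root at startup and persists nothing: RootCerts is the only in-band way to learn it.
type EphemeralCA struct {
	root *x509.Certificate
	key  ed25519.PrivateKey
}
// sign creates a certificate from tmpl signed by parent (self-signed when parent == tmpl).
func sign(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, priv ed25519.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
// NewEphemeralCA generates a throwaway key and a one-hour self-signed root.
func NewEphemeralCA() (*EphemeralCA, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "ephemeral-root"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour)}
	root, err := sign(tmpl, tmpl, pub, priv)
	return &EphemeralCA{root: root, key: priv}, err
}
// RootCerts is the method under discussion (assumed name): every root currently used for issuance, one here.
func (c *EphemeralCA) RootCerts() []*x509.Certificate { return []*x509.Certificate{c.root} }
// IssueLeaf signs a ten-minute leaf for pub under the current root.
func (c *EphemeralCA) IssueLeaf(cn string, pub ed25519.PublicKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: cn}, KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(10 * time.Minute)}
	return sign(tmpl, c.root, pub, c.key)
}
// VerifyWithRoots is the client or CT-log side: trust only roots fetched from the CA, never the system store.
func VerifyWithRoots(leaf *x509.Certificate, roots []*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}
```

Two CA instances stand in for a root that was rotated or created dynamically: a leaf verifies only when the root that issued it is among the fetched roots.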

@dlorenc dlorenc changed the title from "WIP: Add a Root Cert method to the CA interface, and implement it." to "Add a Root Cert method to the CA interface, and implement it." Dec 21, 2021
@dlorenc
Member Author

dlorenc commented Dec 21, 2021

Renamed so we can return them all!

@vaikas
Contributor

vaikas commented Dec 21, 2021

Fantastic! LGTM

@mattmoor
Member

mattmoor left a comment

We should add this to the client and api_test.go as well.

@dlorenc dlorenc merged commit 18b4650 into sigstore:main Dec 21, 2021
@dlorenc dlorenc deleted the addcert branch December 21, 2021 02:08
@haydentherapper
Contributor

@dlorenc You mentioned you renamed the method, it doesn't look like that change got included?
