Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Client certs: Store pkcs12 in config, password in keychain #7048

Merged
merged 1 commit into from
Mar 14, 2019
Merged

Client certs: Store pkcs12 in config, password in keychain #7048

merged 1 commit into from
Mar 14, 2019

Conversation

ckamm
Copy link
Contributor

@ckamm ckamm commented Feb 19, 2019

It still reads and writes the old format too, but all newly stored
client certs will be in the new form.

For #6776 because Windows limits credential data to 512 bytes in older
versions.

@ckamm ckamm added this to the 2.6.0 milestone Feb 19, 2019
@ckamm ckamm self-assigned this Feb 19, 2019
@ckamm ckamm requested review from ogoffart and guruz February 19, 2019 11:05
@ckamm ckamm mentioned this pull request Feb 19, 2019
Closed
ogoffart
ogoffart approved these changes Feb 28, 2019
View reviewed changes
Copy link
Contributor

@ogoffart ogoffart left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is quite some complicated logic for a seldom used feature. I wonder if we should not migrate the config, so we could simplify in future versions.

src/libsync/creds/httpcredentials.cpp Outdated
return;
}

// Old case: Read client cert and then key from keychain
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe mention the version (< 1.6)

src/libsync/creds/httpcredentials.cpp Outdated
_clientCertPassword.clear();
} else if (_account->credentialSetting(QLatin1String(clientCertBundleC)).isNull() && !_clientSslCertificate.isNull()) {
// Option 2, older configs: We used to store the raw cert/key in the keychain and
// still do so if no bundle is available.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So that means we are not migrating away from that setting?

@ckamm
Copy link
Contributor Author

ckamm commented Feb 28, 2019

I'd also prefer migrating. The issue is that I don't think we currently have functions for creating an encrypted pkcs12 bundle or some other strong symmetric encryption available.

@ckamm
Client certs: Store pkcs12 in config, password in keychain
d320cf9 
It still reads and writes the old format too, but all newly stored
client certs will be in the new form.

For #6776 because Windows limits credential data to 512 bytes in older
versions.
@ckamm ckamm merged commit d46f2fb into master Mar 14, 2019
@delete-merged-branch delete-merged-branch bot deleted the store-long-clientcert branch March 14, 2019 07:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ogoffart ogoffart ogoffart approved these changes

@guruz guruz Awaiting requested review from guruz

Assignees

@ckamm ckamm

Labels
None yet
Projects
None yet
Milestone
2.6.0
Development

Successfully merging this pull request may close these issues.
2 participants
@ckamm @ogoffart