Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

expand client cert search capabilities #380

Merged
merged 3 commits into from
Jan 11, 2024
Merged

expand client cert search capabilities #380

merged 3 commits into from
Jan 11, 2024

Conversation

kenjenkins
Copy link
Contributor

@kenjenkins kenjenkins commented Dec 12, 2023
edited
Loading

Summary

Replace the --client-cert-issuer-cn option with a new set of options:

  • --client-cert-from-store enables searching the OS cert store overall

  • --client-cert-issuer selects between multiple available certificates based on an attribute of the cert's Issuer name (e.g. "CN=Trusted CA Name")

  • --client-cert-subject selects between multiple available certificates based on an attribute of the cert's Subject name (e.g. "OU=Organization Unit Name"

If only the first option is set, the cert store will be searched based on any CA names provided in the TLS Certificate Request message. This will be sufficient for devices with only a single matching certificate. (Note that this does requires Pomerium v0.23 or later, as v0.22 and earlier do not advertise trusted CA names in the TLS handshake.)

Also set a finalizer on the Windows credential type to release OS resources automatically. (The macOS credential type already does this.)

Related issues

Checklist

  • reference any related issues
  • updated docs
  • updated unit tests
  • updated UPGRADING.md
  • add appropriate tag (improvement / bug / etc)
  • ready for review

@kenjenkins
expand client cert search capabilities
810a655 
Replace the --client-cert-issuer-cn option with a new set of options:

  --client-cert-from-store  enables searching the OS cert store

  --client-cert-issuer      selects between multiple available
certificates based on an attribute of the cert's Issuer name

  --client-cert-subject     selects between multiple available
certificates based on an attribute of the cert's Subject name

If only the first option is set, the cert store will be searched based
on any CA names provided in the TLS Certificate Request message.

Set a finalizer on the Windows credential type to release OS resources
automatically. (The macOS credential type already does this.)
@kenjenkins
darwin: search by issuers only if non-empty
01d8de6
@kenjenkins
windows: fix intendedKeyUsage
df9233b
@desimone desimone mentioned this pull request Dec 29, 2023
Closed
@kenjenkins kenjenkins marked this pull request as ready for review January 2, 2024 17:44
@kenjenkins kenjenkins requested a review from a team as a code owner January 2, 2024 17:44
@kenjenkins kenjenkins requested a review from wasaga January 2, 2024 17:44
@kenjenkins kenjenkins merged commit 42aa453 into main Jan 11, 2024
2 checks passed
@kenjenkins kenjenkins deleted the kenjenkins/cert-auto branch January 11, 2024 23:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@calebdoxsey calebdoxsey calebdoxsey approved these changes

@wasaga wasaga Awaiting requested review from wasaga wasaga is a code owner automatically assigned from pomerium/dev-backend

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@kenjenkins @calebdoxsey