CORE-4182: dt/tls: Create chain of CRLs #19865
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The TLSChainCACertManager class in ducktape is updated to chain CRLs for each individual CA. Signed-off-by: Michael Boquard <michael@redpanda.com>
michael-redpanda
requested review from
pgellert and
oleiman
and removed request for
a team
oleiman
reviewed
Jun 18, 2024
| # Now do the same for the CRLs | ||
| crl_files = [ca.crl for ca in self._cas] | ||
| crl_out = self._with_dir('ca', 'signing-crl-chain.crl') | ||
| pathlib.Path(out).touch() |
There was a problem hiding this comment.
actually, did you mean
Suggested change
| pathlib.Path(out).touch() | |
| pathlib.Path(crl_out).touch() |
There was a problem hiding this comment.
doesn't look like it matters, so I'm not sure what it was doing there previously 🤷
pgellert
approved these changes
Jun 18, 2024
| out = self._with_dir('ca', 'signing-ca-chain.pem') | ||
| pathlib.Path(out).touch() | ||
| with open(out, 'w') as outfile: | ||
| for fname in reversed(files): | ||
| for fname in reversed(ca_files): |
There was a problem hiding this comment.
question: I'm curious why reversed is needed here
There was a problem hiding this comment.
good question! The ordering does matter, we effectively want a chain of certs that ends with the root cert:
Issuer CA 1 --- signed by ---> Issuer CA 2 --- signed by ---> Root CA
I think RFC5280 deals with this but I can't find the right section to reference
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The TLSChainCACertManager class in ducktape is updated to chain CRLs for each individual CA.
This PR is required to fix DT tests before enabling OpenSSL in Seastar which will be done in a subsequent vtools PR
Backports Required
Release Notes