tls: add system and combined CA pool modules#7406
tls: add system and combined CA pool modules#7406mohammed90 merged 9 commits intocaddyserver:masterfrom
Conversation
| // LIMITATION: x509.CertPool doesn't expose its certificates, making it impossible | ||
| // to merge multiple pools. Return an error if multiple sources are configured. | ||
| if len(ccp.sources) > 1 { | ||
| return fmt.Errorf("combined CA pool currently supports only a single source due to x509.CertPool API limitations (got %d sources); to use multiple certificate sources, consider using a single 'file' source with multiple pem_file entries, or contribute a fix to expose certificate data from the CA interface", len(ccp.sources)) | ||
| } | ||
|
|
||
| // At this point we have exactly one source | ||
| ccp.pool = ccp.sources[0].CertPool() | ||
|
|
||
| return nil | ||
| } | ||
|
|
||
| // Syntax: | ||
| // | ||
| // trust_pool combined { | ||
| // source <module_name> { | ||
| // <module_config> | ||
| // } | ||
| // } | ||
| // | ||
| // LIMITATION: Currently only a single source is supported due to x509.CertPool | ||
| // API limitations. Specifying multiple sources will result in a provisioning error. | ||
| // To combine multiple certificate files, use a single 'file' source with multiple | ||
| // pem_file entries instead. |
There was a problem hiding this comment.
I have intentionally added limitation comments cause i wasnt aware how to proceed here.
|
"combined merges multiple roots sources" is not satisfied as per issue #7391 and i am erroring out as you see in above comment.
This approach which i think is a breaking change so i wanted to consult with my planned implementation |
|
Happy new year and i reviewed your code and i have two types of solutions type CA interface {
AppendTo(pool *x509.CertPool) error
}This is breaking change because not all CA pools can expose certificates. The second way is creating a secondary interface (non breaking change) type CertificateProvider interface {
Certificates() []*x509.Certificate
}The combined module would then check whether each source implements this interface and merge certificates only from those that do. |
|
Hello @FreyreCorona , thank you for the suggestions! will work on a non-breaking solution. lastly, sorry for the delayed response. forgot about this pr due to work |
|
Nice work on the implementation, let's wait for the review. No worries, we're all busy, and I've been pretty quiet around here these past few days too. |
|
When I first glanced at this, I wondered by I made it return a concrete type instead of an interface, but then remembered that I don't see the point of the Open to discuss this further though |
Thanks for the review! I'm confirming that this PR effectively implements the non-breaking, optional interface approach. To clarify:
|
This comment was marked as spam.
This comment was marked as spam.
This comment was marked as spam.
This comment was marked as spam.
This comment was marked as spam.
This comment was marked as spam.
There was a problem hiding this comment.
On a high level. It looks good. Please add adapt tests like the ones here:
https://github.com/search?q=repo%3Acaddyserver%2Fcaddy+trust_pool+language%3AText&type=code&l=Text
|
Hmm, noted. 🤔 |
* doing it for first time, so not sure if its right.
This comment was marked as spam.
This comment was marked as spam.
This comment was marked as spam.
This comment was marked as spam.
There was a problem hiding this comment.
Life was busy in the past few months, and this area of the code proved itself critical, so I had to ensure I have clear mind to go through it before merging.
Hopefully this is the last round of review. I believe I've caught everything.
Definitely understandable. |
|
done the requested changes fad1950 |
This comment was marked as spam.
This comment was marked as spam.
|
Folks, please refrain from the pinging. It is on our list. We are very busy, especially the volunteers who have taken up this PR/issue. The more pinging that happens the more we dismiss the notification on the issue and it goes back to the end of the queue (that's just how GH notifications work, I dunno what other peoples' flows are, but that's mine). |
mohammed90
left a comment
mohammed90
left a comment
There was a problem hiding this comment.
Thank you for working on this and persevering through the multiple rounds of review! LGTM
mohammed90
changed the title
|
Thank you so much for guiding me along the process! |
4 participants
Summary
I've implemented the
systemtrust pool module which usesx509.SystemCertPool()and works as expected.However, the
combinedmodule has a fundamental limitation: Go'sx509.CertPooldoesn't expose its certificates, making it impossible to merge multiple pools.so should we modify the CA interface to add a method like
Certificates() []*x509.Certificateso sources can expose their certificates for merging? not sure how to proceed here... Would be happy to learn.Assistance Disclosure
I wrote the code, but Claude generated the tests.