TLS With Certificate Management for PVXS #92

Draft
wants to merge 355 commits into base: tls

george-mcintyre
Contributor

Cert Management
Stapling
OCSP
Cert Status

…ments

- Introduced `clientOCSPCallback` to handle OCSP stapled responses.
- Modified `CertStatusManager::subscribe` to accept a `ossl_ptr<X509> &&ctx_cert` instead of a raw certificate pointer.
- Updated `SecurityClient::canWrite` to check `std::any_of` instead of `std::all_of`.
- Added `lock` to `SSLContext` to ensure thread-safe modifications.
- Overhauled `ContextImpl::enableTls` and `disableTls` to handle certificate state changes more robustly.
- Removed debug output in `pvacms.cpp` related to prior approval status.
- Introduced new delay dispatch method `evbase::_delayedDispatch`.
- Added `is_initialized` flag to `ConfigCommon`.
- Implemented `serverOCSPCallback` in `openssl.cpp` to correctly staple OCSP responses.
- Adjusted `STATUS_WAIT_TIME_SECONDS` definition for clearer configuration.
- Improved various methods to handle cert status changes and improved debuggability.
- Introduced `tls_disable_status_check` option for easier control of TLS status checks.
- Removed redundant serial number extraction functions in `CertStatusManager`.
- Updated OCSP status validity check to 5 seconds; added validation for revoked certificates without revocation time.
- Enhanced logging functions to handle multi-line messages.
- Added comprehensive tests for OCSP status responses and PVACMS status requests.
- Refactored certificate status management, moved ASN1 to uint64 conversion to `CertStatusFactory`.
- Improved error handling and debugging output throughout the TLS and certificate status modules.
- Introduced `CertifiedCertificateStatus` as a lightweight alternative to `CertificateStatus`.
- Simplified test logic by removing unnecessary exception handling.
- Minor improvements for error logging in OpenSSL integration.
- Updated test case initializations and cleanup routines to use heap allocation and deallocation for `Tester` class.
…ks in testtlsstatus.cpp

- Removed unused `monitor_test` variable.
- Introduced `CertifiedCertificateStatus` checks for client, server, and CA status tests.
- Simplified and reorganized PV posting logic to handle open/closed states more effectively.
- Removed redundant code and streamlined `postCertificateStatus` function in pvacms.cpp to use `CertStatus::getStatusPrototype()` directly.
…atus` across the project for improved clarity and consistency in naming conventions.
…Status to UnknownCertificateStatus.

- Updated various certificate status checks to cast PVACertificateStatus and OCSPStatus to CertificateStatus.
- Implemented new boolean attribute 'certified' in the CertificateStatus structure.
- Introduced operator overloading for casting OCSPStatus to CertificateStatus.
- Changed the constructor of CertificateStatus, and now it accounts for the new 'certified' attribute.
- Renamed UncertifiedCertificateStatus to UnknownCertificateStatus for clarity and consistency.
- Implement equality operators for PVACertificateStatus and OCSPStatus structures.
- Rename test methods for clarity: `response` to `makeStatusResponse` and `request` to `makeStatusRequest`.
- Add comprehensive assertion checks in test cases to cover various comparison scenarios.
- Implement `==` and `!=` operators for `ocspcertstatus_t` and `certstatus_t` with `PVACertificateStatus` and `OCSPStatus`.
- Refactor `test/testtlsstatus.cpp` to reduce namespace usage redundancy.
- Add comprehensive tests for status conversions and comparisons.
- Remove redundant constructors in `OCSPStatus` and `PVACertificateStatus`.
- Change `PVACertificateStatus` and `CertifiedCertificateStatus` to use `final`.
- Use shared pointers for managing certificate statuses across the project.
- Separate `getStatus` and `getPVAStatus` methods for obtaining certificate status appropriately.
- Adjust event handler macros and methods to use the proper status retrieval methods.
- Modify `CertStatusManager` to handle certificate status with shared pointers.
…tatus prototype.

- Commented out certificate file writing and trust store addition functions in `gen_test_certs.cpp`.
- Removed unused logger initialization in `certstatusfactory.cpp`.
- Simplified `handle_request` by removing unnecessary assignment in `authnjwt.cpp`.
- Cleaned up redundant status equality checks in `testtlsstatus.cpp`. Updated test plan count.
- Add `testtlswithcms.cpp` to introduce tests for TLS interactions with CMS using mock servers.
- Update `test/Makefile` to include new test and source files.
- Fix typos and adjust function names in existing tests: e.g., `testtlstime.cpp`.
- Improve TLS status and context handling in `src/client.cpp` and `src/openssl.cpp`.
- Update utility makefiles and source files for better TLS cert status management.
- Introduced `tls_disable_stapling` flag in configurations.
- Updated client and server code to respect the new flag.
- Enhanced logging for certificate handling and connection establishment.
- Removed redundant and outdated code sections from test files.
- Ensured existing tests and structures adhere to the new `tls_disable_stapling` behavior.
- Introduced `testtlswithstapling` and `testtlswithcmsandstapling` test files.
- Modified `Makefile` to include new test products and dependencies.
- Deleted test/testtlswithstapling.cpp.
- Updated Makefile to remove entries related to testtlswithstapling.
- Enhanced log messages for OCSP stapling in serverconn.cpp and clientconn.cpp.
- Standardized TLS error logging messages for both client and server.
- Improved memory management in client OCSP validation, added `to_free` parameter.
- Enhanced OCSP response handling to log detailed client-specific messages.
- Adjusted client setup to defer OCSP status callback, enabling dynamic memory allocation for the callback argument.
- Adjust TLS handling with consistent spacing and formatting
- Improve OCSP stapling response management
- Refactor SSLContext constructors for better readability
- Enhance certificate and status monitoring logic
- Miscellaneous code style adjustments based on coding standards
…n and comments

- Updated IOC certificate references from IOC to IOC1 in testtlswithcmsandstapling.cpp.
- Added extensive comments and documentation in testtlswithcms.cpp for clarity.
- Introduced new macros and refactored certain parts of the code to improve readability.
- Enhanced logging and added success messages in testcerts.h for better debugging and tracing.
Enhanced the `testtlswithcmsandstapling.cpp` tester with comprehensive documentation for the `Tester` class and its methods, detailing their purpose and parameters. Added new tests:

- `testCMSUnavailable`: Validates behavior when CMS is unavailable.
- `testClientStaplingNoServerStapling`: Verifies behavior when client requests stapling but server does not send it.
- `testServerStaplingNoClientStapling`: Checks communication when the server sends stapling but the client is not expecting it.

Updated `MAIN` function to include the new tests and ensured necessary definitions are moved to `testcerts.h`. Corrected minor issues in `certstatusmanager.h`.
- Remove TEST_STATUS_REQUEST macros from test files to simplify setup.
- Adjust test plans to reflect changes in status requests.
- Introduce a `current_peer_status` field in SSL context for tracking peer certificate status.
- Refine certificate status handling in client and server contexts, including peer certificate monitoring.
- Add missing log statements for peer status in various client operations.
- Split CertStatusManager::getStatusPvFromCert into two overloads.
- Improve OCSP response handling in SSL context.
- Added `getExtension` method to extract custom status extension from certificates.
- Added `statusMonitoringRequired` method to determine if status monitoring is needed for a certificate.
- Refactored `getStatusPvFromCert` to use the new `getExtension` method.
- Simplified client OCSP stapling setup by checking status monitoring requirement.
…ient only)

- Introduced certVerifyCallback in openssl.cpp to verify peer certificate's revocation status.
- Updated SSL context setup to use the new verification callback.
- Removed redundant status monitoring check from clientconn.cpp.
- Introduced platform-specific socket includes and typedefs for cross-platform compatibility.
- Enhanced `SSLContext` and `SSLPeerStatus` structs for better SSL/TLS peer management.
- Added detailed Doxygen comments for better code documentation and maintainability.
- Introduced functions to manage and cache peer statuses based on file descriptors.
- Extended `CertStatusManager` with additional helper functions for obtaining certificate statuses from URIs.
- Cleaned up code and improved encapsulation and type safety in certificate status structures.
…code utility. Replace SASL bind with simple bind. Improve memory management and string handling in encoding/decoding functions."
- Added expiration time for LDAP credentials (not_before and not_after fields).
- Fixed incorrect parameter order in CertFactory::verifySignature.
- Ensured consistent base64 decoding for signature and public keys.
- Improved error messages for key-related exceptions.
- Refactored `getPublicKey` to use `const` correctness and nullptr.
- Renamed `publicKeyString` to `public_key_string` for consistency.

These changes improve correctness, readability, and robustness."
…variables for improved readability and reusability across authentication modules."
…efactor variable initialization and improve GSSAPI error reporting"
…eros authentication.

- Refactored `fromAuthNEnv` to `fromAuthEnv` for standardization across LDAP, JWT, and Kerberos configurations.
- Introduced detailed documentation and comments for clarity in Kerberos authentication processes, including MIC verification, credential handling, and CCR validation.
- Simplified formatting, enhanced error reporting, and ensured memory cleanup in Kerberos-related functions.
- Added constants for Kerberos default configuration and improved logging for debugging.

Ensures cleaner and more maintainable code with enhanced inline documentation.
…ticator' to 'Standard Authenticator', enhance documentation, refactor configuration handling, and add detailed Kerberos-specific options and logic."
…ation modules for improved client/server credential handling. Updates include documentation adjustments, method implementations, and corresponding usage in authentication workflows."
…tCredentials` for better client/server distinction. Introduced standardized naming for option-related methods and improved documentation for modularity and clarity. Removed unused files and redundant methods for cleaner structure."
…S connections across all tools when OpenSSL is enabled."
…ness in certificate handling code

- Refactored functions to remove `inline` specifier for clearer implementation and maintainability.
- Enhanced const correctness across various methods and parameters.
- Introduced a `cert_config_uri_base` member to support extended certificate configuration URIs.
- Updated certificate and OCSP status handling to include better type safety and initialization improvements.
- Refined static utility functions for certificate handling and time conversion."
…ertificate retrieval logic"

This commit introduces a new method `getNotAfterTimeFromCert` in `CertFactory` to extract the certificate expiration time. It updates key authentication flows (Standard, LDAP, and Kerberos) to validate certificate expiration in daemon mode before falling back to the existing certificate retrieval logic. Includes minor header adjustments for dependencies.
…unction definitions from headers to source files, ensuring cleaner and more maintainable code structure."
… simplify its initialization logic across authentication modules."
- Transitioned all references from `getIssuerId` to `getSkId` for consistency with the SKID terminology.
- Modified related method signatures and implementations to align with the updated function name and logic.
- Updated `getCertificate` methods to return a unified `CertData` structure instead of `X509` for improved clarity and modularity.
- Adjusted function calls and logic in certificate handling, including in daemons, status updates, and configuration management.
- Ensured `makeConfigURI` now uses `skid` instead of `serial` for better identifier integrity.

Resolves inconsistent naming and improves maintainability for certificate-handling workflows.
…tegration:

- Updated certificate handling logic to address expiration, validation, and configuration.
- Introduced new helper methods for SKID generation and certificate status URI construction.
- Added `sslInit` for custom OIDs and centralized SSL initialization.
- Improved code consistency through const correctness and formatting fixes.
- Extracted `sslinit.cpp` for better modularity."
… better clarity, safety, and maintainability. Includes consistent `const` usage, `nullptr` over `NULL`, explicit type casting, and improved initializer syntax."
Labels
enhancement New feature or request