WIP: rotate root CA #433

Open
wants to merge 15 commits into
base: main

Commits on Oct 6, 2024

  1. Cleanup: move private functions to the bottom of x509/golang.go

    This is a trivial change which makes the code layout more clear.
    Further commits will make gradual changes to this module.
    Hence, keeping the public interface on the top helps a lot.
    
    Signed-off-by: Volodymyr Khoroz <[email protected]>
    vkhoroz committed Oct 6, 2024
    ac73fed
  2. Cleanup: spin up ca_utils.go and extract parseCerts into it

    This starts making common CA routines more navigable.
    There will be more functions added to it during the course of this PR.
    
    Signed-off-by: Volodymyr Khoroz <[email protected]>
    vkhoroz committed Oct 6, 2024
    3dd38cc
  3. Cleanup: add a function to define standard HSM flags

    In 80% of use cases they are exactly the same for all PKI-related commands.
    
    Signed-off-by: Volodymyr Khoroz <[email protected]>
    vkhoroz committed Oct 6, 2024
    43f1a9d
  4. Cleanup: move HSM args validation into a better place

    The x509 common package should not know anything about the argument parsing or validation.
    That is a sole responsibility of the subcommands.
    
    Signed-off-by: Volodymyr Khoroz <[email protected]>
    vkhoroz committed Oct 6, 2024
    154ffb7
  5. Feature: a facade factory root renewal command

    The command help and examples will be extended as new sub-commands are being added.
    
    Signed-off-by: Volodymyr Khoroz <[email protected]>
    vkhoroz committed Oct 6, 2024
    1356e68
  6. Feature: show currently active factory root CA

    This is the Root CA that is used to sign Device CAs and TLS certificates.
    Several factory root CAs can be valid at the same time, but only one of them can be active.
    
    Signed-off-by: Volodymyr Khoroz <[email protected]>
    vkhoroz committed Oct 6, 2024
    b70fb03
  7. Feature: a command to start root CA renewal process (w/o HSM)

    This adds the first workflow command of the root CA renewal,
    which generates the EST-compliant CA renewal bundle and uploads it to the server.
    
    This is a bare minimum implementation, further extended with auxiliary features in later commits.
    For example, HSM support is added in the next commit.
    That approach allows decreasing the level of complexity while traversing commits.
    
    Signed-off-by: Volodymyr Khoroz <[email protected]>
    vkhoroz committed Oct 6, 2024
    4043eb2
  8. Feature: support HSM for the PKI root CA renewal

    Signed-off-by: Volodymyr Khoroz <[email protected]>
    vkhoroz committed Oct 6, 2024
    ce002f2
  9. Feature: write the root CA renewal bundle to file

    This is useful from 2 perspectives:
    1. A user may want to view the certificates (e.g. using openssl storeutl).
    2. A user may need to (re-)upload this file to the API (e.g. while experimenting or fixing a broken PKI).
    
    Signed-off-by: Volodymyr Khoroz <[email protected]>
    vkhoroz committed Oct 6, 2024
    0100578
  10. Feature: commands to trigger root CA renewal on devices

    This closely resembles the `rotate-cert` commands' layout by adding two new commands:
    - A `devices config renew-root` for device level config.
    - A `config renew-root` for group and factory level configs.
    
    The key difference is the support for factory-wide config change.
    That is needed to facilitate the root CA renewal for group-less devices and devices (auto-)registered in the future.
    
    The created config needs a correlation ID which is fetched from the server.
    The server generates a new correlation ID upon any changes to the root CA bundle; the entire change log is stored for audit.
    This is needed so that config updates triggered for the same root CA renewal (but different devices) are counted as one.
    That allows accurately calculating the number of already updated devices before proceeding to the next root CA renewal step.
    
    I am not sure if the proposed layout is the best one from the user convenience perspective.
    The other option was to add a single command like `keys ca renewal deploy [-g | -d]`.
    That has its pros and cons, so I am open to start a discussion on it.
    
    Signed-off-by: Volodymyr Khoroz <[email protected]>
    vkhoroz committed Oct 6, 2024
    b2ce7fe
  11. Feature: a command to activate a specific root CA

    This command can be used both ways to switch between old and new root CA.
    It is made a standalone command to give the user a better grasp of what is going on.
    
    Signed-off-by: Volodymyr Khoroz <[email protected]>
    vkhoroz committed Oct 6, 2024
    cbd3f21
  12. Feature: a command to re-sign device CAs

    Signed-off-by: Volodymyr Khoroz <[email protected]>
    vkhoroz committed Oct 6, 2024
    8dd4ef8
  13. Feature: copy private key files for Device CAs during Root CA renewal

    There are several sub-use cases here:
    - A user may lose all or a part of Device CA private keys.
    - A user may keep these private key files in different folders.
    - A user may wish to not copy them into a new PKI folder.
    
    All of the above use cases are supported by this extension.
    
    Signed-off-by: Volodymyr Khoroz <[email protected]>
    vkhoroz committed Oct 6, 2024
    e51fd5a
  14. Feature: a command to re-sign TLS certificates

    Signed-off-by: Volodymyr Khoroz <[email protected]>
    vkhoroz committed Oct 6, 2024
    7fec7d2
  15. Feature: an ability to revoke an old Root CA

    Signed-off-by: Volodymyr Khoroz <[email protected]>
    vkhoroz committed Oct 6, 2024
    039da9f
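The renewal that commits 7, 12, 14 and 15 describe (publish a renewal bundle, re-sign the Device CAs and TLS certificates under the new root, then revoke the old root) rests on one PKI mechanism: cross-signing the old and new root keys so that a device trusting either root can validate what the other issues during the transition. The Go program below is an added example written for this page, not code from the PR or the project. It uses the certificate names of RFC 4210 section 4.4 (OldWithOld, OldWithNew, NewWithOld), which is the set RFC 7030 section 4.1.3 describes for an EST CA rollover; the type, function and subject names (`Rollover`, `BuildRollover`, `Chains`, "Factory Root CA (old)", "Device CA") and the in-process serial counter are this example's own assumptions, and Go is used only because the files the commits touch (x509/golang.go, ca_utils.go) are Go.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Rollover is the certificate set of a root CA key rollover, named as in RFC 4210
// section 4.4, the scheme RFC 7030 section 4.1.3 uses for the EST /cacerts bundle.
type Rollover struct {
	OldRoot, NewRoot       *x509.Certificate // self-signed OldWithOld and NewWithNew
	OldWithNew, NewWithOld *x509.Certificate // cross-signed bridge certificates
	DeviceCAOld            *x509.Certificate // existing Device CA, issued by the old root
	DeviceCANew            *x509.Certificate // same Device CA key, re-signed by the new root
}

var nextSerial int64 // constructed process-local serial counter, not a real allocator

// caTemplate returns a minimal CA template with a fresh serial number.
func caTemplate(cn string) *x509.Certificate {
	nextSerial++
	now := time.Now()
	return &x509.Certificate{
		SerialNumber:          big.NewInt(nextSerial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// builder issues certificates and keeps the first error, so a sequence of issue
// calls reads as a straight line. Passing template as issuer self-signs.
type builder struct{ err error }

func (b *builder) issue(template, issuer *x509.Certificate, pub *ecdsa.PublicKey, key *ecdsa.PrivateKey) *x509.Certificate {
	if b.err != nil {
		return nil
	}
	der, err := x509.CreateCertificate(rand.Reader, template, issuer, pub, key)
	if err != nil {
		b.err = err
		return nil
	}
	c, err := x509.ParseCertificate(der)
	b.err = err
	return c
}

// BuildRollover generates old and new factory roots, both bridge certificates,
// and a Device CA as issued before and after re-signing.
func BuildRollover() (*Rollover, error) {
	var keys [3]*ecdsa.PrivateKey // old root, new root, Device CA
	for i := range keys {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, err
		}
		keys[i] = k
	}
	oldKey, newKey, devKey := keys[0], keys[1], keys[2]
	oldTmpl, newTmpl := caTemplate("Factory Root CA (old)"), caTemplate("Factory Root CA (new)")
	b, r := &builder{}, &Rollover{}
	r.OldRoot = b.issue(oldTmpl, oldTmpl, &oldKey.PublicKey, oldKey)
	r.NewRoot = b.issue(newTmpl, newTmpl, &newKey.PublicKey, newKey)
	// OldWithNew: old name and key signed by the new key, so a device trusting only
	// the new root still validates chains that end at the old root's name.
	r.OldWithNew = b.issue(caTemplate("Factory Root CA (old)"), r.NewRoot, &oldKey.PublicKey, newKey)
	// NewWithOld: new name and key signed by the old key, so a device trusting only
	// the old root validates what the new root issues during the transition.
	r.NewWithOld = b.issue(caTemplate("Factory Root CA (new)"), r.OldRoot, &newKey.PublicKey, oldKey)
	r.DeviceCAOld = b.issue(caTemplate("Device CA"), r.OldRoot, &devKey.PublicKey, oldKey)
	if b.err != nil {
		return nil, b.err
	}
	// Re-signing takes the public key from the existing Device CA certificate; the
	// Device CA private key is not needed for this step.
	devPub := r.DeviceCAOld.PublicKey.(*ecdsa.PublicKey)
	r.DeviceCANew = b.issue(caTemplate("Device CA"), r.NewRoot, devPub, newKey)
	return r, b.err
}

// Chains reports whether leaf validates to root, with bridges offered as untrusted
// intermediates, the way a device's TLS stack would see them.
func Chains(leaf, root *x509.Certificate, bridges ...*x509.Certificate) bool {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool(),
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	opts.Roots.AddCert(root)
	for _, c := range bridges {
		opts.Intermediates.AddCert(c)
	}
	_, err := leaf.Verify(opts)
	return err == nil
}

func main() {
	r, err := BuildRollover()
	if err != nil {
		panic(err)
	}
	fmt.Println("old Device CA, trusts new root + OldWithNew:", Chains(r.DeviceCAOld, r.NewRoot, r.OldWithNew))
	fmt.Println("re-signed Device CA, trusts old root + NewWithOld:", Chains(r.DeviceCANew, r.OldRoot, r.NewWithOld))
	fmt.Println("re-signed Device CA, old root revoked:", Chains(r.DeviceCANew, r.NewRoot))
}
```

All three printed checks are true. Without the bridge in the intermediates pool, the first two fail, which is the situation a device is in if it receives a re-signed Device CA before the renewal bundle. The last check is the state commit 15 leaves behind: once the old root is revoked, NewWithOld no longer helps a device that still trusts only the old root, so revocation belongs after the device count that commit 10's correlation ID tracks has reached every device, not before. Re-signing itself needs only the Device CA public key from its existing certificate; the Device CA private key is still required to keep issuing under that CA afterwards.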