Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[ca] Include a signing profile for cross-signing CA certs externally #2212

Merged
merged 1 commit into from
Jun 2, 2017
Merged

[ca] Include a signing profile for cross-signing CA certs externally #2212

merged 1 commit into from
Jun 2, 2017

Conversation

cyli
Copy link
Contributor

@cyli cyli commented Jun 1, 2017
edited
Loading

When we make an external CA request to cross-sign a certificate, include a particular signing profile that can be implemented by the external CA.

This way it will be easier for them to implement extra policies.

This is not urgent, but would be good to make this part of the input external CAs that interact with swarm should expect.

cc @diogomonica @aaronlehmann @jlhawn

@cyli cyli force-pushed the simplify-external-ca-cross-signing branch from 57f5a4b to ca6214e Compare June 1, 2017 22:35
@cyli cyli changed the title [ca] Include a signing profile for cross-signing CA certs exernally [ca] Include a signing profile for cross-signing CA certs externally Jun 1, 2017
@cyli cyli mentioned this pull request Jun 1, 2017
Closed
@codecov
Copy link

codecov bot commented Jun 1, 2017
edited
Loading

Codecov Report

Merging #2212 into master will decrease coverage by 0.01%.
The diff coverage is 100%.

@@            Coverage Diff             @@
##           master    #2212      +/-   ##
==========================================
- Coverage   60.24%   60.22%   -0.02%     
==========================================
  Files         124      124              
  Lines       20114    20115       +1     
==========================================
- Hits        12117    12114       -3     
- Misses       6639     6643       +4     
  Partials     1358     1358

@cyli
Copy link
Contributor Author

cyli commented Jun 2, 2017
edited
Loading

Actually, this would be useful for folks running the default CFSSL server (such as me when I'm testing) and so would probably be good to include in 17.06.

In our sample external signing server, we run our own TLS server and write our own HTTP handler, which unmarshalls the signing request directly from JSON: https://github.com/docker/swarmkit/blob/master/ca/testutils/externalutils.go#L200

In the CFSSL server, the request is first unmarshalled to an intermediary object, which does not support the SignRequest.Extensions field. Without the extensions field, we cannot tell the server that we want this to be a CA other than by using the signing profile (and we may want to use the CA profile name instead, since a lot of folks may have that, as it's documented in https://github.com/cloudflare/cfssl/blob/master/doc/cmd/cfssl.txt#L184).

I'll submit a PR upstream to CFSSL to support the SignRequests.Extensions field in the intermediary object, but it may be useful to include the profile name in the sign request as well in case people are using a pinned version that wouldn't have that change (if it gets accepted), since the intermediary object does support the profile name.

@cyli
Include a signing profile for cross-signing CA certs when making a re…
8d11a94 
…quest to external CAs.

This way it will be easier for them to implement extra policies.

Signed-off-by: Ying Li <ying.li@docker.com>
@cyli cyli force-pushed the simplify-external-ca-cross-signing branch from ca6214e to 8d11a94 Compare June 2, 2017 03:05
diogomonica
diogomonica approved these changes Jun 2, 2017
View reviewed changes
ca/testutils/externalutils.go
"github.com/docker/swarmkit/ca"
"github.com/pkg/errors"
)

var crossSignPolicy = config.SigningProfile{
Usage: []string{"cert sign", "crl sign"},
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we don't need crl sign, but there is nothing wrong with including it.

@aaronlehmann aaronlehmann merged commit 54d696b into moby:master Jun 2, 2017
@cyli cyli deleted the simplify-external-ca-cross-signing branch June 2, 2017 16:47
@cyli cyli added this to the 17.06 milestone Jun 2, 2017
tiborvass pushed a commit to aluzzardi/docker-ce that referenced this pull request Jun 6, 2017
@aluzzardi
Re-vendor SwarmKit to 4b872cfac8ffc0cc7fff434902cc05dbc7612da5
0efdcc4 
Includes:
- moby/swarmkit#2203
- moby/swarmkit#2210
- moby/swarmkit#2212

Signed-off-by: Andrea Luzzardi <aluzzardi@gmail.com>
Signed-off-by: Tibor Vass <tibor@docker.com>
@aluzzardi aluzzardi mentioned this pull request Jun 6, 2017
Merged
This was referenced Jun 6, 2017
Closed
Closed
silvin-lubecki pushed a commit to silvin-lubecki/docker-ce that referenced this pull request Feb 3, 2020
@aluzzardi
Re-vendor SwarmKit to 4b872cfac8ffc0cc7fff434902cc05dbc7612da5
31c0839 
Includes:
- moby/swarmkit#2203
- moby/swarmkit#2210
- moby/swarmkit#2212

Signed-off-by: Andrea Luzzardi <aluzzardi@gmail.com>
Signed-off-by: Tibor Vass <tibor@docker.com>
silvin-lubecki pushed a commit to silvin-lubecki/engine-extract that referenced this pull request Feb 3, 2020
@aluzzardi @silvin-lubecki
Re-vendor SwarmKit to 4b872cfac8ffc0cc7fff434902cc05dbc7612da5
bef9917 
Includes:
- moby/swarmkit#2203
- moby/swarmkit#2210
- moby/swarmkit#2212

Signed-off-by: Andrea Luzzardi <aluzzardi@gmail.com>
Signed-off-by: Tibor Vass <tibor@docker.com>
silvin-lubecki pushed a commit to silvin-lubecki/engine-extract that referenced this pull request Mar 10, 2020
@aluzzardi @silvin-lubecki
Re-vendor SwarmKit to 4b872cfac8ffc0cc7fff434902cc05dbc7612da5
baf11a1 
Includes:
- moby/swarmkit#2203
- moby/swarmkit#2210
- moby/swarmkit#2212

Signed-off-by: Andrea Luzzardi <aluzzardi@gmail.com>
Signed-off-by: Tibor Vass <tibor@docker.com>
silvin-lubecki pushed a commit to silvin-lubecki/engine-extract that referenced this pull request Mar 23, 2020
@aluzzardi @silvin-lubecki
Re-vendor SwarmKit to 4b872cfac8ffc0cc7fff434902cc05dbc7612da5
bd04a75 
Includes:
- moby/swarmkit#2203
- moby/swarmkit#2210
- moby/swarmkit#2212

Signed-off-by: Andrea Luzzardi <aluzzardi@gmail.com>
Signed-off-by: Tibor Vass <tibor@docker.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@diogomonica diogomonica diogomonica approved these changes

Assignees
No one assigned
Labels
process/cherry-picked
Projects
None yet
Milestone
17.06
Development

Successfully merging this pull request may close these issues.
3 participants
@cyli @diogomonica @aaronlehmann