certificate-authority: validate identity CSRs against DB #926

Merged
merged 12 commits into from
Jun 14, 2023

@jkralik jkralik commented Apr 21, 2023

A device or user with ill intent is unable to obtain the identity certificate that has already been signed for a different device.

  • identity certificate records are deleted on demand (by device via signoff), or by deleting device from hub via grpc-gw, or via call to certificate-authority (http/grpc)
  • all other certificates are deleted after they are not valid yet automatically or via call to certificate-authority (http/grpc)
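
The check described above, sketched as an added example; it is not code from this pull request or from the project. The names `Store`, `record`, `CheckIdentityCSR` and `NewCSR`, the owner strings, and the matching rule (same owner and same public key per common name) are assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
)

// record is a hypothetical signing record: who owns an identity and which key it was issued to.
type record struct{ Owner, KeyHash string }

// Store maps the CSR common name (the device identity) to its record; it stands in for the DB.
type Store map[string]record

var ErrIdentityTaken = errors.New("identity already signed for a different owner or key")

// CheckIdentityCSR verifies the CSR self-signature, then refuses a common name already recorded for another owner or key.
func CheckIdentityCSR(s Store, owner string, der []byte) error {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return err
	}
	if err := csr.CheckSignature(); err != nil {
		return err
	}
	sum := sha256.Sum256(csr.RawSubjectPublicKeyInfo)
	rec := record{Owner: owner, KeyHash: hex.EncodeToString(sum[:])}
	if old, ok := s[csr.Subject.CommonName]; ok && old != rec {
		return ErrIdentityTaken
	}
	s[csr.Subject.CommonName] = rec // first issuance, or renewal with the same key
	return nil
}

// NewCSR builds a constructed sample CSR for cn with a fresh P-256 key.
func NewCSR(cn string) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	der, _ := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}, key)
	return der
}

func main() {
	s, cn := Store{}, "constructed-device-id"
	fmt.Println(CheckIdentityCSR(s, "alice", NewCSR(cn)), CheckIdentityCSR(s, "mallory", NewCSR(cn)))
}
```

Deleting the entry for a common name models the sign-off and device-removal paths listed above: once the record is gone, the identity can be requested again.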

@jkralik jkralik force-pushed the jkralik/feature/ca-check-device-identity-certificate branch 2 times, most recently from 0031d30 to a031488 Compare April 21, 2023 17:14
@jkralik jkralik force-pushed the jkralik/feature/ca-check-device-identity-certificate branch 3 times, most recently from 4f44f92 to 9c8efa3 Compare May 4, 2023 07:15
@jkralik jkralik marked this pull request as ready for review May 4, 2023 09:43
if latest.GetCredential().GetDate() > toUpdate.GetCredential().GetDate() {
toUpdate.Credential = latest.GetCredential()
}
if latest.GetCreationDate() < toUpdate.GetCreationDate() {
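
Review bot: the first comparison, `latest.GetCredential().GetDate() > toUpdate.GetCredential().GetDate()`, is strict, so two records with the same credential date keep `toUpdate.Credential`. If that tie-break is intended, a short comment saying so would help, and a test with equal, older and newer dates would pin down both this branch and the `GetCreationDate()` branch that follows it.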

lines 115-124 are not used according to Sonar, can't we add a test case that verifies that this works properly?

@jkralik jkralik force-pushed the jkralik/feature/ca-check-device-identity-certificate branch from 69b7fb8 to 46b7996 Compare May 16, 2023 12:33
@Danielius1922 Danielius1922 self-requested a review May 24, 2023 08:58
@ondrejtomcik

A device or user with ill intent is unable to obtain the identity certificate that has already been signed for a different device.

  • identity certificate records are deleted on demand (by device via signoff), or by deleting device from hub via grpc-gw, or via call to certificate-authority (http/grpc)
  • all other certificates are deleted after they are not valid yet automatically or via call to certificate-authority (http/grpc)

Is this part of our documentation? This behaviour should be documented there.

A device or user with ill intent is unable to obtain the identity
certificate that has already been signed for a different device.
@jkralik jkralik force-pushed the jkralik/feature/ca-check-device-identity-certificate branch from 46b7996 to 6cacc76 Compare June 14, 2023 05:59
@jkralik jkralik force-pushed the jkralik/feature/ca-check-device-identity-certificate branch from 6cacc76 to b378631 Compare June 14, 2023 06:02
@jkralik jkralik force-pushed the jkralik/feature/ca-check-device-identity-certificate branch 2 times, most recently from 6039a03 to b370a95 Compare June 14, 2023 07:39
@jkralik jkralik force-pushed the jkralik/feature/ca-check-device-identity-certificate branch from b370a95 to 1d4a97e Compare June 14, 2023 07:39
sonarcloud bot commented Jun 14, 2023

Kudos, SonarCloud Quality Gate passed!

  • 0 Bugs (rating A)
  • 0 Vulnerabilities (rating A)
  • 0 Security Hotspots (rating A)
  • 0 Code Smells (rating A)
  • 81.0% Coverage
  • 1.1% Duplication

@jkralik jkralik merged commit fe61180 into main Jun 14, 2023
@jkralik jkralik deleted the jkralik/feature/ca-check-device-identity-certificate branch June 14, 2023 10:31