Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add client certificate, require client certificate verification #1924

Merged
merged 11 commits into from
Oct 24, 2023

Conversation

anodar
Copy link
Contributor

@anodar anodar commented Oct 16, 2023

No description provided.

@cla-bot cla-bot bot added the s Automatically added by the CLA bot if the creator of a PR is registered as having signed the CLA. label Oct 16, 2023
@anodar anodar changed the title Add client certificate, require to verify client cert Add client certificate, require client certificate verification Oct 16, 2023
@anodar anodar marked this pull request as ready for review October 16, 2023 15:36
@anodar anodar requested a review from PlasmaPower October 16, 2023 15:37
Base automatically changed from external-signer-mtls to master October 17, 2023 18:52
@@ -175,22 +175,32 @@ func NewDataPoster(ctx context.Context, opts *DataPosterOpts) (*DataPoster, erro
}

func rpcClient(ctx context.Context, opts *ExternalSignerCfg) (*rpc.Client, error) {
rootCrt, err := os.ReadFile(opts.RootCA)
clientCert, err := tls.LoadX509KeyPair(opts.ClientCert, opts.ClientPrivateKey)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think running in such a configuration would be generally advisable, but could we make the client certificate optional just in case?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also, can we default to reading the private key from the cert file if the private key option isn't separately specified? It's just a slight quality of life improvement, as often times the cert and key are in the same file.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changed client certificate to be optional.

As for private key being in the same file as cert file, I think this is generally discouraged since private key and certificate files should generally have different access controls. Although if we have justification why we need it anyway, I'll add it.

@PlasmaPower
Copy link
Collaborator

I think this PR might have accidentally updated the nitro-testnode submodule

@anodar anodar requested a review from PlasmaPower October 19, 2023 13:31
PlasmaPower
PlasmaPower previously approved these changes Oct 21, 2023
Copy link
Collaborator

@PlasmaPower PlasmaPower left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@PlasmaPower PlasmaPower enabled auto-merge October 21, 2023 17:18
Copy link
Collaborator

@PlasmaPower PlasmaPower left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@anodar anodar merged commit 923a852 into master Oct 24, 2023
7 checks passed
@anodar anodar deleted the external-signer-mtls-client branch October 24, 2023 04:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
s Automatically added by the CLA bot if the creator of a PR is registered as having signed the CLA.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants