TLS With Certificate Management for PVXS #92
Draft: george-mcintyre wants to merge 192 commits into epics-base:tls from george-mcintyre:tls
rename generated CONFIG_SITE to TOOLCHAIN
Still need to check Auth methods
…ff not organised correctly yet
…ff not organised correctly yet
…ff not organised correctly yet
Add issuer and certid fields to cert responses. If validUntilRevoked change validity end date to 2038.
Add issuer and certid fields to cert responses. If validUntilRevoked change validity end date to 2038.
Add util to call cert create pv
Implement get status completely using wildcards. Reject creation when skid matches or subject matches existing certs. Add cert ID and status and revoke PVs to cert creation responses. Verify that issuer ID matches when returning status. Fix timezone bug for not_before and not_after times in certificates. Change positional parameters to named parameters in SQL queries. Add onFirstWildcardConnect() to SharedPV API to handle wildcard get requests.
Add cert revoke
…when they think the value is already there
- Modify `writeRootPemFile` to handle failure and prevent exit on errors.
- Update constructor and method documentation in `certfactory.h` for clarity.
- Simplify keychain and key handling logic in `configcms.cpp`.
- Implement more robust root certificate extraction and error checks in `p12filefactory.cpp`.
- Provide detailed instructions for trusting root certificates on various OS platforms.

- Introduced `PEMFileFactory` class for handling PEM format certificates.
- Updated `certs/Makefile` to include `pemfilefactory.cpp` and `certfilefactory.cpp`.
- Refactored certificate retrieval and key management logic.
- Enhanced certificate creation functions to handle missing certificates and keys more robustly.
- Integrated `CertFileFactory` as a unified interface for handling both PEM and PKCS#12 (P12) files.
- Updated `createCaCertificate` and `ensureServerCertificateExists` functions to utilize the new factory classes.
- Modified error handling and logging for certificate operations.

…ibility.
- Introduced `CertFileFactory::createReader` to simplify certificate and key file reading.
- Replaced explicit PKCS#12 and PEM file handling functions with a flexible factory-based approach.
- Removed redundant PKCS#12 and PEM certification functions in favor of common interface.
- Migrated cross-cutting concerns such as error checking and private key handling within factory methods.
- Added required inclusions and build configurations for the new modular setup in Makefile and source files.

- Enhanced `PEMFileFactory` and `P12FileFactory` constructors to include optional password and shared `KeyPair`.
- Allowed PEM files to be optionally password-protected.
- Removed redundant RSA seed generation code to streamline key pair creation.
- Improved error reporting and consistency by refining error messages.
- Adjusted internal logic to accommodate the changes in data handling for certificate and key management.

- Changed output file extension from .pem to .crt in pemfilefactory.cpp
- Fixed syntax in documentation by escaping dollar sign for shell script commands in securepva.rst

… and error handling across multiple files.
… with additional safety flag 'false'. Improvements include explicit error messages for private key file access and updating file opening modes to binary where necessary.
error messages
…root certificate handling
- Introduced CLI11 library as a submodule for improved command-line parsing.
- Integrated the CLI11 library into the certificate management utility, replacing the legacy getopt-based approach with a modern API.
- Added functionality to download and install root certificates.
- Removed outdated references to certificate rotation and revocation in the codebase.
- Renamed variables to follow consistent naming conventions (`p12PemString` to `p12_pem_string`).
- Enhanced logging and error handling for better clarity and troubleshooting.
- Adjusted Makefile to include the new CLI11 library's headers.
- Streamlined code to improve readability and maintainability.

… option
- Re-organized header includes for clarity and grouped logically related headers.
- Enhanced the formatting of `actionToString` function using a multi-line ternary operator for readability.
- Added a CLI optional argument `cert_id` for certificate identification.
- Adjusted default value message for the `--limit` option.
- Refined various code formatting and whitespace for consistency.

- Implement new environment variables for TLS keychain and password files.
- Extend the command-line options to manage certificate usage, names, and organization details.
- Update configurations to manage server and client certificates separately.
- Improve help messages and ensure mandatory environment variables are set.
- Revise documentation to reflect these changes.

Revise the `pvxcert` command's usage details to enhance clarity and consistency. Introduce labeled options, update positional arguments, and modify option flags for better usability.
- Replaced `make_unique` function and changed its name to `make_factory_ptr` for improved clarity and specificity.
- Introduced `cert_factory_ptr` typedef to encapsulate `std::unique_ptr<CertFileFactory>`.
- Updated method signatures to utilize `cert_factory_ptr` instead of `std::unique_ptr<CertFileFactory>`.
- Enhanced `getExtension` function to handle filenames without extensions gracefully.

…isplaying "<none>" for empty extensions.
- Adjusted spacing in lambda function definition and key pair creation checks.
- Refined argument alignment in CertFileFactory calls for consistent code style.

Updated method names and comments across multiple files to reflect the new `writeIdentityFile` function, which generalizes writing credentials files for private keys, X.509 certificates, CA chains, or both. Adjusted relevant function implementations to maintain compatibility with this change, ensuring the correct determination of format based on filename extension.
… consistency with identifier convention.
…ncement
- Introduced `ossl::ensureTrusted` function to verify and ensure the trustworthiness of certificates efficiently.
- Removed deprecated self-signed certificate acceptance.
- Cleaned redundant CA certificate loading and adapted certificate existence checks during file operations.
- Modified environment variable parsing logic to handle certificate password files more robustly.
- Enhanced debugging logs and error handling to provide clearer insights during certificate validation processes.

- Updated log levels in pemfilefactory.cpp to differentiate information and warnings more clearly.
- Enhanced console output format in cert.cpp for better readability when installing Root CA certificates.

…r to emphasize best practices for using distinct Key-Pairs.
…ionality
- Remove outdated `backup.rst` documentation file.
- Update comments in `conf.py` to reflect future tasks for SLAC input.
- Refactor `pvacms.cpp` to clean up certificate creation logic, adjusting environment variable references (e.g., `EPICS_CA_DB` to `EPICS_PVACMS_DB`) for consistency.
- Revise environment variable documentation and setup instructions in `securepva.rst`, including updated paths and initialization steps.
- Enhance documentation by reorganizing setup steps for PVXS, introducing examples, and updating format for better readability.

- Add CLI11 include path to compiler flags in Makefile.
- Fix whitespace and formatting issues across multiple files.
- Remove unused constants and refactor conditional logic in `authnstd.cpp`.
- Introduce new functions for default admin certificate creation in `pvacms.h`.
- Enhance error handling and make error messages more informative.
- Remove redundant and simplify conditional checks for certificate creation.
- Update documentation and improve in-code comments for better clarity.

…documentation for improved clarity and option usage.
- Updated logger categories to reflect streamlined paths.
- Added support for new environmental variables (EPICS_PVA_AUTH_STD_NAME, EPICS_PVA_AUTH_STD_ORG, etc.). These allow overriding default certificate fields like CN, O, OU, and C with custom values.
- Consolidated logic for extracting country codes from system locales or environment variables.
- Introduced helper methods for locale parsing and certificate customization.
- Updated documentation with new configuration options and logger pathways.

- Implemented conditional logic to handle empty TLS private key filenames by using certificate filenames instead in `auth.cpp` and `authnstd.cpp`.
- Simplified error messages in `pvacms.cpp` for improved clarity.
- Updated `securepva.rst` documentation to reflect changes in environment variable names, command usage, and added instructions for combining server keys and certificates.

…dditionally, fix missing quotation and indentation issues in the securepva documentation. Comment out unused security client checks.
… `int asl` parameters. Replace in-place string modifications with more secure methods and relocate `PutOperationCache` destructor to header. Include `credentials.cpp` and `securityclient.cpp` in build system. Introduce `ASMember` struct management in `pvacms.cpp` to handle security access settings. Improve error handling and logging related to security configuration.
Cert Management
Stapling
OCSP
Cert Status