Update HTTP-TPC to ignore whether certificates have allowed namespace #68
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Motivation:
Namespace checking rejects certificates if the subject DN is not one of
the allowed values for that certificate's CA. A list of allowed subject
DNs is maintained by IGTF for their trust store.
There are two problems with this approach.
1. it is IGTF specific. There is no equivalent for CA/B, making
interoperability with CA/B-approved CAs non-trivial.
2. for HTTP-TPC, the check is pointless. It protects the
certificate's Subject DN, which plays no role in the identity of
the remote site. Instead, the X.509 v3 Subject Alternative Name is
used, instead.
Modification:
Update the SSLContext (which includes the certificate chain validation)
for the Apache HTTP client. There is (no longer) any namespace checking
for such certificates.
Note that the namespace checking for client X.509 certificates (which is
the intended target of namespace checking) is unaffected by this change.
Result:
HTTP-TPC now works with remote sites that have a CA/B certificate and
using the system standard trust store.
Closes: italiangrid#65
enricovianello
requested review from
giacomini,
expuss2000 and
enricovianello
enricovianello
approved these changes
Dec 10, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Motivation:
Namespace checking rejects certificates if the subject DN is not one of the allowed values for that certificate's CA. A list of allowed subject DNs is maintained by IGTF for their trust store.
There are two problems with this approach.
it is IGTF specific. There is no equivalent for CA/B, making interoperability with CA/B-approved CAs non-trivial.
for HTTP-TPC, the check is pointless. It protects the certificate's Subject DN, which plays no role in the identity of the remote site. Instead, the X.509 v3 Subject Alternative Name is used, instead.
Modification:
Update the SSLContext (which includes the certificate chain validation) for the Apache HTTP client. There is (no longer) any namespace checking for such certificates.
Note that the namespace checking for client X.509 certificates (which is the intended target of namespace checking) is unaffected by this change.
Result:
HTTP-TPC now works with remote sites that have a CA/B certificate and using the system standard trust store.
Closes: #65