Set X509 SAN with local DNSname/IP/IPv6 #744
Conversation
sarroutbi
force-pushed
the
202402151915-set-subject-alternate-name
branch
10 times, most recently
from
8293088 to
6fd08a6
Compare
|
I have verified, by checking on certificates generated, that information is there. In case no additional IP is provided, certificate has next information: ...
X509v3 Subject Alternative Name:
DNS:localhost, DNS:localhost.domain, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1
...Meanwhile, if I provide a pair of IPs, they are included appropriately: ...
X509v3 Subject Alternative Name:
DNS:localhost, DNS:localhost.domain, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1, IP Address:1.2.3.4, IP Address:1.2.3.5
... |
sarroutbi
force-pushed
the
202402151915-set-subject-alternate-name
branch
2 times, most recently
from
6201e99 to
6893f77
Compare
sarroutbi
changed the title
|
/packit retest-failed |
6 similar comments
|
/packit retest-failed |
|
/packit retest-failed |
|
/packit retest-failed |
|
/packit retest-failed |
|
/packit retest-failed |
|
/packit retest-failed |
|
/packit retest-failed |
sarroutbi
force-pushed
the
202402151915-set-subject-alternate-name
branch
from
6893f77 to
7f8238d
Compare
sarroutbi
changed the title
Codecov ReportAttention: Patch coverage is
Additional details and impacted files
Flags with carried forward coverage won't be shown. Click here to find out more.
|
|
@sarroutbi Sorry, I merged the other PR where I moved the |
Hello @ansasaki. No problem at all. This should be easily fixable. Thanks for noticing it |
sarroutbi
force-pushed
the
202402151915-set-subject-alternate-name
branch
4 times, most recently
from
650e1b0 to
34813a8
Compare
| crypto::generate_x509( | ||
| &nk_priv, | ||
| &agent_uuid, | ||
| Some(contact_ips), |
There was a problem hiding this comment.
Now that crypto::generate_x509 is part of the public API, it might make sense to consider switching to the builder pattern so we can maintain compatibility more easily in the future:
crypto::CertBuilder::new(&nk_priv, &agent_uuid)
.san(&config.agent.contact_ip)
.build()?There was a problem hiding this comment.
Hello @ueno . Thanks for suggestion. I'm a little bit lost regarding this ... where is this "CertBuilder" defined? I don't see it anywhere in the code ...
There was a problem hiding this comment.
Hello @ueno, I understand your proposal and I think it is a good idea. I'll create an issue for it and merge this PR as it is, then propose a PR to make the certificate generation to follow the builder pattern (before the next release).
There was a problem hiding this comment.
Created #755 to track this change
Set X509 Subject Alternative Name with local DNS names (localhost, localhost.domain) and local IPs (127.0.0.1, ::1). It will also include the contact IP stored in configuration Resolves: keylime#327 Signed-off-by: Sergio Arroutbi <[email protected]>
sarroutbi
force-pushed
the
202402151915-set-subject-alternate-name
branch
from
34813a8 to
60572f5
Compare
Set X509 Subject Alternative Name with local DNS names (localhost, localhost.domain) and local IPs (127.0.0.1, ::1). It will also include the contact IP stored in configuration
Resolves: #327