Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

config: Support IPv6 with or without brackets #765

Merged
merged 3 commits into from
Mar 26, 2024
Merged

config: Support IPv6 with or without brackets #765

merged 3 commits into from
Mar 26, 2024
+834 −188

Conversation

ansasaki
Copy link
Contributor

This adds support for IPv6 addresses in the configuration with or without brackets.
The brackets are removed when the addresses are parsed and then added back when necessary.

This fixes the addition of IPv6 addresses in the mTLS certificate.

This also implements the builder pattern for the certificate generation.

Fixes: #583
Fixes: #753
Fixes: #755

@ansasaki ansasaki marked this pull request as draft March 22, 2024 17:09
@ansasaki ansasaki force-pushed the cert_san_fix branch 4 times, most recently from 248305d to 6b4d2ee Compare March 25, 2024 15:07
sarroutbi
sarroutbi reviewed Mar 25, 2024
View reviewed changes
keylime/src/crypto.rs Outdated
let r = CertificateBuilder::new()
.private_key(privkey)
.common_name("uuidB")
.add_ips(vec!["1.2.3.4".to_string()])
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why has 1.2.3.5 address been removed in this call? The idea is to test with more than one IP in the vector. Apart from that, I recommend adding also a test with a list of IPv6 tests, if possible

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the review! I moved the unit tests to keylime/crypto/x509.rs. I also added a test using IPv6 there.

@codecov Codecov
Copy link

codecov bot commented Mar 25, 2024

Codecov Report

Attention: Patch coverage is 53.44262% with 142 lines in your changes are missing coverage. Please review.

Project coverage is 62.02%. Comparing base (2f7b3ad) to head (1b5ded4).
Report is 4 commits behind head on master.

Additional details and impacted files
Flag Coverage Δ
e2e-testsuite 62.02% <53.44%> (+4.43%) ⬆️
upstream-unit-tests 62.02% <53.44%> (+11.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files Coverage Δ
keylime-agent/src/config.rs 87.46% <100.00%> (-0.04%) ⬇️
keylime/src/crypto.rs 66.30% <100.00%> (+1.56%) ⬆️
keylime-agent/src/registrar_agent.rs 97.05% <80.00%> (-1.06%) ⬇️
keylime-agent/src/error.rs 15.23% <50.00%> (-0.02%) ⬇️
keylime/src/ip_parser.rs 79.16% <79.16%> (ø)
keylime-agent/src/main.rs 27.64% <0.00%> (+1.62%) ⬆️
keylime/src/crypto/x509.rs 48.69% <48.69%> (ø)

... and 11 files with indirect coverage changes

@ansasaki ansasaki marked this pull request as ready for review March 25, 2024 17:21
@ansasaki ansasaki requested a review from ueno March 26, 2024 10:32
ueno
ueno approved these changes Mar 26, 2024
View reviewed changes
Copy link
Contributor

@ueno ueno left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me!

keylime/src/crypto/x509.rs Outdated Show resolved Hide resolved
ansasaki added 3 commits March 26, 2024 14:59
@ansasaki
crypto: Implement CertificateBuilder to generate certificates
d0612de 
The CertificateBuilder struct follows the builder pattern to add desired
parameters incrementally before generating the certificate.

Signed-off-by: Anderson Toshiyuki Sasaki <[email protected]>
@ansasaki
keylime: Implement a simple IP parser to remove brackets
2c5eb10 
The goal of the parser is to support IPv6 addresses to be used in the
configuration file with or without brackets.

The provided IP addresses are validated using the standard
implementation of the IP parser.

Signed-off-by: Anderson Toshiyuki Sasaki <[email protected]>
@ansasaki
config: Support IPv6 with or without brackets
65fa56a 
This adds support to use IPv6 in configuraton file with or without
brackets. The brackets are removed when the IP is parsed and added back
when necessary.

This also fix the addition of IPv6 addresses to the mTLS certificate in
Subject Alternative Name extension.

Fixes: keylime#583
Fixes: keylime#753
Fixes: keylime#755

Signed-off-by: Anderson Toshiyuki Sasaki <[email protected]>
@ansasaki ansasaki merged commit 6087147 into keylime:master Mar 26, 2024
8 checks passed
@ansasaki ansasaki deleted the cert_san_fix branch March 26, 2024 15:22
This was referenced May 27, 2024
Closed
Open
@ansasaki ansasaki mentioned this pull request Jul 4, 2024
Closed
@ansasaki ansasaki added the configuration Involves changes to configuration file format label Jan 22, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sarroutbi sarroutbi sarroutbi left review comments

@ueno ueno ueno approved these changes

@THS-on THS-on Awaiting requested review from THS-on

@sergio-correia sergio-correia Awaiting requested review from sergio-correia

@ashcrow ashcrow Awaiting requested review from ashcrow

Assignees

@ashcrow ashcrow

@THS-on THS-on

@sergio-correia sergio-correia

Labels
configuration Involves changes to configuration file format enhancement
Projects
None yet
Milestone
No milestone
7 participants
@ansasaki @ueno @sarroutbi @ashcrow @THS-on @sergio-correia @keylime-bot