refactor: add cert validation to the acquisition, remove old enrollment#2012
Draft
istankovic wants to merge 28 commits intomainfrom
Draft
refactor: add cert validation to the acquisition, remove old enrollment#2012istankovic wants to merge 28 commits intomainfrom
istankovic wants to merge 28 commits intomainfrom
Conversation
It's time. With CC 10, credentials are handled in an entirely different way.
The code there does not really have to do with acme at all. It contains functionality required by leaf certificate verification, and keeping it there would make error handling more complex. So just move it to the acquisition module, where it belongs.
This is where those errors belong and where they will be returned from.
This is for errors coming from x509_check.
It is not ideal that we're still depending on AcmeError, but the identity module needs it and while the error handling is a mess, we don't really want to rework it right now.
… field This is going to be used in certificate checks.
They really belong in the acquisition and we want to make it obvious that they're being performed as part of the acquisition process, rather than them being implied.
And a bunch of other legacy code.
It is now unused.
It is used in crypto. Ideally it would be only used internally in e2e-identity, but we're not at that point yet.
And add it to the credential configuration.
It is no longer optional.
… a trust anchor In this case, the status is going to be revoked, which is wrong. So just test for expiration of the second certificate.
…ror type This is going to be used in cases where an operation that requires a PKI environment is attempted, but no PKI environment is set.
If we're dealing with x509 credentials, the PKI must be provided, otherwise extract_identity will return an error. Previously this was not the case. It is unclear whether we even need WireIdentity in its current form, and, ideally, we should consider reworking it, but for now this should suffice. The whole thing around accessing the "inner" PKI environment is quite inelegant, due to a bunch of async locks.
istankovic
changed the title
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This does a couple of things:
wire_e2e_identity::acmeoutside theacmemodule, because that module should deal only with general acme thingslegacyare mostly types that are still being used and are going to be reworked later