Include challenge password attribute if required by EST server #38
Conversation
Code refactoring : change Enroll(), Reenroll() and ServerKeyGen() csr argument type so that we don't depend on x509 package anymore, which today still ignores the challenge password attribute Inlcude tls unique if required by CA Add test cases Add sample Update readme and documentation
|
Thanks for opening this PR, I'll forward this to my team for review. |
|
[ ] Need to resolve conflicts after upgrading to Go 1.22.1... |
|
Thought the comment wasn't for me until I noticed the repo did get upgraded with a different version of go... |
|
Ah it wasn't actually! Just a reminder for when I had time to get around to this again, but thank you for addressing the changes needed! |
|
Looks like work on this PR has stalled - I wonder when is it going to be resumed? |
|
BTW, copying to |
|
Hi DDvO, unfortunately my team hasn't been able to spare the cycles to work on this repository for a while, so while I hesitate to recommend it you may want to fork and patch a clone of this repository if you need this functionality right away. Edit: I'll try to review this PR as soon as possible to avoid such scenario |
I agree with this, I'd prefer to see this functionality without including this dependency if possible. |
|
Sorry for such a long delay for reviewing this PR, I didn't prioritize it and it has been far to long so I apologize for that. Thank you for your contribution, but I don't think I can hit the merge button on this PR as it is now into the master, but I am happy to support it as a separate branch to support this use-case for now. Some critiques that are blocking this:
|
|
Hi guys, Thank you @DDvO for closing the previous PR, that's on me.
I too agree, I actually borrowed that code snippet from another repository, credit goes to micromdm. Meanwhile, unfortunately Go has still not taken action to address it, there is an open issue for it already. |
|
@toddgaunt-gs On a personal note: I thought I had to change the method signature but after a quick review, I start to think it can be done while keeping your methods signatures intact. That being said,
|
|
Hi guys, thank you for swiftly responding on this.
Looks like there is a glitch in the link you included and instead you meant
I've meanwhile had a closer look. |
* add challenge password to CSR as described in rfc 7030 section 3.5 * update cmd client test : if challenge password is to be included, CSR must be re-created. --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Rob Casey <rcasey@gmail.com> Co-authored-by: Todd Gaunt <todd.gaunt@globalsign.com> Co-authored-by: Rob Casey <61131@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…sunique' into features/include_tlsunique
|
Hey guys, It appears Go hasn't moved much since, aside from labeling it
Also noticed the project hasn't moved since its creation date and the fact he did not respond to your remark aren't very good signs. At this point, I don't know if there are better alternatives
|
|
As for the current PR, i don't know how ok you'd be with code duplication related to adding the challenge password in the CSR (i understand). Of course, it's better for us if it gets merged as we would just use the package as is and wouldn't have to maintain a fork or anything. No rush - let me know when you can. |
|
Hey @mobe1, I think given the current situation with the upstream investigation not making much progress, some code duplication would be fine. I'll try to review this again sometime this week, if not today. |
There was a problem hiding this comment.
Unfortunately after further review I still don't think I'd like to merge this PR as is. Thank you for addressing prior feedback, but the following changes would need to be made before I merge this PR into the master branch.:
- Review comments addressed
- The
sampleprogram removed or rewritten into a directory containing a config file for the EST client and either a shell script or instructions for how to operate it for the use case it is demonstrating - The copied challenge password code found in parts of csr.go isolated into its own package with a clear README file indicating the source without any new or custom code included alongside it.
I understand that these changes I'm asking for may not be a priority for you as you have a functional fork of this repository working for you, and updates to this one are few and far between. Hopefully this review can at least benefit your own fork if you do decide you want to pursue these changes. Let me know if so and we can discuss in more detail each point to avoid misunderstanding any of the requested changes.
mobe1
left a comment
mobe1
left a comment
There was a problem hiding this comment.
Yes, i did miss a critical detail on PoP in the context of mTLS. I'll get back to it as soon as i can.
More details on the corresponding comment.
As for the /sample directory, I'll just drop it cause there is no straightforward way to show it added the challengePassword.
I used to verify it via the EST server. It was easy and quick for me to just go run it.
|
Hi @toddgaunt-gs, how you doing :) Sorry for the delay, I had some time off and realized I haven't updated my PR since. I closed the obvious comments :
Finally, I fixed the defect I was about to introduce, I left the comment open for reminding the context and the agreed solution. Let me know if something else needs to be done. |
mobe1
left a comment
mobe1
left a comment
There was a problem hiding this comment.
Noticed a few changes that are not longer required considering the latest solution that has been suggested/accepted.
I'll deal with them right away.
|
@toddgaunt-gs hi, I saw there hasn't been a tag yet in one of your packages. And, i'm not sure if it's relevant, but just in case, I made sure I didn't break anything in the CLI. 
I tested with a different CA to verify the final CSR the 
Tried with your testing server .exe as well, and it works just fine. |
|
Thanks for pinging me, sorry I'd been busy and haven't gotten back around to this. I'll take a look today. |
|
LGTM outside of a few small things. Feel free to address them if you have the time, though they aren't critical. I'll request another coworker to review in the meanwhile. |
toddgaunt-gs
requested review from
mara-soldan
and removed request for
tembio
|
Hi @mara-soldan welcome :) I don't know when you'll get the time to review the PR.
And of course, if you see something else, let me know and I'll address it as soon as I can. |
|
@mobe1 merged since I didn't want to hold this up needlessly. Thanks for the contribution, and for being patient and pleasant to work with during the review/feedback cycle! |
|
@toddgaunt-gs I can say the same. |
3 participants
The changes introduced come after the issue/feature requrest #30 has been opened.
They allow us to enroll a CSR that includes the TLS-unique value as recommended by the RFC 7030