Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

Use multiple CAs instead of a single self-signed root CA #327

Open
wants to merge 8 commits into
base: rolling
Choose a base branch
from
Open

Use multiple CAs instead of a single self-signed root CA #327

wants to merge 8 commits into from

Conversation

Santti4go
Copy link

@Santti4go Santti4go commented Dec 18, 2024
edited
Loading

Ticket #328

I added a new (optional) flag for the create_keystore command: --split-CA
This flag changes the Certificate Authorities structure creating two new CAs (Permissions CA and Identity CA) instead of using the same self-signed root CA with symlinks.
This is an optional flag and does not change default behavior.

More details in the ticket #328

@Santti4go Santti4go mentioned this pull request Dec 18, 2024
Open
@Santti4go Santti4go changed the title Use multiple CAs instead of a single self-signed root CA [DRAFT] Use multiple CAs instead of a single self-signed root CA Dec 19, 2024
fujitatomoya
fujitatomoya reviewed Dec 19, 2024
View reviewed changes
Copy link
Contributor

@fujitatomoya fujitatomoya left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i think these kind of new arguments or feature need to be supported in rolling 1st, and then we can consider backport for already released distros including humble.

@Santti4go
Copy link
Author

i think these kind of new arguments or feature need to be supported in rolling 1st, and then we can consider backport for already released distros including humble.

Sure, I targeted Humble because it's the branch I'm working on.
If we agree this is a feature we want to add I'll happily target Rolling instead.
WDYT? Do I have green light?

@fujitatomoya
Copy link
Contributor

to be honest, i am not sure. having this optional mode seems to be okay but i do not really maintain this repository. @mikaelarguedas could you take a look or ping someone else here?

@Santti4go
Copy link
Author

Friendly ping @mikaelarguedas

I've made a few more changes on my end. If we agree this is something we want to support I would happily push them here and target Rolling and then backport it. Let me know what you think.

@Santti4go Santti4go changed the title [DRAFT] Use multiple CAs instead of a single self-signed root CA Use multiple CAs instead of a single self-signed root CA Jan 21, 2025
@Santti4go Santti4go force-pushed the saupi/split-permissions-and-identity-ca branch from da6c16c to 6f8e599 Compare February 4, 2025 03:01
@Santti4go Santti4go changed the base branch from humble to rolling February 5, 2025 01:55
@Santti4go
Split Permissions and Identity CA
7638104 
Signed-off-by: Santti4go <santiaupi@gmail.com>
@Santti4go
Rename flag to --split-CA
b335218 
Signed-off-by: Santti4go <santiaupi@gmail.com>
@Santti4go
Fixes flake8
61d9aee 
Signed-off-by: Santti4go <santiaupi@gmail.com>
@Santti4go
Enhance PKI and add root ca key to the cert as to preserve full chain
e1bfb74 
Signed-off-by: Santti4go <santiaupi@gmail.com>
@Santti4go
Add certificate's duration days and path_length
3b9e16c 
Signed-off-by: Santti4go <santiaupi@gmail.com>
@Santti4go
Keep len(cert.pem extension) to 1
939cc6c 
Signed-off-by: Santti4go <santiaupi@gmail.com>
@Santti4go
Not use full chain for cert.pem until Fast-DDS supports it
a30b16d 
Signed-off-by: Santti4go <santiaupi@gmail.com>
@Santti4go Santti4go force-pushed the saupi/split-permissions-and-identity-ca branch from 5886336 to a30b16d Compare February 5, 2025 02:09
@Santti4go
Copy link
Author

So, I rebased into rolling as you @fujitatomoya asked. Then I would like to backport to Humble as well.
While I was here I also added a path_length attribute for the CA certificates and some other minor changes like adding full chain for Permissions and Identity CAs.

CC @mikaelarguedas

@Santti4go
Use single quotes
5d9f505 
Signed-off-by: Santti4go <santiaupi@gmail.com>
@fujitatomoya
Copy link
Contributor

@Santti4go i guess having the option for this should be okay, but i would like to recommend you to bring this topic to https://discourse.ros.org/t/security-working-group-meeting-february-2025/41957 security working group to discuss.

@audrow
Copy link
Member

audrow commented Feb 20, 2025

What were the outcomes of the security working group?

@Santti4go
Copy link
Author

What were the outcomes of the security working group?

Last week -Feb 11th- I raised the topic with Flor Cabral during the meeting. Since it was just the two of us, we decided to continue any discussion that might come up here.

Do you have any thoughts on the PR content? @audrow

# for free to join this conversation on GitHub. Already have an account? # to comment
Reviewers

@fujitatomoya fujitatomoya Awaiting requested review from fujitatomoya

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@Santti4go @fujitatomoya @audrow