TLS With Certificate Management for PVXS #92
Draft: george-mcintyre wants to merge 287 commits into epics-base:tls from george-mcintyre:tls (base: tls)
and use enum. Make sure we have PENDING or EXPIRED when approving certs. Add approve and deny as well as posted revoke
…ntaining multiple certificates
…n status time is used and the status validity period comes from config. Also don't parse the response in order to post the status, as we've just created the response ourselves so we know its ok
Refactor ocsphelper into certstatus (creator and manager). EPICS_PVACMS_CERTS_REQUIRE_SUBSCRIPTION env added to control addition of extension to certificates
Refactor out certstatus to be header only so it can be shared
…nces to use the enum instead of uint32_t. Add in certstatusclient and certstatusfactory
…ow to wire them up
…. Updated SQL logic to verify DB existence before initialization and moved certificate DB creation message.
…certificate management logic for improved error handling and efficiency.
…consistency and potential ownership adjustments.
…clarity and functionality, updated APIs and data structures accordingly. Enhanced input validation and error handling in certificate status logic, and reformatted command-line tool usage documentation for better readability.
- Reorganise peer subscription code to be shared in conn.cpp/h
- Reorganise peer statuses and monitors into a map whose keys are kept in the client and server peer connections that love them
- Use status_pv to update certs, only those with a pv can be updated
- Introduced `serial_number_t` type for certificate serials.
- Refactored certificate status monitoring and subscriptions.
- Added TLS support with `PVXS_ENABLE_OPENSSL` flag.
- Improved logging, error handling, and code consistency.
- Fixed typo: 'Vaidity' -> 'Validity'.
- Introduced OpenSSL-based constants for OCSP stapling result codes (`PVXS_OCSP_STAPLING_OK`, `ERR`, `NAK`).
- Enhanced OCSP response and certificate status parsing with additional overloads handling both shared arrays and byte pointers.
- Updated OCSP stapling callbacks (`clientOCSPCallback`, `serverOCSPCallback`) for streamlined memory usage, error handling, and logging improvements.
- Refactored status management, API methods, and validation logic for better modularity and robustness during certificate verification.
- Enabled proper OCSP response caching for server-side stapling.
…de, and update quickstart guide with environment variable setups.
…us Linux distros, replace hardcoded certificate IDs with placeholders, adjust image styling, and remove obsolete TODO in certs/p12filefactory.cpp.
…setup, certificate management, and error messaging. Ensure directory creation in cert utilities and adjust file handling consistency.
…ize command references. Add PATH export for pvxs binaries in multiple sections. Minor text fixes for clarity.
…flow. Added new CLI options for admin certificate name (--admin-keychain-regen) and centralized parameter handling through `readParameters` function. Updated `createDefaultAdminClientCert` to accept a dynamic admin name.
… adding admin users via CLI
…rd file usage, and refine usage guide.
…d CA initialization handling and error resilience during admin creation.
… including Kerberos integration. Includes user setups, Supervisor configs, and build scripts for Docker images.
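The commit messages above mention that approval must only happen for a certificate that is PENDING or EXPIRED, that deny and revoke are separate operations, and that a `serial_number_t` alias keys the status map. The following is an added illustration of that gating logic written for this page; it is not PVXS or PVACMS code. The `serial_number_t` name is taken from the commit message, while the full status set (VALID, REVOKED, DENIED alongside PENDING and EXPIRED), the class name and the exact set of permitted transitions are assumptions.

```cpp
#include <cstdint>
#include <cstdio>
#include <initializer_list>
#include <map>
#include <stdexcept>

// Added example, not PVXS/PVACMS code. The alias name follows the commit
// message; the status set and transition rules below are assumptions.
using serial_number_t = std::uint64_t;

enum class CertStatus : std::uint32_t { PENDING, VALID, EXPIRED, REVOKED, DENIED };

class CertStatusManager {
public:
    // Register a certificate with its initial status (PENDING for a new request).
    void add(serial_number_t serial, CertStatus initial) { statuses_[serial] = initial; }

    // Current status; throws for a serial that was never registered.
    CertStatus get(serial_number_t serial) const {
        auto it = statuses_.find(serial);
        if (it == statuses_.end()) throw std::out_of_range("unknown certificate serial");
        return it->second;
    }

    // Approval is only meaningful for a cert awaiting a decision (PENDING) or
    // one whose validity lapsed and is being re-approved (EXPIRED). Anything
    // else (already VALID, REVOKED, DENIED) is rejected rather than silently
    // re-validated.
    bool approve(serial_number_t serial) {
        return transition(serial, {CertStatus::PENDING, CertStatus::EXPIRED}, CertStatus::VALID);
    }

    // Denial only applies to a request still awaiting a decision.
    bool deny(serial_number_t serial) {
        return transition(serial, {CertStatus::PENDING}, CertStatus::DENIED);
    }

    // Revocation is terminal: a VALID, PENDING or EXPIRED cert can be revoked,
    // and a revoked cert can never be approved again.
    bool revoke(serial_number_t serial) {
        return transition(serial, {CertStatus::VALID, CertStatus::PENDING, CertStatus::EXPIRED},
                          CertStatus::REVOKED);
    }

private:
    // Apply `target` only if the current status is in `allowed`; returns false
    // (and leaves the status untouched) for unknown serials or disallowed moves.
    bool transition(serial_number_t serial, std::initializer_list<CertStatus> allowed,
                    CertStatus target) {
        auto it = statuses_.find(serial);
        if (it == statuses_.end()) return false;
        for (CertStatus a : allowed) {
            if (it->second == a) {
                it->second = target;
                return true;
            }
        }
        return false;
    }

    std::map<serial_number_t, CertStatus> statuses_;
};

// Constructed sample state: three serials in different starting states.
CertStatusManager demoManager() {
    CertStatusManager m;
    m.add(1, CertStatus::PENDING);
    m.add(2, CertStatus::VALID);
    m.add(3, CertStatus::EXPIRED);
    return m;
}

// Walks the transitions an administrator would issue and returns true only if
// every allowed move succeeds and every disallowed move is refused.
bool exampleScenario() {
    CertStatusManager m = demoManager();
    bool ok = true;
    ok = ok && m.approve(1) && m.get(1) == CertStatus::VALID;   // PENDING -> VALID
    ok = ok && !m.approve(2);                                    // already VALID: refused
    ok = ok && m.approve(3) && m.get(3) == CertStatus::VALID;   // EXPIRED -> VALID (renewal)
    ok = ok && !m.deny(1);                                       // no longer PENDING: refused
    ok = ok && m.revoke(1) && m.get(1) == CertStatus::REVOKED;  // VALID -> REVOKED
    ok = ok && !m.approve(1);                                    // revoked is terminal
    ok = ok && !m.approve(99);                                   // unknown serial
    m.add(4, CertStatus::PENDING);
    ok = ok && m.deny(4) && m.get(4) == CertStatus::DENIED;     // PENDING -> DENIED
    ok = ok && !m.revoke(4);                                     // DENIED cannot be revoked
    return ok;
}

int main() {
    std::printf("scenario %s\n", exampleScenario() ? "ok" : "FAILED");
    return exampleScenario() ? 0 : 1;
}
```

The point of funnelling every change through one `transition` helper is that the allowed source states are written once per operation and checked before any mutation, so a caller cannot resurrect a revoked or denied certificate by calling `approve` on it, and an unknown serial is refused rather than created.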
Labels: Cert Management, Stapling, OCSP, Cert Status