This is needed to support the root CA renewal feature.
During the initial phase of that renewal, a server needs to send clients:
- A new root CA,
- A cross-signed copy of that new CA, so that clients can validate the chain of trust using a previous root CA,
- And a previous root CA, so that clients can still trust the existing server TLS certificates during interregnum.
Signed-off-by: Volodymyr Khoroz <volodymyr.khoroz@foundries.io>
The linter local variable was not initialized.
Also, put the linter version into sync with what the GitHub action uses.
Signed-off-by: Volodymyr Khoroz <volodymyr.khoroz@foundries.io>
We have users that go to production before they've taken ownership of
their PKI. This means the "issuer" of their devices is the Foundries
default online CA. We've added a new API to retrieve this so that users
can add this value to their allowed CAs list for their EST server.
Signed-off-by: Andy Doan <andy@foundries.io>
This happened to work because I usually test it with the "local-ca"
used by the est server *and* my factory registration reference server.
However, when you need to trust many client ca's, this was totally
broken.
Signed-off-by: Andy Doan <andy@foundries.io>
We had the right intentions with `validateRequest`. However, we weren't
handling its return value correctly when it actually failed.
Signed-off-by: Andy Doan <andy@foundries.io>
Before this change you could only rotate certs for devices that were
signed by the local-ca configured for this server. This allows you to
use a list of CAs (like we do for our managed instance)
Signed-off-by: Andy Doan <andy@foundries.io>
When we run in a multi-tenant mode, the http handlers must be able to
dynamically look up which est service instance to use based on the
server name.
Signed-off-by: Andy Doan <andy@foundries.io>
This project needs to be run in 2 different ways:
* Directly in a customer environment (typical TLS requirements)
* multi-tenant K8s in foundries backend (like our device-gateway and
ostree-hub).
In the multi-tenant case, we have special logic to look at the incoming
SNI information in the request and use the correct certs for a factory.
This commit introduces the abstraction and simple single-tenant
implementation. Foundries can then extend this project with their own
handler to satisfy their requirements.
Signed-off-by: Andy Doan <andy@foundries.io>
