[wicket] Add hostname and purpose checks to uploaded SSL certs (#4086)

This is a rework of #3436; I think it's enough different that it warrants a separate review. Many of the comments on the previous PR were on the bits where I was implementing the checks; this version leans much more heavily on OpenSSL to do those checks. This addresses the initial bit of #4045 (validating names on certs prior to RSS), but not the full bit: we should also validate names when creating silos. That didn't look completely trivial to plumb through, so I left a `TODO` and will try to tackle that in a followup PR.
oxidecomputer · Sep 14, 2023 · 22a0179 · 22a0179
1 parent aceb744
commit 22a0179
Show file tree

Hide file tree

Showing 13 changed files with 621 additions and 116 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -181,6 +181,7 @@ expectorate = "1.0.7"
 fatfs = "0.3.6"
 flate2 = "1.0.27"
 flume = "0.11.0"
+foreign-types = "0.3.2"
 fs-err = "2.9.0"
 futures = "0.3.28"
 gateway-client = { path = "gateway-client" }

diff --git a/certificates/Cargo.toml b/certificates/Cargo.toml
@@ -5,7 +5,14 @@ edition = "2021"
 license = "MPL-2.0"
 
 [dependencies]
+display-error-chain.workspace = true
+foreign-types.workspace = true
 openssl.workspace = true
+openssl-sys.workspace = true
 thiserror.workspace = true
 
 omicron-common.workspace = true
+
+[dev-dependencies]
+omicron-test-utils.workspace = true
+rcgen.workspace = true