Add authority option WithX509SignerFunc #874

Closed
maraino opened this issue Mar 25, 2022 · 6 comments · Fixed by #879
Labels: enhancement, needs triage (Waiting for discussion / prioritization by team)

Comments

maraino commented Mar 25, 2022

Description

Caddy proposes adding a new function to be able to automatically replace the intermediate certificate in an authority using a function that returns the current certificate chain and signer to use. See caddyserver/caddy#4517.

The new option can be something like

```go
func WithX509SignerFunc(func() (chain []*x509.Certificate, s crypto.Signer)) Option
```

or

```go
func WithX509SignerFunc(func() (chain []*x509.Certificate, s crypto.Signer, err error)) Option
```

Then SoftCAS, if configured, can use that to get the updated chain and signer.

@maraino maraino added enhancement needs triage Waiting for discussion / prioritization by team labels Mar 25, 2022
@francislavoie

Maybe it should return an error too as the 3rd just to be safe

maraino commented Mar 25, 2022

@francislavoie what do you think would be the behavior if there's an error? fail or use a cached version of the intermediate and signer?

@francislavoie

I'd think fail the current operation 🤷‍♂️

@francislavoie

To elaborate, currently for Caddy I think it wouldn't be possible to return an error for the intermediate cert, but if we moved the "sign with root" behaviour into the func then it could error technically because it would have to reload it from disk.

But I think what we'd probably do is use WithX509SignerFunc for intermediates, but WithX509Signer (not func) for "sign with root", so I guess it probably wouldn't make a difference for us whether an error can be returned or not.
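As an added example, not code from this issue, from smallstep or from Caddy: a minimal Go model of the option discussed above, using the three-value callback shape (chain, signer, error). It shows the two points the thread settles on: the CA asks the callback on every signing operation, so a renewed intermediate is picked up without recreating the CA, and a callback error fails that operation instead of falling back to a cached chain. `SoftCA`, `Option`, `Sign`, `must`, `mustCA` and `Demo` are assumed names; the root, the two intermediates and the leaf are constructed in memory for the demo.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// SignerFunc has the three-value shape the thread settles on: the current chain (issuing
// intermediate first) and the crypto.Signer for chain[0].
type SignerFunc func() (chain []*x509.Certificate, s crypto.Signer, err error)

type SoftCA struct{ fn SignerFunc } // hypothetical stand-in for the embedded CA, not smallstep's type
type Option func(*SoftCA)           // applied by the authority's constructor in a real implementation

// WithX509SignerFunc makes the CA call fn on every signing operation, so a renewed
// intermediate is picked up without recreating the CA.
func WithX509SignerFunc(fn SignerFunc) Option { return func(c *SoftCA) { c.fn = fn } }

// Sign issues a leaf and returns it followed by the chain it was issued from. An error from
// the callback fails this operation outright; no earlier chain is used in its place.
func (c *SoftCA) Sign(tmpl *x509.Certificate, pub crypto.PublicKey) ([]*x509.Certificate, error) {
	if c.fn == nil {
		return nil, fmt.Errorf("no x509 signer configured")
	}
	chain, s, err := c.fn()
	if err != nil {
		return nil, fmt.Errorf("x509 signer func: %w", err)
	}
	if len(chain) == 0 || s == nil {
		return nil, fmt.Errorf("x509 signer func returned no certificate or signer")
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, chain[0], pub, s)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return append([]*x509.Certificate{leaf}, chain...), nil
}

// must serves the constructed demo fixtures below, which panic instead of returning errors.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// mustCA mints a demo CA certificate, self-signed when parent is nil.
func mustCA(cn string, parent *x509.Certificate, parentKey crypto.Signer) (*x509.Certificate, crypto.Signer) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, key.Public(), parentKey))
	return must(x509.ParseCertificate(der)), key
}

// Demo stands in for Caddy's weekly renewal: the callback hands out whichever intermediate is
// current while the CA lives on. It returns the verified issuer CN of each leaf and the error
// Sign produced once the callback started failing.
func Demo() (issuers []string, failErr error) {
	root, rootKey := mustCA("Demo Root", nil, nil)
	var cur *x509.Certificate
	var curKey crypto.Signer
	var reloadErr error // set below to simulate a failed reload of the intermediate from disk
	ca := &SoftCA{}
	WithX509SignerFunc(func() ([]*x509.Certificate, crypto.Signer, error) { return []*x509.Certificate{cur}, curKey, reloadErr })(ca)
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leaf := &x509.Certificate{SerialNumber: big.NewInt(1000), DNSNames: []string{"svc.internal"}, NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour)}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	for _, cn := range []string{"Intermediate A", "Intermediate B"} {
		cur, curKey = mustCA(cn, root, rootKey) // rotation: only the callback's inputs change
		chain := must(ca.Sign(leaf, leafKey.Public()))
		inters := x509.NewCertPool()
		inters.AddCert(chain[1]) // the intermediate the callback handed back
		must(chain[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: "svc.internal"}))
		issuers = append(issuers, chain[0].Issuer.CommonName)
	}
	reloadErr = fmt.Errorf("intermediate reload from disk failed")
	_, failErr = ca.Sign(leaf, leafKey.Public())
	return issuers, failErr
}

func main() {
	fmt.Println(Demo())
}
```

Each leaf is verified up to the root through the intermediate the callback returned, so the check passes only if the rotated intermediate really was used for issuance. A real callback is invoked concurrently by every signing request, so it must guard the chain and key it reads (for instance with a mutex or an atomic pointer swap), which the single-goroutine demo above omits.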

maraino added a commit that referenced this issue Mar 29, 2022
This change adds a new authority option that allows passing a callback
that returns the certificate chain and signer used to sign X.509
certificates.

This option will be used by Caddy; they renew the intermediate
certificate weekly, and there's no other way to replace it without
re-creating the embedded CA.

Fixes #874
maraino commented Mar 29, 2022

@francislavoie, @mholt
Are you ok with this #879?

@francislavoie

Yeah, looks great to me! Thanks!!
