Add wildcard certificate storage to the file backend.

Review Request #13266 — Created Sept. 7, 2023 and submitted

Information

Review Board
release-6.x

Reviewers

This updates the file backend to allow wildcard certificates to be
stored and fetched, and to use them as a fallback if a specific
certificate cannot be found.

Normal certs are now stored in the form of {hostname}__{port}.{ext},
and wildcard certs are stored as __.{hostname}__{port}.{ext}. This
avoids issues with naming a file with a wildcard, and _ is not a valid
character in domains so it's safe to use.

Wildcards are only permitted as the first character in the name.

When fetching a certificate, the backend checks first for an an exact
hostname match. If not found, it checks for a wildcard certificate. The
resulting Certificate object will use the specific hostname, but will
refer to the wildcard storage ID.

Wildcards are not supported nor needed for CA bundles and fingerprints.

There's also no special handling of certificates that list multiple
domains without using wildcards. In this case, administrators should
upload the cert for each hostname they need individually. We don't
expect this will come up much in real usage.

All unit tests pass.

Summary ID
Add wildcard certificate storage to the file backend.
This updates the file backend to allow wildcard certificates to be stored and fetched, and to use them as a fallback if a specific certificate cannot be found. Normal certs are now stored in the form of `{hostname}__{port}.{ext}`, and wildcard certs are stored as `__.{hostname}__{port}.{ext}`. This avoids issues with naming a file with a wildcard, and `_` is not a valid character in domains so it's safe to use. Wildcards are only permitted as the first character in the name. When fetching a certificate, the backend checks first for an an exact hostname match. If not found, it checks for a wildcard certificate. The resulting `Certificate` object will use the specific hostname, but will refer to the wildcard storage ID. Wildcards are not supported nor needed for CA bundles and fingerprints. There's also no special handling of certificates that list multiple domains without using wildcards. In this case, administrators should upload the cert for each hostname they need individually. We don't expect this will come up much in real usage.
2691715230e4fbefabfddf5df213f66a7692698b
Description From Last Updated

line too long (80 > 79 characters) Column: 80 Error code: E501

reviewbotreviewbot
Checks run (1 failed, 1 succeeded)
flake8 failed.
JSHint passed.

flake8

chipx86
david
  1. Ship It!
  2. 
      
chipx86
Review request changed
Status:
Completed
Change Summary:
Pushed to release-6.x (f5957b2)