Add wildcard certificate storage to the file backend.

 






 

 


  Review Request #13266
  —
  Created Sept. 7, 2023 and submitted  — Latest diff uploaded 

 


















 

  

   Information

  





 
 

  chipx86
 









 
 

  Review Board
 









 
 

  release-6.x
 









 
 

  
 









 
 

  
 






 




 

  

   Reviewers

  





 
 

  reviewboard
 









 
 

  
 






 








 





  


 
 

  
This updates the file backend to allow wildcard certificates to be

stored and fetched, and to use them as a fallback if a specific

certificate cannot be found.


Normal certs are now stored in the form of {hostname}__{port}.{ext},

and wildcard certs are stored as __.{hostname}__{port}.{ext}. This

avoids issues with naming a file with a wildcard, and _ is not a valid

character in domains so it's safe to use.


Wildcards are only permitted as the first character in the name.


When fetching a certificate, the backend checks first for an an exact

hostname match. If not found, it checks for a wildcard certificate. The

resulting Certificate object will use the specific hostname, but will

refer to the wildcard storage ID.


Wildcards are not supported nor needed for CA bundles and fingerprints.


There's also no special handling of certificates that list multiple

domains without using wildcards. In this case, administrators should

upload the cert for each hostname they need individually. We don't

expect this will come up much in real usage.

 








  


 
 

  
All unit tests pass.

 







 









 





  








 




 







   

    
    
Changes between revision 1 and 2



    

 

 

 

 
orig
1
2

 



    


    

      
Commits

      

 

 

  
   
  
  Summary
  ID
  Author
 



 
  
 
 
  
   
    

     Add wildcard certificate storage to the file backend.
     
This updates the file backend to allow wildcard certificates to be
stored and fetched, and to use them as a fallback if a specific
certificate cannot be found.

Normal certs are now stored in the form of `{hostname}__{port}.{ext}`,
and wildcard certs are stored as `__.{hostname}__{port}.{ext}`. This
avoids issues with naming a file with a wildcard, and `_` is not a valid
character in domains so it's safe to use.

Wildcards are only permitted as the first character in the name.

When fetching a certificate, the backend checks first for an an exact
hostname match. If not found, it checks for a wildcard certificate. The
resulting `Certificate` object will use the specific hostname, but will
refer to the wildcard storage ID.

Wildcards are not supported nor needed for CA bundles and fingerprints.

There's also no special handling of certificates that list multiple
domains without using wildcards. In this case, administrators should
upload the cert for each hostname they need individually. We don't
expect this will come up much in real usage.

    

   
  		
  c34667b1ecc04a9af7805d2cad36ff15556c46b0
  Christian Hammond
 


 
  
 
 
  
   
    

     Add wildcard certificate storage to the file backend.
     
This updates the file backend to allow wildcard certificates to be
stored and fetched, and to use them as a fallback if a specific
certificate cannot be found.

Normal certs are now stored in the form of `{hostname}__{port}.{ext}`,
and wildcard certs are stored as `__.{hostname}__{port}.{ext}`. This
avoids issues with naming a file with a wildcard, and `_` is not a valid
character in domains so it's safe to use.

Wildcards are only permitted as the first character in the name.

When fetching a certificate, the backend checks first for an an exact
hostname match. If not found, it checks for a wildcard certificate. The
resulting `Certificate` object will use the specific hostname, but will
refer to the wildcard storage ID.

Wildcards are not supported nor needed for CA bundles and fingerprints.

There's also no special handling of certificates that list multiple
domains without using wildcards. In this case, administrators should
upload the cert for each hostname they need individually. We don't
expect this will come up much in real usage.

    

   
  		
  2691715230e4fbefabfddf5df213f66a7692698b
  Christian Hammond
 




    


    
    

   

  

 









 

  

   
    

     
      
      reviewboard/certs/tests/test_file_storage_backend.py
     
    

   
  

 



 

  

   
    

     
      
      reviewboard/certs/tests/testdata/file_storage/certs/reviewboard.eng.example.com__443.crt
     
    

   
  

 



 

  

   
    

     
      
      reviewboard/certs/tests/testdata/file_storage/certs/reviewboard.eng.example.com__443.key
     
    

   
  

 










     

    

   

  

  

   
   Loading...