Add CertificateManager, the main interface for SSL certificates.

Review Request #13270 — Created Sept. 11, 2023 and submitted

Information

Review Board
release-6.x

Reviewers

CertificateManager is a high-level interface for the SSL certificate
storage backends and verification, providing convenient functions for
adding, deleting, and fetching CA bundles, certificates, and verified
fingerprints.

These interface with the storage backend, switching backends if settings
are updated, to manage the storage of the data.

When adding certificates, their fingerprints are recorded in the
verified fingerprints store and cached for faster lookup. When deleting,
these are removed. This ensures that an uploaded certificate can be
checked either by fingerprints or by stored certificate, depending on
the needs of the consumer.

A utility function is available for creating a SSLContext
pre-populated with any relevant CA bundles, certificates, and private
keys. Another piggy-backs on that to provide urlopen() keyword
arguments relevant to the URL, making it easy to tie all requests in to
certificate storage.

There's room for further improvement, including enhanced caching. A TODO
has been left in intentionally to make note of this, and the
functionality will be introduced down the road.

Unit tests pass.

Tested some of this with in-progress code for hooking up SCMs.

Summary ID
Add CertificateManager, the main interface for SSL certificates.
`CertificateManager` is a high-level interface for the SSL certificate storage backends and verification, providing convenient functions for adding, deleting, and fetching CA bundles, certificates, and verified fingerprints. These interface with the storage backend, switching backends if settings are updated, to manage the storage of the data. When adding certificates, their fingerprints are recorded in the verified fingerprints store and cached for faster lookup. When deleting, these are removed. This ensures that an uploaded certificate can be checked either by fingerprints or by stored certificate, depending on the needs of the consumer. A utility function is available for creating a `SSLContext` pre-populated with any relevant CA bundles, certificates, and private keys. Another piggy-backs on that to provide `urlopen()` keyword arguments relevant to the URL, making it easy to tie all requests in to certificate storage. There's room for further improvement, including enhanced caching. A TODO has been left in intentionally to make note of this, and the functionality will be introduced down the road.
886bec220d909069eaa84334c102f38cf429998d
Description From Last Updated

'ssl.SSLContext' imported but unused Column: 1 Error code: F401

reviewbotreviewbot

'reviewboard.certs.cert.Certificate' imported but unused Column: 1 Error code: F401

reviewbotreviewbot

'reviewboard.certs.storage.base.BaseCertificateStorageBackend' imported but unused Column: 1 Error code: F401

reviewbotreviewbot
Checks run (1 failed, 1 succeeded)
flake8 failed.
JSHint passed.

flake8

chipx86
david
  1. Ship It!
  2. 
      
chipx86
Review request changed
Status:
Completed
Change Summary:
Pushed to release-6.x (61a4fdc)