Parameterize PKI certs location #667
Conversation
mansishr
changed the title
mansishr
requested review from
psfoley,
itrushkin,
aleksandr-mokrov and
igor-davidyuk
| @@ -36,7 +36,13 @@ def aggregator(context): | |||
| default='plan/cols.yaml', type=ClickPath(exists=True)) | |||
| @option('-s', '--secure', required=False, | |||
| help='Enable Intel SGX Enclave', is_flag=True, default=False) | |||
| def start_(plan, authorized_cols, secure): | |||
| @option('-c', '--cert_path', | |||
There was a problem hiding this comment.
What if we allow user to provide paths to certificates and keys? This way we do not implicitly rely on the user certificate folder to replicate our internal structure. For example, we will not expect aggregator private key be in format {CERT_DIR}/server/agg_{common_name}.key
There was a problem hiding this comment.
I tried to keep the certs structure consistent but we can do that too. It would also involve users to provide a path where certs will be stored {CERT_DIR}/agg_{common_name}.key. @psfoley @itrushkin @aleksandr-mokrov what do you think?
There was a problem hiding this comment.
We should not force users to keep our internal PKI folder structure. I think it is better to split this argument and use paths for each file.
There was a problem hiding this comment.
Added separate paths to certs and keys to not rely on internal PKI folder structure.
mansishr
force-pushed
the
export_pki_certs
branch
from
871aa83 to
e6ff4fe
Compare
mansishr
force-pushed
the
export_pki_certs
branch
from
47c8632 to
5171c68
Compare
Signed-off-by: Mansi Sharma <[email protected]>
Signed-off-by: Mansi Sharma <[email protected]>
Signed-off-by: Mansi Sharma <[email protected]>
Signed-off-by: Mansi Sharma <[email protected]>
Signed-off-by: Mansi Sharma <[email protected]>
Signed-off-by: Mansi Sharma <[email protected]>
Signed-off-by: Mansi Sharma <[email protected]>
Signed-off-by: Mansi Sharma <[email protected]>
Signed-off-by: Mansi Sharma <[email protected]>
Signed-off-by: Mansi Sharma <[email protected]>
mansishr
force-pushed
the
export_pki_certs
branch
from
fadc304 to
e21a666
Compare
Signed-off-by: Mansi Sharma <[email protected]>
Signed-off-by: Mansi Sharma <[email protected]>
Signed-off-by: Mansi Sharma <[email protected]>
Signed-off-by: Mansi Sharma <[email protected]>
Signed-off-by: Mansi Sharma <[email protected]>
Signed-off-by: Mansi Sharma <[email protected]>
Signed-off-by: Mansi Sharma <[email protected]>
Signed-off-by: Mansi Sharma <[email protected]>
Signed-off-by: Mansi Sharma <[email protected]>
Signed-off-by: Mansi Sharma <[email protected]>
mansishr
requested review from
itrushkin,
igor-davidyuk,
aleksandr-mokrov and
psfoley
and removed request for
psfoley,
itrushkin,
aleksandr-mokrov and
igor-davidyuk
|
@mansishr can you please resolve the conflicts and request for review again? |
For manual PKI exchange, certificates are stored under 'cert' directory inside workspace by default. This PR decouples the location of certificates from workspace in that the user can now specify certificate path to store certs which can reside outside the workspace.
cert_dircan be passed, where all CA certs and keys can reside. To storesigning-ca.crt, certificate chain (cert_chain.crt) andsigning-ca.key, usecert_pathandkey_pathto specify locations.cert_pathandkey_pathto store aggregator (or collaborator) certificate and key, respectively.fx workspace participantsthat let's the CA/aggregator select a subset of certified collaborators for a federation by modifyingplan/cols.yaml.