Improvements in DiskSigner and DiskVerifier and refactors for the use of signing certificate chains. (#235)

Signed-off-by: Max Lambrecht <[email protected]>
maxlambrecht authored Jul 18, 2023
1 parent d34eae6 commit bad228f
Showing 36 changed files with 929 additions and 697 deletions.
21 changes: 20 additions & 1 deletion conf/harvester/harvester_full.conf
@@ -44,8 +44,27 @@ providers {

# Enables the signing of bundles using a disk-based key pair.
BundleSigner "disk" {
ca_cert_path = "conf/harvester/dummy_root_ca.crt"
# ca_private_key_path: Path to the CA key file. Key files must
# contain a single PEM encoded key. The supported key types are EC
# (ASN.1 or PKCS8 encoded) or RSA (PKCS1 or PKCS8 encoded).
ca_private_key_path = "conf/harvester/dummy_root_ca.key"

# ca_cert_path: If the BundleSigner will use a self-signed CA, cert_file_path
# should specify the path to a single PEM encoded certificate
# representing the CA certificate. If not self-signed,
# ca_cert_path should specify the path to a file that must contain
# one or more certificates necessary to establish a valid certificate
# chain up the root certificates defined in bundle_file_path.
ca_cert_path = "conf/harvester/dummy_root_ca.crt"

# trust_bundle_path: If Galadriel is using a self-signed CA, bundle_file_path
# can be left unset. If not self-signed, then trust_bundle_path should
# be the path to a file that must contain one or more certificates
# representing the upstream root certificates and the file at
# ca_cert_path contains one or more certificates necessary to chain up
# the root certificates in bundle_file_path (where the first
# certificate in ca_cert_path is the CA certificate).
trust_bundle_path = ""
}

# BundleVerifier enables the verification of bundle signatures using selected implementations.
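Review bot: the new comments in this block refer to option names that do not exist in it. The `ca_cert_path` comment says "cert_file_path should specify the path to a single PEM encoded certificate", and both it and the `trust_bundle_path` comment point at "root certificates defined in bundle_file_path", while the keys actually set here are `ca_cert_path` and `trust_bundle_path`. Replacing `cert_file_path` with `ca_cert_path` and `bundle_file_path` with `trust_bundle_path` in those comments keeps an operator from looking for settings the file does not have; "chain up the root certificates" also reads better as "chain up to the root certificates". Second, the sample commits `trust_bundle_path = ""` while the comment says the option "can be left unset" for a self-signed CA; it would help to state whether an empty string is treated the same as an absent key, because for a non-self-signed CA this file is what the verifier needs to validate the chain, and a misread empty value should fail loudly rather than silently skip chain validation.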
11 changes: 11 additions & 0 deletions doc/galadriel_harvester.md
@@ -55,6 +55,17 @@ providers {
}
```

##### BundleSigner - disk

Configuration details for BundleSigner "disk":

| Option | Description |
|-----------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `ca_private_key_path` | Path to the CA private key file in PEM format. This path can be relative or absolute. |
| `ca_cert_path` | Path to the CA certificate file in PEM format. If Galadriel is using a self-signed CA, cert_file_path should specify the path to a single PEM encoded certificate representing the CA certificate. If not self-signed, cert_file_path should specify the path to a file that must contain one or more certificates necessary to establish a valid certificate chain up the root certificates defined in bundle_file_path. This path can be relative or absolute. |
| `trust_bundle_path` | Required when the ca_cert_path does not contain a self-signed CA certificate. This is the path to the file containing one or more root CAs. This path can be relative or absolute. |
| `signing_cert_ttl` | The TTL of the signing certificate. This TTL should align with the TTL of the SPIRE bundle. |

#### BundleVerifier

This subsection explains the `BundleVerifier` options.
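Review bot: the `ca_cert_path` row carries the same naming slip as the config comments: it tells the reader that "cert_file_path should specify the path" and refers to roots "defined in bundle_file_path", but the table's own option names are `ca_cert_path` and `trust_bundle_path`; the row should use those names and say "chain up to the root certificates". The `trust_bundle_path` row states that the option is required when `ca_cert_path` is not self-signed but not what happens when it is missing in that case (refuse to start, or sign with a chain that cannot be verified); since an unverifiable chain only shows up at the bundle consumer, the behaviour is worth documenting. Finally, `signing_cert_ttl` is documented without its value format or default, and it does not appear in the `conf/harvester/harvester_full.conf` example changed in this commit; adding it there, with the same alignment advice about the SPIRE bundle TTL, would keep the reference config and the docs in step.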
123 changes: 58 additions & 65 deletions pkg/common/api/schemas.gen.go
