
Add precise control of SSH certificate validity using absolute time.

Open vhespanha opened this issue 1 year ago • 2 comments

This PR introduces a new not_before_absolute field for SSH certificate roles, allowing users to specify the exact timestamp for when an SSH certificate should become valid. It should not be merged yet, as tests and documentation are lacking.

Key changes:

  1. Added the not_before_absolute field to the SSH role configuration.
  2. Modified the certificate signing process to use the not_before_absolute time when set.
  3. Included logic to give precedence to not_before_absolute over not_before_duration when both are present.
  4. Updated relevant structs and functions in the SSH package to accommodate the new field.
  5. Added error handling for invalid not_before_absolute time formats.

Rationale: To quote @mehmetakbulut on #24084:

  1. Many air-gapped systems without GPS and/or RTC boot up with their clocks set to the Unix epoch. These cannot accept a validity window starting at utc_now - not_before_duration.
  2. Certificates could be generated ahead of time for key rotation or other similar exercises with a future not_before date and remain invalid until rotation occurs.

The implementation maintains backward compatibility with the existing not_before_duration field, ensuring that current configurations continue to work as expected. I also deliberately chose to use the name not_before_absolute instead of just not_before as suggested in #485 and #24084. In my eyes, this seems a little less prone to confusion, but I can always change it if needed.

Next steps:

  • [ ] Include the new field in tests across the project and ensure code coverage.
  • [ ] Include usage examples in the project's documentation.

I decided to open this PR as is so I can check with the repo maintainers if everything is good so far with my commits since this is my first PR here. Work on tests and documentation will begin as soon as possible.

Resolves #485, #24084

1.14.7

vhespanha avatar Aug 24 '24 00:08 vhespanha

When you add unit tests, it would be great if you could add one for Unix epoch not_before="1970-01-01T00:00:00+00:00".

mehmetakbulut avatar Aug 24 '24 14:08 mehmetakbulut
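The precedence rule and invalid-format handling listed in the description, together with the Unix-epoch case suggested above, as an added example (not the PR's own code; `sshRole` and `validAfter` are constructed stand-ins for OpenBao's real role struct and signing path, and parsing the field as RFC 3339 is an assumption):

```go
package main

import (
	"fmt"
	"time"
)

// Constructed stand-in for the SSH role fields this PR touches; not OpenBao's real struct.
type sshRole struct {
	NotBeforeDuration time.Duration // existing field: validity starts at now - duration
	NotBeforeAbsolute string        // new field: RFC 3339 timestamp (assumed format), "" when unset
}

// validAfter returns the ValidAfter value (seconds since the Unix epoch, the type
// golang.org/x/crypto/ssh uses) for a certificate signed at `now`.
// not_before_absolute wins over not_before_duration when both are set, and an
// unparsable value is a hard error rather than a silent fallback to the duration.
func validAfter(role sshRole, now time.Time) (uint64, error) {
	if role.NotBeforeAbsolute == "" {
		return uint64(now.Add(-role.NotBeforeDuration).Unix()), nil
	}
	t, err := time.Parse(time.RFC3339, role.NotBeforeAbsolute)
	if err != nil {
		return 0, fmt.Errorf("invalid not_before_absolute %q: %w", role.NotBeforeAbsolute, err)
	}
	// The epoch itself (0) is a legitimate start for epoch-clock hosts;
	// anything earlier would wrap the unsigned ValidAfter field.
	if t.Unix() < 0 {
		return 0, fmt.Errorf("not_before_absolute %q is before the Unix epoch", role.NotBeforeAbsolute)
	}
	return uint64(t.Unix()), nil
}

func main() {
	now := time.Date(2024, 8, 24, 12, 0, 0, 0, time.UTC) // constructed signing time
	cases := []sshRole{
		{NotBeforeDuration: 30 * time.Second},                                                 // legacy behaviour
		{NotBeforeDuration: 30 * time.Second, NotBeforeAbsolute: "1970-01-01T00:00:00+00:00"}, // epoch clock
		{NotBeforeAbsolute: "2025-01-01T00:00:00Z"},                                           // pre-issued for rotation
		{NotBeforeAbsolute: "next tuesday"},                                                   // rejected
	}
	for _, r := range cases {
		va, err := validAfter(r, now)
		fmt.Printf("duration=%v absolute=%q -> validAfter=%d err=%v\n",
			r.NotBeforeDuration, r.NotBeforeAbsolute, va, err)
	}
}
```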

Hey, sorry for the delay!!

I just reimplemented it from the ground up with your suggestions in mind. I'm now trying to implement the tests, but I have almost no experience with that, so I'll make sure to push it all so anyone can help me if they spot any code smell.

vhespanha avatar Aug 28 '24 18:08 vhespanha

\o hey @vhespanha! Interested in finishing this up? Looks like our changes to ssh have caused this to conflict, sadly.

cipherboy avatar Oct 12 '24 17:10 cipherboy

Hey! Yeah, I'm really interested in finishing it. I haven't been able to do much for some time since I had some problems with my machine, but I plan on going back to this feature soon. Thanks for asking.

vhespanha avatar Oct 12 '24 17:10 vhespanha