don't sign X.509 certs
Problem
This resurrects the PR from https://github.com/solana-labs/solana/pull/34202 to address merge conflicts and some comments.
Summary of Changes
This gets rid of the third-party component rcgen in the path of private key access to make the code more secure.
Fixes #
Codecov Report
Attention: 10 lines in your changes are missing coverage. Please review.
Comparison is base (a5c470d) 81.7% compared to head (5766457) 81.7%. Report is 72 commits behind head on master.
Additional details and impacted files
@@ Coverage Diff @@
## master #34896 +/- ##
=========================================
- Coverage 81.7% 81.7% -0.1%
=========================================
Files 826 826
Lines 223413 223357 -56
=========================================
- Hits 182614 182553 -61
- Misses 40799 40804 +5
Can you push your commits directly to https://github.com/solana-labs/solana/pull/34202 so we have all the context and discussions in one place? These are some guides on how to do that: https://tighten.com/insights/adding-commits-to-a-pull-request/ https://stackoverflow.com/questions/22237609/
Unfortunately, I do not have permission to push to the firedancer repo. So the technique would not work.
The real change is c1bf6c0e5d1cb56e63bba38a862cb6d4178cc751; the rest just addresses merge conflicts.
It just restores the issuer common name back to "Solana node" from "Solana".
Just for record keeping, the cert looks like the following:

```
$ openssl x509 -in dummy.cer -inform DER -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 72340172838076673 (0x101010101010101)
        Signature Algorithm: ED25519
        Issuer: CN = Solana node
        Validity
            Not Before: Jan  1 00:00:00 1970 GMT
            Not After : Jan  1 00:00:00 4096 GMT
        Subject:
        Subject Public Key Info:
            Public Key Algorithm: ED25519
                ED25519 Public-Key:
                pub:
                    06:ab:db:0e:56:94:64:04:cc:ae:ab:56:87:55:da:
                    32:46:23:16:40:e7:ff:21:66:b8:23:94:7c:65:c1:
                    2f:1f
        X509v3 extensions:
            X509v3 Subject Alternative Name: critical
                DNS:localhost
            X509v3 Basic Constraints: critical
                CA:FALSE
    Signature Algorithm: ED25519
         ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
         ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
         ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
         ff:ff:ff:ff:ff:ff:ff:ff:ff:ff
```
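As an added example, not code from this PR or from the repo: a pure-Python builder for a certificate with the same shape as the dump above (Ed25519 SPKI, issuer CN=Solana node, empty subject, SAN localhost, CA:FALSE, all-0xff placeholder signature), plus a minimal DER reader that pulls out the one thing a peer can actually rely on, the public key, and flags the placeholder signature. The 32-byte key is a constructed sample value, and the field layout assumes the certificate is v3 with the fields in the order shown in the dump.

```python
# Added example (not code from this PR): builds a certificate shaped like the dump above in
# pure Python (Ed25519 SPKI, issuer CN=Solana node, SAN localhost, CA:FALSE, all-0xff
# placeholder signature) and parses it back. The 32-byte key is a constructed sample.
def der(tag, body):  # encode one DER TLV with definite length
    n = len(body)
    lb = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    ln = bytes([n]) if n < 0x80 else bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + ln + body

SEQ, SET, INT, BITSTR, OCTSTR, OID, UTF8, BOOL, UTCTIME, GENTIME = (
    0x30, 0x31, 0x02, 0x03, 0x04, 0x06, 0x0C, 0x01, 0x17, 0x18)
ED25519_ALG = der(SEQ, der(OID, bytes.fromhex("2b6570")))   # AlgorithmIdentifier 1.3.101.112
PLACEHOLDER_SIG = b"\xff" * 64                               # never a valid Ed25519 signature

def build_unsigned_cert(pubkey):
    """Identity lives in the SPKI; the signature field is only filled to keep the DER valid."""
    version = der(0xA0, der(INT, b"\x02"))                                  # [0] EXPLICIT v3
    serial = der(INT, bytes.fromhex("0101010101010101"))
    issuer = der(SEQ, der(SET, der(SEQ, der(OID, bytes.fromhex("550403"))   # CN
                                       + der(UTF8, b"Solana node"))))
    validity = der(SEQ, der(UTCTIME, b"700101000000Z") + der(GENTIME, b"40960101000000Z"))
    subject = der(SEQ, b"")                                                 # empty, as in the dump
    spki = der(SEQ, ED25519_ALG + der(BITSTR, b"\x00" + pubkey))
    san = der(SEQ, der(OID, bytes.fromhex("551d11")) + der(BOOL, b"\xff")
              + der(OCTSTR, der(SEQ, der(0x82, b"localhost"))))             # critical, dNSName
    bc = der(SEQ, der(OID, bytes.fromhex("551d13")) + der(BOOL, b"\xff")
             + der(OCTSTR, der(SEQ, b"")))                                  # critical, CA:FALSE
    exts = der(0xA3, der(SEQ, san + bc))
    tbs = der(SEQ, version + serial + ED25519_ALG + issuer + validity + subject + spki + exts)
    return der(SEQ, tbs + ED25519_ALG + der(BITSTR, b"\x00" + PLACEHOLDER_SIG))

def read_tlv(buf, pos=0):
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                                            # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def inspect_cert(cert_der):
    """What a peer can rely on: the Ed25519 key from the SPKI. The signature proves nothing."""
    tbs, _alg, sig = children(read_tlv(cert_der)[1])
    fields = children(tbs[1])            # version, serial, alg, issuer, validity, subject, spki, exts
    _alg, key_bits = children(fields[6][1])
    return {"pubkey": key_bits[1][1:], "placeholder_sig": sig[1][1:] == PLACEHOLDER_SIG}
```

Feeding the output of `build_unsigned_cert` to `openssl x509 -inform DER -text -noout` reproduces the structure of the dump above; any verifier that trusts this cert must therefore pin or otherwise check the SPKI key, since the signature carries no information.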
Thank you @lijunwangs. So happy to see this go through. 🎉 I might do a follow-up PR adding more tests today, just to be safe.