Support skipping certificate private key check on request #475
Conversation
kms/tpmkms/tpmkms.go
Outdated
| @@ -786,7 +790,7 @@ func (k *TPMKMS) storeCertificateChainToWindowsCertificateStore(req *apiv1.Store | |||
| } | |||
|
|
|||
| if err := k.windowsCertificateManager.StoreCertificate(&apiv1.StoreCertificateRequest{ | |||
| Name: fmt.Sprintf("capi:sha1=%s;store-location=%s;store=%s;", fp, location, store), | |||
| Name: fmt.Sprintf("capi:sha1=%s;store-location=%s;store=%s;skip-find-certificate-key=%s", fp, location, store, skipFindCertificatKey), | |||
There was a problem hiding this comment.
Are location and store properly encoded to work on a URI?
There was a problem hiding this comment.
For existing and valid values they are, as they are plain strings and those are checked in the CAPI implementation. But I can change the implementation to uv.Set, or something similar, if preferred
Add support for removing certificates from TPM and CAPI KMS
kms/capi/capi.go
Outdated
| sha1Hash = strings.TrimPrefix(sha1Hash, "0x") // Support specifying the hash as 0x like with serial | ||
|
|
||
| sha1Bytes, err := hex.DecodeString(sha1Hash) | ||
| if err != nil { | ||
| return fmt.Errorf("%s must be in hex format: %w", HashArg, err) | ||
| } |
There was a problem hiding this comment.
We can add a func (u *URI) GetHexEncoded(key string) ([]byte, error) to the URI package we already have GetEncoded, but it is not strict and fallback to []byte(v). GetEncoded could use GetHexEncoded`.
We are using this several times in this package.
There was a problem hiding this comment.
Here, we could validate the number of bytes, as a SHA1 is known. It will probably fail with an obscure error later.
To support certificates that (usually) don't have a key present,
skip-find-certificate-key=truecan now be provided to an individual call for storing a certificate (chain). This can be helpful when storing an intermediate or root certificate in a specific store / store location.