mercedes-benz / sechub

SecHub provides a central API to test software with different security tools.
https://mercedes-benz.github.io/sechub/
MIT License

Provide 2FA by client certificates #562

Open de-jcup opened 3 years ago

de-jcup commented 3 years ago

Situation

At the moment we only check for an API token to give user access. Reason is to make it simple and easy for integrations.

Wanted

We want to provide client certificates for 2FA API communication

Solution

To make things easier at the moment we will introduce a new environment variable to enable/disable client certificate checks for API communication. So we do not need any global configuration caching etc. - so API communication is not slowed down.

Use cases:

More things to think about

Technical details for checks:

Jeeppler commented 3 years ago

Another main concern is how to rotate client certificates. A rotation of the client certificate is necessary once the client certificate reaches the end of its validity or a client certificate was compromised and needs to be changed. Regardless of the reason why the client certificate needs to be changed, changing the client certificate will cause downtime.

One solution would be to allow more than one client certificate to be active at the same time. This would make zero-downtime client certificate rotation possible.

The problem with having multiple certificates active at any given point in time is that people might forget which certificate is active. To solve this issue, one should introduce a limitation where only two or three certificates can be active at any given point in time.
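The rotation scheme in this comment (a small, bounded set of active certificates per user, so a new certificate can be registered before the old one is revoked) together with the environment-variable switch from the opening comment, as one added example in Go. This is illustrative code written for this page, not SecHub's own implementation (SecHub is a Java project) and not a design the issue settled on. Assumptions: a hypothetical variable name SECHUB_CLIENTCERT_CHECK_ENABLED, a limit of two active certificates, pinning of the presented certificate by SHA-256 fingerprint of its DER encoding instead of a CA chain, and throwaway self-signed Ed25519 certificates that the example generates itself.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"sync"
	"time"
)

// MaxActiveCerts caps the certificates one user may have active at once (the thread suggests two or three).
const MaxActiveCerts = 2

// CertRegistry is a hypothetical per-user set of accepted client certificates (not SecHub code),
// keyed by the SHA-256 of the DER bytes so that a re-issued certificate is a distinct entry.
type CertRegistry struct {
	mu     sync.Mutex // VerifyPeer runs concurrently from TLS handshakes
	active map[[32]byte]*x509.Certificate
}

func NewCertRegistry() *CertRegistry { return &CertRegistry{active: map[[32]byte]*x509.Certificate{}} }

func Fingerprint(c *x509.Certificate) [32]byte { return sha256.Sum256(c.Raw) }

// Add registers a certificate. Re-adding an active one is a no-op; at the limit it refuses, so the
// operator must revoke the old certificate once the client has switched over instead of forgetting it.
func (r *CertRegistry) Add(c *x509.Certificate) error {
	r.mu.Lock()
	defer r.mu.Unlock()
	fp := Fingerprint(c)
	if _, ok := r.active[fp]; !ok && len(r.active) >= MaxActiveCerts {
		return fmt.Errorf("limit of %d active client certificates reached; revoke one first", MaxActiveCerts)
	}
	r.active[fp] = c
	return nil
}

// Revoke drops a certificate (rotation finished, or compromise); the next handshake with it fails.
func (r *CertRegistry) Revoke(fp [32]byte) bool {
	r.mu.Lock()
	defer r.mu.Unlock()
	_, ok := r.active[fp]
	delete(r.active, fp)
	return ok
}

// VerifyPeer has the tls.Config.VerifyPeerCertificate signature. It pins the presented leaf to the
// registry instead of trusting a CA, and rejects a leaf outside its validity window even if registered.
func (r *CertRegistry) VerifyPeer(rawCerts [][]byte, _ [][]*x509.Certificate) error {
	if len(rawCerts) == 0 {
		return fmt.Errorf("no client certificate presented")
	}
	leaf, err := x509.ParseCertificate(rawCerts[0])
	if err != nil {
		return err
	}
	if now := time.Now(); now.Before(leaf.NotBefore) || now.After(leaf.NotAfter) {
		return fmt.Errorf("client certificate outside its validity period")
	}
	r.mu.Lock()
	defer r.mu.Unlock()
	if _, ok := r.active[Fingerprint(leaf)]; !ok {
		return fmt.Errorf("client certificate not registered for this user")
	}
	return nil
}

// ServerTLSConfig mirrors the proposed switch: the check is wired into the handshake only when the
// (hypothetical) SECHUB_CLIENTCERT_CHECK_ENABLED value is "true"; otherwise the zero value of
// ClientAuth (tls.NoClientCert) keeps today's API-token-only behaviour and no certificate is requested.
func ServerTLSConfig(serverCert tls.Certificate, enabled string, reg *CertRegistry) *tls.Config {
	cfg := &tls.Config{Certificates: []tls.Certificate{serverCert}, MinVersion: tls.VersionTLS12}
	if enabled == "true" { // RequireAnyClientCert skips the ClientCAs chain build; VerifyPeer decides
		cfg.ClientAuth, cfg.VerifyPeerCertificate = tls.RequireAnyClientCert, reg.VerifyPeer
	}
	return cfg
}

// NewSelfSignedCert makes a throwaway Ed25519 certificate for the demo; a deployment would use its PKI.
func NewSelfSignedCert(cn string, notAfter time.Time) (*x509.Certificate, error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // only fails if rand.Reader fails
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     notAfter,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	reg := NewCertRegistry()
	old, _ := NewSelfSignedCert("ci-runner", time.Now().Add(24*time.Hour))
	next, _ := NewSelfSignedCert("ci-runner", time.Now().Add(30*24*time.Hour))
	fmt.Println("overlap:", reg.Add(old), reg.Add(next)) // both <nil>: old and new client work at once
	fmt.Println("after revoke:", reg.Revoke(Fingerprint(old)), reg.VerifyPeer([][]byte{old.Raw}, nil))
}
```

A rotation then is: register the new certificate with Add, switch the client over, revoke the old fingerprint with Revoke. The client never loses access, a revoked or expired certificate is refused on the very next handshake without a restart, and the registry can never hold more than MaxActiveCerts entries, which is the bound this comment asks for so that nobody loses track of which certificate is live.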