wicket: Add additional cert validation

oxidecomputer / omicron

Omicron: Oxide control plane

Mozilla Public License 2.0

245 stars 38 forks source link

wicket: Add additional cert validation #3398

Closed jgallagher closed 8 months ago

jgallagher commented 1 year ago

When uploading cert/key pairs to wicket in preparation for running RSS, we do some basic validation that the key matches the cert, but do not validate:

that the cert is valid for the DNS name we expect to have
that the cert is the right kind of cert (which might be covered by the previous check?)

Validation functions to support these should be added to CertificateValidator, and wicket should use them once added.

iliana commented 8 months ago

Did #4100 fix this?

jgallagher commented 8 months ago

It did! (Well, technically #4086 was the wicket one, and #4100 added the same checks to Nexus.) Thank you.