Posted to issues@trafficcontrol.apache.org by GitBox <gi...@apache.org> on 2019/04/01 17:32:08 UTC

[GitHub] [trafficcontrol] JBevillC edited a comment on issue #3382: Add enhanced X509 Certificate/Private RSA Key validation to Traffic Ops (AddSSLKeys Endpoint)

URL: https://github.com/apache/trafficcontrol/pull/3382#issuecomment-478670333
Latest branch provides the following changes:

1) Merge in PR #3417
2) Adds ECDSA support for only DNS* delivery service types.
3) Verification that both RSA and ECDSA private keys match the corresponding submitted x509 certificate. RSA verification ensures the public modulus N value matches the modulus N value in the x509 certificate. ECDSA verification ensures the curve set {name, public-X, public-Y} curve values are equal to those in the x509 certificate.
4) There are 27 unit tests that verify both x509v3 and x509v1 certificate/key combinations (look at keys_test.go). Yes, I'm aware the documentation is lacking, but it doesn't make sense for me to write a ton of docs if this PR gets rejected. I can update the docs once this PR has been tested and the solution is accepted.
5) Verification that ECDSA keys are only permitted on DNS* delivery services explicitly.
6) Reject all x509 + DSA certificates because no modern HTTPS client supports it.
