Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CA-370082: Block multiple definitions of certificate-chain in xe cli #4824

Merged
merged 2 commits into from
Oct 20, 2022
Merged

CA-370082: Block multiple definitions of certificate-chain in xe cli #4824

merged 2 commits into from
Oct 20, 2022

Conversation

psafont
Copy link
Member

@psafont psafont commented Oct 17, 2022

User were allowed to define more than one certificate-chain when
installing a host certificate. The implementation picked the first one,
ignoring successive ones.

This could lead to a situation where the host served a certificate with
certificates missing in their chain of trust, making it unverifiable.

Instead detect the situation and block the operation immediately.

Signed-off-by: Pau Ruiz Safont pau.safont@citrix.com

lindig
lindig approved these changes Oct 20, 2022
View reviewed changes
ocaml/xapi-cli-server/cli_operations.ml Outdated Show resolved Hide resolved
ocaml/xapi-cli-server/cli_operations.ml
force the CLI to make choices the user didn't foresee. In those cases
raises an exception to warn the user to input it only once *)
let get_unique_param param params =
match List.find_all (fun (n, _) -> n = param) params with
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We could also introduce a predicate is_unique_key for association lists that would check that property for any association list and a given key:

val is_unique_key: key:string -> (string, 'a) list -> bool

We would have to think about the value if the key does not exist.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There's a ternary choice here, I don't think a predicate can work to our advantage here

@psafont
CA-370082: Block multiple definitions of certificate-chain in xe cli
5d1601c 
User were allowed to define more than one certificate-chain when
installing a host certificate. The implementation picked the first one,
ignoring successive ones.

This could lead to a situation where the host served a certificate with
certificates missing in their chain of trust, making it unverifiable.

Instead detect the situation and block the operation immediately.

Signed-off-by: Pau Ruiz Safont <pau.safont@citrix.com>
@psafont
maintenance: avoid traversing lists twice when reading cli params
1f2023a 
Signed-off-by: Pau Ruiz Safont <pau.safont@citrix.com>
@psafont psafont merged commit 60856b1 into xapi-project:master Oct 20, 2022
@psafont psafont deleted the private/paus/multipla branch October 20, 2022 11:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@robhoes robhoes robhoes approved these changes

@lindig lindig lindig approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@psafont @robhoes @lindig