TLS keys handling #894
Open
TLS keys handling #894
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This was referenced Oct 10, 2024
Test the pre-shared key interchange format import/export function. Signed-off-by: Daniel Wagner <dwagner@suse.de>
The existing import/export function do not handle different version of the interchange format nor do the handle the HMAC independent of the version. Thus allow the caller to select version and HMAC independently when exporting resp. importing. This makes this interface also future proof when new HMAC or key lengths are added to the spec. Signed-off-by: Daniel Wagner <dwagner@suse.de>
Also test for nvme_{import|export}_tls_key_versioned API.
Signed-off-by: Daniel Wagner <dwagner@suse.de>
The pre-shared key interchange format also has 'no transform' option when the configured key should be used as retained key. Update the export/imports to support this case. Signed-off-by: Daniel Wagner <dwagner@suse.de>
Extend the test case also to check for the NONE and SHA2-384 algorithm Signed-off-by: Daniel Wagner <dwagner@suse.de>
The config-diff script is expecting a sysfs tar file besides an input and a output file. Let's make the sysfs tar file optional so we can use this config diff script more flexible. Signed-off-by: Daniel Wagner <dwagner@suse.de>
Use the inverse x-mas tree pattern for variable declarations. Signed-off-by: Daniel Wagner <dwagner@suse.de>
Extend the ctrl API to allow the users to set the tls_key/keyring on the ctrl object directly. Signed-off-by: Daniel Wagner <dwagner@suse.de>
When the JSON parser detects a TLS key it inserts it into the keystore. Keystore operations on the default '.nvme' keyring are privileged operations (root) thus the parser will fail. This will fail nvme-cli commands which are run as normal user. Let's move the key store operations to the connect call path where we need the right permission. A nice side benefit is that we also are able to pass in a configured key. Signed-off-by: Daniel Wagner <dwagner@suse.de>
Add a test case for the PSK API to ensure that the generated JSON is correct. Signed-off-by: Daniel Wagner <dwagner@suse.de>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Refactor and extend the PSK API and decouple the key store operations from the JSON parsing.
Fixes: #890