feat: Implement remote signing for CAWG X509CredentialHolder#1865
feat: Implement remote signing for CAWG X509CredentialHolder#1865BadrTad wants to merge 19 commits intocontentauth:mainfrom
X509CredentialHolder#1865Conversation
# Conflicts: # Cargo.lock
BadrTad
force-pushed
the
feat/cawg-remote-signing
branch
from
496acb6 to
fa6bec5
Compare
scouten-adobe
left a comment
scouten-adobe
left a comment
There was a problem hiding this comment.
I'm leaving on vacation shortly and won't have time to do a full review before I go. I've asked @gpeacock to review it hopefully next week.
… of impl functions with RawSigner trait definition
|
The |
scouten-adobe
changed the title
X509CredentialHolder
scouten-adobe
left a comment
scouten-adobe
left a comment
There was a problem hiding this comment.
Looks great. A few tweaks I'd like to see, but I'm eager to see this land.
| Ok(self.cert_chain.clone()) | ||
| } | ||
|
|
||
| fn reserve_size(&self) -> usize { |
There was a problem hiding this comment.
Would you mind putting this back where it was? I'd prefer to keep the diffs as minimal as possible. (Applies to other signer implementations also.)
BTW, please consider ticking the box that says "Allow maintainers to edit this PR." I'd have made this change already if that was enabled.
There was a problem hiding this comment.
Unfortunately, the "Allow maintainers to edit this PR" is not supported for an organization repos type (see https://github.com/orgs/community/discussions/5634). Next time, I will make sure to make PRs from my personal repo.
As for the diffs, my intention was to make sure the implementing structs of a trait follow the same method definition order as that trait.
I understand that you want to keep the diffs minimal. I reverted these changes back.
| BoxedSigner, Error, Result, Signer, SigningAlg, | ||
| }; | ||
|
|
||
| /// Enum representing the CAWG X.509 signing mode: local (with private key) or remote (via URL). |
| self.0.reserve_size() | ||
| } | ||
|
|
||
| async fn ocsp_val(&self) -> Option<Vec<u8>> { |
There was a problem hiding this comment.
Same comment as on the RawSigner implementations earlier: Please avoid adding refactoring diffs.
|
@BadrTad I see Clippy has some warnings. Please add the necessary |
Merging this PR will improve performance by 10.24%
Performance Changes
Comparing 
Footnotes
|
|
Thank you @scouten-adobe once again for your review. I have made the requested changes. And looking forward for @gpeacock and @ok-nick 's reviews. |
fix unit tests fix clippy errors
|
Hi @scouten-adobe @gpeacock, to fix the tests I had to add a utility method to create Why not use
|
|
@ok-nick is asking why this is specific to OpenSSL. |
|
@scouten-adobe @gpeacock @ok-nick I am working on supporting rust native crypto provider and fix the failling tests |
- use certificate parsing and validation according to crypto provider - updates unit tests - fix cfg for wasm unittests
|
@scouten-adobe @gpeacock @ok-nick , raw remote signer now supports both rust native crypto and openssl providers. As stated in #1995, we are missing tests for wasm build because httpmock is not supported yet for wasm. |
# Conflicts: # sdk/src/settings/signer.rs
3 participants
Changes in this pull request
This PR implements CAWG remote signing (as requested in #1777 ) by introducing a new type
raw_signer:: RemoteRawSignerThe feature could be tested by enabling the "remote_signing" feature during compilation. and remote signers created with this new method
create_signer::from_remote_urlThe remote_signing is supported only for openssl crypto provider.
The code snippet that converts X509 certificates from PEM to DER in raw_signature::openssl crate was also refactored as a macro under
raw_signature::openssl::cert_chain::cert_chain_to_der!The remote signer could be created by providing a setting configuration to
Contextstruct or by instantiatingX509CredentialHolderfrom aopenssl::signers::remote_signer::RemoteRawSigner.Tests use the
httpmockcrate to create mock servers that responds with valid signature using a (local) signer instantiated withcreate_signer::from_keys.Checklist
TO DOitems (or similar) have been entered as GitHub issues and the link to that issue has been included in a comment.