Skip to content

Add support for additional CAPI certificate context properties #873

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
joshdrake wants to merge 9 commits into
base: master
Choose a base branch
from
Open

Add support for additional CAPI certificate context properties #873

joshdrake wants to merge 9 commits into from
+169 −14

Conversation

@joshdrake
Copy link
Contributor

@joshdrake joshdrake commented Oct 14, 2025

This PR adds functionality to the capi KMS to support setting the "friendly name" and "description" certificate properties. The tpmkms passes these through as needed.

💔Thank you!

@joshdrake joshdrake marked this pull request as draft October 14, 2025 02:25
@CLAassistant
Copy link

CLAassistant commented Oct 14, 2025
edited
Loading

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you all sign our Contributor License Agreement before we can accept your contribution.
0 out of 2 committers have signed the CLA.

❌ joshdrake
❌ darkfronza
You have signed the CLA already but the status is still pending? Let us recheck it.

@joshdrake joshdrake requested a review from hslatman October 14, 2025 02:25
@hslatman hslatman changed the title Josh/capi set cert context props Add support for additional CAPI certificate context properties Oct 14, 2025
darkfronza
darkfronza reviewed Dec 2, 2025
View reviewed changes
kms/tpmkms/tpmkms.go Outdated
uv.Set("friendly-name", o.friendlyName)
case o.description != "":
uv.Set("description", o.description)
}
Copy link

@darkfronza darkfronza Dec 2, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are those mutually exclusive?

Copy link
Contributor Author

@joshdrake joshdrake Jan 7, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It might not make much sense, but if we're going off the underlying CAPI, they shouldn't be. In our calling code paths, we may want make to only ever provide one, so that we can ensure our desired property is used for retrieval (eg: the description), without worrying about the underlying implementation in capikms.

Copy link

@darkfronza darkfronza Jan 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see, makes sense.

joshdrake
joshdrake commented Jan 7, 2026
View reviewed changes
kms/capi/capi.go Outdated
Comment on lines 356 to 358
canLookupByIssuer := func() bool {
return issuerName != "" && (serialNumber != "" || subjectCN != "" || friendlyName != "" || description != "")
}
Copy link
Contributor Author

@joshdrake joshdrake Jan 7, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why a function here, instead of eg: a const?

Copy link

@darkfronza darkfronza Jan 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, this was relic from previous code when I was updating it, fixed here b78b8bb

joshdrake
joshdrake commented Jan 7, 2026
View reviewed changes
Copy link
Contributor Author

@joshdrake joshdrake left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One nit/question, otherwise lgtm. Need another reviewer to be able to merge, cc @hslatman

joshdrake and others added 8 commits January 8, 2026 09:58
@joshdrake
Allow certificate retrieval by friendly name or description.
8f8bd18
@joshdrake
Improve friendly name and description CAPI getters.
7593fd6
@joshdrake
Correctly handle NOT_FOUND errors for CAPI certificate props.
be697db
@joshdrake
Add friendly name and description CAPI setters.
103f67b
@joshdrake
Pass through 'friendly-name' and 'description' URI params to CAPI KMS.
ec2d36d
@joshdrake
Handle additional parameters in Windows certificate chain loading.
52bc3a3
@darkfronza @joshdrake
Attempt to lookup certificate by issuer when key-id lookup fails
db7f200 
This fixes an issue with agent, where it was unable to find device
certificates due to using a key-id derived from a random string for
certificate lookups.

If the key-id lookup fails automatically attempt lookup by cert+attr
where attr can be one of the certificate atributes, serial number,
friendly-name, description, etc.
@darkfronza @joshdrake
turn canLookupByIssuer into variable
5505db4 
The function was a relic from past refactoring code, not necessary
anymore.
@joshdrake joshdrake force-pushed the josh/capi-set-cert-context-props branch from b78b8bb to 5505db4 Compare January 8, 2026 16:13
@darkfronza
Fix syntax and logic errors after rebasing
2d69037 
- Wrong variable names.
- Added missing forwarding issuer,description,friendly-name params to CAPI.
@darkfronza darkfronza marked this pull request as ready for review January 8, 2026 21:30
@joshdrake
Copy link
Contributor Author

joshdrake commented Jan 8, 2026

Looks good to me, just need @maraino or @hslatman to take a quick look.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@darkfronza darkfronza darkfronza left review comments

@hslatman hslatman Awaiting requested review from hslatman

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

needs triage

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@joshdrake @CLAassistant @darkfronza