Add optional mTLS support to the tang pin#566
Open
liyue32 wants to merge 1 commit into
Open
Conversation
Allow the tang pin to authenticate to the Tang server with mutual TLS. Three new optional config properties are accepted by clevis-encrypt-tang: cacert - CA bundle to verify the server certificate (curl --cacert) cert - client certificate for mTLS (curl --cert) key - private key for the client certificate (curl --key) When none are set, behaviour is unchanged. The paths are persisted into the JWE protected header so clevis-decrypt-tang reuses them for the recovery (POST /rec) request without extra configuration. Add a pin-tang-mtls integration test (TLS-fronted tangd via socat with mandatory client-cert verification) plus tang_generate_certs and tang_run_mtls helpers. The test skips cleanly when openssl or a socat built with OpenSSL support is unavailable.
Collaborator
|
/packit test |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds optional mutual-TLS (mTLS) support to the Tang pin, allowing Clevis to authenticate to a Tang server (typically fronted by a TLS-terminating reverse proxy) with a client certificate, and to verify the server certificate against a custom CA.
The feature is fully opt-in: when none of the new properties are set, the pin behaves exactly as before (plain HTTP/HTTPS with the system's default CA trust). Existing JWEs and workflows are unaffected.
Motivation
Adding mTLS lets the Tang server (typically via a TLS-terminating reverse proxy) authenticate the client's identity through its client certificate. This unlocks per-machine access control on top of the existing network-binding model. In particular, single-machine revocation: revoking or refusing a specific client certificate immediately prevents that one machine from recovering its keys, without affecting any other machine or requiring key rotation on the server. This matches how we want to adopt Clevis out of the box at Meta: bind machines to Tang for automated unlock, and retain the ability to revoke an individual host's recovery access by its identity. It's also useful more generally for any deployment where the Tang server is fronted by HTTPS with client-certificate authentication, or uses a server certificate signed by a private/internal CA.
What changed
Three new optional config properties are accepted by clevis encrypt tang:
When any of above are set:
Example:
Backward compatibility
Tests