Skip to content

feat: Support Private CA for server certificates. #408

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jan 10, 2025
Merged

feat: Support Private CA for server certificates. #408

merged 1 commit into from
Jan 10, 2025

Conversation

@hessjcg
Copy link
Collaborator

@hessjcg hessjcg commented Dec 17, 2024
edited
Loading

Support TLS validation on instances configured with a customer-managed private CA. Includes integration test.

@hessjcg hessjcg requested a review from a team as a code owner December 17, 2024 20:09
@hessjcg hessjcg force-pushed the customer-ca-support branch 4 times, most recently from 2bb7dde to eba701f Compare January 8, 2025 21:08
jackwotherspoon
jackwotherspoon requested changes Jan 8, 2025
View reviewed changes
Copy link
Collaborator

@jackwotherspoon jackwotherspoon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's make sure to add the integration test to all 3 flavors: .ts, .mjs and .cjs files

@hessjcg hessjcg force-pushed the customer-ca-support branch 2 times, most recently from a39c7fb to 2724b5e Compare January 8, 2025 23:19
@hessjcg hessjcg changed the base branch from main to system-test-ts-only January 8, 2025 23:20
@hessjcg hessjcg force-pushed the customer-ca-support branch from 2724b5e to b3e86ef Compare January 8, 2025 23:21
@hessjcg
Copy link
Collaborator Author

hessjcg commented Jan 8, 2025

The mjs & cjs system tests are no longer required thanks to #412

@hessjcg hessjcg force-pushed the customer-ca-support branch from b3e86ef to 183ff64 Compare January 9, 2025 18:41
@hessjcg hessjcg changed the base branch from system-test-ts-only to main January 9, 2025 18:42
@hessjcg hessjcg force-pushed the customer-ca-support branch from 183ff64 to 64a3d17 Compare January 9, 2025 18:48
@hessjcg hessjcg mentioned this pull request Jan 9, 2025
Merged
jackwotherspoon
jackwotherspoon approved these changes Jan 9, 2025
View reviewed changes
Copy link
Collaborator

@jackwotherspoon jackwotherspoon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM ✅

@jackwotherspoon
Copy link
Collaborator

jackwotherspoon commented Jan 9, 2025

Looks like tests are not happy...

jackwotherspoon
jackwotherspoon reviewed Jan 9, 2025
View reviewed changes
src/socket.ts Outdated
) {
return (hostname: string, cert: tls.PeerCertificate): Error | undefined => {
if (serverCaMode === 'GOOGLE_MANAGED_CAS_CA') {
if (!serverCaMode || serverCaMode !== 'GOOGLE_MANAGED_INTERNAL_CA') {
Copy link
Collaborator

@jackwotherspoon jackwotherspoon Jan 9, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i wonder if for this being undefined is causing issues potentially...

Copy link
Collaborator Author

@hessjcg hessjcg Jan 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tests were failing due to a logic error. I fixed it: !serverCaMode || serverCaMode === 'GOOGLE_MANAGED_INTERNAL_CA'

@hessjcg
feat: Support Private CA for server certificates.
c4a031c 
test: Integration test for Customer Private CA CAS instance.
@hessjcg hessjcg force-pushed the customer-ca-support branch from 64a3d17 to c4a031c Compare January 10, 2025 17:18
@hessjcg hessjcg merged commit 36f1304 into main Jan 10, 2025
26 checks passed
@hessjcg hessjcg deleted the customer-ca-support branch January 10, 2025 17:23
@release-please release-please bot mentioned this pull request Jan 10, 2025
Merged
hessjcg added a commit to GoogleCloudPlatform/cloud-sql-go-connector that referenced this pull request Jan 10, 2025
@hessjcg
chore: Simplify server cert validation logic to distinguish legacy fr…
e88d82a 
…om CA validation (#910)

Going forward, both GOOGLE_MANAGED_CAS_CA, CUSTOMER_MANAGED_CAS_CA, and future new kinds
of CA will use standard TLS domain name validation using the server certificate SAN records. The certificate
validation logic for the original GOOGLE_MANAGED_INTERNAL_CA is now the exception.

See implementation in other connectors:

feat: Support Private CA for server certificates. GoogleCloudPlatform/cloud-sql-nodejs-connector#408
feat: Support Customer CAS Private CA for server certificates. GoogleCloudPlatform/cloud-sql-jdbc-socket-factory#2095
@release-please release-please bot mentioned this pull request Jan 8, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jackwotherspoon jackwotherspoon jackwotherspoon approved these changes

Assignees

@jackwotherspoon jackwotherspoon

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@hessjcg @jackwotherspoon