[PR #589] feat: allow validation of PIV certificate against a CA #597

Open
opened 2026-05-07 00:21:41 +02:00 by BreizhHardware · 0 comments

📋 Pull Request Information

Original PR: https://github.com/ovh/the-bastion/pull/589
Author: @jon4hz
Created: 9/19/2025
Status: 🔄 Open

Base: master ← Head: feat-piv-ca-validation


📝 Commits (2)

  • b1e4b25 feat: allow validation of PIV certificate against a CA
  • d4b3ddc chore: run tidy and perlcritic

📊 Changes

4 files changed (+218 additions, -73 deletions)

View changed files

📝 bin/plugin/open/selfAddIngressKey (+172 -71)
📝 etc/bastion/bastion.conf.dist (+5 -0)
📝 lib/perl/OVH/Bastion/configuration.inc (+17 -0)
📝 lib/perl/OVH/Bastion/ssh.inc (+24 -2)

📄 Description

Hi again,

This PR introduces an option to ensure users can only add ingress keys which have been signed by a predefined, trusted CA.

If an admin configures the new pivValidationCA to point to a CA certificate, the user will be prompted to upload his certificate, instead of the ssh public key. The Bastion then validates the certificate against the configured CA.

The yubico-piv-checker will generate the ssh pubkey based on the provided certificate and return it in the JSON output. There's also a new prompt to ask for "from" IPs, since that information can't be passed with the certificate that easily.

A PR with the required changes for the yubico-piv-checker is here: https://github.com/ovh/yubico-piv-checker/pull/9

Currently everything is implemented in a non-breaking way. Please let me know if you want any changes or have any suggestions.
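The validation flow the description outlines, as an added Go example that is not code from this PR or from yubico-piv-checker: a user certificate is accepted only if it chains to the configured CA, and the ingress key is derived from the certificate's public key in OpenSSH format. The CA, the user certificate and the names newCert, VerifyAgainstCA and SSHPublicKey are constructed for this example and assume P-256 ECDSA keys.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"math/big"
	"time"
)

// SSHPublicKey renders a P-256 certificate key as an OpenSSH public-key line (RFC 5656 wire format).
func SSHPublicKey(pub any) (string, error) {
	ec, ok := pub.(*ecdsa.PublicKey)
	if !ok || ec.Curve != elliptic.P256() {
		return "", errors.New("only ECDSA nistp256 keys are handled in this example")
	}
	var blob []byte // three length-prefixed strings: key type, curve name, uncompressed point
	for _, f := range [][]byte{[]byte("ecdsa-sha2-nistp256"), []byte("nistp256"), elliptic.Marshal(ec.Curve, ec.X, ec.Y)} {
		n := len(f)
		blob = append(append(blob, byte(n>>24), byte(n>>16), byte(n>>8), byte(n)), f...)
	}
	return "ecdsa-sha2-nistp256 " + base64.StdEncoding.EncodeToString(blob), nil
}

// VerifyAgainstCA accepts leaf only if it chains to ca; its key is what becomes the ingress key.
func VerifyAgainstCA(leaf, ca *x509.Certificate) (any, error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return nil, err
	}
	return leaf.PublicKey, nil
}

// newCert issues a constructed test certificate; parent == nil yields a self-signed CA.
func newCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now().Add(-time.Hour),
		NotAfter: time.Now().Add(24 * time.Hour), IsCA: parent == nil, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign} // CertSign is required on the CA by Verify
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
```

A certificate signed by any other CA, even a structurally valid one, is rejected by VerifyAgainstCA before any key is derived, which is the property the pivValidationCA option is meant to enforce.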


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
