Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: make PKCS#12 truststores deterministic #455

Closed
wants to merge 1 commit into from

Conversation

erikgb
Copy link
Contributor

@erikgb erikgb commented Oct 12, 2024

This PR might appear a bit controversial, since it short-circuits the random generator for our PKCS#12 truststores. 🤠 But there is a reason! My end goal is to greatly simplify the Bundle controller by removing the needsUpdate-logic and replacing it with well-tuned, but unconditional, SSA requests.

@cert-manager-prow cert-manager-prow bot added the dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. label Oct 12, 2024
@cert-manager-prow
Copy link
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from erikgb. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@cert-manager-prow cert-manager-prow bot added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label Oct 12, 2024
@erikgb erikgb force-pushed the pkcs12-deterministic branch 4 times, most recently from 3b34d2d to 0049e69 Compare October 12, 2024 16:55
// Short-circuiting the rand generator to make our PKCS#12 truststores deterministic.
// This should allow use of unconditional SSA requests from controller.
// See: https://cert-manager.io/docs/faq/#why-are-passwords-on-jks-or-pkcs12-files-not-helpful
WithRand(rand.New(rand.NewSource(1))) //#nosec G404
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can this behaviour be made optional/tunable by the user/administrator? I imagine some environments may require use of a secure randomness source even if the underlying algorithm is considered insecure, though I'm not sure. What does other software in this space do?

Copy link
Contributor Author

@erikgb erikgb Oct 12, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can this behaviour be made optional/tunable by the user/administrator?

No, not without losing the opportunity to greatly simplify the controller (drop the needsUpdate-logic). Dropping a secure random source here is for sure controversial. But I think it could be worth it to simplify our code. Some additional arguments:

  • Our password-less PKCS#12 (the default) is deterministic.
  • We already stated (in our FAQ) that we support keystores/truststores for legacy reasons, and not because we consider them the recommended approach.
  • We already got a suggestion to include the truststore password just next to the truststore in the target configmap/secret. If we decide to implement anything in this direction, a requirement for a secure random source becomes even more meaningless.

What does other software in this space do?

No idea. I am pretty sure that any software producing PKCS#12 truststores with a password attempts to use a secure random source. But a password-less PKCS#12 is the new standard for truststores in Java - after they abandoned JKS.

@@ -21,6 +21,7 @@ import (
"crypto/sha256"
"encoding/hex"
"fmt"
"math/rand"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

suggestion: Completely separate from James' concern (which may be a blocker). Sorry for the hastily written comment below!

I think if we're going to do import math/rand it should be in a separate package entirely, so it's "quarantined". When we work on this file in the future we don't want to assume that rand means crypto/rand.

I'd create internal/insecurerand/insecurerand.go, have it expose var Rand io.Reader = rand.New(rand.NewSource(1)).

That was this file would import insecurerand.Rand and math/rand would be contained to one file only so it couldn't accidentally be used.

That said, math/rand.Reader says it's not safe for concurrent use:

Unlike the default Source used by top-level functions, this source is not safe for concurrent use by multiple goroutines.

Might that be an issue if a user has multiple bundles?

Further to that, is a seeded rand actually what we want? We want a deterministic io.Reader - could we create a bytes.Buffer with say N bytes all set to zero and use a reader on that instead? It looks like the use of rand doesn't actually need that many bytes: https://github.com/SSLMate/go-pkcs12/blob/v0.5.0/pkcs12.go#L705

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Many good points here! Thanks Ash! I will update this PR - even if it's unlikely it will get merged.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have updated the PR now addressing some of your comments.

@erikgb erikgb force-pushed the pkcs12-deterministic branch from 0049e69 to 101312e Compare October 17, 2024 18:30
@cert-manager-prow cert-manager-prow bot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Oct 17, 2024
@erikgb erikgb force-pushed the pkcs12-deterministic branch 2 times, most recently from 67b2a69 to 918efc8 Compare October 17, 2024 18:35
@erikgb erikgb force-pushed the pkcs12-deterministic branch from 918efc8 to 5b8ec64 Compare October 17, 2024 18:37
@SgtCoDFish
Copy link
Member

I've asked Venafi's security team if they have any input on this relating to auditing / compliance concerns - will report back if I hear anything!

@SgtCoDFish
Copy link
Member

Feedback was that it's unlikely an auditor would know any context when they see something like this, and they're likely to just raise an issue that would create a bunch of extra work if they see this. They might not see it depending on how they scan, but in any case it feels like deterministic PKCS#12 might be a non-starter unfortunately 🙃

@erikgb
Copy link
Contributor Author

erikgb commented Oct 24, 2024

Thanks for all the input @SgtCoDFish @munnerz! I am going to close this PR now and shift my focus to how we can improve the current needsUpdate logic to be less error-prone. Handling data with randomness using SSA is not easy. 😅

@erikgb erikgb closed this Oct 24, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants