Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

creds/aws: Add support for DSA signature verification for EC2 #12340

Merged
merged 8 commits into from
Aug 19, 2021
Merged

creds/aws: Add support for DSA signature verification for EC2 #12340

merged 8 commits into from
Aug 19, 2021

Conversation

jasonodonnell
Copy link
Contributor

DSA support was dropped in Go 1.16 which is used by the EC2 auth method for verifying signatures. Since this was dropped from a core library and EC2 needs DSA support until we can switch to RSA, I needed to bring in the external package we were using for verification and alter the code to add support. RSA adoption is a high priority task so we can formally deprecate the DSA support in Vault.

@vercel vercel bot temporarily deployed to Preview – vault August 17, 2021 19:16 Inactive
@vercel vercel bot temporarily deployed to Preview – vault-storybook August 17, 2021 19:16 Inactive
@vercel vercel bot temporarily deployed to Preview – vault August 17, 2021 19:34 Inactive
@vercel vercel bot temporarily deployed to Preview – vault-storybook August 17, 2021 19:34 Inactive
@vercel vercel bot temporarily deployed to Preview – vault August 17, 2021 20:07 Inactive
@vercel vercel bot temporarily deployed to Preview – vault-storybook August 17, 2021 20:07 Inactive
sgmiller
sgmiller approved these changes Aug 18, 2021
View reviewed changes
Copy link
Collaborator

@sgmiller sgmiller left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks fine to me, a straight lift of the PKCS7 routines we need.

@vercel vercel bot temporarily deployed to Preview – vault-storybook August 18, 2021 20:11 Inactive
@vercel vercel bot temporarily deployed to Preview – vault August 18, 2021 20:11 Inactive
@vercel vercel bot temporarily deployed to Preview – vault-storybook August 18, 2021 20:32 Inactive
@vercel vercel bot temporarily deployed to Preview – vault August 18, 2021 20:32 Inactive
@kalafut kalafut added this to the 1.8.2 milestone Aug 18, 2021
@vercel vercel bot temporarily deployed to Preview – vault-storybook August 18, 2021 21:12 Inactive
@vercel vercel bot temporarily deployed to Preview – vault August 18, 2021 21:12 Inactive
@jasonodonnell jasonodonnell merged commit 01484ca into main Aug 19, 2021
@jasonodonnell jasonodonnell deleted the aws-dsa branch August 19, 2021 13:16
jasonodonnell added a commit that referenced this pull request Aug 19, 2021
@jasonodonnell @calvn
creds/aws: Add support for DSA signature verification for EC2 (#12340)
054e4fd 
* creds/aws: import pkcs7 verification package

* Add DSA support

* changelog

* Add DSA to correct verify function

* Remove unneeded tests

* Fix backend test

* Update builtin/credential/aws/pkcs7/README.md

Co-authored-by: Calvin Leung Huang <[email protected]>

* Update builtin/credential/aws/path_login.go

Co-authored-by: Calvin Leung Huang <[email protected]>

Co-authored-by: Calvin Leung Huang <[email protected]>
jasonodonnell added a commit that referenced this pull request Aug 20, 2021
@jasonodonnell @calvn
creds/aws: Add support for DSA signature verification for EC2 (#12340) (
407532f 
#12361)

* creds/aws: import pkcs7 verification package

* Add DSA support

* changelog

* Add DSA to correct verify function

* Remove unneeded tests

* Fix backend test

* Update builtin/credential/aws/pkcs7/README.md

Co-authored-by: Calvin Leung Huang <[email protected]>

* Update builtin/credential/aws/path_login.go

Co-authored-by: Calvin Leung Huang <[email protected]>

Co-authored-by: Calvin Leung Huang <[email protected]>

Co-authored-by: Calvin Leung Huang <[email protected]>
@DaspawnW DaspawnW mentioned this pull request Sep 8, 2021
Closed
@maths22 maths22 mentioned this pull request Sep 8, 2021
Closed
ncabatoff pushed a commit that referenced this pull request Dec 14, 2021
@jasonodonnell @calvn @ncabatoff
creds/aws: Add support for DSA signature verification for EC2 (#12340)
9a6cb65 
* creds/aws: import pkcs7 verification package

* Add DSA support

* changelog

* Add DSA to correct verify function

* Remove unneeded tests

* Fix backend test

* Update builtin/credential/aws/pkcs7/README.md

Co-authored-by: Calvin Leung Huang <[email protected]>

* Update builtin/credential/aws/path_login.go

Co-authored-by: Calvin Leung Huang <[email protected]>

Co-authored-by: Calvin Leung Huang <[email protected]>
ncabatoff added a commit that referenced this pull request Dec 14, 2021
@ncabatoff
Upgrade to Go 1.16.12. (#13417)
e10e350 
* Move to Go 1.16.12 and newer cimg docker images for CI. (#13422)
* Update MongoDB tests to not fail in Go 1.16 (#11533)
* Upgrade snappy to fix panic with identity/packer on Go 1.16+arm64. (#12371) (#12375)
* creds/aws: Add support for DSA signature verification for EC2 (#12340)
jcharum pushed a commit to grailbio/base that referenced this pull request Jun 2, 2022
@jcharum
[BENG-40] ec2util: future-proof aws identitiy document verify
53676e2 
Summary:
AWS Identity Documents are signed with DSA-with-SHA1 signatures, and DSA is
removed from x509/crypto as of Go 1.16. This follows an approach done
by hashicorp/vault#12340, by forking in
https://github.com/mozilla-services/pkcs7 and applying the DSA fix
mozilla-services/pkcs7#50.

Test Plan: - Tested Bazel build and go build from within the folder

Reviewers: aeiser, dborcherding, sdunn, anguyen, gvitta, bbentson

Reviewed By: dborcherding, sdunn

Subscribers: jcharumilind, dnicolaou, pboyapalli, smahadevan

Differential Revision: https://phabricator.grailbio.com/D66326

fbshipit-source-id: cafa39b
swenson pushed a commit that referenced this pull request Dec 22, 2022
Add LICENSE back to pkcs7
c113c71 
This was not copied over when the this code was
copied in #12340.

Also adds a stub for the `.copywrite.hcl` file (for when
Vault is onboarded to Copywrite) and adds the `pkcs7` and
`ui/node_modules` to the ignore pattern.
@swenson swenson mentioned this pull request Dec 22, 2022
Merged
swenson pushed a commit that referenced this pull request Dec 22, 2022
Add LICENSE back to pkcs7 (#18527)
cf03a86 
This was not copied over when the this code was
copied in #12340.

Also adds a stub for the `.copywrite.hcl` file (for when
Vault is onboarded to Copywrite) and adds the `pkcs7` and
`ui/node_modules` to the ignore pattern.
AnPucel pushed a commit that referenced this pull request Jan 14, 2023
@AnPucel
Add LICENSE back to pkcs7 (#18527)
a7ed245 
This was not copied over when the this code was
copied in #12340.

Also adds a stub for the `.copywrite.hcl` file (for when
Vault is onboarded to Copywrite) and adds the `pkcs7` and
`ui/node_modules` to the ignore pattern.
AnPucel pushed a commit that referenced this pull request Feb 3, 2023
@AnPucel
Add LICENSE back to pkcs7 (#18527)
81e5d7f 
This was not copied over when the this code was
copied in #12340.

Also adds a stub for the `.copywrite.hcl` file (for when
Vault is onboarded to Copywrite) and adds the `pkcs7` and
`ui/node_modules` to the ignore pattern.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@calvn calvn calvn approved these changes

@sgmiller sgmiller sgmiller approved these changes

@kalafut kalafut Awaiting requested review from kalafut

@briankassouf briankassouf Awaiting requested review from briankassouf

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
1.8.2
Development

Successfully merging this pull request may close these issues.
4 participants
@jasonodonnell @sgmiller @calvn @kalafut