Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update AWS auth method certificates #15719

Merged
merged 2 commits into from
Jun 1, 2022
Merged

Update AWS auth method certificates #15719

merged 2 commits into from
Jun 1, 2022

Conversation

swenson
Copy link
Contributor

@swenson swenson commented May 31, 2022

Add tests that the rsa2048 document can also be verified using the
pkcs7 field for AWS auth.

Due to the use of SHA-1-based signatures for the identity and pkcs7
methods, we want to encourage moving toward using the RSA 2048 workflow,
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/verify-rsa2048.html

This doesn't require code changes for Vault necessarily, but adding in
the (many) certificates will help end users.

Also adds rsa2048 option to API to fetch the RSA 2048 signature.

I will make a PR to update to the AWS auth docs to document the RSA 2048
flow soon after this.

I ran the AWS acceptance tests manually to verify that the RSA 2048 flow works as expected.

Update AWS auth method certificates
8c4454c 
Add tests that the `rsa2048` document can also be verified using the
`pkcs7` field for AWS auth.

Due to the use of SHA-1-based signatures for the `identity` and `pkcs7`
methods, we want to encourage moving toward using the RSA 2048 workflow,
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/verify-rsa2048.html

This doesn't require code changes for Vault necessarily, but adding in
the (many) certificates will help end users.

Also adds `rsa2048` option to API to fetch the RSA 2048 signature.

I will make a PR to update to the AWS auth docs to document the RSA 2048
flow soon after this.
@swenson swenson requested a review from a team May 31, 2022 22:18
austingebauer
austingebauer reviewed Jun 1, 2022
View reviewed changes
Copy link
Contributor

@austingebauer austingebauer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Left a few comments and questions. Generally looks good to me.

api/auth/aws/aws.go Show resolved Hide resolved
builtin/credential/aws/certificates.go Outdated
// Copied from:
// curl https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/verify-pkcs7.html | pcregrep -M -o -e '(?s)-----BEGIN CERTIFICATE-----[^>]*-----END CERTIFICATE-----'
// Last updated: 2022-05-31
var pkcs7RawCerts = `-----BEGIN CERTIFICATE-----
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: perhaps can use const for these?

builtin/credential/aws/certificates.go

// These certificates are for verifying RSA 2048 signatures.
// Copied from:
// curl https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/verify-rsa2048.html | pcregrep -M -o -e '(?s)-----BEGIN CERTIFICATE-----[^>]*-----END CERTIFICATE-----'
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice! I was going to ask if you automated pulling these into the code somehow 😄

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Crafting the right grep was a challenge on macOS :)

api/auth/aws/aws.go
@@ -42,6 +42,7 @@ const (
ec2Type = "ec2"
pkcs7Type = "pkcs7"
identityType = "identity"
rsa2048Type = "rsa2048"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: can add this type to the comment on AWSAuth.signatureType

austingebauer
austingebauer approved these changes Jun 1, 2022
View reviewed changes
Copy link
Contributor

@austingebauer austingebauer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@swenson
Copy link
Contributor Author

swenson commented Jun 1, 2022

Thanks!

@swenson swenson merged commit df79e2c into main Jun 1, 2022
@swenson swenson deleted the vault-6394/aws-auth-sha1 branch June 1, 2022 17:26
@swenson swenson added this to the 1.11.0-rc1 milestone Jun 1, 2022
Merged
Gabrielopesantos pushed a commit to Gabrielopesantos/vault that referenced this pull request Jun 6, 2022
@swenson @Gabrielopesantos
Update AWS auth method certificates (hashicorp#15719)
75f81a2 
Update AWS auth method certificates

Add tests that the `rsa2048` document can also be verified using the
`pkcs7` field for AWS auth.

Due to the use of SHA-1-based signatures for the `identity` and `pkcs7`
methods, we want to encourage moving toward using the RSA 2048 workflow,
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/verify-rsa2048.html

This doesn't require code changes for Vault necessarily, but adding in
the (many) certificates will help end users.

Also adds `rsa2048` option to API to fetch the RSA 2048 signature.

I will make a PR to update to the AWS auth docs to document the RSA 2048
flow soon after this.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@austingebauer austingebauer austingebauer approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
1.11.0-rc1
Development

Successfully merging this pull request may close these issues.
2 participants
@swenson @austingebauer