Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

UI: catch error when verifying certificates with unsupported signature algorithms #21926

Merged

Conversation

hellobontempo
Copy link
Contributor

The pki.js library doesn't support the ed25519 key type source code so our verify() function was failing when checking whether or not a certificate is a root.

This wraps the verify function in a try...catch so if the verify function fails, we instead check the authority key ID includes the signature key ID.

@hellobontempo hellobontempo added ui bug Used to indicate a potential bug backport/1.14.x hashicorp-contributed-pr If the PR is HashiCorp (i.e. not-community) contributed labels Jul 18, 2023
@hellobontempo hellobontempo added this to the 1.14.1 milestone Jul 18, 2023
Comment on lines 147 to 148
// ed25519 is an unsupported signature algorithm
// catch the error and instead check the AKID (authority key ID) includes the SKID (subject key ID)
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should i move this comment to the catch block? 🤔

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think moving it makes sense!

Copy link
Contributor

@hashishaw hashishaw left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the quick turnaround! Just one small change, otherwise looks good (and thanks for the test!)

I think maybe we could also add one more acceptance test ensuring that viewing a ed25519 issuer renders fine on the page

try {
// ed25519 is an unsupported signature algorithm
// catch the error and instead check the AKID (authority key ID) includes the SKID (subject key ID)
return await child.verify(parent);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We don't need await here, we can just return child.verify directly and even remove async on the method since we're just returning the promise

Copy link
Contributor Author

@hellobontempo hellobontempo Jul 18, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I didn't hit the error block without the await 🤔

@github-actions
Copy link

Build Results:
All builds succeeded! ✅

const skidExtension = parent.extensions.find((ext) => ext.extnID === OTHER_OIDs.subject_key_identifier);
const akidExtension = parent.extensions.find((ext) => ext.extnID === OTHER_OIDs.authority_key_identifier);
const skid = new Uint8Array(skidExtension.parsedValue.valueBlock.valueHex);
const akid = new Uint8Array(akidExtension.extnValue.valueBlock.valueHex);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wanna add the note about why we did this? :-)

SKID is just the byte array of the key identifier, but AKID is a SEQUENCE-type extension which does include the key identifier but also potentially includes other information. This saves us a parse of AKID and is unlikely to return false-positives.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes! I was going to consult you about how to concisely explain :) thank you!

// catch the error and instead check the AKID (authority key ID) includes the SKID (subject key ID)
return await child.verify(parent);
} catch (error) {
const skidExtension = parent.extensions.find((ext) => ext.extnID === OTHER_OIDs.subject_key_identifier);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I do think there's some (imported) certificates this could fail on due to them not conforming with RFC 5280; do we want to safe-guard this if there's a missing SKID or AKID extension? I think failing and returning false is fine here, IMO? At worse we have a false-negative, which should be less likely than the false-positive case if we return true.

Or, do the plumbing to make this return an unknown status, which seems like more work than its worth, tbh (since that's what this exception was doing, technically, and would mean handling that).

Just some thoughts :-)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think that's a good idea, will return false as a fallback

@github-actions
Copy link

CI Results:

All Go tests passed! ✅

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Used to indicate a potential bug hashicorp-contributed-pr If the PR is HashiCorp (i.e. not-community) contributed ui
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants