[Bug] Disabled certificates pass verification #1699

Closed
1 task done
duffney opened this issue Aug 9, 2024 · 4 comments

@duffney
Contributor

duffney commented Aug 9, 2024

What happened in your environment?

Ratify is using a disabled certificate to verify notation signatures.

time=2024-08-09T15:23:41.894773506Z level=info msg=verify result for subject s3cexampleacr1.azurecr.io/azure-voting-app-rust@sha256:ceacb1d776747f5163c45dd88f5823a022e90dcb2349dfabd13bc2b96c973bbc: {
  "isSuccess": true,
  "verifierReports": [
    {
      "subject": "s3cexampleacr1.azurecr.io/azure-voting-app-rust@sha256:ceacb1d776747f5163c45dd88f5823a022e90dcb2349dfabd13bc2b96c973bbc",
      "isSuccess": true,
      "name": "verifier-notation",
      "type": "notation",
      "message": "signature verification success",
      "extensions": {
        "Issuer": "CN=example.com,O=Notation,L=Seattle,ST=WA,C=US",
        "SN": "CN=example.com,O=Notation,L=Seattle,ST=WA,C=US"
      },
      "artifactType": "application/vnd.cncf.notary.signature"
    }
  ]
} component-type=server go.version=go1.22.5 namespace= trace-id=f7711ae6-4b7a-4143-939b-f1139eae153b

Screenshot from 2024-08-09 10-53-53
Screenshot from 2024-08-09 10-54-35

What did you expect to happen?

When a certificate is disabled, I expected the verifier to fail because only enabled certificates should pass verification.

What version of Kubernetes are you running?

1.28.3

What version of Ratify are you running?

v1.3.0

Anything else you would like to add?

This issue arises when a Key Management Provider (KMP) is configured with a certificate that is enabled at the time of the KMP resource's creation but later becomes disabled. If a new certificate version is created and no version is specified in the KMP resource spec, then the issue resolves when the new (latest) certificate is added to the cert/key maps. However, if the old version is specified in the spec, it will still pass verification because it's never removed from the map and it still has a valid public key from the cert stored.

To fix this, I'd suggest adding logic to purge the cert/key maps when the AKV provider encounters a disabled cert or key.

Are you willing to submit PRs to contribute to this bug fix?

  • Yes, I am willing to implement it.
@duffney duffney added bug Something isn't working triage Needs investigation labels Aug 9, 2024
@susanshi susanshi removed the triage Needs investigation label Aug 15, 2024
@susanshi susanshi added this to the v1.3.0 milestone Aug 15, 2024
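
The stale-map behaviour described in the issue, next to the purge it suggests, as an added Go example (not Ratify's code and not written by the issue author). The types, function names and sample values are hypothetical; the cache is modelled as a plain map keyed by certificate name and version.

```go
package main

import "fmt"

// certVersion is a hypothetical stand-in for a key vault certificate version.
type certVersion struct {
	Name, Version string
	Enabled       bool
	PublicKey     string // constructed sample value
}

type certCache map[string]string // hypothetical cert map keyed by "name/version"

// refreshStale skips disabled certs without touching the map, so an entry
// cached while the cert was enabled is never removed (the reported behaviour).
func refreshStale(cache certCache, fetched []certVersion) {
	for _, c := range fetched {
		if c.Enabled {
			cache[c.Name+"/"+c.Version] = c.PublicKey
		}
	}
}

// refreshPurging deletes the cached entry when the cert comes back disabled.
func refreshPurging(cache certCache, fetched []certVersion) {
	for _, c := range fetched {
		if !c.Enabled {
			delete(cache, c.Name+"/"+c.Version)
			continue
		}
		cache[c.Name+"/"+c.Version] = c.PublicKey
	}
}

// pinnedStillTrusted caches a pinned version, disables it, refreshes again,
// and reports whether its public key is still available for verification.
func pinnedStillTrusted(refresh func(certCache, []certVersion)) bool {
	cache := certCache{}
	v1 := certVersion{"signing-cert", "v1", true, "constructed-pubkey-v1"}
	refresh(cache, []certVersion{v1}) // cert enabled when the KMP is created
	v1.Enabled = false
	refresh(cache, []certVersion{v1}) // later refresh sees it disabled
	_, ok := cache["signing-cert/v1"]
	return ok
}

func main() {
	fmt.Println("stale refresh trusts disabled cert:", pinnedStillTrusted(refreshStale))
	fmt.Println("purging refresh trusts disabled cert:", pinnedStillTrusted(refreshPurging))
}
```
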
@binbin-li
Collaborator

It's probably fixed by a recent PR: #1710, @junczhu could you help verify if it works?

@junczhu
Collaborator

junczhu commented Aug 28, 2024

Test done. Checking if we can close this issue.

@junczhu
Collaborator

junczhu commented Aug 28, 2024

image

@junczhu
Collaborator

junczhu commented Aug 28, 2024

image

@junczhu junczhu closed this as completed Aug 28, 2024