Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix broken node API x509 validation #655

Merged
merged 2 commits into from
Dec 20, 2018
Merged

fix broken node API x509 validation #655

merged 2 commits into from
Dec 20, 2018

Conversation

azdagron
Copy link
Member

The gRPC server TLS configuration was misconfigured to only request a
client certificate, but not perform validation. The implication is that
a certificate chained to any root with an expected SPIFFE ID could
impersonate a node SVID and obtain workload SVIDs.

@azdagron
fix broken node API x509 validation
4a95117 
The gRPC server TLS configuration was misconfigured to only request a
client certificate, but not perform validation. The implication is that
a certificate chained to any root with an expected SPIFFE ID could
impersonate a node SVID and obtain workload SVIDs.

Signed-off-by: Andrew Harding <[email protected]>
@azdagron azdagron force-pushed the fix-broken-node-x509-validation branch from 8e2f039 to 4a95117 Compare December 19, 2018 22:51
@mcpherrinm
Copy link
Contributor

Given the severity of this, I think I'd like to see a regression test added somewhere.

I've seen this exact bug pop up in half the Golang TLS client-cert projects I've worked on ....

@azdagron
Copy link
Member Author

azdagron commented Dec 19, 2018
edited
Loading

The unit tests ensure the TLS config is correct, but I agree, an explicit test using client TLS connections to the gRPC server would be a stronger assertion. I'll add such a test.

evan2645
evan2645 reviewed Dec 19, 2018
View reviewed changes
Copy link
Member

@evan2645 evan2645 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks for this @azdagron. a functional test that actually starts the endpoints and tries to connect to them with various TLS configurations would go a long way I think.

we'll need to backport this one and cut some releases

pkg/server/endpoints/node/handler.go Outdated
if len(tlsInfo.State.PeerCertificates) == 0 {
return nil, errors.New("PeerCertificates was empty")
if len(tlsInfo.State.VerifiedChains) == 0 {
return nil, errors.New("VerifiedChains was empty")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I know this is similar to the previous error, but it would be good to be more descriptive here (and below as well)

evan2645
evan2645 approved these changes Dec 20, 2018
View reviewed changes
Copy link
Member

@evan2645 evan2645 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks again @azdagron

@azdagron azdagron merged commit 6402c88 into spiffe:master Dec 20, 2018
@azdagron azdagron deleted the fix-broken-node-x509-validation branch December 20, 2018 05:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@evan2645 evan2645 evan2645 approved these changes

@amartinezfayo amartinezfayo Awaiting requested review from amartinezfayo

@MarcosDY MarcosDY Awaiting requested review from MarcosDY

@martincapello martincapello Awaiting requested review from martincapello

@walmav walmav Awaiting requested review from walmav

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@azdagron @mcpherrinm @evan2645