From b8ab4b272c6c4de60f0575d2994dc23d026f862d Mon Sep 17 00:00:00 2001
From: Katyal
Date: Tue, 22 May 2018 13:56:53 -0700
Subject: [PATCH] Revert "Add back in the verification of the certs by open SSL library"

This reverts commit 9d13f1b64a637510b0b253b44eefc3e5202d5279.

cr https://code.amazon.com/reviews/CR-2114105
---
 .../plugins/codedeploy/deployment_specification.rb | 13 ++-----------
 1 file changed, 2 insertions(+), 11 deletions(-)

diff --git a/lib/instance_agent/plugins/codedeploy/deployment_specification.rb b/lib/instance_agent/plugins/codedeploy/deployment_specification.rb
index a7bbfb42..689da1ae 100644
--- a/lib/instance_agent/plugins/codedeploy/deployment_specification.rb
+++ b/lib/instance_agent/plugins/codedeploy/deployment_specification.rb
@@ -106,17 +106,8 @@ def self.parse(envelope)
 case envelope.format
 when "PKCS7/JSON"
 pkcs7 = OpenSSL::PKCS7.new(envelope.payload)
-
- # The PKCS7_NOCHAIN flag tells OpenSSL to ignore any PKCS7 CA chain that might be attached
- # to the message directly and use the certificates from provided one only for validating the.
- # signer's certificate.
- #
- # However, it will allow use the PKCS7 signer certificate provided to validate the signature.
- #
- # http://www.openssl.org/docs/crypto/PKCS7_verify.html#VERIFY_PROCESS
- #
- # The ruby wrapper returns true if OpenSSL returns 1
- raise "Validation of PKCS7 signed message failed" unless pkcs7.verify([], @cert_store, nil, OpenSSL::PKCS7::NOCHAIN)
+ pkcs7.verify([], @cert_store, nil, OpenSSL::PKCS7::NOVERIFY)
+ # NOTE: the pkcs7.data field is only populated AFTER pkcs7.verify() is called!
 parse_deployment_spec_data(pkcs7.data)
 when "TEXT/JSON"
 raise "Unsupported DeploymentSpecification format: #{envelope.format}" unless AWS::CodeDeploy::Local::Deployer.running_as_developer_utility?
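Review bot: The new line `pkcs7.verify([], @cert_store, nil, OpenSSL::PKCS7::NOVERIFY)` discards the boolean that `verify` returns, so a payload whose signature does not check out still reaches `parse_deployment_spec_data(pkcs7.data)` on the next line, and the `raise` that previously stopped it is gone. With `NOVERIFY`, as far as I understand the OpenSSL flag, the signer certificate is no longer validated against `@cert_store` either, so the store passed here is effectively unused and any certificate embedded in the message would be accepted as the signer; the commit message gives no rationale for dropping chain validation, and the added NOTE only explains why `verify` must still be called at all. At minimum the result should be enforced again, `raise "Validation of PKCS7 signed message failed" unless pkcs7.verify([], @cert_store, nil, OpenSSL::PKCS7::NOVERIFY)`, and the comment should say what compensating control makes skipping signer-certificate verification acceptable, if one exists. `self.parse` begins before this hunk and its `case` continues past it.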