Fix parse authorized keys script to work with OpenSSL 3.0.2 (#39)

* Fix parse authorized keys script to work with OpenSSL 3.0.2 * update changelog Co-authored-by: Jacob Meisler <meislerj@amazon.com>
aws · May 9, 2022 · a6dbf0b · a6dbf0b
1 parent 5c7b25a
commit a6dbf0b
Show file tree

Hide file tree

Showing 5 changed files with 19 additions and 7 deletions.
diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-1.1-15
+1.1-17
diff --git a/debian/changelog b/debian/changelog
@@ -1,3 +1,11 @@
+ec2-instance-connect (1.1.17) xenial; urgency=high
+
+  * Ubuntu 22.04 upgrades OpenSSL to 3.0.2, which breaks strict x509 verification for one of our intermediate CA certificates.
+  * Only verify CA certificates that aren't already trusted in /etc/ssl/certs.
+  * OpenSSL 3.0.2 also changes the formatting of the SHA1 fingerprint of an x509 certificate. Switch to a case insensitive match to be backwards and forwards compatible between OpenSSL versions.
+
+-- Jacob Meisler <meislerj@amazon.com>  Mon, May 9 2022 12:30:00 -0400
+
 ec2-instance-connect (1.1.15) xenial; urgency=high
 
   * Change EIC Hostkeys Harvesting to be asynchronous from SSHD to improve instance boot time

diff --git a/integration-test/test/hostkey_test.sh b/integration-test/test/hostkey_test.sh
@@ -72,7 +72,7 @@ sudo chmod 644 /etc/ssh/ssh_host_rsa_key.pub
 pubkey=$(cat /etc/ssh/ssh_host_rsa_key.pub | awk '{$1=$1};1')
 
 echo "Retriggering host key harvesting"
-sudo systemctl restart ec2-instance-connect.service
+sudo systemctl restart ec2-instance-connect-harvest-hostkeys.service
 
 echo "Retrieving keys from service"
 sign () {

diff --git a/rpmsrc/SPECS/generic.spec b/rpmsrc/SPECS/generic.spec
@@ -157,6 +157,10 @@ fi
 
 
 %changelog
+* Mon May 9 2022 Jacob Meisler <meislerj@amazon.com> 1.1-17
+- OpenSSL 3.0.2 breaks strict x509 verification for one of our intermediate CA certificates.
+- Only verify CA certificates that aren't already trusted in /etc/ssl/certs.
+- OpenSSL 3.0.2 also changes the formatting of the SHA1 fingerprint of an x509 certificate. Switch to a case insensitive match to be backwards and forwards compatible between OpenSSL versions.
 * Thu Sep 9 2021 Vishrutha Konappa Reddy <vkreddy@amazon.com> 1.1-15
 - Change EIC Hostkeys Harvesting to be asynchronous from SSHD to improve instance boot time
 - Rename and enable ec2-instance-connect-harvest-hostkeys.service. Remove pointer to old ec2-instance-connect.service.

diff --git a/src/bin/eic_parse_authorized_keys b/src/bin/eic_parse_authorized_keys
@@ -50,7 +50,7 @@ removeprefix () {
 verifyocsp() {
     # First check if this cert is already trusted
     cname=$("${2}" x509 -noout -subject -in "${3}" 2>/dev/null | /bin/sed -n -e 's/^.*CN[[:blank:]]*=[[:blank:]]*//p')
-    fingerprint=$("${2}" x509 -noout -fingerprint -sha1 -inform pem -in "${3}"  2>/dev/null | /bin/sed -n 's/SHA1 Fingerprint[[:space:]]*=[[:space:]]*\(.*\)/\1/p' | tr -d ':')
+    fingerprint=$("${2}" x509 -noout -fingerprint -sha1 -inform pem -in "${3}"  2>/dev/null | /bin/sed -n 's/SHA1 Fingerprint[[:space:]]*=[[:space:]]*\(.*\)/\1/pI' | tr -d ':')
     ocsp_out=$("${2}" ocsp -no_nonce -issuer "${4}" -cert "${3}" -VAfile "${4}" -respin "${5}/${fingerprint}" 2>/dev/null)
     ocsp_exit="${?}"
     if [ "${ocsp_exit}" -ne 0 ] || ! startswith "${ocsp_out}" "${3}: good" ; then
@@ -143,10 +143,10 @@ if [ "${end}" -gt 0 ] ; then
 fi
 
 # Build the intermediate trust chain
-/bin/touch "${tmpdir}/ca-trust.pem"
-for i in $(/usr/bin/seq 1 "${end}") ; do
-  /bin/cat "${tmpdir}/cert${i}.pem" >> "${tmpdir}/ca-trust.pem"
-done
+# We only need to verify the first intermediate certificate since it's signed by Amazon Root CA 1, which
+# is already trusted by the system (in /etc/ssl/certs).
+/usr/bin/cp "${tmpdir}/cert1.pem" "${tmpdir}/ca-trust.pem"
+
 if [ -d "${ca_path}" ] ; then
     subject=$("${OPENSSL}" x509 -noout -subject -in "${tmpdir}/cert${end}.pem" | /bin/sed -n -e 's/^.*CN[[:space:]]*=[[:space:]]*//p')
     underscored=$(/bin/echo "${subject}" | /usr/bin/tr -s ' ' '_') 2>/dev/null