Remove unnecessary actions #1
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
cipherboy
force-pushed
the
add-test-actions
branch
9 times, most recently
from
876cef0
to
edfeb4d
Compare
2 tasks
cipherboy
force-pushed
the
add-test-actions
branch
8 times, most recently
from
5d7be74
to
a44d498
Compare
HashiCorp Vault v1.14.10 reports fixing the following security vulnerability: > auth/cert: compare public keys of trusted non-CA certificates with > incoming client certificates to prevent trusting certs with the same > serial number but not the same public/private key. [GH-25649] From this, we can deduce that there is an issue with validating the authenticity of leaf certificates. Luckily there is only one code path so the fix location is obvious. Note that the issue lies in how the check is performed: a client may present an arbitrary certificate from an arbitrary CA (even a self-signed one if it contains an AuthorityKeyId extension), which will be accepted, assuming it matches the AKID and Serial Number of a present, explicitly trusted leaf certificate. In particular, while the authenticity of the TLS connection is verified (insofar as the presented certificate matches the TLS channel via valid signature), the authorization check is malformed as it does not correctly tie the channel's connection key to the key contained in the certificate. This check is sufficient to differentiate certificates from different CAs, say, for the purpose of chain building, but is not strong enough for authentication and authorization. In the past, several CAs (such as the production grade Dogtag PKI or a manual OpenSSL CA) have defaulted to sequential serial numbers, though, AKIDs would likely still be unique unless key material was reused between different CAs (typically unlikely unless an intermediate CA was re-issued with the same key material but longer expiration). However, most CAs correspond to the CA/BF's guidelines which require at least 20 bits of entropy, and thus would be less likely to run into this organically, even with reused CA public keys. See also: https://github.com/hashicorp/vault/releases/tag/v1.14.10 See also: https://discuss.hashicorp.com/t/hcsec-2024-05-vault-cert-auth-method-did-not-correctly-validate-non-ca-certificates/63382 See also: https://cabforum.org/working-groups/server/baseline-requirements/documents/ Resolves: openbao#172 Signed-off-by: Alexander Scheel <alexander.m.scheel@gmail.com>
This retains the original HashiCorp upstream build & test pipelines, cleaning them up for OpenBao and removing HashiCorp internal tooling references that aren't necessary for us. The CI pipeline currently fails with test errors and commenting will need to be tested on the main repository with an appropriately scoped token. However, builds pass and produce usable, unsigned artifacts. This can form the basis of a proper (signed) release pipeline eventually, taking actions from the build stage of the tagged release commit and signing and verifying them. In order to fix CI, some changes to the Go modules were done, removing redundant tooling packages and re-adding the kubernetes integration tests. This also fixes CI to correctly run api & sdk tests, fixing openbao#61 again. Removed, unnecessary actions: - actionlint was used to allow-list actions upstream, - add-hashicorp-contributed-label was used to add a label to internal PRs for visibility, - backport was the tool to automatically backport PRs, - milestone-checker was used to ensure PRs had appropriate milestones prior to merge, - oss was used to classify issues against the specified label category - remove-labels was used to clean up issues & PRs - security-scan requires internal tooling not made public - test-ci-bootstrap & test-ci-cleanup are both part of the complex Enos integration tests, which were removed in 85455fb due to resource requirements. Resolves: openbao#31 Resolves: openbao#42 Resolves: openbao#152 Related: openbao#153 Signed-off-by: Alexander Scheel <alexander.m.scheel@gmail.com>
naphelps
force-pushed
the
add-test-actions
branch
from
a44d498
to
37a0b1b
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Testing PR for GH Actions...