
Allow empty x509 bundles to be sent in responses #288

Merged
merged 4 commits into from
Jun 17, 2024

Conversation

sorindumitru
Contributor

Otherwise federating with a trust domain that publishes an empty trust bundle at some point will cause your workloads to stop being able to fetch SVIDs. The only result of that should be the inability to verify SVIDs from the federated trust domain.

The specification already allows this to happen.

This causes the workload to be unable to fetch X509-SVIDs, even though its own trust domain still has a valid trust bundle.

Signed-off-by: Sorin Dumitru <sorin@returnze.ro>
The specification already allows this to happen: https://github.com/spiffe/spiffe/blob/main/standards/SPIFFE_Trust_Domain_and_Bundle.md#413-keys

Signed-off-by: Sorin Dumitru <sorin@returnze.ro>
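The behaviour the description asks for, as an added Go example (not go-spiffe's own code; the BundleSet, sign and Demo names are assumed, and the trust domains, keys and certificates are constructed inside the code): a zero-key bundle for a federated domain stays in the set, the workload's own example.org SVID still verifies, and only an SVID from the federated domain fails.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"net/url"
	"time"
)

// BundleSet maps a trust domain to its published roots; a pool with zero roots is a valid entry.
type BundleSet map[string]*x509.CertPool
// Verify chains an SVID to the bundle of the trust domain named in its spiffe:// URI SAN.
func (s BundleSet) Verify(svid *x509.Certificate) error {
	if len(svid.URIs) == 0 || s[svid.URIs[0].Host] == nil {
		return errors.New("no SPIFFE ID or no bundle for its trust domain")
	}
	opts := x509.VerifyOptions{Roots: s[svid.URIs[0].Host], KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	_, err := svid.Verify(opts) // zero-root pool: UnknownAuthorityError for this domain's SVIDs only
	return err
}

// sign issues tmpl under parent; one Ed25519 key is shared by all certs only to keep the demo short.
func sign(tmpl, parent *x509.Certificate, key ed25519.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, key.Public(), key)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c
}

// Demo builds a root for example.org, a zero-key bundle for federated.test, and one SVID per domain.
func Demo() (bundles int, ownErr, fedErr error) {
	_, key, _ := ed25519.GenerateKey(rand.Reader)
	exp := time.Now().Add(time.Hour)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotAfter: exp, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, Subject: pkix.Name{CommonName: "example.org CA"}}
	ca := sign(caTmpl, caTmpl, key)
	svid := func(td string) *x509.Certificate {
		return sign(&x509.Certificate{SerialNumber: big.NewInt(2), NotAfter: exp, URIs: []*url.URL{{Scheme: "spiffe", Host: td, Path: "/workload"}}}, ca, key)
	}
	// As a client holds them after a response: the empty federated bundle is kept, not rejected.
	set := BundleSet{"example.org": x509.NewCertPool(), "federated.test": x509.NewCertPool()}
	set["example.org"].AddCert(ca)
	return len(set), set.Verify(svid("example.org")), set.Verify(svid("federated.test"))
}
```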
Member

@azdagron azdagron left a comment


Thanks, @sorindumitru, for catching this misalignment with what is allowed by the spec.

Just a few small nitpicks.

v2/bundle/x509bundle/bundle_test.go (outdated, resolved)
v2/workloadapi/client_test.go (outdated, resolved)
sorindumitru and others added 2 commits June 17, 2024 14:35
Co-authored-by: Andrew Harding <azdagron@gmail.com>
Signed-off-by: Sorin Dumitru <sorin@returnze.ro>
Co-authored-by: Andrew Harding <azdagron@gmail.com>
Signed-off-by: Sorin Dumitru <sorin@returnze.ro>
@azdagron azdagron merged commit 5460476 into spiffe:main Jun 17, 2024
6 checks passed