cyberark · ismarc · Dec 13, 2021 · Oct 21, 2021 · Oct 21, 2021 · Oct 21, 2021
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -20,6 +20,10 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 - Added check to stop hosts from setting passwords 
  [#1920](https://github/cyberark/conjur/issues/1920)
 
+### Security
+- Bump gems related to openid_connect stack for improving the certificate validation procedure during
+ the OIDC keys discovery process [cyberark/ONYX-13304](https://ca-il-jira.il.cyber-ark.com:8443/browse/ONYX-13304)
+
 ## [1.14.1] - 2021-11-05
 
 ### Fixed

diff --git a/Dockerfile b/Dockerfile
@@ -37,6 +37,9 @@ RUN bundle --without test development
 
 COPY . .
 
+# removing CA bundle of httpclient gem
+RUN find / -name httpclient -type d -exec find {} -name *.pem -type f -delete \;
+
 RUN ln -sf /opt/conjur-server/bin/conjurctl /usr/local/bin/
 
 ENV RAILS_ENV production

diff --git a/Dockerfile.fpm b/Dockerfile.fpm
@@ -17,6 +17,10 @@ COPY Gemfile \
 COPY gems/ gems/
 
 COPY . .
+
+# removing CA bundle of httpclient gem
+RUN find / -name httpclient -type d -exec find {} -name *.pem -type f -delete \;
+
 ADD debify.sh /
 
 WORKDIR /src
diff --git a/Dockerfile.ubi b/Dockerfile.ubi
@@ -71,6 +71,9 @@ RUN bundle --without test development
 
 COPY . .
 
+# removing CA bundle of httpclient gem
+RUN find / -name httpclient -type d -exec find {} -name *.pem -type f -delete \;
+
 RUN ln -sf /opt/conjur-server/bin/conjurctl /usr/local/bin/
 
 COPY LICENSE.md /licenses/

diff --git a/Gemfile.lock b/Gemfile.lock
@@ -255,7 +255,7 @@ GEM
  racc (~> 1.4)
  nokogiri (1.12.5-x86_64-darwin)
  racc (~> 1.4)
- openid_connect (1.2.0)
+ openid_connect (1.3.0)
  activemodel
  attr_required (>= 1.0.0)
  json-jwt (>= 1.5.0)
@@ -284,7 +284,7 @@ GEM
  nio4r (~> 2.0)
  racc (1.5.2)
  rack (2.2.3)
- rack-oauth2 (1.11.0)
+ rack-oauth2 (1.19.0)
  activesupport
  attr_required
  httpclient
@@ -409,7 +409,7 @@ GEM
  actionpack (>= 4.0)
  activesupport (>= 4.0)
  sprockets (>= 3.0.0)
- swd (1.1.2)
+ swd (1.3.0)
  activesupport (>= 3)
  attr_required (>= 0.0.5)
  httpclient (>= 2.4)
@@ -428,7 +428,7 @@ GEM
  validate_url (1.0.8)
  activemodel (>= 3.0.0)
  public_suffix
- webfinger (1.1.0)
+ webfinger (1.2.0)
  activesupport
  httpclient (>= 2.4)
  websocket (1.2.8)

diff --git a/NOTICES.txt b/NOTICES.txt
@@ -43,7 +43,7 @@ Section 4: MIT
 >>> https://rubygems.org/gems/mini_racer/versions/0.2.9
 >>> https://rubygems.org/gems/net-ldap/versions/0.16.2
 >>> https://rubygems.org/gems/nokogiri/versions/1.12.5
->>> https://rubygems.org/gems/openid_connect/versions/1.2.0
+>>> https://rubygems.org/gems/openid_connect/versions/1.3.0
 >>> https://rubygems.org/gems/rack-rewrite/versions/1.5.1
 >>> https://rubygems.org/gems/rails/versions/5.2.6
 >>> https://rubygems.org/gems/rake/versions/13.0.1
@@ -681,7 +681,7 @@ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 SOFTWARE.
 
->>> https://rubygems.org/gems/openid_connect/versions/1.2.0
+>>> https://rubygems.org/gems/openid_connect/versions/1.3.0
 
 Copyright (c) 2011 nov matake
 

diff --git a/ci/oauth/keycloak/fetch_certificate b/ci/oauth/keycloak/fetch_certificate
@@ -1,18 +1,18 @@
 #!/bin/sh
 
-# This script retrieves a certificate from the keycloak OIDC provider.
+# This script retrieves a certificate from the keycloak OIDC provider
+# and puts it to a trusted operating system store.
 # It is needed to communicate with the provider via SSL for validating ID tokens
 
-httpclient_pem_location="/var/lib/ruby/lib/ruby/gems/2.5.0/gems/httpclient-2.8.3/lib/httpclient"
+openssl s_client \
+ -showcerts \
+ -connect keycloak:8443 \
+ -servername keycloak \
+ </dev/null | \
+ openssl x509 \
+ -outform PEM \
+ >/etc/ssl/certs/keycloak.pem
 
-{
- echo "keycloak cert"
- echo ===============
- echo | openssl s_client -showcerts -connect keycloak:8443 -servername keycloak 2>/dev/null | openssl x509 -outform PEM
-} >> "$httpclient_pem_location/cacert.pem"
+hash=$(openssl x509 -hash -in /etc/ssl/certs/keycloak.pem -out /dev/null)
 
-{
- echo "keycloak cert"
- echo ===============
- echo | openssl s_client -showcerts -connect keycloak:8443 -servername keycloak 2>/dev/null | openssl x509 -outform PEM
-} >> "$httpclient_pem_location/cacert1024.pem"
+ln -s /etc/ssl/certs/keycloak.pem /etc/ssl/certs/$hash.0
diff --git a/dev/Dockerfile.dev b/dev/Dockerfile.dev
@@ -28,6 +28,9 @@ COPY gems/ gems/
 
 RUN bundle
 
+# removing CA bundle of httpclient gem
+RUN find / -name httpclient -type d -exec find {} -name *.pem -type f -delete \;
+
 RUN rm /etc/service/sshd/down
 RUN ln -sf /src/conjur-server/bin/conjurctl /usr/local/bin/