Validate root rotations against trust pinning where appropriate #800
Conversation
// At this point, we assume that we have already trusted previous root data and so will not perform any | ||
// additional trust pinning checks on this new certificate | ||
if !firstBootstrap { | ||
logrus.Debug("TOFU is disabled but previous root data exists, skipping disable TOFU restriction") |
Nit: I'm wondering if this log message might be confusing, since it's not exactly doing a TOFU check, given that it's not first use. It's just that no other trust pinning has been specified. In which case, maybe this check can just be combined with the previous conditional?
Sounds good, I'll combine them into a !trustPinConfig.DisableTOFU || !firstBootstrap case
LGTM after nits! Thanks for making sure the new roots conform to trust pinning too!
// If TOFUs is not disabled or we already have previous trusted root data for this GUN (even with TOFUs disabled), | ||
// use TOFUs. It's ok if we have previous root data with TOFUs disabled because we've already | ||
// bootstrapped the first use of trust | ||
if !trustPinConfig.DisableTOFU || !firstBootstrap { |
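Review bot: In the `!trustPinConfig.DisableTOFU || !firstBootstrap` branch the rejecting case (TOFU disabled and no previously trusted root for this GUN) exists only as the implicit else, so the one outcome that actually refuses a root is the hardest to see; state it first as `if trustPinConfig.DisableTOFU && firstBootstrap { return ..., err }` and let the TOFU path fall through. The comment should also spell out that `!firstBootstrap` means a root for this GUN was already validated earlier, which is why a DisableTOFU setting added after that first bootstrap does not retroactively reject the GUN on rotation. Minor: the comment spells it "TOFUs" while the earlier log message says "TOFU"; pick one.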
Let's apply De Morgan's and invert the check so we have:
if DisableTOFU && firstBootstrap {
return error
}
return tofusCheck
After one comment, looks great! First person to check in after CI passes should merge 👍
Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
Check new roots against the trust pinning when performing validation, but do not reject the new root if TOFUs is disabled because we've already trusted a previous root.
Closes #735.
Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
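The decision the thread is converging on (pins are checked first; with no pin, reject only when TOFU is disabled and no root for this GUN has been trusted before, otherwise fall back to TOFU) is small enough to model end to end. The following is an added example written for this page, not notary's own code: the TrustPinConfig type, the validateRootKey function, the GUN strings and the key IDs are all assumptions, and pins are simplified to key IDs rather than certificates or CAs.

```go
package main

import (
	"errors"
	"fmt"
)

// TrustPinConfig is a hypothetical, simplified model of a trust-pinning
// configuration (assumption for this example, not notary's real type).
type TrustPinConfig struct {
	// Certs maps a GUN to the root key IDs it is pinned to.
	Certs map[string][]string
	// DisableTOFU refuses roots for GUNs that have neither a pin nor a
	// previously trusted root.
	DisableTOFU bool
}

// ErrNoTrust is returned when nothing (pin or prior root) vouches for a root
// and TOFU has been disabled.
var ErrNoTrust = errors.New("trust pinning: no pin for GUN and TOFU is disabled")

// validateRootKey decides whether keyID may serve as the root key for gun.
// firstBootstrap is true when no previously validated root exists locally.
// It returns the path that accepted the key ("pinned", "tofu", "prior-trust")
// or an error. The decision order mirrors the review thread: an explicit pin
// always wins, and the rejecting case is stated first rather than left as an
// implicit else.
func validateRootKey(cfg TrustPinConfig, gun, keyID string, firstBootstrap bool) (string, error) {
	if pins := cfg.Certs[gun]; len(pins) > 0 {
		for _, p := range pins {
			if p == keyID {
				return "pinned", nil
			}
		}
		// A pin exists but the new root does not match it: reject on first
		// bootstrap and on rotation alike.
		return "", fmt.Errorf("root key %s for %s does not match any pinned key", keyID, gun)
	}

	// No pin for this GUN. Reject only when TOFU is disabled AND this is the
	// first time we see the GUN; a previously trusted root counts as the
	// bootstrap having already happened.
	if cfg.DisableTOFU && firstBootstrap {
		return "", ErrNoTrust
	}
	if firstBootstrap {
		return "tofu", nil
	}
	return "prior-trust", nil
}

func main() {
	// Constructed sample configuration: one pinned GUN, TOFU disabled.
	cfg := TrustPinConfig{
		Certs:       map[string][]string{"docker.io/library/pinned": {"key-aaaa"}},
		DisableTOFU: true,
	}
	cases := []struct {
		gun, keyID     string
		firstBootstrap bool
	}{
		{"docker.io/library/pinned", "key-aaaa", true},   // pinned
		{"docker.io/library/pinned", "key-zzzz", false},  // rotation to unpinned key: reject
		{"example.com/unpinned", "key-bbbb", true},       // no pin, TOFU off, first use: reject
		{"example.com/unpinned", "key-bbbb", false},      // no pin, TOFU off, prior root: accept
	}
	for _, c := range cases {
		path, err := validateRootKey(cfg, c.gun, c.keyID, c.firstBootstrap)
		fmt.Printf("%-26s key=%s first=%-5v -> path=%q err=%v\n", c.gun, c.keyID, c.firstBootstrap, path, err)
	}
}
```

Note the "prior-trust" path: once a GUN has a trusted root, a later DisableTOFU setting does not retroactively reject it, which is exactly the behaviour the PR description asks for and the reason the rejecting case should be spelled out in the code rather than left implicit.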