Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Validate upstream signed CA chain #2644

Merged
merged 4 commits into from
Jan 4, 2022
Merged

Validate upstream signed CA chain #2644

merged 4 commits into from
Jan 4, 2022

Conversation

azdagron
Copy link
Member

@azdagron azdagron commented Dec 1, 2021

This change introduces a validation step in the server CA before accepting an upstream signed intermediate which ensures that an SVID signed with that chain is valid. This prevents two kinds of misconfigurations: 1) the upstream authority did not return an intermediate chain that chains back to the upstream authority provided root, 2) the upstream authority produced a chain with invalid constraints (e.g. inappropriate key usage for certificate signing, missing CA bit, etc.)

@azdagron
Validate upstream signed CA chain
2036bca 
This change introduces a validation step in the server CA before
accepting an upstream signed intermediate which ensures that an SVID
signed with that chain is valid. This prevents two kinds of
misconfigurations: 1) the upstream authority did not return an
intermediate chain that chains back to the upstream authority provided
root, 2) the upstream authority produced a chain with invalid
constraints (e.g. inappropriate key usage for certificate signing,
missing CA bit, etc.)

Signed-off-by: Andrew Harding <aharding@vmware.com>
@azdagron azdagron mentioned this pull request Dec 1, 2021
Closed
3 tasks
@azdagron azdagron added this to the 1.1.2 milestone Dec 2, 2021
amartinezfayo
amartinezfayo reviewed Dec 6, 2021
View reviewed changes
pkg/server/ca/ca.go Outdated Show resolved Hide resolved
MarcosDY
MarcosDY reviewed Dec 6, 2021
View reviewed changes
pkg/server/ca/upstream_client.go Show resolved Hide resolved
pkg/server/ca/upstream_client_test.go Outdated Show resolved Hide resolved
pkg/server/ca/validation.go Outdated Show resolved Hide resolved
@azdagron
Address PR comments
024af70 
Signed-off-by: Andrew Harding <aharding@vmware.com>
@azdagron azdagron modified the milestones: 1.1.2, 1.2.0 Dec 9, 2021
evan2645
evan2645 previously approved these changes Jan 4, 2022
View reviewed changes
@azdagron
Fix slightly inaccurate comment
3c1b2e2 
Signed-off-by: Andrew Harding <aharding@vmware.com>
evan2645
evan2645 approved these changes Jan 4, 2022
View reviewed changes
Copy link
Member

@evan2645 evan2645 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👛 🌄

@azdagron azdagron merged commit 47d67c7 into spiffe:main Jan 4, 2022
@azdagron azdagron deleted the validate-upstream-signed-ca-chain branch January 4, 2022 23:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@amartinezfayo amartinezfayo amartinezfayo left review comments

@MarcosDY MarcosDY MarcosDY left review comments

@evan2645 evan2645 evan2645 approved these changes

@APTy APTy Awaiting requested review from APTy

@rturner3 rturner3 Awaiting requested review from rturner3 rturner3 is a code owner

Assignees

@evan2645 evan2645

@amartinezfayo amartinezfayo

Labels
None yet
Projects
None yet
Milestone
1.2.0
Development

Successfully merging this pull request may close these issues.
4 participants
@azdagron @evan2645 @MarcosDY @amartinezfayo