Describe the bug
When using the EC2 auth method, Vault uses the AWS public certificate to verify that the instance identity document is valid, which uses SHA1 with a DSA key pair. According to this document, DSA signature verification is no longer supported from Go 1.16 (which Vault was compiled with), so Vault 1.8 cannot authenticate with the EC2 auth method anymore.
Below is the example code snippet, which is the exact same procedure used to verify the signature in Vault: link
package main

import (
	"crypto/x509"
	"encoding/pem"
	"fmt"

	"github.com/fullsailor/pkcs7"
)

func main() {
	// PEM-encoded PKCS#7 signature of the instance identity document (placeholder value)
	pkcs7B64 := "sample signature"
	pkcs7BER, pkcs7Rest := pem.Decode([]byte(pkcs7B64))
	if pkcs7BER == nil || len(pkcs7Rest) != 0 {
		panic("failed to decode the PEM encoded PKCS#7 signature")
	}
	// Parse the signature from asn1 format into a struct
	pkcs7Data, err := pkcs7.Parse(pkcs7BER.Bytes)
	if err != nil {
		panic(fmt.Errorf("failed to parse the BER encoded PKCS#7 signature: %w", err))
	}
	// AWS public cert (DSA key, signed with dsa-with-sha1)
	pubCertStr := `-----BEGIN CERTIFICATE-----
MIIC7TCCAq0CCQCWukjZ5V4aZzAJBgcqhkjOOAQDMFwxCzAJBgNVBAYTAlVTMRkw
FwYDVQQIExBXYXNoaW5ndG9uIFN0YXRlMRAwDgYDVQQHEwdTZWF0dGxlMSAwHgYD
VQQKExdBbWF6b24gV2ViIFNlcnZpY2VzIExMQzAeFw0xMjAxMDUxMjU2MTJaFw0z
ODAxMDUxMjU2MTJaMFwxCzAJBgNVBAYTAlVTMRkwFwYDVQQIExBXYXNoaW5ndG9u
IFN0YXRlMRAwDgYDVQQHEwdTZWF0dGxlMSAwHgYDVQQKExdBbWF6b24gV2ViIFNl
cnZpY2VzIExMQzCCAbcwggEsBgcqhkjOOAQBMIIBHwKBgQCjkvcS2bb1VQ4yt/5e
ih5OO6kK/n1Lzllr7D8ZwtQP8fOEpp5E2ng+D6Ud1Z1gYipr58Kj3nssSNpI6bX3
VyIQzK7wLclnd/YozqNNmgIyZecN7EglK9ITHJLP+x8FtUpt3QbyYXJdmVMegN6P
hviYt5JH/nYl4hh3Pa1HJdskgQIVALVJ3ER11+Ko4tP6nwvHwh6+ERYRAoGBAI1j
k+tkqMVHuAFcvAGKocTgsjJem6/5qomzJuKDmbJNu9Qxw3rAotXau8Qe+MBcJl/U
hhy1KHVpCGl9fueQ2s6IL0CaO/buycU1CiYQk40KNHCcHfNiZbdlx1E9rpUp7bnF
lRa2v1ntMX3caRVDdbtPEWmdxSCYsYFDk4mZrOLBA4GEAAKBgEbmeve5f8LIE/Gf
MNmP9CM5eovQOGx5ho8WqD+aTebs+k2tn92BBPqeZqpWRa5P/+jrdKml1qx4llHW
MXrs3IgIb6+hUIB+S8dz8/mmO0bpr76RoZVCXYab2CZedFut7qc3WUH9+EUAH5mw
vSeDCOUMYQR7R9LINYwouHIziqQYMAkGByqGSM44BAMDLwAwLAIUWXBlk40xTwSw
7HX32MxXYruse9ACFBNGmdX2ZBrVNGrN9N2f6ROk0k9K
-----END CERTIFICATE-----`
	pubCertBER, _ := pem.Decode([]byte(pubCertStr))
	if pubCertBER == nil {
		panic("failed to decode the PEM encoded AWS public certificate")
	}
	cert, err := x509.ParseCertificate(pubCertBER.Bytes)
	if err != nil {
		panic(err)
	}
	pkcs7Data.Certificates = []*x509.Certificate{cert}
	// panics on Go 1.16+, but not in past versions.
	if err := pkcs7Data.Verify(); err != nil {
		panic(err)
	}
}
Thanks for the report! We have this listed as a known issue for Vault 1.8.0 and 1.8.1, and are currently working on having this fixed in the next release of Vault.
The above code snippet panics on Go 1.16+, but not in past versions. After downgrading the Vault server to 1.7.0, the EC2 auth method works perfectly. Maybe using https://github.com/mozilla-services/pkcs7 instead of https://github.com/fullsailor/pkcs7 would resolve this issue (check out this pull request: mozilla-services/pkcs7#50)
Environment:
Vault version from vault status: 1.8.0
Vault version from vault version: Vault v1.7.3 ('5d517c864c8f10385bf65627891bc7ef55f5e827+CHANGES')
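Added example, not code from the issue or from Vault: a pre-flight check that parses the AWS certificate quoted above and asks crypto/x509 to verify the certificate's own DSA self-signature. On Go 1.16 and later, CheckSignature returns x509.ErrUnsupportedAlgorithm before doing any signature math, which is exactly why the PKCS#7 Verify in the snippet fails; on older toolchains it returns nil. The function name dsaVerifySupported is my own, and the check assumes the certificate is self-signed (issuer equals subject, as in the AWS cert).

```go
package main
import (
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
)
// The AWS public certificate from the issue: DSA public key, self-signed with dsa-with-sha1.
const awsEC2IdentityCertPEM = `-----BEGIN CERTIFICATE-----
MIIC7TCCAq0CCQCWukjZ5V4aZzAJBgcqhkjOOAQDMFwxCzAJBgNVBAYTAlVTMRkw
FwYDVQQIExBXYXNoaW5ndG9uIFN0YXRlMRAwDgYDVQQHEwdTZWF0dGxlMSAwHgYD
VQQKExdBbWF6b24gV2ViIFNlcnZpY2VzIExMQzAeFw0xMjAxMDUxMjU2MTJaFw0z
ODAxMDUxMjU2MTJaMFwxCzAJBgNVBAYTAlVTMRkwFwYDVQQIExBXYXNoaW5ndG9u
IFN0YXRlMRAwDgYDVQQHEwdTZWF0dGxlMSAwHgYDVQQKExdBbWF6b24gV2ViIFNl
cnZpY2VzIExMQzCCAbcwggEsBgcqhkjOOAQBMIIBHwKBgQCjkvcS2bb1VQ4yt/5e
ih5OO6kK/n1Lzllr7D8ZwtQP8fOEpp5E2ng+D6Ud1Z1gYipr58Kj3nssSNpI6bX3
VyIQzK7wLclnd/YozqNNmgIyZecN7EglK9ITHJLP+x8FtUpt3QbyYXJdmVMegN6P
hviYt5JH/nYl4hh3Pa1HJdskgQIVALVJ3ER11+Ko4tP6nwvHwh6+ERYRAoGBAI1j
k+tkqMVHuAFcvAGKocTgsjJem6/5qomzJuKDmbJNu9Qxw3rAotXau8Qe+MBcJl/U
hhy1KHVpCGl9fueQ2s6IL0CaO/buycU1CiYQk40KNHCcHfNiZbdlx1E9rpUp7bnF
lRa2v1ntMX3caRVDdbtPEWmdxSCYsYFDk4mZrOLBA4GEAAKBgEbmeve5f8LIE/Gf
MNmP9CM5eovQOGx5ho8WqD+aTebs+k2tn92BBPqeZqpWRa5P/+jrdKml1qx4llHW
MXrs3IgIb6+hUIB+S8dz8/mmO0bpr76RoZVCXYab2CZedFut7qc3WUH9+EUAH5mw
vSeDCOUMYQR7R9LINYwouHIziqQYMAkGByqGSM44BAMDLwAwLAIUWXBlk40xTwSw
7HX32MxXYruse9ACFBNGmdX2ZBrVNGrN9N2f6ROk0k9K
-----END CERTIFICATE-----`
// dsaVerifySupported (hypothetical helper) parses the cert and checks its own DSA signature.
// ErrUnsupportedAlgorithm means this Go toolchain cannot verify DSA (Go 1.16+); other errors are real failures.
func dsaVerifySupported(pemData string) (cert *x509.Certificate, supported bool, err error) {
	block, _ := pem.Decode([]byte(pemData))
	if block == nil {
		return nil, false, errors.New("no PEM block found")
	}
	if cert, err = x509.ParseCertificate(block.Bytes); err != nil {
		return nil, false, fmt.Errorf("parse certificate: %w", err)
	}
	err = cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature)
	if errors.Is(err, x509.ErrUnsupportedAlgorithm) {
		return cert, false, nil // toolchain refuses DSA: Vault's EC2 auth will fail here
	}
	return cert, err == nil, err
}

func main() {
	cert, ok, err := dsaVerifySupported(awsEC2IdentityCertPEM)
	if err != nil {
		panic(err)
	}
	fmt.Println(cert.PublicKeyAlgorithm, cert.SignatureAlgorithm, "dsaVerify:", ok)
}
```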