Vault 1.8 cannot authenticate with AWS EC2 auth method #12321

Closed
skystar-p opened this issue Aug 13, 2021 · 3 comments
Comments

@skystar-p

Describe the bug
When using the EC2 auth method, Vault uses the AWS public certificate to verify that the instance identity document is valid, which uses SHA1 with a DSA key pair. According to this document, DSA signature verification is no longer supported from Go 1.16 (which Vault was compiled with), so Vault 1.8 cannot authenticate with the EC2 auth method anymore.

Below is an example code snippet, which follows the exact same procedure Vault uses to verify the signature: link

package main

import (
	"crypto/x509"
	"encoding/pem"
	"fmt"

	"github.com/fullsailor/pkcs7"
)

func main() {
	// PEM-encoded PKCS#7 signature of the instance identity document
	// (the real value is elided in this report).
	pkcs7B64 := "sample signature"
	pkcs7BER, pkcs7Rest := pem.Decode([]byte(pkcs7B64))
	// pem.Decode returns a nil block when no PEM data is found; check for
	// that before touching pkcs7BER.Bytes, and reject trailing data.
	if pkcs7BER == nil || len(pkcs7Rest) != 0 {
		panic("failed to decode the PEM encoded PKCS#7 signature")
	}

	// Parse the signature from asn1 format into a struct
	pkcs7Data, err := pkcs7.Parse(pkcs7BER.Bytes)
	if err != nil {
		panic(fmt.Errorf("failed to parse the BER encoded PKCS#7 signature: %w", err))
	}
	// AWS public cert (DSA key; the identity document is signed with DSA-SHA1)
	pubCertStr := `-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----`
	pubCertBER, _ := pem.Decode([]byte(pubCertStr))
	if pubCertBER == nil {
		panic("failed to decode the PEM encoded AWS certificate")
	}
	cert, err := x509.ParseCertificate(pubCertBER.Bytes)
	if err != nil {
		panic(err)
	}

	// Pin the AWS certificate as the only signer the PKCS#7 data may be
	// verified against, so an embedded attacker-supplied certificate is ignored.
	pkcs7Data.Certificates = []*x509.Certificate{cert}

	// Verify hands the DSA-SHA1 SignerInfo signature to crypto/x509, which
	// no longer verifies DSA. Panics on Go 1.16+, but not in past versions.
	if err := pkcs7Data.Verify(); err != nil {
		panic(err)
	}
}

The above code snippet panics on Go 1.16+, but not in past versions. After downgrading the Vault server to 1.7.0, the EC2 auth method works perfectly. Maybe using https://github.com/mozilla-services/pkcs7 instead of https://github.com/fullsailor/pkcs7 would resolve this issue (check out this pull request: mozilla-services/pkcs7#50).

Environment:

  • Vault Server Version (retrieve with vault status): 1.8.0
  • Vault CLI Version (retrieve with vault version): Vault v1.7.3 ('5d517c864c8f10385bf65627891bc7ef55f5e827+CHANGES')
  • Server Operating System/Architecture: Linux (x86)
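The root cause described in the report is that crypto/x509's CheckSignature stopped handling DSA in Go 1.16, while the AWS instance identity document is still signed DSA-SHA1. The example below is added here and is not Vault's code or the code of either pkcs7 library: it shows the x509 call returning x509.ErrUnsupportedAlgorithm for a DSA-SHA1 signature, and the kind of fallback a PKCS#7 library needs (decode the DER (r, s) pair and verify it with crypto/dsa directly). The function names (checkSignature, verifyDSAWithSHA1, newDSASHA1Fixture), the generated 1024/160 DSA key and the sample document are all constructed for this example; the real AWS certificate is not used.

```go
package main

import (
	"crypto/dsa"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
)

// dsaSignature is the DER structure carried in a PKCS#7 SignerInfo for DSA:
// SEQUENCE { r INTEGER, s INTEGER } (RFC 3279, section 2.2.2).
type dsaSignature struct {
	R, S *big.Int
}

// ErrBadSignature is returned when the DSA signature does not verify.
var ErrBadSignature = errors.New("dsa: signature verification failed")

// verifyDSAWithSHA1 re-implements the DSAWithSHA1 check that crypto/x509
// dropped in Go 1.16: SHA-1 the signed bytes, decode the DER (r, s) pair and
// hand it to crypto/dsa (deprecated since Go 1.16, but still shipped).
func verifyDSAWithSHA1(pub *dsa.PublicKey, signed, signature []byte) error {
	var sig dsaSignature
	rest, err := asn1.Unmarshal(signature, &sig)
	if err != nil {
		return fmt.Errorf("dsa: malformed signature: %w", err)
	}
	if len(rest) != 0 {
		return errors.New("dsa: trailing data after signature")
	}
	// Reject degenerate r/s values before they reach dsa.Verify.
	if sig.R == nil || sig.S == nil || sig.R.Sign() <= 0 || sig.S.Sign() <= 0 {
		return ErrBadSignature
	}
	digest := sha1.Sum(signed)
	if !dsa.Verify(pub, digest[:], sig.R, sig.S) {
		return ErrBadSignature
	}
	return nil
}

// checkSignature is the dispatch a PKCS#7 library needs on Go 1.16+ (hypothetical
// helper): route DSA-SHA1 to the local verifier, everything else to x509 as before.
func checkSignature(cert *x509.Certificate, algo x509.SignatureAlgorithm, signed, signature []byte) error {
	if algo == x509.DSAWithSHA1 {
		pub, ok := cert.PublicKey.(*dsa.PublicKey)
		if !ok {
			return x509.ErrUnsupportedAlgorithm
		}
		return verifyDSAWithSHA1(pub, signed, signature)
	}
	return cert.CheckSignature(algo, signed, signature)
}

// newDSASHA1Fixture generates a throwaway 1024/160 DSA key (the size of the AWS
// signing key) and signs doc with it, returning a certificate holding the public
// key and the DER-encoded signature. Constructed test fixture, not AWS material.
func newDSASHA1Fixture(doc []byte) (*x509.Certificate, []byte, error) {
	var priv dsa.PrivateKey
	if err := dsa.GenerateParameters(&priv.Parameters, rand.Reader, dsa.L1024N160); err != nil {
		return nil, nil, err
	}
	if err := dsa.GenerateKey(&priv, rand.Reader); err != nil {
		return nil, nil, err
	}
	digest := sha1.Sum(doc)
	r, s, err := dsa.Sign(rand.Reader, &priv, digest[:])
	if err != nil {
		return nil, nil, err
	}
	sig, err := asn1.Marshal(dsaSignature{R: r, S: s})
	if err != nil {
		return nil, nil, err
	}
	// Only PublicKey matters for CheckSignature; the rest of the certificate is
	// left empty because Go cannot issue DSA-signed certificates anyway.
	cert := &x509.Certificate{PublicKey: &priv.PublicKey, PublicKeyAlgorithm: x509.DSA}
	return cert, sig, nil
}

func main() {
	doc := []byte(`{"instanceId":"i-0123456789abcdef0","region":"us-east-1"}`) // constructed
	cert, sig, err := newDSASHA1Fixture(doc)
	if err != nil {
		panic(err)
	}
	fmt.Println("x509.CheckSignature:", cert.CheckSignature(x509.DSAWithSHA1, doc, sig))
	fmt.Println("local DSA verifier: ", checkSignature(cert, x509.DSAWithSHA1, doc, sig))
	doc[0] ^= 0xff // tamper with the document; the fallback must now reject it
	fmt.Println("tampered document:  ", checkSignature(cert, x509.DSAWithSHA1, doc, sig))
}
```

On Go 1.16 and later the first line prints the unsupported-algorithm error from crypto/x509, the second prints nil, and the tampered document is rejected by the fallback. The fallback only restores the verification step; SHA-1 with 1024-bit DSA stays a weak signature scheme, which is why the check must also be pinned to the one AWS certificate rather than to any certificate embedded in the PKCS#7 blob.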
@calvn
Member

calvn commented Aug 16, 2021

Thanks for the report! We have this listed as a known issue for Vault 1.8.0 and 1.8.1, and are currently working on having this fixed in the next release of Vault.

@DaspawnW
Contributor

DaspawnW commented Sep 8, 2021

I think there is a fix in 1.8.2 for it: #12340

@hsimon-hashicorp
Contributor

Thanks @DaspawnW! I'm going to go ahead and close this issue now, but if it's not resolved for you in 1.8.2, please feel free to reopen it. Thanks!
