creds/aws: Add support for DSA signature verification for EC2 #12340

Merged
merged 8 commits into from Aug 19, 2021

Conversation

jasonodonnell
Contributor

DSA support was dropped in Go 1.16 which is used by the EC2 auth method for verifying signatures. Since this was dropped from a core library and EC2 needs DSA support until we can switch to RSA, I needed to bring in the external package we were using for verification and alter the code to add support. RSA adoption is a high priority task so we can formally deprecate the DSA support in Vault.
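The verification step this PR reintroduces, written as an added Go example (not the PR's code and not the pkcs7 package's): since Go 1.16 `x509.CheckSignature` refuses DSA, so the verifier has to parse the DER-encoded r/s pair out of the SignerInfo and call `crypto/dsa` itself. The key, the content and the signature are all constructed inline, and the function names are my own.

```go
package main

import (
	"crypto/dsa"
	"crypto/rand"
	"crypto/sha1"
	"encoding/asn1"
	"fmt"
	"math/big"
)

// dsaSignature is the DER SEQUENCE { r INTEGER, s INTEGER } carried in a dsa-with-sha1 SignerInfo.
type dsaSignature struct{ R, S *big.Int }

// VerifyDSAWithSHA1 is the check x509.CheckSignature no longer performs in
// Go 1.16+: parse r and s, hash the content with SHA-1, and call crypto/dsa.
func VerifyDSAWithSHA1(pub *dsa.PublicKey, content, sig []byte) error {
	var parsed dsaSignature
	rest, err := asn1.Unmarshal(sig, &parsed)
	if err != nil {
		return fmt.Errorf("parse DSA signature: %w", err)
	}
	if len(rest) != 0 {
		return fmt.Errorf("trailing bytes after DSA signature")
	}
	digest := sha1.Sum(content) // dsa.Verify itself rejects r or s outside (0, q)
	if !dsa.Verify(pub, digest[:], parsed.R, parsed.S) {
		return fmt.Errorf("DSA signature does not match content")
	}
	return nil
}

// SignDSAWithSHA1 exists only to produce test input; Vault verifies, it never signs.
func SignDSAWithSHA1(priv *dsa.PrivateKey, content []byte) ([]byte, error) {
	digest := sha1.Sum(content)
	r, s, err := dsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return nil, err
	}
	return asn1.Marshal(dsaSignature{R: r, S: s})
}

// NewTestKey builds a throwaway L1024/N160 key pair (constructed for the example, not an AWS key).
func NewTestKey() (*dsa.PrivateKey, error) {
	priv := new(dsa.PrivateKey)
	if err := dsa.GenerateParameters(&priv.Parameters, rand.Reader, dsa.L1024N160); err != nil {
		return nil, err
	}
	return priv, dsa.GenerateKey(priv, rand.Reader)
}
```

Parameter generation for the throwaway key can take a second or two; in the real code path the public key comes from the certificate AWS ships, parsed by `x509.ParseCertificate`, which still returns a `*dsa.PublicKey`.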

Contributor

@sgmiller sgmiller left a comment

Looks fine to me, a straight lift of the PKCS7 routines we need.

@kalafut kalafut added this to the 1.8.2 milestone Aug 18, 2021
@jasonodonnell jasonodonnell merged commit 01484ca into main Aug 19, 2021
@jasonodonnell jasonodonnell deleted the aws-dsa branch August 19, 2021 13:16
jasonodonnell added a commit that referenced this pull request Aug 19, 2021
* creds/aws: import pkcs7 verification package

* Add DSA support

* changelog

* Add DSA to correct verify function

* Remove unneeded tests

* Fix backend test

* Update builtin/credential/aws/pkcs7/README.md

Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>

* Update builtin/credential/aws/path_login.go

Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>

Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>
jasonodonnell added a commit that referenced this pull request Aug 20, 2021
#12361)
jartek pushed a commit to jartek/vault that referenced this pull request Sep 11, 2021
…orp#12340)
ncabatoff pushed a commit that referenced this pull request Dec 14, 2021
ncabatoff added a commit that referenced this pull request Dec 14, 2021
* Move to Go 1.16.12 and newer cimg docker images for CI. (#13422)
* Update MongoDB tests to not fail in Go 1.16 (#11533)
* Upgrade snappy to fix panic with identity/packer on Go 1.16+arm64. (#12371) (#12375)
* creds/aws: Add support for DSA signature verification for EC2 (#12340)
jcharum pushed a commit to grailbio/base that referenced this pull request Jun 2, 2022
Summary:
AWS Identity Documents are signed with DSA-with-SHA1 signatures, and DSA is
removed from x509/crypto as of Go 1.16. This follows an approach done
by hashicorp/vault#12340, by forking in
https://github.com/mozilla-services/pkcs7 and applying the DSA fix
mozilla-services/pkcs7#50.

Test Plan: - Tested Bazel build and go build from within the folder

Reviewers: aeiser, dborcherding, sdunn, anguyen, gvitta, bbentson

Reviewed By: dborcherding, sdunn

Subscribers: jcharumilind, dnicolaou, pboyapalli, smahadevan

Differential Revision: https://phabricator.grailbio.com/D66326

fbshipit-source-id: cafa39b
swenson added a commit that referenced this pull request Dec 22, 2022
This was not copied over when this code was
copied in #12340.

Also adds a stub for the `.copywrite.hcl` file (for when
Vault is onboarded to Copywrite) and adds the `pkcs7` and
`ui/node_modules` to the ignore pattern.
swenson added a commit that referenced this pull request Dec 22, 2022
joshbrand pushed a commit that referenced this pull request Jan 11, 2023
AnPucel pushed a commit that referenced this pull request Jan 14, 2023
dhuckins pushed a commit that referenced this pull request Jan 19, 2023
dhuckins pushed a commit that referenced this pull request Jan 19, 2023
AnPucel pushed a commit that referenced this pull request Jan 25, 2023
AnPucel pushed a commit that referenced this pull request Feb 3, 2023
jayant07-yb pushed a commit to jayant07-yb/hashicorp-vault-integrations that referenced this pull request Mar 15, 2023

4 participants