Describe the bug
EC2 Vault login fails with "failed to parse the BER encoded PKCS#7 signature: ber2der: Invalid BER format" for some instances.
To Reproduce
Steps to reproduce the behavior:
1. Run: vault write -format=json "auth/aws/login" role="$role" pkcs7="$pkcs7" nonce="$nonce"
2. Get the error from above.
This only happens on a subset of EC2 instances (those that include a certificate in the response from http://169.254.169.254/latest/dynamic/instance-identity/pkcs7). We could not find a pattern as to which instances did and didn't include the certificate, but the bug reliably happens if the certificate is included.
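The reporter's trigger condition (a certificate embedded in the instance identity PKCS#7) can be checked per instance without running the Vault login. The following Python is an added example, not Vault's or the mozilla-services/pkcs7 library's code: it walks the BER/DER structure of the base64 text that IMDS returns (the same text passed as Vault's pkcs7 parameter), handles BER indefinite-length encodings, and reports whether SignedData carries the certificates [0] field. sample_pkcs7 builds constructed minimal inputs for testing; they are not real IMDS output.

```python
import base64

def _read_tlv(buf, pos):
    """Decode one BER/DER TLV at buf[pos]; returns (tag, value, next_pos)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first == 0x80:  # indefinite length (BER only): children run until an end-of-contents pair
        start = pos
        while buf[pos:pos + 2] != b"\x00\x00":
            _, _, pos = _read_tlv(buf, pos)
        return tag, buf[start:pos], pos + 2
    length = first & 0x7F  # short form: this byte is the length
    if first & 0x80:       # long form: it says how many following bytes hold the length
        length, pos = int.from_bytes(buf[pos:pos + length], "big"), pos + length
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    out, pos = [], 0
    while pos < len(value):
        tag, inner, pos = _read_tlv(value, pos)
        out.append((tag, inner))
    return out

def has_embedded_cert(pkcs7_b64):
    """True when SignedData carries a certificates [0] field, the trigger the report describes."""
    raw = base64.b64decode("".join(pkcs7_b64.split()))
    tag, content_info, _ = _read_tlv(raw, 0)
    fields = _children(content_info)  # ContentInfo: [contentType OID, [0] EXPLICIT content]
    if tag != 0x30 or len(fields) < 2 or fields[1][0] != 0xA0:
        raise ValueError("not a PKCS#7 ContentInfo with explicit content")
    signed_data = _children(fields[1][1])[0][1]  # the SignedData SEQUENCE inside [0]
    # SignedData: version, digestAlgorithms, encapContentInfo, [certificates [0]], [crls [1]], signerInfos
    return any(t == 0xA0 for t, _ in _children(signed_data)[3:-1])

def _tlv(tag, body, indefinite=False):
    """Encode one TLV: DER definite length by default, BER indefinite length on request."""
    if indefinite:
        return bytes([tag, 0x80]) + body + b"\x00\x00"
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 128 else b"\x82" + n.to_bytes(2, "big")) + body

def sample_pkcs7(with_cert, indefinite=False):
    """Constructed sample (not real IMDS output): a minimal SignedData, optionally with a certificate."""
    body = _tlv(0x02, b"\x01") + _tlv(0x31, b"")  # version, digestAlgorithms
    body += _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d010701")))  # encapContentInfo (id-data)
    if with_cert:
        body += _tlv(0xA0, _tlv(0x30, b"\x02\x01\x00"), indefinite)  # certificates [0] with a stub cert
    body += _tlv(0x31, b"")  # signerInfos
    signed = _tlv(0x30, body, indefinite)
    content = _tlv(0x06, bytes.fromhex("2a864886f70d010702")) + _tlv(0xA0, signed, indefinite)
    return base64.b64encode(_tlv(0x30, content, indefinite)).decode()
```

Passing the text fetched from the pkcs7 IMDS URL to has_embedded_cert tells you whether that instance falls into the affected subset before its login is attempted; the script does not itself reproduce the ber2der parsing defect.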
Expected behavior
It should not break
Environment:
Vault Server Version (retrieve with vault status): 1.8.2
Vault CLI Version (retrieve with vault version): 1.6.2
Additional context
When #12340 / #12361 were pulled in, they happened before this upstream PR: mozilla-services/pkcs7#61
Without the upstream PR, certain valid BER files are rejected as invalid and are mis-parsed.