Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

TLS keys containing other pem blocks proceeding the private key are considered invalid #1702

Closed
mattalberts opened this issue Oct 15, 2019 · 6 comments · Fixed by #1707
Closed

TLS keys containing other pem blocks proceeding the private key are considered invalid #1702

mattalberts opened this issue Oct 15, 2019 · 6 comments · Fixed by #1707
Assignees
@youngnick

Comments

@mattalberts
Copy link

What steps did you take and what happened:
Created a secret whose EC PRIVATE KEY contains EC PARAMETERS. The function validatePrivateKey locates the EC PARAMETERS pem.Block, attempts to validate it as a private key, and rejects the secret as valid.

What did you expect to happen:
I expected the secret to be accepted as valid :)

Anything else you would like to add:
The private key pem struct is something like this

-----BEGIN EC PARAMETERS-----
-----END EC PARAMETERS-----
-----BEGIN EC PRIVATE KEY-----
-----END EC PRIVATE KEY-----

I did scan, but didn't find a similar issue.

Environment:

  • Contour version: v0.15.1 and master
  • Kubernetes version: (use kubectl version): N/A
  • Kubernetes installer & version: N/A
  • Cloud provider or hardware configuration: N/A
  • OS (e.g. from /etc/os-release): N/A
@mattalberts
Copy link
Author

I already have a patch, just working on a test :)

@jpeach
Copy link
Contributor

jpeach commented Oct 15, 2019

Does Envoy accept and use the additional PEM objects?

mattalberts pushed a commit to mattalberts/contour that referenced this issue Oct 15, 2019
internal/dag: scan pem for secret key
7103657 
Walk each PEM block to identify the PRIVATE KEY

closes projectcontour#1702
@mattalberts mattalberts mentioned this issue Oct 15, 2019
Closed
@mattalberts
Copy link
Author

mattalberts commented Oct 15, 2019
edited
Loading

@jpeach The certificates I've been using with contour versions v0.5.0 to v0.14.2 have contained EC PARAMETERS and were valid for both contour and envoy (e.g. I've been terminating TLS with them for ~2 years). I found this while upgrading to v0.15.1.

Technically, there is a similar flaw with the certificate handling (to less detriment). Currently, a secret will be accepted if the first cert in the PEM block is valid

mattalberts pushed a commit to mattalberts/contour that referenced this issue Oct 15, 2019
internal/dag: scan pem for secret key
114280f 
Walk each PEM block to identify the PRIVATE KEY

closes projectcontour#1702

Signed-off-by: Matt Alberts <[email protected]>
mattalberts pushed a commit to mattalberts/contour that referenced this issue Oct 15, 2019
internal/dag: scan pem for secret key
d3e0d5b 
Walk each PEM block to identify the PRIVATE KEY

closes projectcontour#1702

Signed-off-by: Matt Alberts <[email protected]>
mattalberts pushed a commit to mattalberts/contour that referenced this issue Oct 15, 2019
internal/dag: scan pem for secret key
89acac7 
Walk each PEM block to identify the PRIVATE KEY

closes projectcontour#1702

Signed-off-by: Matt Alberts <[email protected]>
@jpeach jpeach mentioned this issue Oct 15, 2019
Closed
mattalberts pushed a commit to mattalberts/contour that referenced this issue Oct 15, 2019
internal/dag: validate each pem block
b5c392a 
During certificate validation, walk the PEM and validate each
appropriate block.

closes projectcontour#1702

Signed-off-by: Matt Alberts <[email protected]>
@mattalberts mattalberts mentioned this issue Oct 15, 2019
Merged
@youngnick youngnick self-assigned this Oct 15, 2019
@mattalberts
Copy link
Author

@youngnick I think #1707 makes more sense than #1704 (i was trying to keep this very small hoping for a back port .. but the other addresses both the cert and the private key).

@davecheney
Copy link
Contributor

davecheney commented Oct 16, 2019 via email

@youngnick
Copy link
Member

@mattalberts I agree, I'm going to check out #1707 properly now and, assuming it's all good (which a cursory inspection suggests), then I'll close out #1704.

@davecheney davecheney mentioned this issue Oct 16, 2019
Closed
mattalberts pushed a commit to mattalberts/contour that referenced this issue Oct 16, 2019
internal/dag: validate each pem block
b236860 
During certificate validation, walk the PEM and validate each
appropriate block.

closes projectcontour#1702

Signed-off-by: Matt Alberts <[email protected]>
mattalberts pushed a commit to mattalberts/contour that referenced this issue Oct 16, 2019
internal/dag: validate each pem block
70c8835 
During certificate validation, walk the PEM and validate each
appropriate block.

closes projectcontour#1702

Signed-off-by: Matt Alberts <[email protected]>
mattalberts pushed a commit to mattalberts/contour that referenced this issue Oct 16, 2019
internal/dag: validate each pem block
aa61c23 
During certificate validation, walk the PEM and validate each
appropriate block.

closes projectcontour#1702

Signed-off-by: Matt Alberts <[email protected]>
mattalberts pushed a commit to mattalberts/contour that referenced this issue Oct 16, 2019
internal/dag: validate each pem block
a329d2d 
During certificate validation, walk the PEM and validate each
appropriate block.

closes projectcontour#1702

Signed-off-by: Matt Alberts <[email protected]>
mattalberts pushed a commit to mattalberts/contour that referenced this issue Oct 17, 2019
internal/dag: validate each pem block
bb0bd97 
During certificate validation, walk the PEM and validate each
appropriate block.

closes projectcontour#1702

Signed-off-by: Matt Alberts <[email protected]>
mattalberts pushed a commit to mattalberts/contour that referenced this issue Oct 17, 2019
internal/dag: validate each pem block
cbbf7f8 
During certificate validation, walk the PEM and validate each
appropriate block.

closes projectcontour#1702

Signed-off-by: Matt Alberts <[email protected]>
mattalberts pushed a commit to mattalberts/contour that referenced this issue Oct 17, 2019
internal/dag: validate each pem block
33c76af 
During certificate validation, walk the PEM and validate each
appropriate block.

closes projectcontour#1702

Signed-off-by: Matt Alberts <[email protected]>
mattalberts pushed a commit to mattalberts/contour that referenced this issue Oct 17, 2019
internal/dag: validate each pem block
5157bdf 
During certificate validation, walk the PEM and validate each
appropriate block.

closes projectcontour#1702

Signed-off-by: Matt Alberts <[email protected]>
mattalberts pushed a commit to mattalberts/contour that referenced this issue Oct 17, 2019
internal/dag: validate each pem block
19c3760 
During certificate validation, walk the PEM and validate each
appropriate block.

closes projectcontour#1702

Signed-off-by: Matt Alberts <[email protected]>
mattalberts pushed a commit to mattalberts/contour that referenced this issue Oct 17, 2019
internal/dag: validate each pem block
8ee2d5f 
During certificate validation, walk the PEM and validate each
appropriate block.

closes projectcontour#1702

Signed-off-by: Matt Alberts <[email protected]>
mattalberts pushed a commit to mattalberts/contour that referenced this issue Oct 17, 2019
internal/dag: validate each pem block
1bcfbcb 
During certificate validation, walk the PEM and validate each
appropriate block.

closes projectcontour#1702

Signed-off-by: Matt Alberts <[email protected]>
davecheney pushed a commit that referenced this issue Oct 18, 2019
@davecheney
internal/dag: validate each pem block
cba7fe0 
During certificate validation, walk the PEM and validate each
appropriate block.

closes #1702

Signed-off-by: Matt Alberts <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@youngnick youngnick

Labels
None yet
Projects
None yet
Milestone
No milestone
4 participants
@davecheney @jpeach @mattalberts @youngnick