AWS node attestor needs to use different cert for different regions

[xinlaini]

• Version: 3ee20c9
• Platform: GCP
• Subsystem: node attestor plugin for aws

We recently spun up an AWS vm in eu-south-1 (Milan), our existing spire-server (running from GCP) failed to attest the new VM with "cryptography signature verification failures".

It seems that the aws_iid plugin is using a hardcoded cert regardless of the region the aws vm lives in.

However, according to aws doc (for PKCS7 signature verification), milan region has a different DSA cert. I suspect the should have a different RSA cert for that region as well (which I believe is what aws_iid code is using).

It seems not correct to hard code the cert to be used for all region's node attestation.

[evan2645]

Thank you for opening this @xinlaini!

I remember when we implemented the aws_iid attestor, and being surprised that the validation cert was defined statically on the documentation website. I'm again surprised to find that there are now different certs for some regions :) I feel like that wasn't the case when the plugin was implemented.

At any rate, thanks again for opening this, I think it's clear that we need to pull in all the certs defined on the webpage you linked to, and choose the right cert based on region.

[azdagron]

Another interesting tidbit is that the current certificate expires next year. We'll need a plan in place for dealing with that as well. We'll go ahead and schedule this soon to give us time to come up with something.

[maxlambrecht]

I submitted a draft PR addressing the two aspects of this issue: lack of support for several regions and the expiration of the currently used certificate (in June next year)

The changes involve:

• adding all the AWS public certificates for the different regions.
• migrating the signature verification to use RSA-2048 public certificates which expire around the year 2195: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/verify-rsa2048.html
• selecting the public certificate to verify signatures using the region code from the attestation data.

The issue with these changes is that they break backward compatibility.

[maxlambrecht]

Update: the PR is ready, supports all regions, and is backward compatible.

[shashankram]

@maxlambrecht @evan2645 @azdagron is this fix available in 1.6.4 or will it only be available in 1.7.0? Also do we know which region the cert was hardcoded to previously?

[azdagron]

Answered in slack :) For posterity, this is 1.7.0 only and the key in reference is the main RSA key specified at https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/verify-signature.html.

The following AWS public certificate is for all AWS Regions, except Hong Kong, Bahrain, UAE, Cape Town, Milan, Spain, Zurich, Jakarta, Melbourne, Hyderabad, China, and GovCloud.