Skip to content

[ca] Validate the Root CA certificate before updating the security config#2234

Merged
aaronlehmann merged 1 commit intomoby:masterfrom
cyli:validate-root-ca-before-updating
Jun 9, 2017
Merged

[ca] Validate the Root CA certificate before updating the security config#2234
aaronlehmann merged 1 commit intomoby:masterfrom
cyli:validate-root-ca-before-updating

Conversation

@cyli
Copy link
Copy Markdown
Contributor

@cyli cyli commented Jun 9, 2017
edited
Loading

Validate the Root CA certificate before updating the security config with
a new RootCA, to be sure that the root CA certificate matches the TLS
credentials already in the SecurityConfig.

This will prevent, for instance, a manager from telling an agent to load
an invalid root certificate, as can happen if an agent connects to a
manager that is being caught up via raft and hence might be replaying
old root rotations.

Signed-off-by: Ying Li ying.li@docker.com

Without this change, a manager that is catching up (for instance if it has been promoted, or if it was behind) and replying raft messages might tell all the nodes connected to it to update their root CA to an older version. This will also prevent that manager from updating to an outdated root CA as it's catching up.

This is not the most ideal change, since we're only validating when updating the root CA in the security config, but would be a quick patch to fix the issue if we want to try to get this into 17.06.

Otherwise, maybe it'd make sense to refactor SecurityConfig a bit to store the x509.Certificate and key instead of just the tls.Certificate, so that validation for everything can be moved into the SecurityConfig?

cc @aaronlehmann @diogomonica

@cyli cyli force-pushed the validate-root-ca-before-updating branch from 04f2fb3 to 095842f Compare June 9, 2017 19:46
@codecov
Copy link
Copy Markdown

codecov bot commented Jun 9, 2017
edited
Loading

Codecov Report

Merging #2234 into master will increase coverage by 0.08%.
The diff coverage is 85.29%.

@@            Coverage Diff             @@
##           master    #2234      +/-   ##
==========================================
+ Coverage   60.16%   60.24%   +0.08%     
==========================================
  Files         124      124              
  Lines       20156    20184      +28     
==========================================
+ Hits        12127    12160      +33     
+ Misses       6661     6660       -1     
+ Partials     1368     1364       -4

aaronlehmann
aaronlehmann reviewed Jun 9, 2017
View reviewed changes
ca/config.go Outdated
for i, derBytes := range tlsKeyPair.Certificate {
parsed, err := x509.ParseCertificate(derBytes)
if err != nil {
return errors.Wrap(err, "could not validate new roots because could not parse TLS cert")
Copy link
Copy Markdown
Collaborator

@aaronlehmann aaronlehmann Jun 9, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

could not validate new root certificates due to parse error?

@aaronlehmann
Copy link
Copy Markdown
Collaborator

aaronlehmann commented Jun 9, 2017

LGTM

@cyli
Validate the Root CA certificate before updating the security config …
088c952 
…with

a new RootCA, to be sure that the root CA certificate matches the TLS
credentials already in the SecurityConfig.

This will prevent, for instance, a manager from telling an agent to load
an invalid root certificate, as can happen if an agent connects to a
manager that is being caught up via raft and hence might be replaying
old root rotations.

Signed-off-by: Ying Li <ying.li@docker.com>
@cyli cyli force-pushed the validate-root-ca-before-updating branch from 095842f to 088c952 Compare June 9, 2017 20:56
@aaronlehmann aaronlehmann merged commit cd32a7f into moby:master Jun 9, 2017
@cyli cyli deleted the validate-root-ca-before-updating branch June 10, 2017 02:05
This was referenced Jun 12, 2017
Closed
Closed
@andrewhsu andrewhsu mentioned this pull request Jun 12, 2017
Merged
silvin-lubecki pushed a commit to silvin-lubecki/docker-ce that referenced this pull request Feb 3, 2020
@andrewhsu
revendor github.com/docker/swarmkit to 6083c76
cd38044 
To get the changes:
* moby/swarmkit#2234
* moby/swarmkit#2237
* moby/swarmkit#2238

Signed-off-by: Andrew Hsu <andrewhsu@docker.com>
silvin-lubecki pushed a commit to silvin-lubecki/engine-extract that referenced this pull request Feb 3, 2020
@andrewhsu @silvin-lubecki
revendor github.com/docker/swarmkit to 6083c76
58471c2 
To get the changes:
* moby/swarmkit#2234
* moby/swarmkit#2237
* moby/swarmkit#2238

Signed-off-by: Andrew Hsu <andrewhsu@docker.com>
silvin-lubecki pushed a commit to silvin-lubecki/engine-extract that referenced this pull request Mar 10, 2020
@andrewhsu @silvin-lubecki
revendor github.com/docker/swarmkit to 6083c76
83aa94f 
To get the changes:
* moby/swarmkit#2234
* moby/swarmkit#2237
* moby/swarmkit#2238

Signed-off-by: Andrew Hsu <andrewhsu@docker.com>
silvin-lubecki pushed a commit to silvin-lubecki/engine-extract that referenced this pull request Mar 23, 2020
@andrewhsu @silvin-lubecki
revendor github.com/docker/swarmkit to 6083c76
dcbaad5 
To get the changes:
* moby/swarmkit#2234
* moby/swarmkit#2237
* moby/swarmkit#2238

Signed-off-by: Andrew Hsu <andrewhsu@docker.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@aaronlehmann aaronlehmann aaronlehmann left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@cyli @aaronlehmann