Reorder groups in cert Subjects #18837
Conversation
openshift-ci-robot
added
the
size/XS
|
@martinpitt PTAL |
|
/lgtm |
|
If there is a bug in Go itself, should not we fix this generically in: origin/pkg/cmd/server/crypto/crypto.go Line 595 in 3addbb0 by forcing the ordering that DER expects? Otherwise any other cert we generate with more than one organization will have this issue. |
|
We might do that as well, let's see if the bug goes away with this simple fix first. |
If the Go bug gets fixed today, it will take 3 - 6+ months to show up in origin. |
|
Thanks, this looks like an okay first bandaid! This still feels a bit unpredictable, though - is there any chance this could not be a set (using the |
The DER encoding is handled by the Go standard library, which uses the SET notation and is not configurable. |
|
@martinpitt I see no reason why we are trying to use multivalued RDNs, @liggitt may know if there is a good reason. We could certainly just have many RDNs and a deeper tree, but this PR fixes the iimediate Pain in an easy backportable way. |
| @@ -145,7 +145,7 @@ func DefaultClusterAdminClientCertInfo(certDir string) ClientCertInfo { | |||
| }, | |||
| UnqualifiedUser: "admin", | |||
| User: "system:admin", | |||
| Groups: sets.NewString(bootstrappolicy.ClusterAdminGroup, bootstrappolicy.MastersGroup), | |||
| Groups: sets.NewString(bootstrappolicy.MastersGroup, bootstrappolicy.ClusterAdminGroup), | |||
There was a problem hiding this comment.
A string set is an order independent map. You cannot depend on order in a go map. This could easily change in different go versions or in different invocations (map iteration order is randomized per invocation)
There was a problem hiding this comment.
It can never be simple :-)
|
/hold |
openshift-ci-robot
added
the
do-not-merge/hold
|
@liggitt would it be ok to change ClientCertInfo to use []string instead of sets.String ? |
can you clarify the bug here? either order should result in a valid x509 cert, right? |
userToSubject isn't involved... the code that turns ClientCertInfo into a cert template for creation is at |
It is the last thing we do to set the cert subject, but the order fixing could be done elsewhere. For example: origin/pkg/cmd/server/crypto/crypto.go Line 740 in 95e2620 could have the fixup logic. |
|
@liggitt you need to go deeper, that code ends up calling https://github.com/openshift/origin/blob/master/pkg/cmd/server/crypto/crypto.go#L555 which ends up calling userToSubject() in signCertificate() |
|
can you clarify the bug here? either order should result in a valid x509 cert, right?
If golang crypto correctly implemented DER encoding for certs then we
wouldn't have to do anything special on our side.
Unfortunately golang's pkix.Name defines RelativeDistinguishedNameSET
as a simple SET instead of a SET OF and then does *not* order it
according to DER rules. DER requires SET OF to be ordered (by length of
string in this case, shortest strings first).
|
userToSubject just passes through whatever order was set in CreateClientCertOptions, it doesn't impose any ordering at all |
|
@LiGgit I know userToSubject() does not impose any ordering, but it is the place where all caller of signCertificate ends up into. If I change only CreateClientCertOptions I may miss some code paths. |
I see. Something like: func userToSubject(u user.Info) pkix.Name {
// Sort shortest first to workaround go DER encoding bug
groups := u.GetGroups()
sort.Slice(groups, func(i, j int) bool {
if l := len(groups[i]) - len(groups[j]); l != 0 {
return l < 0
}
return groups[i] < groups[j]
})
return pkix.Name{
CommonName: u.GetName(),
SerialNumber: u.GetUID(),
Organization: groups,
}
} |
|
I don't object to that. if you do that, please reference the go issue and reproducer so we don't lose track of it |
|
@liggitt Yeah that's what I was planning with a big FAT comment on why it is needed |
openshift-ci-robot
added
size/M
|
@LiGgit PTAL and lift hold if you are ok with this |
|
@liggitt [damn fingers stop messing with is name :-)] PTAL |
|
/retest |
2 similar comments
|
/retest |
|
/retest |
|
Flake #16832 |
pkg/cmd/server/crypto/crypto.go
Outdated
| // between the encoding of two group RDNs will end up being the encoded | ||
| // length which is directly related to the group name's length. So we'll | ||
| // sort such that shortest names come first. | ||
| groups := u.GetGroups() |
There was a problem hiding this comment.
actually, make a new slice and copy the groups into it, so we don't share memory and introduce the possibility of races.
This is to workaround Bug openshift#18715, which is caused by Golang Crypto's x509 certificate generation ordering Subjects RDN incorrectly *and* GNUTLS' bug that "fixes" client certs on read with the correct encoding. To avoid issues until both are fixed we set the correct ordering on our own... Signed-off-by: Simo Sorce <[email protected]>
|
/hold cancel |
openshift-ci-robot
added
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: liggitt, mrogers950, simo5 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci-robot
added
the
approved
|
/retest |
2 similar comments
|
/retest |
|
/retest |
|
Automatic merge from submit-queue (batch tested with PRs 18835, 18857, 18641, 18656, 18837). |
This is to workaround Bug #18715, which is caused by Golang Crypto's x509
certificate generation ordering Subjects RDN incorrectly and GNUTLS'
bug that "fixes" client certs on read with the correct encoding.
To avoid issues until both are fixed we set the correct ordering ourself
Fixes #18715
xref golang/go#24254 https://gitlab.com/gnutls/gnutls/issues/403#note_61687722