Architecture #6355

closed

User story #6589: Improve Rudder security in 3.1: Inventory signature and security, SELinux compliance

Agent should sign their inventory using their private key

Added by Benoît PECCATTE almost 10 years ago. Updated over 9 years ago.

Status:
Released
Priority:
N/A
Assignee:
-
Category:
System techniques
Target version:
Effort required:
Name check:
Fix check:
Regression:

Description

We should sign agent inventories with their private key.
The signature should be sent with the inventory in a manner that can be ignored by older inventory endpoints.

Suggestion: include them in a comment before or after the inventory and remove it before validation.
Other suggestion: use a separator that is ignored by the parser, such as the ASCII record separator character.


Subtasks 9 (0 open, 9 closed)

Issue | Status | Assignee | Date
Architecture #6477: Create a script to sign files using openssl on unix | Released | Matthieu CERDA | 2015-05-15
Bug #6592: signature.sh is not in the final package | Released | Vincent MEMBRÉ | 2015-05-15
Architecture #6510: Inventory technique should create a signature and send it | Released | Vincent MEMBRÉ | 2015-04-16
Architecture #6515: Add openssl command line on windows - tools | Released | Benoît PECCATTE | 2015-04-17
Architecture #6516: Add dependency to openssl command on debian | Released | Benoît PECCATTE | 2015-04-27
Bug #6535: Cannot build rudder-agent-thin 3.1, cannot apply patches | Released | Vincent MEMBRÉ | 2015-04-27
Bug #6687: bundle sendInventoryToCmdb tries to send .sign files to the endpoint | Released | Benoît PECCATTE | 2015-06-03
Bug #6692: Syntax error in site.cf | Released | Matthieu CERDA | 2015-06-03
Bug #6551: signature.sh doesn't use absolute key path | Released | Vincent MEMBRÉ | 2015-05-04

Related issues 1 (0 open, 1 closed)

Related to Rudder - User story #8053: Make signature problem easier to diagnose | Released | Vincent MEMBRÉ | 2016-05-17
Actions #1

Updated by Benoît PECCATTE almost 10 years ago

  • Parent task set to #6363
Actions #2

Updated by Benoît PECCATTE over 9 years ago

Commands to create signature data:

# md4 md5 sha sha1 sha224 sha256 sha384 sha512 whirlpool
HASH=sha512
FILE=inventory.ocs
KEY=/var/rudder/cfengine-community/ppkeys/localhost.priv
openssl dgst -r -$HASH -hex -sign $KEY < $FILE
# Passphrase is: "Cfengine passphrase" 

Actions #3

Updated by Benoît PECCATTE over 9 years ago

Signature can only be verified using binary signature:

# remove the -hex from before 
openssl dgst -r -$HASH -sign $KEY < $FILE > $FILE.sign

# the openssl command only reads public keys in X509 format
PUBKEY=/var/rudder/cfengine-community/ppkeys/localhost_x509.pub
openssl rsa -in $KEY -pubout -out $PUBKEY

# verify using the new key and the binary form signature
openssl dgst -r -$HASH -verify $PUBKEY -signature $FILE.sign < $FILE

But these limitations are from the command line and can probably be removed on the server if we use libssl or something else directly.

Actions #4

Updated by Benoît PECCATTE over 9 years ago

The signature file format would be like this:

header=rudder-signature-v1
algorithm=sha512
digest=<hex-encoded signature value, omitted here>

Actions #5

Updated by Benoît PECCATTE over 9 years ago

A comment to replace the conversion from the private key to a conversion from the public key that will be available on the server:

# the openssl command only reads public keys in X509/pkcs8 format
PKCS1PUB=/var/rudder/cfengine-community/ppkeys/localhost.pub
PUBKEY=/var/rudder/cfengine-community/ppkeys/localhost_x509.pub
openssl rsa -RSAPublicKey_in -in $PKCS1PUB -pubout -out $PUBKEY

Actions #6

Updated by Benoît PECCATTE over 9 years ago

To convert from hex to binary in shell:

echo -n -e $(tr -d '[:space:]' | sed 's/../\\x&/g')
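
Server-side handling of the pieces discussed in this ticket, as an added example that is not part of the ticket or of Rudder's own code: it splits the upload on the ASCII record separator suggested in the description, parses the key=value signature format from comment #4, does the hex-to-binary step from comment #6, and runs the same openssl verify as comment #3. The algorithm allowlist, the temporary file names and the function names are assumptions.

```python
import re
import subprocess
import tempfile
from pathlib import Path

RECORD_SEPARATOR = b"\x1e"        # ASCII RS: parser-ignored separator suggested in the description
EXPECTED_HEADER = "rudder-signature-v1"
ALLOWED_ALGORITHMS = {"sha256", "sha384", "sha512"}   # assumed server allowlist, not Rudder's


def split_inventory(payload: bytes):
    """Return (inventory, signature_block); an unsigned upload gives (payload, None)."""
    inventory, sep, block = payload.partition(RECORD_SEPARATOR)
    return inventory, (block if sep else None)


def parse_signature_block(block: bytes) -> dict:
    """Parse the key=value format of comment #4; raise ValueError on anything unexpected."""
    fields = {}
    for raw in block.decode("ascii").splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        fields[key.strip()] = value.strip()
    if fields.get("header") != EXPECTED_HEADER:
        raise ValueError("unsupported signature header")
    algorithm = fields.get("algorithm", "").lower()
    if algorithm not in ALLOWED_ALGORITHMS:          # refuses md4/md5/sha1 even though openssl offers them
        raise ValueError(f"algorithm not allowed: {algorithm!r}")
    hex_digest = re.sub(r"\s+", "", fields.get("digest", ""))   # same whitespace stripping as comment #6
    if not re.fullmatch(r"(?:[0-9a-fA-F]{2})+", hex_digest):
        raise ValueError("digest is not an even-length hex string")
    return {"header": EXPECTED_HEADER, "algorithm": algorithm, "digest": bytes.fromhex(hex_digest)}


def verify_with_openssl(inventory: bytes, sig: dict, pubkey_pem: str) -> bool:
    """Same check as comment #3: openssl dgst -verify needs the binary form of the signature."""
    with tempfile.TemporaryDirectory() as tmp:
        inv_path, sig_path = Path(tmp, "inventory.ocs"), Path(tmp, "inventory.sign")
        inv_path.write_bytes(inventory)
        sig_path.write_bytes(sig["digest"])      # hex -> binary already done by the parser
        proc = subprocess.run(
            ["openssl", "dgst", f"-{sig['algorithm']}", "-verify", pubkey_pem,
             "-signature", str(sig_path), str(inv_path)],
            capture_output=True, check=False)    # argv list and allowlisted algorithm: nothing reaches a shell
    return proc.returncode == 0 and proc.stdout.strip() == b"Verified OK"
```

pubkey_pem is the X509-format public key produced by the openssl rsa conversion in comment #5; an upload without a record separator is treated as unsigned so older agents keep working.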

Actions #7

Updated by Matthieu CERDA over 9 years ago

  • Status changed from New to Pending release
  • % Done changed from 40 to 100

[INCORRECT COMMIT, REMOVED]

Actions #8

Updated by Benoît PECCATTE over 9 years ago

[INCORRECT COMMIT, REMOVED]

Actions #9

Updated by Matthieu CERDA over 9 years ago

  • Status changed from Pending release to Discussion
Actions #10

Updated by Matthieu CERDA over 9 years ago

  • Status changed from Discussion to New
Actions #11

Updated by Benoît PECCATTE over 9 years ago

  • Parent task changed from #6363 to #6589
Actions #12

Updated by Vincent MEMBRÉ over 9 years ago

  • Target version changed from 3.1.0~beta1 to 3.1.0~rc1
Actions #13

Updated by Vincent MEMBRÉ over 9 years ago

  • Parent task deleted (#6589)
Actions #14

Updated by Vincent MEMBRÉ over 9 years ago

  • Parent task set to #6589
Actions #15

Updated by Vincent MEMBRÉ over 9 years ago

  • Status changed from New to Pending technical review
  • Target version changed from 3.1.0~rc1 to 3.1.0~beta1
Actions #16

Updated by Vincent MEMBRÉ over 9 years ago

  • Status changed from Pending technical review to 12
Actions #17

Updated by Vincent MEMBRÉ over 9 years ago

  • Status changed from 12 to Pending release
Actions #18

Updated by Vincent MEMBRÉ over 9 years ago

  • Status changed from Pending release to Released

This bug has been fixed in Rudder 3.1.0~beta1, which was released today.

Actions #19

Updated by Jonathan CLARKE over 8 years ago
