Actions
Architecture #6356
closed
User story #6589: Improve Rudder security in 3.1: Inventory signature and security, SELinux compliance
Inventory endpoint should validate agent signature
Status:
Released
Priority:
N/A
Assignee:
Category:
Web - Nodes & inventories
Target version:
Fix check:
Regression:
Description
The inventory endpoint should check that:
- the signature is valid
- the signature matches the key contained in the inventory
- the key matches the one currently in the ldap if there is one
Updated by Benoît PECCATTE over 9 years ago
- Category changed from 26 to Web - Nodes & inventories
Updated by Benoît PECCATTE over 9 years ago
Script to check signature:
#!/bin/bash
# To allow Rudder to provide its own version of openssl
export PATH=/opt/rudder/bin:$PATH
if openssl -h 2> /dev/null
then
true
else
echo "ERROR: openssl binary is missing !"
exit 1
fi
# the file to verify
FILE="$1"
if [ ! -e "${FILE}" ]
then
echo "Cannot verify: The file ${FILE} doesn't exist"
exit 2
fi
# Signature of this file
SIGNATURE="${FILE}.sign"
if [ ! -e "${SIGNATURE}" ]
then
echo "Cannot verify: The file ${SIGNATURE} doesn't exist"
exit 2
fi
# the public key to use for verification
PUBKEY="$2"
if [ ! -e "${PUBKEY}" ]
then
echo "Cannot verify: The file ${PUBKEY} doesn't exist"
exit 2
fi
# extract data from signature
if [ $(head -n1 "${SIGNATURE}") != "header=rudder-signature-v1" ]
then
echo "Not a valid signature file"
exit 3
fi
SIGN_HEX=$(sed -ne '/digest=/s/digest=//p' "${SIGNATURE}")
HASH=$(sed -ne '/algorithm=/s/algorithm=//p' "${SIGNATURE}")
# create binary signature file
SIGN=$(mktemp)
echo -ne $(echo "${SIGN_HEX}" | tr -d '[:space:]' | sed 's/../\\x&/g') > "${SIGN}"
# openssl command only read public keys in X509/pkcs8 format
PUBKEY8=$(mktemp)
openssl rsa -RSAPublicKey_in -in "${PUBKEY}" -pubout -out "${PUBKEY8}" 2> /dev/null
openssl dgst "-${HASH}" -verify "${PUBKEY8}" -signature "${SIGN}" < "${FILE}"
RET=$?
rm -f ${PUBKEY8} ${SIGN}
exit ${RET}
Updated by Vincent MEMBRÉ over 9 years ago
- Status changed from New to In progress
- Assignee set to Vincent MEMBRÉ
Updated by Vincent MEMBRÉ over 9 years ago
- Status changed from In progress to Pending technical review
- Assignee changed from Vincent MEMBRÉ to François ARMAND
- Pull Request set to https://github.com/Normation/ldap-inventory/pull/62
Updated by Vincent MEMBRÉ over 9 years ago
- Status changed from Pending technical review to Pending release
- % Done changed from 40 to 100
Updated by Vincent MEMBRÉ over 9 years ago
- Status changed from Pending release to 12
THis was pushed to Normation repo on branch ust_6356/endpoint_must_check_inventory_digest by mistake and is still in technical review
Updated by Vincent MEMBRÉ over 9 years ago
- Status changed from 12 to Pending technical review
Updated by Vincent MEMBRÉ over 9 years ago
- Status changed from Pending technical review to Pending release
- % Done changed from 60 to 100
Applied in changeset ldap-inventory|14956e37ca18276a6a9ca6bdb1d99e7f34b3e810.
Updated by François ARMAND over 9 years ago
Applied in changeset ldap-inventory|06615cdcfa1e855b9129a19916734af5bc4eaab7.
Updated by Benoît PECCATTE over 9 years ago
- Parent task changed from #6363 to #6589
Updated by Vincent MEMBRÉ over 9 years ago
- Related to Architecture #6502: Older versions of Rudder should ignore the signature file added
Updated by Vincent MEMBRÉ over 9 years ago
- Status changed from Pending release to Released
This bug has been fixed in Rudder 3.1.0~beta1 which were released today.
- Announcement 3.1
- Changelog 3.1
- Download information: https://www.rudder-project.org/site/get-rudder/downloads/
Updated by Benoît PECCATTE over 9 years ago
- Has duplicate User story #6250: Per-Host inventory upload keys / access restrictions added
Actions