Architecture #6356

closed

User story #6589: Improve Rudder security in 3.1: Inventory signature and security, SELinux compliance

Inventory endpoint should validate agent signature

Added by Benoît PECCATTE almost 10 years ago. Updated over 9 years ago.

Status: Released
Priority: N/A
Category: Web - Nodes & inventories

Description

The inventory endpoint should check that:
- the signature is valid
- the signature matches the key contained in the inventory
- the key matches the one currently in the LDAP if there is one


Subtasks 8 (0 open, 8 closed)

- Architecture #6506: Change send_clean to push signature along with inventory (Released, Matthieu CERDA, 2015-04-16)
- Architecture #6558: Update test in Rudder so it is ok with new inventory data model (Released, François ARMAND, 2015-05-05)
- User story #6560: Display key used to sign inventory and if the Node is "Certified" (Released, François ARMAND, 2015-05-06)
- Architecture #6567: Add a script to manage node keys on server (Released, Vincent MEMBRÉ, 2015-05-06)
- Bug #6583: Can't validate inventory key stored with old format (Released, Nicolas CHARLES, 2015-05-13)
- Bug #6584: Tests broken with wrong inventory schema (Released, Nicolas CHARLES, 2015-05-13)
- Bug #6600: Cannot modify root server inventory after new install (Released, François ARMAND, 2015-05-17)
- Bug #6601: Remove invalid default public key for root server (Released, François ARMAND, 2015-05-17)

Related issues 2 (0 open, 2 closed)

- Related to Rudder - Architecture #6502: Older versions of Rudder should ignore the signature file (Released, Matthieu CERDA, 2015-04-13)
- Has duplicate Rudder - User story #6250: Per-Host inventory upload keys / access restrictions (Rejected, 2015-02-10)

#1

Updated by Benoît PECCATTE almost 10 years ago

  • Parent task set to #6363

#2

Updated by Benoît PECCATTE almost 10 years ago

  • Category changed from 26 to Web - Nodes & inventories

#3

Updated by Benoît PECCATTE over 9 years ago

Script to check signature:

#!/bin/bash

# To allow Rudder to provide its own version of openssl
export PATH=/opt/rudder/bin:$PATH

# look the binary up on PATH instead of relying on the exit status of "openssl -h"
if ! command -v openssl > /dev/null 2>&1
then
  echo "ERROR: openssl binary is missing !"
  exit 1
fi

# the file to verify
FILE="$1"
if [ ! -e "${FILE}" ]
then
  echo "Cannot verify: The file ${FILE} doesn't exist"
  exit 2
fi

# Signature of this file
SIGNATURE="${FILE}.sign"
if [ ! -e "${SIGNATURE}" ]
then
  echo "Cannot verify: The file ${SIGNATURE} doesn't exist"
  exit 2
fi

# the public key to use for verification
PUBKEY="$2"
if [ ! -e "${PUBKEY}" ]
then
  echo "Cannot verify: The file ${PUBKEY} doesn't exist"
  exit 2
fi

# extract data from signature (quoted: an empty or multi-word first line must not break the test)
if [ "$(head -n1 "${SIGNATURE}")" != "header=rudder-signature-v1" ]
then
  echo "Not a valid signature file"
  exit 3
fi
SIGN_HEX=$(sed -ne '/digest=/s/digest=//p' "${SIGNATURE}")
HASH=$(sed -ne '/algorithm=/s/algorithm=//p' "${SIGNATURE}")
if [ -z "${SIGN_HEX}" ] || [ -z "${HASH}" ]
then
  echo "Not a valid signature file: missing digest or algorithm"
  exit 3
fi

# create binary signature file from the hex digest; temporary files are removed on every exit path
SIGN=$(mktemp)
PUBKEY8=$(mktemp)
trap 'rm -f "${PUBKEY8}" "${SIGN}"' EXIT
echo -ne "$(echo "${SIGN_HEX}" | tr -d '[:space:]' | sed 's/../\\x&/g')" > "${SIGN}"

# openssl command only reads public keys in X509/pkcs8 format, so convert the PKCS#1 RSA key first
openssl rsa -RSAPublicKey_in -in "${PUBKEY}" -pubout -out "${PUBKEY8}" 2> /dev/null

openssl dgst "-${HASH}" -verify "${PUBKEY8}" -signature "${SIGN}" < "${FILE}"
RET=$?

exit ${RET}
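
The three checks from the ticket description, applied to a file signed in the rudder-signature-v1 layout that the script above parses (header=, algorithm= and digest= lines, digest in hex), as an added example that is not Rudder's own code. It assumes that the key carried in the inventory and the key already stored for the node are handed over as PEM public-key files, and that bash and the openssl command line are available.

```bash
#!/bin/bash
# Added example (not Rudder's code): the three checks from the ticket description,
# run against a file signed in the rudder-signature-v1 layout used by the script
# above (header=, algorithm=, digest= lines, digest in hex).
# Assumption: the key carried in the inventory and the key already stored for the
# node are passed as PEM public-key files.
set -u

ALLOWED_HASHES="sha256 sha512"   # algorithm= is only honoured if it is listed here

# sig_field SIGFILE NAME -> value of the "NAME=" line, empty if absent
sig_field() { sed -ne "/^$2=/s/^$2=//p" "$1"; }

# verify_signature FILE SIGFILE PUBKEY_PEM
# 0: valid signature under PUBKEY; 1: does not verify; 3: malformed signature file
verify_signature() {
  local file="$1" sig="$2" pubkey="$3" hash hex bin ret
  [ "$(head -n1 "$sig")" = "header=rudder-signature-v1" ] || return 3
  hash=$(sig_field "$sig" algorithm)
  hex=$(sig_field "$sig" digest | tr -d '[:space:]')
  case " ${ALLOWED_HASHES} " in *" ${hash} "*) ;; *) return 3 ;; esac
  case "$hex" in "" | *[!0-9a-fA-F]*) return 3 ;; esac
  bin=$(mktemp)
  # hex digest -> raw signature bytes (bash printf expands \xHH)
  printf '%b' "$(echo "$hex" | sed 's/../\\x&/g')" > "$bin"
  openssl dgst "-${hash}" -verify "$pubkey" -signature "$bin" "$file" >/dev/null 2>&1
  ret=$?
  rm -f "$bin"
  [ "$ret" -eq 0 ] || return 1
}

# same_key A.pem B.pem -> 0 if both files hold the same public key (compared as DER)
same_key() {
  [ "$(openssl pkey -pubin -in "$1" -outform DER 2>/dev/null | openssl sha256)" = \
    "$(openssl pkey -pubin -in "$2" -outform DER 2>/dev/null | openssl sha256)" ]
}

# check_inventory FILE SIGFILE INVENTORY_KEY_PEM [STORED_KEY_PEM]
# 0: accept; 10: malformed signature; 11: not signed by the key the inventory
# carries; 12: inventory key differs from the key already stored for this node
check_inventory() {
  local file="$1" sig="$2" inv_key="$3" stored_key="${4:-}" rc
  verify_signature "$file" "$sig" "$inv_key"; rc=$?
  [ "$rc" -ne 3 ] || return 10
  [ "$rc" -eq 0 ] || return 11
  if [ -n "$stored_key" ] && ! same_key "$inv_key" "$stored_key"; then return 12; fi
  return 0
}
```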

#4

Updated by Vincent MEMBRÉ over 9 years ago

  • Status changed from New to In progress
  • Assignee set to Vincent MEMBRÉ

#5

Updated by Vincent MEMBRÉ over 9 years ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from Vincent MEMBRÉ to François ARMAND
  • Pull Request set to https://github.com/Normation/ldap-inventory/pull/62

#6

Updated by Vincent MEMBRÉ over 9 years ago

  • Status changed from Pending technical review to Pending release
  • % Done changed from 40 to 100

#7

Updated by Vincent MEMBRÉ over 9 years ago

  • Status changed from Pending release to 12

This was pushed to the Normation repo on branch ust_6356/endpoint_must_check_inventory_digest by mistake and is still in technical review.

#8

Updated by Vincent MEMBRÉ over 9 years ago

  • Status changed from 12 to Pending technical review

#9

Updated by Vincent MEMBRÉ over 9 years ago

  • Status changed from Pending technical review to Pending release
  • % Done changed from 60 to 100

#11

Updated by Benoît PECCATTE over 9 years ago

  • Parent task changed from #6363 to #6589

#12

Updated by Vincent MEMBRÉ over 9 years ago

  • Related to Architecture #6502: Older versions of Rudder should ignore the signature file added

#13

Updated by Vincent MEMBRÉ over 9 years ago

  • Status changed from Pending release to Released

This bug has been fixed in Rudder 3.1.0~beta1, which was released today.

#14

Updated by Benoît PECCATTE over 9 years ago

  • Has duplicate User story #6250: Per-Host inventory upload keys / access restrictions added