Architecture #6356
Parent task: User story #6589 (closed): Improve Rudder security in 3.1: Inventory signature and security, SELinux compliance
Inventory endpoint should validate agent signature
Status: Released
Priority: N/A
Category: Web - Nodes & inventories
Description
The inventory endpoint should check that:
- the signature is valid
- the signature matches the key contained in the inventory
- the key matches the one currently in the ldap if there is one
Updated by Benoît PECCATTE almost 10 years ago
- Category changed from 26 to Web - Nodes & inventories
Updated by Benoît PECCATTE over 9 years ago
Script to check signature:
#!/bin/bash

# To allow Rudder to provide its own version of openssl
export PATH=/opt/rudder/bin:$PATH

if openssl -h 2> /dev/null
then
  true
else
  echo "ERROR: openssl binary is missing !"
  exit 1
fi

# the file to verify
FILE="$1"
if [ ! -e "${FILE}" ]
then
  echo "Cannot verify: The file ${FILE} doesn't exist"
  exit 2
fi

# Signature of this file
SIGNATURE="${FILE}.sign"
if [ ! -e "${SIGNATURE}" ]
then
  echo "Cannot verify: The file ${SIGNATURE} doesn't exist"
  exit 2
fi

# the public key to use for verification
PUBKEY="$2"
if [ ! -e "${PUBKEY}" ]
then
  echo "Cannot verify: The file ${PUBKEY} doesn't exist"
  exit 2
fi

# extract data from signature
# (the first line is quoted so an empty or multi-word line cannot break the test)
if [ "$(head -n1 "${SIGNATURE}")" != "header=rudder-signature-v1" ]
then
  echo "Not a valid signature file"
  exit 3
fi
SIGN_HEX=$(sed -ne '/digest=/s/digest=//p' "${SIGNATURE}")
HASH=$(sed -ne '/algorithm=/s/algorithm=//p' "${SIGNATURE}")

# create binary signature file (hex digest -> raw bytes)
SIGN=$(mktemp)
echo -ne "$(echo "${SIGN_HEX}" | tr -d '[:space:]' | sed 's/../\\x&/g')" > "${SIGN}"

# openssl command only read public keys in X509/pkcs8 format
PUBKEY8=$(mktemp)
openssl rsa -RSAPublicKey_in -in "${PUBKEY}" -pubout -out "${PUBKEY8}" 2> /dev/null

openssl dgst "-${HASH}" -verify "${PUBKEY8}" -signature "${SIGN}" < "${FILE}"
RET=$?
rm -f "${PUBKEY8}" "${SIGN}"
exit ${RET}
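The script above only covers the first of the three checks listed in the description (that the signature is valid). The following is an added example, not Rudder's code nor the script posted by the issue author: it produces a rudder-signature-v1 file (header=, algorithm=, digest= lines with the hex-encoded signature) so the format can be exercised end to end, and then applies all three endpoint checks: the signature verifies, it verifies under the key carried in the inventory, and that key equals the one already stored in LDAP when one exists. It assumes an openssl binary on PATH and public keys in PEM "BEGIN PUBLIC KEY" form (so it does not need the RSAPublicKey to PKCS#8 conversion the posted script performs); the function names, the key material and the inventory content are all constructed for the example.

```bash
#!/bin/bash
# Added example (not Rudder's own code). Assumes openssl on PATH and
# public keys in PEM SubjectPublicKeyInfo form; function names are this
# example's own, keys and inventory content are constructed locally.

# hex_to_bin HEX: decode a hex string to raw bytes on stdout without xxd,
# emitting each byte as an octal escape that printf understands
hex_to_bin() {
  printf '%s\n' "$1" | fold -w2 | while read -r pair; do
    printf "$(printf '\\%03o' "$((0x${pair}))")"
  done
}

# rudder_sign FILE PRIVKEY OUT: write a rudder-signature-v1 file for FILE
rudder_sign() {
  local file="$1" privkey="$2" out="$3" hash="sha512" sig_hex
  sig_hex=$(openssl dgst "-${hash}" -sign "${privkey}" "${file}" | od -An -v -tx1 | tr -d ' \n')
  [ -n "${sig_hex}" ] || return 1
  {
    echo "header=rudder-signature-v1"
    echo "algorithm=${hash}"
    echo "digest=${sig_hex}"
  } > "${out}"
}

# rudder_verify FILE SIGFILE PUBKEY: check 1, "the signature is valid".
# Returns 0 on success, 3 on a malformed signature file, 1 on a bad signature.
rudder_verify() {
  local file="$1" sigfile="$2" pubkey="$3" hash sig_hex sig_bin ret
  [ "$(head -n1 "${sigfile}")" = "header=rudder-signature-v1" ] || return 3
  hash=$(sed -ne 's/^algorithm=//p' "${sigfile}")
  sig_hex=$(sed -ne 's/^digest=//p' "${sigfile}")
  # the algorithm line is untrusted input: only hand known digest names to openssl
  case "${hash}" in sha256|sha512) ;; *) return 3 ;; esac
  sig_bin=$(mktemp)
  hex_to_bin "${sig_hex}" > "${sig_bin}"
  openssl dgst "-${hash}" -verify "${pubkey}" -signature "${sig_bin}" "${file}" > /dev/null 2>&1
  ret=$?
  rm -f "${sig_bin}"
  return ${ret}
}

# key_fingerprint PUBKEY: SHA-256 of the DER encoding, so two PEM files that
# encode the same key compare equal whatever their whitespace or line wrapping
key_fingerprint() {
  openssl pkey -pubin -in "$1" -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'
}

# check_node_key INVENTORY_PUBKEY [LDAP_PUBKEY]: check 3, the key in the
# inventory must equal the key LDAP already holds for the node, if any.
# Returns 0 if consistent, 4 on mismatch, 1 if the inventory key is unreadable.
check_node_key() {
  local inv_fp
  inv_fp=$(key_fingerprint "$1")
  [ -n "${inv_fp}" ] || return 1
  if [ -n "${2:-}" ] && [ -s "$2" ]; then
    [ "${inv_fp}" = "$(key_fingerprint "$2")" ] || return 4
  fi
  return 0
}

# accept_inventory FILE SIGFILE INVENTORY_PUBKEY [LDAP_PUBKEY]: the endpoint policy
accept_inventory() {
  rudder_verify "$1" "$2" "$3" || return $?   # checks 1 and 2: valid under the inventory's key
  check_node_key "$3" "${4:-}"                # check 3: same key as LDAP, when LDAP has one
}

# --- constructed demo: keys and inventory generated locally --------------------
DEMO=$(mktemp -d)
trap 'rm -rf "${DEMO}"' EXIT
openssl genrsa -out "${DEMO}/node.key" 2048 2>/dev/null
openssl rsa -in "${DEMO}/node.key" -pubout -out "${DEMO}/node.pub" 2>/dev/null
openssl genrsa -out "${DEMO}/other.key" 2048 2>/dev/null
openssl rsa -in "${DEMO}/other.key" -pubout -out "${DEMO}/other.pub" 2>/dev/null
printf 'constructed inventory for node-1\n' > "${DEMO}/node-1.ocs"
printf 'constructed inventory for node-1 (tampered)\n' > "${DEMO}/tampered.ocs"
rudder_sign "${DEMO}/node-1.ocs" "${DEMO}/node.key" "${DEMO}/node-1.ocs.sign"

demo_case() {  # demo_case LABEL cmd...: print the verdict for one scenario
  local label="$1"; shift
  if "$@"; then echo "${label}: accepted"; else echo "${label}: rejected (rc=$?)"; fi
}
demo_case "genuine, first upload (no key in LDAP yet)" accept_inventory "${DEMO}/node-1.ocs" "${DEMO}/node-1.ocs.sign" "${DEMO}/node.pub" ""
demo_case "genuine, same key already in LDAP"          accept_inventory "${DEMO}/node-1.ocs" "${DEMO}/node-1.ocs.sign" "${DEMO}/node.pub" "${DEMO}/node.pub"
demo_case "content altered after signing"              accept_inventory "${DEMO}/tampered.ocs" "${DEMO}/node-1.ocs.sign" "${DEMO}/node.pub" ""
demo_case "inventory key differs from the LDAP key"    accept_inventory "${DEMO}/node-1.ocs" "${DEMO}/node-1.ocs.sign" "${DEMO}/node.pub" "${DEMO}/other.pub"
```

Comparing keys by the SHA-256 of their DER encoding rather than by raw text avoids false mismatches between PEM files that differ only in line wrapping, and restricting the algorithm= value to a known list keeps a crafted signature file from steering the openssl invocation.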
Updated by Vincent MEMBRÉ over 9 years ago
- Status changed from New to In progress
- Assignee set to Vincent MEMBRÉ
Updated by Vincent MEMBRÉ over 9 years ago
- Status changed from In progress to Pending technical review
- Assignee changed from Vincent MEMBRÉ to François ARMAND
- Pull Request set to https://github.com/Normation/ldap-inventory/pull/62
Updated by Vincent MEMBRÉ over 9 years ago
- Status changed from Pending technical review to Pending release
- % Done changed from 40 to 100
Updated by Vincent MEMBRÉ over 9 years ago
- Status changed from Pending release to 12
This was pushed to the Normation repo on branch ust_6356/endpoint_must_check_inventory_digest by mistake and is still in technical review
Updated by Vincent MEMBRÉ over 9 years ago
- Status changed from 12 to Pending technical review
Updated by Vincent MEMBRÉ over 9 years ago
- Status changed from Pending technical review to Pending release
- % Done changed from 60 to 100
Applied in changeset ldap-inventory|14956e37ca18276a6a9ca6bdb1d99e7f34b3e810.
Updated by François ARMAND over 9 years ago
Applied in changeset ldap-inventory|06615cdcfa1e855b9129a19916734af5bc4eaab7.
Updated by Benoît PECCATTE over 9 years ago
- Parent task changed from #6363 to #6589
Updated by Vincent MEMBRÉ over 9 years ago
- Related to Architecture #6502: Older versions of Rudder should ignore the signature file added
Updated by Vincent MEMBRÉ over 9 years ago
- Status changed from Pending release to Released
This bug has been fixed in Rudder 3.1.0~beta1, which was released today.
- Announcement 3.1
- Changelog 3.1
- Download information: https://www.rudder-project.org/site/get-rudder/downloads/
Updated by Benoît PECCATTE over 9 years ago
- Has duplicate User story #6250: Per-Host inventory upload keys / access restrictions added