spiffe / spire

The SPIFFE Runtime Environment
https://spiffe.io
Apache License 2.0

AWS node attestor needs to use different cert for different regions #2126

Closed xinlaini closed 1 year ago

xinlaini commented 3 years ago

We recently spun up an AWS vm in eu-south-1 (Milan), our existing spire-server (running from GCP) failed to attest the new VM with "cryptography signature verification failures".

It seems that the aws_iid plugin is using a hardcoded cert regardless of the region the aws vm lives in.

However, according to the AWS doc (for PKCS7 signature verification), the Milan region has a different DSA cert. I suspect they should have a different RSA cert for that region as well (which I believe is what the aws_iid code is using).

It seems not correct to hard code the cert to be used for all region's node attestation.

evan2645 commented 3 years ago

Thank you for opening this @xinlaini!

I remember when we implemented the aws_iid attestor, and being surprised that the validation cert was defined statically on the documentation website. I'm again surprised to find that there are now different certs for some regions :) I feel like that wasn't the case when the plugin was implemented.

At any rate, thanks again for opening this, I think it's clear that we need to pull in all the certs defined on the webpage you linked to, and choose the right cert based on region.

azdagron commented 1 year ago

Another interesting tidbit is that the current certificate expires next year. We'll need a plan in place for dealing with that as well. We'll go ahead and schedule this soon to give us time to come up with something.

maxlambrecht commented 1 year ago

I submitted a draft PR addressing the two aspects of this issue: lack of support for several regions and the expiration of the currently used certificate (in June next year)

The changes involve:

The issue with these changes is that they break backward compatibility.

maxlambrecht commented 1 year ago

Update: the PR is ready, supports all regions, and is backward compatible.

shashankram commented 1 year ago

@maxlambrecht @evan2645 @azdagron is this fix available in 1.6.4 or will it only be available in 1.7.0? Also do we know which region the cert was hardcoded to previously?

azdagron commented 1 year ago

Answered in slack :) For posterity, this is 1.7.0 only and the key in reference is the main RSA key specified at https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/verify-signature.html.

The following AWS public certificate is for all AWS Regions, except Hong Kong, Bahrain, UAE, Cape Town, Milan, Spain, Zurich, Jakarta, Melbourne, Hyderabad, China, and GovCloud.
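As an added illustration of the fix this thread converges on, and not SPIRE's own aws_iid code, the Go sketch below keeps one verification certificate per region with a single fallback for the regions that share the global certificate (the arrangement the AWS doc quoted above describes), selects the certificate from the region field of the identity document being attested, and refuses to verify with a certificate outside its validity window, which covers the expiry concern azdagron raised. The `CertStore`, `VerifyIdentityDocument`, `newTestCert` and `Demo` names are hypothetical; the certificates are self-signed fixtures generated inline rather than the ones AWS publishes; and the RSA-SHA256 PKCS#1 v1.5 signature over the raw document bytes is an assumption made for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CertStore keys verification certs by region; "" is the fallback (hypothetical type).
type CertStore struct{ certs map[string]*x509.Certificate }

// NewCertStore parses one PEM certificate per region; a "" fallback is required.
func NewCertStore(pems map[string][]byte) (*CertStore, error) {
	s := &CertStore{certs: map[string]*x509.Certificate{}}
	for region, p := range pems {
		block, _ := pem.Decode(p)
		if block == nil || block.Type != "CERTIFICATE" {
			return nil, fmt.Errorf("region %q: no CERTIFICATE block in PEM", region)
		}
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("region %q: %w", region, err)
		}
		s.certs[region] = c
	}
	if s.certs[""] == nil {
		return nil, fmt.Errorf("no fallback certificate under key %q", "")
	}
	return s, nil
}

// CertForRegion returns the region's own cert when present, else the fallback.
func (s *CertStore) CertForRegion(region string) *x509.Certificate {
	if c, ok := s.certs[region]; ok {
		return c
	}
	return s.certs[""]
}

// VerifyIdentityDocument picks the cert by the document's own region field, rejects a
// cert outside its validity window, then checks the (assumed) RSA-SHA256 PKCS#1 v1.5 signature.
func VerifyIdentityDocument(s *CertStore, doc, sig []byte, now time.Time) (string, error) {
	var id struct {
		Region string `json:"region"`
	}
	if err := json.Unmarshal(doc, &id); err != nil {
		return "", fmt.Errorf("parse identity document: %w", err)
	}
	cert := s.CertForRegion(id.Region)
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return "", fmt.Errorf("cert for region %q not valid at %s", id.Region, now.Format(time.RFC3339))
	}
	if err := cert.CheckSignature(x509.SHA256WithRSA, doc, sig); err != nil {
		return "", fmt.Errorf("signature for region %q: %w", id.Region, err)
	}
	return id.Region, nil
}

// must panics on fixture-setup errors; only the constructed test data below uses it.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newTestCert builds a self-signed RSA cert for the day ending at notAfter
// (a constructed stand-in for the certificates AWS publishes).
func newTestCert(notAfter time.Time) ([]byte, *rsa.PrivateKey) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    notAfter.Add(-24 * time.Hour),
		NotAfter:     notAfter,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), key
}

// Demo signs a constructed eu-south-1 document with the Milan test key and reports whether
// a region-aware store verifies it, whether a global-cert-only store does, and whether an
// expired Milan cert is rejected.
func Demo() (regionAware, globalOnly, expiredRejected bool) {
	now := time.Now()
	globalPEM, _ := newTestCert(now.Add(time.Hour))
	milanPEM, milanKey := newTestCert(now.Add(time.Hour))
	doc := []byte(`{"region":"eu-south-1","instanceId":"i-0123456789abcdef0"}`) // constructed
	digest := sha256.Sum256(doc)
	sig := must(rsa.SignPKCS1v15(rand.Reader, milanKey, crypto.SHA256, digest[:]))
	aware := must(NewCertStore(map[string][]byte{"": globalPEM, "eu-south-1": milanPEM}))
	naive := must(NewCertStore(map[string][]byte{"": globalPEM}))
	_, e1 := VerifyIdentityDocument(aware, doc, sig, now)
	_, e2 := VerifyIdentityDocument(naive, doc, sig, now)
	_, e3 := VerifyIdentityDocument(aware, doc, sig, now.Add(2*time.Hour))
	return e1 == nil, e2 == nil, e3 != nil
}
```

The `naive` store reproduces the failure reported at the top of the thread: a document signed under the Milan certificate cannot be verified with the single global certificate, so attestation fails with a signature error. Loading the certificate set from configuration rather than a compiled-in constant is also what makes the June expiry a data change rather than a code release.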