spiffe / spire

The SPIFFE Runtime Environment
https://spiffe.io
Apache License 2.0

NodeAttestor "aws_iid": failed signature verification in multiple regions #4164

Closed IvMdlc closed 1 year ago

IvMdlc commented 1 year ago
time="2023-05-19T11:55:24-04:00" level=error msg="Invalid argument: nodeattestor(aws_iid): failed to verify the cryptographic signature: crypto/rsa: verification error" authorized_as=nobody authorized_via= caller_addr="x.x.x.x" method=AttestAgent node_attestor_type=aws_iid request_id=485e5352-2a35-406f-8437-655c839b6c71 service=agent.v1.Agent subsystem_name=api

Hardcoded AWS CA certificate prevents successful attestation from multiple AWS regions due to failed signature verification.

func unmarshalAndValidateIdentityDocument(data []byte, pubKey *rsa.PublicKey)

takes a key from a hardcoded certificate

https://github.com/spiffe/spire/blob/main/pkg/server/plugin/nodeattestor/awsiid/iid.go#L138

https://github.com/spiffe/spire/blob/main/pkg/server/plugin/nodeattestor/awsiid/awsca.go

which is valid on a number of regions, but not on

Hong Kong, Bahrain, UAE, Cape Town, Milan, Spain, Zurich, Jakarta, Melbourne, Hyderabad, China, and GovCloud.

See point 4 in

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/verify-signature.html

Also note its expiry

Not After : Jun  5 14:28:02 2024 GMT

which is something to consider.

azdagron commented 1 year ago

Hi @IvMdlc, we just merged a change last week that we believe addresses this (#4124). Can you see if you still have problems with the latest code on the main branch?

IvMdlc commented 1 year ago

Hi @azdagron Thanks, I've had a look at the changes in #4124 and see that you raised two points that we have some concerns about:

1. Provide the cert(s) by operator via override.
2. Cert expiration in June 2024.

We feel that we could achieve a seamless transition when AWS rotates the certificate if we had the ability to pass the certs: aws_iid uses the current one for signature verification and, whenever AWS publishes the new cert (well in advance, we hope) in their documentation (this is just awful, but...), the operator can go ahead and add it along the current one. aws_iid would need to try both.

These are just our two cents on this issue anyway :)

azdagron commented 1 year ago

I think the key takeaway from #4124 is that SPIRE will now use the RSA 2048 signature for verification by default. The RSA 2048 signing certificates expire in 2195. The RSA 1024 signature is still sent by agents and is used only when the RSA 2048 signature is not present (this is for backcompat).

From that perspective, we didn't feel that we needed to provide a way to override. Is there something we're missing?
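The two mechanisms discussed above, an operator-supplied set of trusted certificates that the attestor tries in turn (IvMdlc's proposal) and preferring the RSA-2048 signature with the legacy one kept only as a fallback (azdagron's summary of #4124), as an added Go example that is not code from the spire project or from either commenter. It is simplified on purpose: signatures are raw PKCS#1 v1.5 over SHA-256 rather than the envelopes AWS actually publishes, the payload field names, the `attest`, `verifyWithAnyKey`, `newFixture` and `signDoc` names, and the keys and identity document are all constructed for the demo, and the "failed to verify the cryptographic signature" wording is borrowed from the log line in the issue so the failure mode is recognisable.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// attestationPayload is what a hypothetical agent sends. Field names are an
// assumption modelled on the AWS metadata endpoints, not SPIRE's wire format.
type attestationPayload struct {
	Document  []byte
	Signature []byte // legacy signature, may be absent
	RSA2048   []byte // newer signature, preferred when present
}

// identityDocument keeps only the field this issue is about; JSON name per AWS.
type identityDocument struct {
	Region string `json:"region"`
}

// verifyWithAnyKey checks a PKCS#1 v1.5 / SHA-256 signature against each trusted
// key in turn; a single hardcoded certificate is just the one-element case.
func verifyWithAnyKey(doc, sig []byte, keys []*rsa.PublicKey) (int, error) {
	digest := sha256.Sum256(doc)
	err := fmt.Errorf("no verification keys configured for this signature kind")
	for i, k := range keys {
		if err = rsa.VerifyPKCS1v15(k, crypto.SHA256, digest[:], sig); err == nil {
			return i, nil // index of the key that verified, e.g. 1 = the successor
		}
	}
	return -1, fmt.Errorf("failed to verify the cryptographic signature: %w", err)
}

// attest prefers the RSA-2048 signature, falls back to the legacy one only when it
// is absent, and parses the document only after a trusted key has verified it.
func attest(p attestationPayload, trusted map[string][]*rsa.PublicKey) (*identityDocument, string, int, error) {
	sig, kind := p.RSA2048, "rsa2048"
	if len(sig) == 0 { // older agents send only the legacy signature
		sig, kind = p.Signature, "legacy"
	}
	idx, err := verifyWithAnyKey(p.Document, sig, trusted[kind])
	if err != nil {
		return nil, kind, -1, err
	}
	var id identityDocument
	if err := json.Unmarshal(p.Document, &id); err != nil {
		return nil, kind, idx, fmt.Errorf("malformed identity document: %w", err)
	}
	return &id, kind, idx, nil
}

// sampleDoc is a constructed document, not a real AWS instance identity document.
var sampleDoc = []byte(`{"accountId":"123456789012","instanceId":"i-0123456789abcdef0","region":"me-south-1"}`)

// newFixture generates constructed keys and the operator's trust store, which
// already holds the successor certificate next to the current one.
func newFixture() (map[string]*rsa.PrivateKey, map[string][]*rsa.PublicKey) {
	keys := map[string]*rsa.PrivateKey{}
	for _, name := range []string{"current", "next", "legacy", "unknown"} {
		k, err := rsa.GenerateKey(rand.Reader, 2048)
		if err != nil {
			panic(err)
		}
		keys[name] = k
	}
	trusted := map[string][]*rsa.PublicKey{
		"rsa2048": {&keys["current"].PublicKey, &keys["next"].PublicKey},
		"legacy":  {&keys["legacy"].PublicKey},
	}
	return keys, trusted
}

// signDoc stands in for the AWS signing side so the example runs offline.
func signDoc(doc []byte, k *rsa.PrivateKey) []byte {
	digest := sha256.Sum256(doc)
	sig, err := rsa.SignPKCS1v15(rand.Reader, k, crypto.SHA256, digest[:])
	if err != nil {
		panic(err)
	}
	return sig
}

func main() {
	keys, trusted := newFixture()
	for _, p := range []attestationPayload{
		{Document: sampleDoc, Signature: signDoc(sampleDoc, keys["legacy"]), RSA2048: signDoc(sampleDoc, keys["current"])},
		{Document: sampleDoc, Signature: signDoc(sampleDoc, keys["legacy"])}, // older agent, no RSA-2048 signature
		{Document: sampleDoc, RSA2048: signDoc(sampleDoc, keys["next"])},     // AWS has rotated to the successor
		{Document: sampleDoc, RSA2048: signDoc(sampleDoc, keys["unknown"])},  // certificate not in the trust store
	} {
		id, kind, idx, err := attest(p, trusted)
		fmt.Printf("kind=%s key=%d doc=%+v err=%v\n", kind, idx, id, err)
	}
}
```

The four payloads in `main` walk through the thread's scenarios: with both signatures present the RSA-2048 one is used, an older agent that sends only the legacy signature still attests, a document signed by the pre-published successor verifies against the second entry of the trust store with no operator action at rotation time, and a document signed by a certificate outside the store (the regional-certificate case from the first comment) is rejected with a wrapped `crypto/rsa: verification error`. Verifying before unmarshalling keeps unsigned bytes from influencing any attestation decision, and an empty key list for a signature kind fails closed rather than silently skipping verification.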

IvMdlc commented 1 year ago

Right, missed that. We'll try it once it's released.

azdagron commented 1 year ago

Awesome, we appreciate it :) We'll close this for now. If something comes up, please let us know!