Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[release-4.15] OCPBUGS-49392: Block Upgrades for CA-Signed Certs Using SHA1 #641

Open
wants to merge 1 commit into
base: release-4.15
Choose a base branch
from
Open

[release-4.15] OCPBUGS-49392: Block Upgrades for CA-Signed Certs Using SHA1 #641

wants to merge 1 commit into from

Conversation

gcs278
Copy link
Contributor

@gcs278 gcs278 commented Dec 4, 2024
edited
Loading

Previously, upgrades from 4.15 to 4.16 were only blocked for leaf certs using SHA1. However, in 4.16, any SHA1 cert that is CA-signed (not self-signed) is unsupported. As a result, we were incorrectly allowing upgrades for SHA1 intermediate certificates, while blocking upgrades for self-signed SHA1 leaf certificates.

This update refactors the upgrade validation plugin to address these issues by checking all certificates (server, CA, destinationCA) for SHA1 while excluding self-signed certificates from the validation.

@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Dec 4, 2024

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Dec 4, 2024
@openshift-ci-robot openshift-ci-robot added jira/severity-moderate Referenced Jira bug's severity is moderate for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. labels Dec 4, 2024
@openshift-ci-robot
Copy link
Contributor

@gcs278: This pull request references Jira Issue OCPBUGS-45290, which is invalid:

  • expected the bug to target the "4.15.z" version, but no target version was set
  • release note text must be set and not match the template OR release note type must be set to "Release Note Not Required". For more information you can reference the OpenShift Bug Process.
  • expected Jira Issue OCPBUGS-45290 to depend on a bug targeting a version in 4.16.0, 4.16.z and in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but no dependents were found

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

Previously, upgrades were blocked for SHA1 leaf certificates, while SHA1 root CA certificates were allowed. However, SHA1 intermediate certificates, are also rejected in 4.16.

This update adds the UnservableInFutureVersions condition when a route's spec.tls.caCertificate includes an intermediate certificate with SHA1. This blocks upgrades using the admin-ack mechanism.

WIP:
Need Unit tests

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot openshift-ci-robot added the jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. label Dec 4, 2024
@gcs278 gcs278 changed the title OCPBUGS-45290: Block Upgrades for SHA1 Intermediate Certs [WIP] OCPBUGS-45290: Block Upgrades for SHA1 Intermediate Certs Dec 4, 2024
@gcs278 gcs278 force-pushed the intermediate-sha1-cert branch from 6710e76 to 9e9d1fb Compare December 6, 2024 02:56
@openshift-ci-robot
Copy link
Contributor

@gcs278: This pull request references Jira Issue OCPBUGS-45290, which is invalid:

  • expected the bug to target either version "4.15." or "openshift-4.15.", but it targets "4.19.0" instead
  • release note text must be set and not match the template OR release note type must be set to "Release Note Not Required". For more information you can reference the OpenShift Bug Process.
  • expected Jira Issue OCPBUGS-45290 to depend on a bug targeting a version in 4.16.0, 4.16.z and in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but no dependents were found

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

Previously, upgrades were only blocked for leaf certs using SHA1. However, in 4.16, any SHA1 cert that is CA-signed (not self-signed) is unsupported.

Since such routes will be rejected in 4.16, this update extends the upgrade blocking mechanism to include these cases, utilizing the same admin-ack process through the UnservableInFutureVersions condition.

WIP:
Need Unit tests

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@gcs278 gcs278 force-pushed the intermediate-sha1-cert branch from 9e9d1fb to 027c83e Compare December 6, 2024 03:18
@gcs278 gcs278 changed the title [WIP] OCPBUGS-45290: Block Upgrades for SHA1 Intermediate Certs [WIP] OCPBUGS-45290: Block Upgrades for CA-Signed Certs Using SHA1 Dec 6, 2024
@gcs278 gcs278 force-pushed the intermediate-sha1-cert branch from 027c83e to bc6739c Compare January 27, 2025 20:17
@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Jan 27, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from gcs278. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@gcs278 gcs278 force-pushed the intermediate-sha1-cert branch 3 times, most recently from 95000e6 to 558fcce Compare January 27, 2025 20:30
@gcs278 gcs278 changed the title [WIP] OCPBUGS-45290: Block Upgrades for CA-Signed Certs Using SHA1 [WIP] OCPBUGS-TBD: Block Upgrades for CA-Signed Certs Using SHA1 Jan 27, 2025
@openshift-ci-robot openshift-ci-robot removed jira/severity-moderate Referenced Jira bug's severity is moderate for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. labels Jan 27, 2025
@openshift-ci-robot
Copy link
Contributor

@gcs278: No Jira issue is referenced in the title of this pull request.
To reference a jira issue, add 'XYZ-NNN:' to the title of this pull request and request another refresh with /jira refresh.

In response to this:

Previously, upgrades from 4.15 to 4.16 were only blocked for leaf certs using SHA1. However, in 4.16, any SHA1 cert that is CA-signed (not self-signed) is unsupported. As a result, we were incorrectly allowing upgrades for SHA1 intermediate certificates, while blocking upgrades for self-signed SHA1 leaf certificates.

This update refactors the upgrade validation plugin to address these issues by checking all certificates (server, CA, destinationCA) for SHA1 while excluding self-signed certificates from the validation.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot openshift-ci-robot removed the jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. label Jan 27, 2025
@gcs278 gcs278 mentioned this pull request Jan 27, 2025
Merged
@gcs278 gcs278 changed the title [WIP] OCPBUGS-TBD: Block Upgrades for CA-Signed Certs Using SHA1 OCPBUGS-49392: Block Upgrades for CA-Signed Certs Using SHA1 Jan 27, 2025
@openshift-ci-robot openshift-ci-robot added jira/severity-moderate Referenced Jira bug's severity is moderate for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Jan 27, 2025
@openshift-ci-robot
Copy link
Contributor

@gcs278: This pull request references Jira Issue OCPBUGS-49392, which is invalid:

  • expected dependent Jira Issue OCPBUGS-49391 to be in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but it is New instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

Previously, upgrades from 4.15 to 4.16 were only blocked for leaf certs using SHA1. However, in 4.16, any SHA1 cert that is CA-signed (not self-signed) is unsupported. As a result, we were incorrectly allowing upgrades for SHA1 intermediate certificates, while blocking upgrades for self-signed SHA1 leaf certificates.

This update refactors the upgrade validation plugin to address these issues by checking all certificates (server, CA, destinationCA) for SHA1 while excluding self-signed certificates from the validation.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@gcs278 gcs278 marked this pull request as ready for review January 27, 2025 21:05
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jan 27, 2025
@openshift-ci openshift-ci bot requested review from alebedev87 and Miciah January 27, 2025 21:05
@Thealisyed
Copy link

/assign

@gcs278 gcs278 mentioned this pull request Jan 30, 2025
Open
@gcs278
OCPBUGS-45290: Block Upgrades for CA-Signed Certs Using SHA1
41db25b 
Previously, upgrades from 4.15 to 4.16 were only blocked for leaf certs
using SHA1. However, in 4.16, any SHA1 cert that is CA-signed (not
self-signed) is unsupported. As a result, we were incorrectly allowing
upgrades for SHA1 intermediate certificates, while blocking upgrades
for self-signed SHA1 leaf certificates.

This update refactors the upgrade validation plugin to address these
issues by checking all certificates (server, CA, destinationCA) for
SHA1 while excluding self-signed certificates from the validation.
@gcs278 gcs278 force-pushed the intermediate-sha1-cert branch from 558fcce to 41db25b Compare January 30, 2025 19:41
@gcs278
Copy link
Contributor Author

gcs278 commented Jan 30, 2025

@Miciah made me realize that we shouldn't be adding DSA SHA1 to our upgrade blocker for the router because DSA is already rejected by the lack of key parse logic for DSA. Thread with more details.

Since DSA SHA1 is already rejected in 4.15, we shouldn't be blocking upgrades for it as that may cause unnecessary for users that have lingering rejected DSA SHA1 routes (side note: I realize the extended validation does indeed come before the upgrade validation, so DSA SHA1 routes wouldn't block upgrades anyways, but better to be more precise and less confusing I suppose).

Thealisyed
Thealisyed reviewed Jan 31, 2025
View reviewed changes
Copy link

@Thealisyed Thealisyed left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I’ve reviewed the PR and everything looks good to me. It is tied to this one that Miciah reviewed. I’d appreciate it if either @Miciah or @candita could take a second look to confirm as they both have a deeper understanding of this PR please.

pkg/router/routeapihelpers/validation.go
switch cert.SignatureAlgorithm {
case x509.SHA1WithRSA, x509.ECDSAWithSHA1:
sha1UnsupportedMsg := "OpenShift 4.16 does not support CA-signed certificates using SHA1 signature algorithms. This route " +
"will be rejected in OpenShift 4.16. To maintain functionality in OpenShift 4.16, generate a new certificate " +
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should there be a suggesting ref link on how to generate a new cert maybe?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yea it's a good thought. My personal opinion, I think generating a cert is common procedure widely known enough to omit a specific link to reference. I don't disagree it might be useful to someone, but I think not useful enough to make the error more wordy.

@candita
Copy link
Contributor

candita commented Jan 31, 2025

�[36mINFO�[0m[2025-01-30T22:28:10Z] Running step e2e-aws-serial-openshift-e2e-test.
{"component":"entrypoint","file":"sigs.k8s.io/prow/pkg/entrypoint/run.go:169","func":"sigs.k8s.io/prow/pkg/entrypoint.Options.ExecuteProcess","level":"error","msg":"Process did not finish before 4h0m0s

It took 30 minutes to acquire an AWS Lease.

/test e2e-aws-serial

@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Jan 31, 2025

@gcs278: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@gcs278 gcs278 changed the title OCPBUGS-49392: Block Upgrades for CA-Signed Certs Using SHA1 [release-4.15] OCPBUGS-49392: Block Upgrades for CA-Signed Certs Using SHA1 Feb 2, 2025
@Miciah
Copy link
Contributor

Miciah commented Feb 5, 2025

/jira refresh

@openshift-ci-robot
Copy link
Contributor

@Miciah: This pull request references Jira Issue OCPBUGS-49392, which is invalid:

  • expected dependent Jira Issue OCPBUGS-49391 to be in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but it is New instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Thealisyed Thealisyed Thealisyed left review comments

@alebedev87 alebedev87 Awaiting requested review from alebedev87

@Miciah Miciah Awaiting requested review from Miciah

Assignees

@Thealisyed Thealisyed

Labels
jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. jira/severity-moderate Referenced Jira bug's severity is moderate for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@gcs278 @openshift-ci-robot @Thealisyed @candita @Miciah