Skip to content

Commit

Permalink
microsoft/azure: allow empty certificate chain in PKCS12 file
Browse files Browse the repository at this point in the history
Azure is populating the certs endpoint even when an SSH key is not
provided. The certificate chain in the PKCS12 file is empty in this
case causing afterburn to fail with the current logic. Check if the
certificate chain is empty before retrieving the SSH public key
and handle this case as a valid option.

The more general `crypto/mod.rs` was updated here which also affected
the azurestack code. Update azurestack to accomodate the changes when
retrieving the SSH public key.
  • Loading branch information
marmijo committed Jun 19, 2024
1 parent f1c93ed commit 388b98d
Show file tree
Hide file tree
Showing 4 changed files with 34 additions and 23 deletions.
2 changes: 2 additions & 0 deletions docs/release-notes.md
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,8 @@ Major changes:

Minor changes:

- Fix Azure SSH key fetching when no key provisioned

Packaging changes:


Expand Down
21 changes: 11 additions & 10 deletions src/providers/microsoft/azure/mod.rs
Original file line number Diff line number Diff line change
Expand Up @@ -251,7 +251,7 @@ impl Azure {
}

// put it all together
fn get_ssh_pubkey(&self, certs_endpoint: String) -> Result<PublicKey> {
fn get_ssh_pubkey(&self, certs_endpoint: String) -> Result<Option<Vec<PublicKey>>> {
// we have to generate the rsa public/private keypair and the x509 cert
// that we use to make the request. this is equivalent to
// `openssl req -x509 -nodes -subj /CN=LinuxTransport -days 365 -newkey rsa:2048 -keyout private.pem -out cert.pem`
Expand All @@ -271,10 +271,13 @@ impl Azure {
.context("failed to decrypt cms blob")?;

// convert that to the OpenSSH public key format
let ssh_pubkey = crypto::p12_to_ssh_pubkey(&p12)
.context("failed to convert pkcs12 blob to ssh pubkey")?;
let ssh_pubkey = match crypto::p12_to_ssh_pubkey(&p12)
.context("failed to convert pkcs12 blob to ssh pubkey")? {
Some(key) => key,
None => return Ok(None)
};

Ok(ssh_pubkey)
Ok(Some(vec![ssh_pubkey]))
}

#[cfg(test)]
Expand Down Expand Up @@ -402,18 +405,16 @@ impl MetadataProvider for Azure {
let goalstate = self.fetch_goalstate()?;
let certs_endpoint = match goalstate.certs_endpoint() {
Some(ep) => ep,
None => {
warn!("SSH pubkeys requested, but not provisioned for this instance");
return Ok(vec![]);
}
None => return Ok(vec![]),
};

if certs_endpoint.is_empty() {
bail!("unexpected empty certificates endpoint");
}

let key = self.get_ssh_pubkey(certs_endpoint)?;
Ok(vec![key])
let key: Vec<PublicKey> = self.get_ssh_pubkey(certs_endpoint)?.unwrap_or(vec![]);

Ok(key)
}

fn boot_checkin(&self) -> Result<()> {
Expand Down
21 changes: 11 additions & 10 deletions src/providers/microsoft/azurestack/mod.rs
Original file line number Diff line number Diff line change
Expand Up @@ -267,7 +267,7 @@ impl AzureStack {
}

// put it all together
fn get_ssh_pubkey(&self, certs_endpoint: String) -> Result<PublicKey> {
fn get_ssh_pubkey(&self, certs_endpoint: String) -> Result<Option<Vec<PublicKey>>> {
// we have to generate the rsa public/private keypair and the x509 cert
// that we use to make the request. this is equivalent to
// `openssl req -x509 -nodes -subj /CN=LinuxTransport -days 365 -newkey rsa:2048 -keyout private.pem -out cert.pem`
Expand All @@ -287,10 +287,13 @@ impl AzureStack {
.context("failed to decrypt cms blob")?;

// convert that to the OpenSSH public key format
let ssh_pubkey = crypto::p12_to_ssh_pubkey(&p12)
.context("failed to convert pkcs12 blob to ssh pubkey")?;
let ssh_pubkey = match crypto::p12_to_ssh_pubkey(&p12)
.context("failed to convert pkcs12 blob to ssh pubkey")? {
Some(key) => key,
None => return Ok(None)
};

Ok(ssh_pubkey)
Ok(Some(vec![ssh_pubkey]))
}

fn fetch_hostname(&self) -> Result<Option<String>> {
Expand Down Expand Up @@ -326,18 +329,16 @@ impl MetadataProvider for AzureStack {
let goalstate = self.fetch_goalstate()?;
let certs_endpoint = match goalstate.certs_endpoint() {
Some(ep) => ep,
None => {
warn!("SSH pubkeys requested, but not provisioned for this instance");
return Ok(vec![]);
}
None => return Ok(vec![]),
};

if certs_endpoint.is_empty() {
bail!("unexpected empty certificates endpoint");
}

let key = self.get_ssh_pubkey(certs_endpoint)?;
Ok(vec![key])
let key: Vec<PublicKey> = self.get_ssh_pubkey(certs_endpoint)?.unwrap_or(vec![]);

Ok(key)
}

fn boot_checkin(&self) -> Result<()> {
Expand Down
13 changes: 10 additions & 3 deletions src/providers/microsoft/crypto/mod.rs
Original file line number Diff line number Diff line change
Expand Up @@ -54,7 +54,7 @@ pub fn decrypt_cms(smime: &[u8], pkey: &PKey<Private>, x509: &X509) -> Result<Ve
Ok(p12_der)
}

pub fn p12_to_ssh_pubkey(p12_der: &[u8]) -> Result<PublicKey> {
pub fn p12_to_ssh_pubkey(p12_der: &[u8]) -> Result<Option<PublicKey>> {
// the contents of that encrypted cms blob we got are actually a different
// cryptographic structure. we read that in from the contents and parse it.
// PKCS12 has the ability to have a password, but we don't have one, hence
Expand All @@ -65,7 +65,14 @@ pub fn p12_to_ssh_pubkey(p12_der: &[u8]) -> Result<PublicKey> {
// ParsedPKCS12_2 has three parts: a pkey, a main x509 cert, and a list of other
// x509 certs. The list of other x509 certs are called the `certificate chain`
// currently denoted as `ca`; there is only one cert in this `certificate chain`,
// which is the ssh public key.
// which is the ssh public key. The certs endpoint may still be populated even if
// an SSH public key hasn't been provided, which would lead to this code being
// executed. The certificate chain will be empty in this case, so just return
// None and handle it further up the stack.
if p12.ca.is_none() {
return Ok(None)
}

let ca = p12
.ca
.ok_or_else(|| anyhow!("failed to get chain from pkcs12"))?;
Expand All @@ -86,5 +93,5 @@ pub fn p12_to_ssh_pubkey(p12_der: &[u8]) -> Result<PublicKey> {
let n = ssh_pubkey_rsa.n().to_vec();
let ssh_pubkey = PublicKey::from_rsa(e, n);

Ok(ssh_pubkey)
Ok(Some(ssh_pubkey))
}

0 comments on commit 388b98d

Please sign in to comment.