Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

LiteralSubject: Add support for numeric OID subject attribute type #6775

Merged
merged 2 commits into from May 14, 2024
Merged

LiteralSubject: Add support for numeric OID subject attribute type #6775

merged 2 commits into from May 14, 2024

Conversation

inteon
Copy link
Member

@inteon inteon commented Feb 19, 2024
edited

This PR adds a missing feature to the UnmarshalSubjectStringToRDNSequence function: the ability to specify numeric OIDs as subject attribute type. Right now, an attribute type has to be chosen by name and only a small set of names is supported:

cert-manager/pkg/util/pki/subject.go

Lines 55 to 66 in 8d15b5e

var attributeTypeNames = map[string][]int{
"C": OIDConstants.Country,
"O": OIDConstants.Organization,
"OU": OIDConstants.OrganizationalUnit,
"CN": OIDConstants.CommonName,
"SERIALNUMBER": OIDConstants.SerialNumber,
"L": OIDConstants.Locality,
"ST": OIDConstants.Province,
"STREET": OIDConstants.StreetAddress,
"DC": OIDConstants.DomainComponent,
"UID": OIDConstants.UniqueIdentifier,
}

Kind

/kind feature

Release Note

Add support for numeric OID types in LiteralSubject. Eg. "1.2.3.4=String Value"

@jetstack-bot jetstack-bot added kind/feature Categorizes issue or PR as related to a new feature. release-note-none Denotes a PR that doesn't merit a release note. dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. area/testing Issues relating to testing labels Feb 19, 2024
@jetstack-bot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from inteon. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@jetstack-bot jetstack-bot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. labels Feb 19, 2024
@inteon inteon changed the title Support custom OID in literal subject & deprecate old ParseSubjectStringToRawDERBytes function Remove support for hex-encoded DER values in literalSubject and add support for OID types Feb 22, 2024
@inteon inteon changed the title Remove support for hex-encoded DER values in literalSubject and add support for OID types Remove support for hex-encoded DER values in literalSubject and add support for OID values Feb 23, 2024
@inteon inteon force-pushed the support_oid_in_literal_subject branch from 8d15b5e to 53aefb8 Compare February 23, 2024 08:39
@jetstack-bot jetstack-bot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. labels Feb 23, 2024
@jetstack-bot
Copy link
Contributor

@inteon: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
pull-cert-manager-master-make-test 53aefb8 link true /test pull-cert-manager-master-make-test
pull-cert-manager-master-e2e-v1-28 53aefb8 link true /test pull-cert-manager-master-e2e-v1-28

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@inteon inteon force-pushed the support_oid_in_literal_subject branch from 53aefb8 to e21529a Compare April 23, 2024 07:26
@cert-manager-prow cert-manager-prow bot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Apr 23, 2024
@inteon inteon changed the title Remove support for hex-encoded DER values in literalSubject and add support for OID values Switch back to ldap's ParseDN and add support for literal OID subject keys Apr 23, 2024
@inteon inteon changed the title Switch back to ldap's ParseDN and add support for literal OID subject keys Switch back to ldap's ParseDN and add support for literal OID subject attribute type Apr 23, 2024
inteon
inteon commented Apr 23, 2024
View reviewed changes
pkg/util/pki/parse_test.go Outdated Show resolved Hide resolved
@inteon inteon force-pushed the support_oid_in_literal_subject branch 3 times, most recently from 86347fb to 6ea57de Compare April 23, 2024 09:11
@inteon
Copy link
Member Author

inteon commented Apr 23, 2024

/test pull-cert-manager-master-make-verify

@cert-manager-prow cert-manager-prow bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Apr 29, 2024
@inteon inteon force-pushed the support_oid_in_literal_subject branch from 6ea57de to 5734179 Compare April 29, 2024 20:14
@cert-manager-prow cert-manager-prow bot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Apr 29, 2024
@inteon
Copy link
Member Author

inteon commented Apr 30, 2024

/retest

@inteon inteon force-pushed the support_oid_in_literal_subject branch 2 times, most recently from 27bbc96 to 5feb3dd Compare April 30, 2024 12:37
@inteon inteon force-pushed the support_oid_in_literal_subject branch from 5feb3dd to 5ffb9c4 Compare April 30, 2024 14:14
@inteon inteon requested a review from wallrj April 30, 2024 14:32
wallrj
wallrj reviewed May 7, 2024
View reviewed changes
Copy link
Member

@wallrj wallrj left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this should be broken in to separate PRs for some further explanation and discussion:

  1. Revert removal of the openldap library. I'm really pleased to see the improvements that you've pushed upstream to openldap, and I'm pleased that we won't have to maintain our own subject parsing code. But previously you'd argued that the library was a liability; too large and too flawed for the sake of a single ParseDN function. Have you changed your mind?

  2. Remove deprecated function: I think all deprecations and removals should have a separate release note.

  3. Add fuzz and roundtrip tests and rename test file: I expected that the fuzz tests would obsolete some of the existing tests, and that those could be removed. In a separate PR explain with examples why the fuzz tests are required and why the original tests are still required.

  4. New feature: the ability to specify literal OIDs as subject attribute type. This should have it's own PR with a release note and a real-world example Certificate in the PR description to demonstrate the use-case. It should probably have a website PR too, to update the literalSubject docs with an example.

@inteon
Copy link
Member Author

inteon commented May 7, 2024

  1. Revert removal of the openldap library. I'm really pleased to see the improvements that you've pushed upstream to openldap, and I'm pleased that we won't have to maintain our own subject parsing code. But previously you'd argued that the library was a liability; too large and too flawed for the sake of a single ParseDN function. Have you changed your mind?

I still think it is overkill, but I agree with you that it is non-ideal to maintain a separate version. Also, the openssf score is 5.8, which is not crazy bad: https://cert-manager.io/docs/announcements/AdaLogics-2023-cert-manager-audit-report.pdf.

I'll create some branched-out PRs.

This was referenced May 8, 2024
Merged
Merged
@cert-manager-prow cert-manager-prow bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label May 8, 2024
@inteon inteon force-pushed the support_oid_in_literal_subject branch from 5ffb9c4 to cb4e490 Compare May 10, 2024 07:22
@cert-manager-prow cert-manager-prow bot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. release-note Denotes a PR that will be considered when it comes time to generate release notes. and removed needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. release-note-none Denotes a PR that doesn't merit a release note. labels May 10, 2024
@inteon inteon changed the title Switch back to ldap's ParseDN and add support for literal OID subject attribute type LiteralSubject: Add support for literal OID subject attribute type May 10, 2024
@inteon inteon requested a review from wallrj May 10, 2024 07:25
@inteon
Copy link
Member Author

inteon commented May 10, 2024

@wallrj All branched-out PRs have been merged. Now, only the literal OID type support remains in this PR.

wallrj
wallrj requested changes May 10, 2024
View reviewed changes
Copy link
Member

@wallrj wallrj left a comment
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A couple of questions about the changes.
And I suggest putting a real-world example in the release note.
Is there a real-world example?
Perhaps this:

$ curl -fsSL https://raw.githubusercontent.com/pyca/cryptography/main/vectors/cryptography_vectors/x509/belgian-eid-invalid-visiblestring.pem | step certificate inspect
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 21267647932559206558027296640314674717 (0x10000000000075040c80ae5b453c8e1d)
    Signature Algorithm: SHA256-RSA
        Issuer: C=BE,CN=Citizen CA,SERIALNUMBER=201623
        Validity
            Not Before: Aug 29 09:47:00 2016 UTC
            Not After : Aug 24 23:59:59 2026 UTC
        Subject: C=BE,CN=Else De Proft (Signature),UnknownOID=2.5.4.4,UnknownOID=2.5.4.42,SERIALNUMBER=69070338850

Has someone requested this in a GitHub issue?
If so, link to it.

The RFC doesn't talk about "literal" OID. It talks about "numeric" OID versus "named" OID, so I suggest using "numeric" OID in the PR title, description, and code.

pkg/util/pki/subject_test.go Outdated Show resolved Hide resolved
pkg/util/pki/subject.go
Comment on lines +84 to +90
// If the attribute type is not known, we try to parse it as an OID.
// If it is not an OID, we set Type=nil

oid, err = ParseObjectIdentifier(ldapATV.Type)
if err != nil {
oid = nil
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What's the significance of nil vs []int{}?
Isn't it going to be nil anyway (assuming ParseObjectIdentifier returns nil, err)?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Indeed, I think ParseObjectIdentifier returns nil, err.
I set oid = nil here to accentuate that we actually rely on this oid value being nil.
In

cert-manager/internal/apis/certmanager/validation/certificate.go

Lines 95 to 102 in 1035bb4

// Should not contain unrecognized OIDs
for _, rdns := range sequence {
for _, atv := range rdns {
if atv.Type.Equal(nil) {
el = append(el, field.Invalid(fldPath.Child("literalSubject"), crt.LiteralSubject, fmt.Sprintf("Literal subject contains unrecognized key with value [%s]", atv.Value)))
}
}
}
we actually rely on this Type == nil setup.

pkg/util/pki/subject_test.go Show resolved Hide resolved
@inteon inteon changed the title LiteralSubject: Add support for literal OID subject attribute type LiteralSubject: Add support for numeric OID subject attribute type May 10, 2024
@inteon
LiteralSubject: add support for literal oid type values
9d1c959 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
@inteon
improve tests based on review
0a45298 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
@inteon inteon force-pushed the support_oid_in_literal_subject branch from cb4e490 to 0a45298 Compare May 10, 2024 18:45
@inteon inteon requested a review from wallrj May 14, 2024 10:18
wallrj
wallrj approved these changes May 14, 2024
View reviewed changes
Copy link
Member

@wallrj wallrj left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great.

/lgtm
/approve

@cert-manager-prow cert-manager-prow bot added the lgtm Indicates that a PR is ready to be merged. label May 14, 2024
@cert-manager-prow
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: wallrj

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@cert-manager-prow cert-manager-prow bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 14, 2024
@cert-manager-prow cert-manager-prow bot merged commit 1e0a1ae into cert-manager:master May 14, 2024
6 checks passed
@inteon inteon mentioned this pull request May 14, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@wallrj wallrj wallrj approved these changes

Assignees
No one assigned
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/testing Issues relating to testing dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. kind/feature Categorizes issue or PR as related to a new feature. lgtm Indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@inteon @jetstack-bot @wallrj