Fix pkcs7 parsing in some cases #12519

merged 3 commits into from Sep 10, 2021

maths22 (Contributor) commented Sep 8, 2021

Brings in mozilla-services/pkcs7#61 from upstream

In some cases but not all, AWS includes a certificate in the pkcs7 response,
and currently Vault fails to parse those certificates:

```
URL: PUT https://vault.example.com/v1/auth/aws/login
Code: 500. Errors
* failed to parse the BER encoded PKCS#7 signature: ber2der: Invalid BER format
```

This fixes logins on those instances. Note we could not readily ascertain why
some instances have those certificates and others don't.

fixes #12520

maths22 requested a review from a team September 8, 2021 21:57
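A triage aid for the failure described above, as an added example that is not Vault's or the pkcs7 library's code: it walks a PKCS#7 blob just far enough to report whether the SignedData carries the optional `[0]` certificates field, which is what separates the failing instances from the working ones. The names `reader`, `elem`, `HasCertificates` and `Sample` are hypothetical, the field layout is the standard PKCS#7 SignedData structure, and the sample bytes are constructed.

```go
package main

import "fmt"

type reader struct{ err error } // remembers that decoding has failed

// elem splits one BER element off b (single-byte tag, definite length, at most two length octets).
func (r *reader) elem(b []byte) (tag byte, content, rest []byte) {
	start, off, n := 1, 2, 0
	if len(b) >= 2 && b[1] > 0x80 { // long form: low 7 bits count the length octets
		start, off = 2, 2+int(b[1]&0x7f)
	}
	ok := r.err == nil && len(b) >= off && off <= 4 && b[0]&0x1f != 0x1f && b[1] != 0x80
	for i := start; ok && i < off; i++ {
		n = n<<8 | int(b[i])
	}
	if !ok || n > len(b)-off {
		r.err = fmt.Errorf("truncated or unsupported BER element")
		return
	}
	return b[0], b[off : off+n], b[off+n:]
}

// HasCertificates reports whether the SignedData in p7 (assumed to be a SignedData
// ContentInfo) carries the optional [0] certificates field.
func HasCertificates(p7 []byte) (bool, error) {
	var r reader
	_, ci, _ := r.elem(p7)       // ContentInfo SEQUENCE
	_, _, rest := r.elem(ci)     // contentType OID, skipped
	_, wrap, _ := r.elem(rest)   // [0] EXPLICIT wrapper
	_, fields, _ := r.elem(wrap) // SignedData SEQUENCE
	for tag := byte(0); r.err == nil && len(fields) > 0; {
		if tag, _, fields = r.elem(fields); tag == 0xa0 {
			return true, nil
		}
	}
	return false, r.err
}

// Sample builds a constructed, unsigned skeleton (not real AWS output); opt tags its
// optional field: 0xa0 for [0] certificates, 0xa1 for [1] crls.
func Sample(opt byte) []byte {
	const head = "\x30\x81\x27\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02\xa0\x1a\x30\x18" +
		"\x02\x01\x01\x31\x00\x30\x0b\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x01"
	return append([]byte(head), opt, 0x02, 0x30, 0x00, 0x31, 0x00)
}

func main() {
	fmt.Println(HasCertificates(Sample(0xa0))) // certificates field present
	fmt.Println(HasCertificates(Sample(0xa1))) // no certificates field
}
```

The constructed sample encodes its outer length in long form (`81 27`), which BER allows and DER does not, so the walker is exercised on a non-DER input as well.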
jasonodonnell merged commit 4469b56 into hashicorp:main Sep 10, 2021
jasonodonnell added this to the 1.8.3 milestone Sep 10, 2021
jasonodonnell added the bug label Sep 10, 2021
maths22 deleted the fix-aws-pkcs7 branch September 10, 2021 17:00
jartek pushed a commit to jartek/vault that referenced this pull request Sep 11, 2021
* Fix pkcs7 parsing in some cases

brings in mozilla-services/pkcs7#61 from upstream

In some cases but not all, aws includes a certificate in the pkcs7 response,
and currently vault fails to parse those certificates:
```
URL: PUT https://vault.example.com/v1/auth/aws/login
Code: 500. Errors
* failed to parse the BER encoded PKCS#7 signature: ber2der: Invalid BER format
```

This fixes logins on those instances.  Note we could not readily ascertain why
some instances have those certificates and others don't.

* Add changelog entry

* Correct missed line

ryanmt commented Jan 31, 2022

@jasonodonnell I see this was added to the 1.8.3 milestone but wasn't picked, nor has it been added to any subsequent 1.8.X release.

Was that intentional or an oversight? I prefer to not skip a release, but my journey from 1.7 to 1.9 would be a lot easier if there was a fixed version of 1.8 released.

Thanks!

jasonodonnell pushed a commit that referenced this pull request Jan 31, 2022

jasonodonnell (Contributor) commented

Hi @ryanmt, thanks for the ping. This was an oversight, so I opened a PR to do so here: #13851.

jasonodonnell added a commit that referenced this pull request Feb 11, 2022
Co-authored-by: Jacob Burroughs <jburroughs@instructure.com>

harsimranmaan (Contributor) commented

This seems to be affecting 1.7.9 too. Are there plans to backport the patch @jasonodonnell?

Successfully merging this pull request may close these issues.

EC2 Auth Fails on Some Instances