image signature verification does not verify certificates
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Cinder | New | Wishlist | Unassigned | |
Bug Description
Cinder supports image signature verification, as described in this spec: https:/
This implementation, however, does not support strong certificate validation for certificates used to generate image signatures. In other words, while cinder will verify that the retrieved image data has been signed by the cert that's available in Barbican, cinder doesn't verify that the certificate is that of someone whom the user trusts, which enables an attack vector outlined in this nova spec:
https:/
So you'll note that Nova has already implemented certificate validation for image signature verification. Cinder should implement similar functionality. In particular, the Block Storage API changes should be consistent with Compute API v.2.63. Also, Cinder should probably implement Nova's 'enable_
Certificate utils were added to the cursive library, which cinder uses, by change I8d7f43fb4c0573.
The entire set of nova implementation patches is here:
https:/
(though I don't think the cinder implementation will need to be so elaborate).
Since fixing this will require a REST API change, this will need a spec. See
https:/
if you're not familiar with the specs process.
This is related to Antelope PTG discussion[1]
[1] https://etherpad.opendev.org/p/antelope-ptg-cinder#L219
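
The gap described in the report, as an added Python example (not code from cinder, nova or cursive): checking the signature against the stored certificate passes for any signer, while also requiring that certificate to be issued by a user-supplied trusted certificate rejects an unknown one. It assumes the third-party `cryptography` package; every function name and certificate here is constructed for illustration.

```python
# Added illustration; hypothetical names, not cinder/nova/cursive code.
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

ECDSA_SHA256 = ec.ECDSA(hashes.SHA256())

def make_cert(cn, key, issuer_cert=None, issuer_key=None):
    """Build a constructed test certificate (self-signed if no issuer is given)."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (x509.CertificateBuilder().subject_name(subject)
               .issuer_name(issuer_cert.subject if issuer_cert else subject)
               .public_key(key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(now - datetime.timedelta(minutes=5))
               .not_valid_after(now + datetime.timedelta(days=1)))
    return builder.sign(issuer_key or key, hashes.SHA256())

def verifies(public_key, signature, data):
    try:
        public_key.verify(signature, data, ECDSA_SHA256)
        return True
    except InvalidSignature:
        return False

def signature_only_check(cert, signature, image):
    """The check the report describes: the signature matches the stored cert."""
    return verifies(cert.public_key(), signature, image)

def signature_and_trust_check(cert, signature, image, trusted_certs):
    """Also require the signing cert to be issued by a cert the user trusts."""
    # Simplified: direct issuance only; no validity, revocation or extension checks.
    issued = any(cert.issuer == ca.subject and
                 verifies(ca.public_key(), cert.signature, cert.tbs_certificate_bytes)
                 for ca in trusted_certs)
    return issued and signature_only_check(cert, signature, image)

def demo():
    image = b"constructed image bytes"
    ca_key, good_key, bad_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    ca = make_cert("Constructed Trusted CA", ca_key)
    signers = {"trusted": (make_cert("image-signer", good_key, ca, ca_key), good_key),
               "untrusted": (make_cert("image-signer", bad_key), bad_key)}  # self-signed
    return {name: (signature_only_check(cert, key.sign(image, ECDSA_SHA256), image),
                   signature_and_trust_check(cert, key.sign(image, ECDSA_SHA256), image, [ca]))
            for name, (cert, key) in signers.items()}
```

`demo()` returns a pair per signer: the signature-only result and the signature-plus-trust result.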