Walrus signature verification in image decryption bug

Bug #644482 reported by Jason Rudder on 2010-09-21
Affects: Eucalyptus | Status: New | Importance: Undecided | Assigned to: Neil Soman | Milestone: (none)

Bug Description

Problem Summary:
The decryptImage(String, String, String, boolean) method of class WalrusImageManager attempts to verify the image signature before decrypting the image with the cloud private key. The bug is that the signature is only checked against the latest user certificate. So, if multiple certificates have been generated (using "Download Credentials" from https://<cloud-ip>:8443/), any images bundled using previous certificates will fail signature verification.

Applies To:
Eucalyptus 2.0.0
06f8168cfc54215662fe5a9ac9fe77c5 ./eucalyptus-2.0.0-src-offline.tar.gz

Steps to Reproduce:
From a clean installation, the bug can be reproduced as follows:
1) Log in to the admin site https://<cloud-ip>:8443/ and "Download Credentials"
2) Bundle, upload, and register a kernel, ramdisk, and machine image (such as the Eucalyptus-certified x86_64 CentOS)
3) * Do not run an instance yet *
4) Log in to the admin site again and "Download Credentials"
5) Now, euca-run-instance for the image

The Fix:
I have attached a zip containing the patch for WalrusImageManager.java. Essentially, in ./clc/modules/walrus/src/main/java/edu/ucsb/eucalyptus/cloud/ws/WalrusImageManager.java, instead of checking only the latest certificate like this:

{code}
  // Only the user's most recently issued certificate is consulted,
  // so a signature made with an earlier key never verifies.
  X509Certificate cert = user.getX509Certificate( );
  verified = canVerifySignature(sigVerifier, cert, signature, verificationString);
{/code}

check all certificates, like this:

{code}
  // Try every certificate the user has ever been issued; stop at the first match.
  for(X509Certificate cert:user.getAllX509Certificates( )){
    verified = canVerifySignature(sigVerifier, cert, signature, verificationString);
    if(verified)
      break;
  }
{/code}
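The following stand-alone Java program is an added illustration of the two verification strategies above; it is not code from the Eucalyptus source or from the attached patch. To stay runnable with only the JDK it models a user's credential history as a list of RSA public keys (oldest first) rather than X509Certificate objects, and uses SHA256withRSA; both are assumptions made for the demo. A manifest signed with the first key pair fails the "latest only" check once a second key pair has been issued, but passes when every key is tried.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Signature;
import java.util.Arrays;
import java.util.List;

/**
 * Added demo (not Eucalyptus code): shows why verifying an image signature
 * only against the most recent user certificate rejects images bundled
 * with earlier credentials, and how checking every certificate fixes it.
 */
public class MultiCertVerifyDemo {

    // Assumption: credentials are modelled as bare public keys instead of
    // X509Certificate objects, since the JDK alone cannot mint a certificate.
    static final String ALGORITHM = "SHA256withRSA"; // assumption, for the demo only

    /** Verify one signature with one key; false on mismatch. */
    static boolean verifyWithKey(PublicKey key, byte[] data, byte[] sig)
            throws GeneralSecurityException {
        Signature verifier = Signature.getInstance(ALGORITHM);
        verifier.initVerify(key);
        verifier.update(data);
        return verifier.verify(sig);
    }

    /** Buggy behaviour: consult only the newest credential. */
    static boolean verifyLatestOnly(List<PublicKey> keysOldestFirst, byte[] data, byte[] sig)
            throws GeneralSecurityException {
        PublicKey latest = keysOldestFirst.get(keysOldestFirst.size() - 1);
        return verifyWithKey(latest, data, sig);
    }

    /** Fixed behaviour: accept the signature if any credential verifies it. */
    static boolean verifyAgainstAll(List<PublicKey> keysOldestFirst, byte[] data, byte[] sig)
            throws GeneralSecurityException {
        for (PublicKey key : keysOldestFirst) {
            if (verifyWithKey(key, data, sig)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair firstDownload = gen.generateKeyPair();  // first "Download Credentials"
        KeyPair secondDownload = gen.generateKeyPair(); // second "Download Credentials"

        // Constructed stand-in for the bundle's verification string.
        byte[] verificationString =
                "constructed-manifest-verification-string".getBytes(StandardCharsets.UTF_8);

        // The image was bundled (signed) before the second credential download.
        Signature signer = Signature.getInstance(ALGORITHM);
        signer.initSign(firstDownload.getPrivate());
        signer.update(verificationString);
        byte[] signature = signer.sign();

        List<PublicKey> userKeys =
                Arrays.asList(firstDownload.getPublic(), secondDownload.getPublic());

        System.out.println("latest certificate only: "
                + verifyLatestOnly(userKeys, verificationString, signature));
        System.out.println("all certificates:        "
                + verifyAgainstAll(userKeys, verificationString, signature));
    }
}
```

Compile and run with `javac MultiCertVerifyDemo.java && java MultiCertVerifyDemo`. The loop in verifyAgainstAll stops at the first certificate that verifies, mirroring the `break` in the patch; a signature that matches none of the user's certificates is still rejected, so the fix widens which credentials are accepted without accepting unsigned or foreign-signed images.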

Neil Soman (neilsoman) wrote :

Jason, thanks for the patch.

Have you looked at: http://open.eucalyptus.com/participate/contribute#code

Signing up as a contributor should only take a few minutes of your time.

thanks!
neil

Changed in eucalyptus:
assignee: nobody → Neil Soman (neilsoman)
Andy Grimm (agrimm) wrote :

This issue is now being tracked upstream at http://eucalyptus.atlassian.net/browse/EUCA-2733

Please watch that issue for further updates.
