StarlingX

system certificate-install deletes ca cert files that contains no private key

Bug #1945818 reported by Reinildes Oliveira
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
StarlingX
Fix Released
Low
Reinildes Oliveira

Bug Description

Brief Description
---------------------
The command "system certificate-install -m ssl_ca xxx.pem" will give a warning about deleting the certificate file used, where the reason given is that the file contains a private key. But the ssl_ca does not contain a private key and it is also deleted. It's a hardening measure which is applied a too broadly.

Severity
---------------------
Minor

Steps to Reproduce
---------------------
Create a root ca certificate, as described upstream:
https://docs.starlingx.io/security/kubernetes/create-certificates-locally-using-openssl.html

and install the file using "system certificate-install -m ssl_ca <cert_file_pem>

Expected Behavior
---------------------
Keep the file. As the file does not contain the private key information, its deletion does not contribute to security.

Actual Behavior
---------------------
The file is deleted with warning text "WARNING: For security reasons, the original certificate, containing the private key, will be removed, once the private key is processed."

Reproducibility
---------------------
Reproducible

System Configuration
---------------------
Any

Branch/Pull Time/Commit
------------------------
stx master August 24

Last Pass
---------------------
N/A - original behavior

Timestamp/Logs
---------------------
N/A

Alarms
---------------------
N/A

Test Activity
---------------------
HTTPS, cert-man/cert-manager

Workaround
---------------------
Manually preserve a copy of the certificate chain

Reinildes Oliveira (rjosemat)
Changed in starlingx:
assignee: nobody → Reinildes Oliveira (rjosemat)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to config (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/config/+/812185

Changed in starlingx:
status: New → In Progress
Ghada Khalil (gkhalil)
Changed in starlingx:
importance: Undecided → Low
tags: added: stx.6.0 stx.security
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to config (master)

Reviewed: https://review.opendev.org/c/starlingx/config/+/812185
Committed: https://opendev.org/starlingx/config/commit/53e32d07237bbe181edd34f59e20c0c7e6b61953
Submitter: "Zuul (22348)"
Branch: master

commit 53e32d07237bbe181edd34f59e20c0c7e6b61953
Author: Rei Oliveira <email address hidden>
Date: Fri Oct 1 14:41:57 2021 -0300

    Keep files that don't have private key information

    For security reasons, system certificate-install deletes the
    file passed as parameter after a successful installation.

    It shows a warning describing what it is doing:
    'WARNING: For security reasons, the original certificate,
    containing the private key, will be removed,
    once the private key is processed.'

    The actual behaviour, however, is different than that. It is
    deleting the file regardless of whether it contains the
    private key information or not.

    That is incorrect. If the file does not contain any private
    key, such as ssl_ca or openstack_ca, it should not delete
    the file.

    This change fixes that: If file has a private key, it deletes
    it, otherwise it is kept.

    Test cases:

    PASSED: Verify that a software patch of this change works
    fine with sw-patch cli

    PASSED: Verify that files that contain a private key get
    deleted after a successful installation, by installing a ssl
    rest api certificate (-m ssl)

    PASSED: Verify that files that contain a private will be kept
    if the installation fails, by testing with a bad file

    PASSED: Verify that files that do not contain a private key
    are kept after a successful installation, by installing a new
    Trusted CA certificate (-m ssl_ca)

    Closes-Bug: 1945818
    Change-Id: Ie07548d3bb84dda4a1d9e2a365a28febc941663e
    Signed-off-by: Rei Oliveira <email address hidden>

Changed in starlingx:
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.