@zhangyoufu zhangyoufu commented Jul 22, 2024

Before #4096, the trusted keys always came from the rootcertbundle public keys, and the kids were generated using libtrust's non-standard keyIDFromCryptoKey.

```go
rootPool := x509.NewCertPool()
trustedKeys := make(map[string]libtrust.PublicKey, len(rootCerts))
for _, rootCert := range rootCerts {
	rootPool.AddCert(rootCert)
	pubKey, err := libtrust.FromCryptoPublicKey(crypto.PublicKey(rootCert.PublicKey))
	if err != nil {
		return nil, fmt.Errorf("unable to get public key from token auth root certificate: %s", err)
	}
	trustedKeys[pubKey.KeyID()] = pubKey
}
```

After #4096, the public keys of rootcertbundle are no longer trusted by default. The trusted keys must be configured via the jwks option pointing to a JWKS (JSON Web Key Set) file.

```go
rootPool := x509.NewCertPool()
for _, rootCert := range rootCerts {
	rootPool.AddCert(rootCert)
}
trustedKeys := make(map[string]crypto.PublicKey)
if jwks != nil {
	for _, key := range jwks.Keys {
		trustedKeys[key.KeyID] = key.Public()
	}
}
```

It is not trivial to extract the public key from a PEM-format public key, convert it to a JWK, append a libtrust-flavor kid to the JWK, and then compose a JWKS file. In my opinion, this is the most troublesome part of my migration to distribution v3.

This change replicates the keyid generation logic from libtrust and trusts the public keys of rootcertbundle by default. It is intended to help more people migrate to distribution v3 without experiencing auth issues like #4299.

for the sake of backward compatibility

Fix distribution#4096
Fix distribution#4299

Signed-off-by: Youfu Zhang <[email protected]>
// SHA256(DER encoded ASN1)
// Then truncated to 240 bits and encoded into 12 base32 groups like so:
// ABCD:EFGH:IJKL:MNOP:QRST:UVWX:YZ23:4567:ABCD:EFGH:IJKL:MNOP
func libtrustKeyIDFromPublicKey(pubKey any) string {
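Review bot: libtrustKeyIDFromPublicKey takes pubKey as any and returns only a string, so a key that cannot be DER-encoded has no error path. Consider returning (string, error), or state in the doc comment what comes back in that case, so that an unusable kid cannot end up as a key in the trustedKeys map. The comment should also name which ASN.1 structure is hashed, since "DER encoded ASN1" alone does not pin down the input bytes.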
Member

The issue we had with libtrust is that it does things that are not standardized anywhere, like this ID generation func.

That was actually the main reason we went for explicit JWKs defined on the consumer side.

Contributor Author

@zhangyoufu zhangyoufu Jul 22, 2024

The intention to introduce breaking changes should be guided by the goal of minimizing disruption. For instance, when implementing breaking changes in Go, there are multiple phases such as opt-in, opt-out, and eventual removal.

I agree that non-standard key id generation like this is not good. But libtrust is already gone, and the key id generation in this PR is more likely a mental burden than a maintenance burden. A phased deprecation plan with decent migration guidance would be helpful to the community.

PS: The document still states that rootcertbundle is a required configuration option. If I understand correctly, it should be optional after the introduction of jwks.
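The migration step the description calls troublesome (derive the libtrust-style kid, build the JWK, compose the JWKS), written out as an added Go example; it is not code from this pull request or from distribution. The names LibtrustKeyID and JWKS are hypothetical, the DER input is assumed to be the PKIX SubjectPublicKeyInfo encoding, only RSA keys are converted, and the key in main is generated on the spot as sample input.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base32"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
)

// LibtrustKeyID: SHA-256 of the DER key, cut to 240 bits, as 12 base32 groups.
func LibtrustKeyID(pub any) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub) // assumed meaning of "DER encoded ASN1"
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(der)
	s := base32.StdEncoding.EncodeToString(sum[:30]) // 30 bytes -> 48 chars, no padding
	for i := 44; i > 0; i -= 4 {
		s = s[:i] + ":" + s[i:] // insert separators right to left
	}
	return s, nil
}

// JWKS builds a JSON Web Key Set whose kid values follow the libtrust scheme.
func JWKS(pubs ...*rsa.PublicKey) ([]byte, error) {
	b64, keys := base64.RawURLEncoding.EncodeToString, []map[string]string{}
	for _, pub := range pubs {
		kid, err := LibtrustKeyID(pub)
		if err != nil {
			return nil, err
		}
		keys = append(keys, map[string]string{"kty": "RSA", "kid": kid,
			"n": b64(pub.N.Bytes()), "e": b64(big.NewInt(int64(pub.E)).Bytes())})
	}
	return json.MarshalIndent(map[string]any{"keys": keys}, "", "  ")
}

func main() { // demo on a freshly generated key (constructed sample input)
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	out, err := JWKS(&key.PublicKey)
	fmt.Printf("%s\nerror: %v\n", out, err)
}
```

For a real deployment, pass the RSA public key of each certificate in the rootcertbundle (the rootCert.PublicKey values in the snippets above) and point the jwks option at the resulting file.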
