Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Validate root rotations against trust pinning where appropriate #800

Merged
merged 5 commits into from
Sep 12, 2016

Conversation

riyazdf
Copy link
Contributor

@riyazdf riyazdf commented Jun 23, 2016

Check new roots against the trust pinning when performing validation, but do not reject the new root if TOFUs is disabled because we've already trusted a previous root.

Closes #735.

Signed-off-by: Riyaz Faizullabhoy [email protected]

// At this point, we assume that we have already trusted previous root data and so will not perform any
// additional trust pinning checks on this new certificate
if !firstBootstrap {
logrus.Debug("TOFU is disabled but previous root data exists, skipping disable TOFU restriction")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: I'm wondering if this log message might be confusing, since it's not exactly doing a TOFU check, since it's not first use. It's just that no other trust pinning has been specified. In which case maybe this check can just be combined with the previous conditional?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sounds good, I'll combine them into a !trustPinConfig.DisableTOFU || !firstBootstrap case

@cyli
Copy link
Contributor

cyli commented Jul 8, 2016

LGTM after nits! Thanks for making sure the new roots conform to trust pinning too!

// If TOFUs is not disabled or we already have previous trusted root data for this GUN (even with TOFUs disabled),
// use TOFUs. It's ok if we have previous root data with TOFUs disabled because we've already
// bootstrapped the first use of trust
if !trustPinConfig.DisableTOFU || !firstBootstrap {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's apply De Morgan's and invert the check so we have:

if DisableTOFU && firstBootstrap {
    return error
}
return tofusCheck

@endophage
Copy link
Contributor

After one comment, looks great! First person to check in after CI passes should merge 👍

@riyazdf riyazdf force-pushed the trust-pinning-rotation branch from a29e483 to 30752d9 Compare September 12, 2016 22:46
@riyazdf riyazdf merged commit 946674a into release/0.4.0 Sep 12, 2016
@riyazdf riyazdf deleted the trust-pinning-rotation branch September 12, 2016 23:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants