
Change X509-SVID subject values #3367

Merged (5 commits into spiffe:main) Aug 26, 2022

Conversation

@azdagron (Member) commented Aug 22, 2022

As outlined in #3341, this changes the behavior that controls the subject of X509-SVIDs signed by the SPIRE Server CA.

Instead of a fixed subject (i.e. "O=SPIRE,C=US"), the subject now inherits the subject of the signing CA (sans the CommonName). It also adds a UniqueID attribute to the subject. The Unique ID is per SPIFFE ID. This brings us into RFC 5280 conformance.

The new behavior can be disabled with an immediately deprecated flag, "omit_x509svid_uid". This flag will be removed in a future release.

Edit: backed out the subject inheritance code while we discuss that behavior more fully
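As an added example (not code from this PR or from SPIRE), the following Go check reads the X.520 uniqueIdentifier attribute (id-at 45) out of a leaf certificate's subject, which is what an operator can run against freshly issued SVIDs to confirm the new behaviour and that the attribute differs between SPIFFE IDs. The `mintSVID` fixture is a hypothetical self-signed stand-in for the server CA: its UID derivation (hex SHA-256 of the SPIFFE ID) and its `omitUID` switch are assumptions that merely mirror the description above, not SPIRE's implementation.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/hex"
	"math/big"
	"net/url"
	"time"
)

var oidUniqueIdentifier = asn1.ObjectIdentifier{2, 5, 4, 45} // X.520 uniqueIdentifier (id-at 45)

// SubjectUID returns the subject's uniqueIdentifier value, or "" when the subject carries none.
func SubjectUID(cert *x509.Certificate) string {
	for _, atv := range cert.Subject.Names {
		if s, ok := atv.Value.(string); ok && atv.Type.Equal(oidUniqueIdentifier) {
			return s
		}
	}
	return ""
}

// mintSVID is a constructed self-signed stand-in for the server CA path (assumption, not SPIRE's code);
// the UID is hex SHA-256 of the SPIFFE ID (also an assumption) and omitUID mirrors omit_x509svid_uid.
func mintSVID(spiffeID string, omitUID bool) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	u, err := url.Parse(spiffeID)
	if err != nil {
		return nil, err
	}
	subject := pkix.Name{Organization: []string{"SPIRE"}, Country: []string{"US"}}
	if !omitUID {
		sum := sha256.Sum256([]byte(spiffeID))
		subject.ExtraNames = []pkix.AttributeTypeAndValue{{Type: oidUniqueIdentifier, Value: hex.EncodeToString(sum[:])}}
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: subject, URIs: []*url.URL{u},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

With the flag behaviour in place, two SVIDs issued under the same O/C for different SPIFFE IDs now carry distinct subjects; with omitUID the subject collapses back to the old fixed value.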

As outlined in spiffe#3341, this changes the behavior that controls the subject
of X509-SVIDs signed by the SPIRE Server CA.

Instead of a fixed subject (i.e. "O=SPIRE,C=US"), the subject now
inherits the subject of the signing CA (sans the CommonName). It also
adds a UniqueID attribute to the subject. The Unique ID is per SPIFFE
ID. This brings us into RFC 5280 conformance.

The new behavior can be disabled with an immediately deprecated flag,
"omit_x509svid_uid". This flag will be removed in a future release.

Fixes: spiffe#3341

Signed-off-by: Andrew Harding <[email protected]>
@azdagron azdagron added this to the 1.4.1 milestone Aug 22, 2022
@MarcosDY (Collaborator) left a comment

Thanks Andrew!!! Looks great.
I can't stop thinking that ca_subject is no longer a configuration only for the CA but for the CA and SVIDs...
Can you update the documentation to reflect those changes?

MarcosDY previously approved these changes Aug 26, 2022

@MarcosDY (Collaborator) left a comment
Looks great!! just a minor NIT

@@ -82,6 +82,7 @@ type serverConfig struct {
LogFile string `hcl:"log_file"`
LogLevel string `hcl:"log_level"`
LogFormat string `hcl:"log_format"`
OmitX509SVIDUID *bool `hcl:"omit_x509svid_uid"`
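Review bot: the new `OmitX509SVIDUID *bool` field in serverConfig carries no comment marking it deprecated or saying when the migration can be dropped, even though the description states the flag "will be removed in a future release"; a one-line doc comment above the field, e.g. `// DEPRECATED: omit_x509svid_uid will be removed in a future release`, keeps the removal easy to find. Since the field is a pointer, whoever reads it must also treat nil (flag unset) as the new default rather than as false, so the same comment should state that distinction.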
Collaborator comment on the hunk:

NIT: Can you add a // DEPRECATED: remove this migration in 1.5.0? (or the minor version we can remove it)
here or in pkg/server/config.go

Member Author replied:

done

@MarcosDY (Collaborator) left a comment

LGTM!!!

@azdagron azdagron merged commit fd449b4 into spiffe:main Aug 26, 2022
@azdagron azdagron deleted the x509svid-unique-id branch August 26, 2022 19:42
@evan2645 evan2645 modified the milestones: 1.4.1, 1.4.2 Sep 6, 2022
stevend-uber pushed a commit to stevend-uber/spire that referenced this pull request Oct 16, 2023
* Change X509-SVID subject values

As outlined in spiffe#3341, this changes the behavior that controls the subject
of X509-SVIDs signed by the SPIRE Server CA.

Instead of a fixed subject (i.e. "O=SPIRE,C=US"), the subject now
also has a UniqueID attribute. The Unique ID is per SPIFFE
ID. This brings us into RFC 5280 conformance.

The new behavior can be disabled with an immediately deprecated flag,
"omit_x509svid_uid". This flag will be removed in a future release.