fix: reject TLS secret when certificate and private key do not match#9487
fix: reject TLS secret when certificate and private key do not match#9487zhaohuabing wants to merge 5 commits into
Conversation
41dde4c to
ff272ee
Compare
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## release/v1.8 #9487 +/- ##
================================================
- Coverage 74.99% 74.95% -0.04%
================================================
Files 251 251
Lines 40619 40639 +20
================================================
Hits 30462 30462
- Misses 8092 8107 +15
- Partials 2065 2070 +5 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
ff272ee to
ec77845
Compare
Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>
ec77845 to
d42fe2e
Compare
|
Thanks for splitting! |
|
/retest |
Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>
| module github.com/envoyproxy/gateway | ||
|
|
||
| go 1.26.4 | ||
| go 1.26.5 |
There was a problem hiding this comment.
This is required to fix the go-benchmark-test.
| // mergeGateways enabled that NACKs the whole SDS push, breaking TLS for all | ||
| // Gateways sharing the proxy. Reject the bad Secret here so it never reaches | ||
| // Envoy and only the affected listener degrades. | ||
| if _, err := tls.X509KeyPair(validData, pem.EncodeToMemory(keyBlock)); err != nil { |
There was a problem hiding this comment.
I think that this might cause a false error to be reported, see comment here: #9473 (comment).
There was a problem hiding this comment.
Nice catch!
I've updated this PR. validateServingCertificateChain no longer filters individual certificates. Instead, it rejects the entire TLS serving certificate Secret if the certificate chain contains an invalid/expired certificate. CA bundles still drop expired CAs.
Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>
b071ec4 to
770052b
Compare
|
@codex review |
|
Codex Review: Didn't find any major issues. What shall we delve into next? Reviewed commit: ℹ️ About Codex in GitHubYour team has set up Codex to review pull requests in this repo. Reviews are triggered when you
If Codex has suggestions, it will comment; otherwise it will react with 👍. Codex can also answer questions or update the PR. Try commenting "@codex address that feedback". |
Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>
| data: | ||
| tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURKRENDQWd5Z0F3SUJBZ0lVU3JTYktMZjBiTEVHb2dXeC9nQ3cyR0N0dnhFd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0V6RVJNQThHQTFVRUF3d0lWR1Z6ZENCSmJtTXdIaGNOTWpRd01qSTVNRGt6TURFd1doY05NelF3TWpJMgpNRGt6TURFd1dqQVRNUkV3RHdZRFZRUUREQWhVWlhOMElFbHVZekNDQVNJd0RRWUpLb1pJaHZjTkFRRUJCUUFECmdnRVBBRENDQVFvQ2dnRUJBSzFKempQSWlXZzNxb0hTckFkZGtlSmphTVA5aXlNVGkvQlBvOWNKUG9SRThaaTcKV2FwVXJYTC85QTlyK2pITXlHSVpOWk5kY1o1Y1kyWHYwTFA4WnhWeTJsazArM3d0WXpIbnBHWUdWdHlxMnRldApEaEZzaVBsODJZUmpDMG16V2E0UU16NFNYekZITmdJRHBSZGhmcm92bXNldVdHUUU4cFY0VWQ5VUsvU0tpbE1PCnF0QjVKaXJMUDJWczVUMW9XaWNXTFF2ZmJHd3Y3c0ZEZHI5YkcwWHRTUXAxN0hTZ281MFNERTUrQmpTbXB0RncKMVZjS0xscWFoTVhCRERpb3Jnd2hJaEdHS3BFU2VNMFA3YkZoVm1rTTNhc2gyeFNUQnVGVUJEbEU0Sk9haHp3cwpEWHJ1cFVoRGRTMWhkYzJmUHJqaEZBbEpmV0VZWjZCbFpqeXNpVlVDQXdFQUFhTndNRzR3SFFZRFZSME9CQllFCkZCUXVmSzFMaWJ1Vm05VHMvVmpCeDhMM3VpTmVNQjhHQTFVZEl3UVlNQmFBRkJRdWZLMUxpYnVWbTlUcy9WakIKeDhMM3VpTmVNQThHQTFVZEV3RUIvd1FGTUFNQkFmOHdHd1lEVlIwUkJCUXdFb0lCS29JTktpNWxlR0Z0Y0d4bApMbU52YlRBTkJna3Foa2lHOXcwQkFRc0ZBQU9DQVFFQWZQUzQxYWdldldNVjNaWHQwQ09GRzN1WWZQRlhuVnc2ClA0MXA5TzZHa2RZc3VxRnZQZVR5eUgyL2RBSUtLd1N6TS9wdGhnOEtuOExabG1KeUZObkExc3RKeG41WGRiVjEKcFBxajhVdllDQnp5ak1JcW1SeW9peUxpUWxib2hNYTBVZEVCS2NIL1BkTEU5SzhUR0pyWmdvR1hxcTFXbWl0RAozdmNQalNlUEtFaVVKVlM5bENoeVNzMEtZNUIraFVRRDBKajZucEZENFprMHhxZHhoMHJXdWVDcXE3dmpxRVl6CnBqNFB3cnVmbjFQQlRtZnhNdVYvVUpWNWViaWtldVpQMzVrV3pMUjdaV0FMN3d1RGRXcC82bzR5azNRTGFuRFEKQ3dnQ0ZjWCtzcyswVnl1TTNZZXJUT1VVOFFWSkp4NFVaQU5aeDYrNDNwZEpaT2NudFBaNENBPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo= | ||
| tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV1Z0lCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktRd2dnU2dBZ0VBQW9JQkFRQ1pTT21NUlBXWkFqN08KcVFrTVc2d3Bub3NmVCtRMzhmVWJ1U3crRXlablZ1eUNuYlVGZjhIeTVyYkx1K2dmbWszUW8xbnRBVTMzamprUQpXMGQzRHdCdWhKVUM0bkpVRks3cDk2dm9MQ2FTdmlPM0NQbytjUENPdkZ4K1ZrTzYxVkxXOEI2YW04UG5GWndhCmlGRGk0aUdyWXlIK3lsK2RUTmJoZlhIeEJ4T0E1M0IrcTI2K2ZmMFJXUWJKSWNiT1RzOENTSDZJWk1yeGNIcmsKOE1TdjFhWXlQdXpuT1BBQVFsNlRUdlEvNmhJZnF6bXJvd0RIRjRCMENFNUFvb2xFM0ZLT2kwaC9ieTJUN1dxbgo4NkdhdXA0VEtxVnV1Uk5hUU1CZDQ4azA4V3VTUENYSDBoWTVJbm1kdEMxRURKK3pQRk9NUjQycVA0THg5QWdICjNRZTBTMU5yQWdNQkFBRUNnZjk2Zy9QWXh2YVp5NEJuMU5ySkJkOExaT2djYlpjMmdueDZJa3YvVVhaME5obHgKRVlpS2plRmpWNkhXNW9FWHJaKy9tUGY0ZHVzVmFMNzRVOVZvanVQSmNlQWVScmpMM2VPaGJIdGN4KzBnY0dMZwpYeEY5VFJhcDY1VHVVZDFhaTA0aEd3WWY3NXNiUDdSS2JQaXZ3WmdVQWUwQ3BWdWZjaG5YcXJzWXI4cEpZNTFPCldWa1NxejRSWTlXbTBrNUcxSkZ5SXlFQzl1bURsdWpjSE50UlZtYWZrTmZBdENsaVByRktjL245bkpmTzZSRlAKN2c3Vi9JdnFudUlyN1BFM0duNlBhVCtCZ2c0NDh0ZDVKelBwVEE1WkJjQm8yb3J6L2t4WVBGcHIvZ1BVQnFRZApvNm5XcXc3Nlp4d1BsZHdMaEorWFlOWDdvdWN0VVNDTDl1NzdmeUVDZ1lFQXl2N0RseGYrS1FsZkR3bW8vcjFUCjBMMVpuSDQ3MmhpSWVkU2hleVZCSGJFVlRTbXI0MkJSbGpXNERiUmNRTTRWY3h4RGtHclI3NlJHZTlvZzZtemMKUnY4K1ZsQ1gyK3F5OXA1bTZaWHJiQXczMHpDLzVtUGtSV3ViaFVoaSs5ZUNNWmEvaEFJL1JGdjI2OURyQkQyLwo2a2cwRjhYME8vNndJK1dwYXRLM1cwY0NnWUVBd1U5QTZiSnBmYVhLS1hQR21PRy9uVXhUeXp5cVlqS05aSmQvCjlHaEVudUdqSzVDQUVWUEphOGtadmZRemxXbXdaYWZxMERocUk4dkxhRkNEZjhZOEU5OU1hbjNHV2hVYjNWL0oKcU5RUVMzNTZOQ2ZadzdseG9LS0JJdlQ2Y3dpaFRuc0UvUjRIQ3NhbDJ3d040Wmw5SFdOQmdhbVM3VExrejFMaApmd1JEa0wwQ2dZQlo0OWorNW53QTlncG5JVkw1Z3lORGN5WGtlNjNMVlVQU0YwdHV1YitOQTJhNFpiU2RHb0RtCmNHRlJpRVcxMk14OHpjNUpmRlA4dDVVU3NUUVVPeUtNT2VrRDFlcDVVd1B1MjVRYzZldDNUQzNJVW5VWDg3SVkKMzU3ZHRZRkhubFlqMldwemJYOVFxUnk5cmlUMEd0Z0tTZkR2ZWhRK0lQa2szRVZhYlhjT2J3S0JnR0d4QzcwTwp6UUVTcC9nSzZuS1lvNTE2MVY0QWFwcjFzVDhFMFVWUzdGcmU3UGMzTDRHU05saWlhTC8yaVpzWXJteXhUNW1xCjZQanVKUDJ5c3NJQURKeCtYTC8wa0NrMlFiNitpY3NvWUpQR2R6dWthQWpoenVxL05VUFZTanlZUCt6SmZ0dnMKTU9MaFFUQlNCekhidjc3NlNrQ2MwZ1BObEpTeDdnT2l4QUtCQW9HQUpCR1VuM2U1QWZDb21BMUUxRHhSeUxaagpUMFBrQUNlUGpEK3hrRkpod0RoQ2dzd2htNFVKZzFmQW8xaEJRUkZ0dHBWQy91QkxjazE4TUVBSTF2ZGZTeVB2CmtTZzVrVnFQanUzc2czOVRNZ09WZXdqUDNFM0FNUUd1ZzFQNzFZazJ6WUpQbGg5NWRMVTVISlZubzZvdkIrUG0KTHF5K016eDN3a0YwZDhlUFhRND0KLS0tLS1FTkQgUFJJVkFURSBLRVktLS0tLQo= | ||
| tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2Z0lCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktnd2dnU2tBZ0VBQW9JQkFRQ3RTYzR6eUlsb042cUIKMHF3SFhaSGlZMmpEL1lzakU0dndUNlBYQ1Q2RVJQR1l1MW1xVksxeS8vUVBhL294ek1oaUdUV1RYWEdlWEdObAo3OUN6L0djVmN0cFpOUHQ4TFdNeDU2Um1CbGJjcXRyWHJRNFJiSWo1Zk5tRVl3dEpzMW11RURNK0VsOHhSellDCkE2VVhZWDY2TDVySHJsaGtCUEtWZUZIZlZDdjBpb3BURHFyUWVTWXF5ejlsYk9VOWFGb25GaTBMMzJ4c0wrN0IKUTNhL1d4dEY3VWtLZGV4MG9LT2RFZ3hPZmdZMHBxYlJjTlZYQ2k1YW1vVEZ3UXc0cUs0TUlTSVJoaXFSRW5qTgpEKzJ4WVZacEROMnJJZHNVa3diaFZBUTVST0NUbW9jOExBMTY3cVZJUTNVdFlYWE5uejY0NFJRSlNYMWhHR2VnClpXWThySWxWQWdNQkFBRUNnZ0VBSmpONGpTcmV1OFpWeE5QY0Q2MmRmUEpjUktTT3VUZFVhTEF0MXJoWGUxSTEKam0xeXlWMXNkVWNlbHcyL05KNUg2SFJWUHJ6aFVMOWVQRGtmWWFZNVZWMmg2L3VGbXl6b1NyYWRvODR1OU91SApYZmRzL0FOWXVPTkFrbkpCS1Vpcjh2Ym9UUDFBMWZ5MFY4SlU4VEFSZjFzQ1BKWGZMNEYxdHVTMDY4NUMrRi82CmRqclJxOGlqdzd3QmdmcHRYZWVjVkIxdXFyS2ZsS1U0aTg2Z0NYNmZDOUtJYTRZT0hVVXJSL2QxZXBlMUt1alcKNUpadGJnSXJzV1Q4WWsvbTQ3UjZBemsxVW90WlZ4S2JaeUNZc1FCOWlUZkxTWFU5bUlDN3VQdVl3OXF3QmlSbwpZUjAwQlZJM0J0VXJjdm9RdEwzUDdqV0EvZjBFSG1PS0NSTEdPYU5Ga1FLQmdRRHlCK01TU3FiV2h1d1hWYzJnClJWaU9VcVF0dGhxa3UrOWtaY2UxTzhOWlREakFvQ1A3SzVUSXM4Um9aTG5JUzEycjRWM1g5QjROa2t4RHdCdmoKbmdNMU1CcHBObEtyUnZHVExJcXRzdTlkc1N6ek51ZVpaTEF0b3ZJZzRhRVAyY0JMbW9jNFhjRFFpRGRVL0VqQgpUeXBUYkRtNDB6OXBCbDNFQlJYZEZDeGxhUUtCZ1FDM1NqZWpTUkMzdkF1QThRTmVYMlJ5T0I3cVU1TS81RU1KCkZlTkIzS056cGVyL2IxN2JndW1oRzhYRStmdzlPaHlXZzhraXBIYmljZGRPM1VzTllGNndPcFRmNVhVbVBoSkoKcnhYM2liQjNpbWp1TW5yQkJjOW9FUVlySFllN2U4aHFiOGU4dHNybDIzdDF6TlRZZkVBVi9tZ0dHdlNLTGtiKwp4NHprZkRUckRRS0JnUURodzFHZ29sbjJDbXozWjJZamRnd2cxaDJuTmhLc1QxSUN5SjM5QS80NHNjek9nWktPCm5CeHhDcDdPOGdZS082TG96WlFIK1FKL2psUHRicW1WTExPNVRXR1Zlc0txV2NiRmplcmVFK2NMOGxVSG1kTjMKVm1Dd2NTcUNXWFV2bitLcm96MDI2dDBNcDhOVlZ1OVd3azJzKzJyc2FNRGhhcnJVT2hvbTJzWis0UUtCZ1FDcApRWURsYVNobDh1RlFuYjkxbTNOZlFsSFNJNEU3bytiL2NkWGRVUWtqVjFrTnJtT1RJMjNwRjRObXBVNTNuNzBjCmhPL3M3S0RYOVRaVkhtY2JJQjN3Y1BoZlZUMzhKWit2cVY0SXEzNW90VWkyaGFqenJCRGVVYkkzaUZwNkdCRjMKc0dkcTdnV3BneWVjSFoyRG1DRjU3ZWRUay9xenk0NUY0akpLSUNTaDFRS0JnRG9IUk5CYzg0T2doQzNtbnBrcQpoL2RFUkhIaHNlQ3FGYTc5Wi80N2hHTTAyWU9obThQZGtJRkJ1YndHWllPOHNseCtPTEZtZzloZGYxdmFoSkJnCkczNnVOaWM1VmFyQ0w0eDNSc01pWkN3bW9rUDlBUjUyRC92dm54UjQ3amJQL3grNEIycWM2ZndKVkFRTmhGZzAKS3RPcXAwa1dlNjFvMkNPY05WL1BWeGozCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K |
There was a problem hiding this comment.
Fixed the mismatching key/cert in the test yaml files.
Simplified, backport-safe version of #9480 fixing the TLS regressions in #9473, #9463 and #9225. Validates TLS Secrets at translation and isolates failures to the affected listener instead of pushing a broken chain that Envoy NACKs with
KEY_VALUES_MISMATCH(which stalls all Gateways under mergeGateways): rejects mismatched key/cert pairs, and rejects serving chains containing an expired/malformed cert instead of silently dropping the member. CA bundles still drop expired CAs. #9480's broader validation could break existing v1.8 use cases.Related: #9225 #9473 #9463