see_also:
- rgw_keystone_verify_ssl
with_legacy: true
+- name: rgw_enable_jwks_url_verification
+ type: bool
+ level: advanced
+ desc: Enable JWKS url verification for AWS compliance
+ long_desc:
+ Verifies the security of the JWKS url endpoint using the client provided thumbprints
+ for AWS compliance. If turned on, the legacy verification option of using thumbprints
+ to verify JWT x5c certs is disabled.
+ default: false
+ services:
+ - rgw
# The following are tunables for caches of RGW NFS (and other file
# client) objects.
#
return true;
}
-bool WebTokenEngine::validate_cert_url(const DoutPrefixProvider* dpp, const std::string& cert_url,
+bool WebTokenEngine::verify_oidc_thumbprint(const DoutPrefixProvider* dpp, const std::string& cert_url,
const std::vector<std::string>& thumbprints) const
{
+ if (!cct->_conf.get_val<bool>("rgw_enable_jwks_url_verification")) {
+ ldpp_dout(dpp, 5) << "Verification of JWKS endpoint is turned off." << dendl;
+ return true;
+ }
+
// Fetch and verify cert according to https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html
const auto hostname = get_top_level_domain_from_host(dpp, cert_url);
ldpp_dout(dpp, 20) << "Validating hostname: " << hostname << dendl;
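Review bot: The early return added at the top of verify_oidc_thumbprint means that with the option's `default: false` (the yaml hunk above) the JWKS endpoint thumbprint check is skipped outright, whereas before this change the function appears to have run it unconditionally (the guard is the only addition and the caller still treats `true` as success). That is a behavior change for existing deployments that registered endpoint thumbprints, and neither the option's long_desc nor this function says so; either choose the default deliberately for those users or add to long_desc that leaving the option off disables the endpoint check and falls back to matching thumbprints against the JWT x5c certificates only. The level-5 message also fires on every token validation when the option is off; consider `ldpp_dout(dpp, 20) << "rgw_enable_jwks_url_verification is off; skipping JWKS endpoint thumbprint check" << dendl;`. verify_oidc_thumbprint's body continues outside the hunk.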
{
if (algorithm != "HS256" && algorithm != "HS384" && algorithm != "HS512") {
const auto cert_url = get_cert_url(iss, dpp, y);
- if (cert_url.empty() || !validate_cert_url(dpp, cert_url, thumbprints)) {
+ if (cert_url.empty() || !verify_oidc_thumbprint(dpp, cert_url, thumbprints)) {
ldpp_dout(dpp, 5) << "Not able to validate JWKS url with registered thumbprints" << dendl;
throw std::system_error(EINVAL, std::system_category());
}
if (JSONDecoder::decode_json("x5c", x5c, &k_parser)) {
string cert;
bool found_valid_cert = false;
+ bool skip_thumbprint_verification = cct->_conf.get_val<bool>("rgw_enable_jwks_url_verification");
for (auto& it : x5c) {
cert = "-----BEGIN CERTIFICATE-----\n" + it + "\n-----END CERTIFICATE-----";
ldpp_dout(dpp, 20) << "Certificate is: " << cert.c_str() << dendl;
- if (is_cert_valid(thumbprints, cert)) {
+ if (skip_thumbprint_verification || is_cert_valid(thumbprints, cert)) {
found_valid_cert = true;
break;
}
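Review bot: `skip_thumbprint_verification` makes the first x5c entry win the loop with no check at all, so trust in that certificate rests entirely on verify_oidc_thumbprint having validated the endpoint for this cert_url at the call site, a coupling nothing in this loop states. Add a comment above the flag, e.g. `// With JWKS URL verification enabled the endpoint itself was matched against the registered thumbprints in verify_oidc_thumbprint, so x5c certs are trusted as served by that endpoint.` The name is also a double negative against the option it reads; `const bool jwks_url_verified = cct->_conf.get_val<bool>("rgw_enable_jwks_url_verification");` with `if (jwks_url_verified || is_cert_valid(thumbprints, cert))` reads closer to the config. The enclosing function starts and ends outside the hunk.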
return;
}
}
- ldpp_dout(dpp, 10) << "Bare key parameters are not present for key" << dendl;
+ ldpp_dout(dpp, 10) << "Bare key parameters (n&e) are not present for key" << dendl;
}
}
} //end k_parser.parse
std::string connect_to_host_get_cert_chain(const DoutPrefixProvider* dpp, const std::string& hostname, int port = 443) const;
std::string get_top_level_domain_from_host(const DoutPrefixProvider* dpp, const std::string& hostname) const;
std::string extract_last_certificate(const DoutPrefixProvider* dpp, const std::string& pem_chain) const;
- bool validate_cert_url(const DoutPrefixProvider* dpp, const std::string& cert_url,
+ bool verify_oidc_thumbprint(const DoutPrefixProvider* dpp, const std::string& cert_url,
const std::vector<std::string>& thumbprints) const;
void shutdown_ssl(const DoutPrefixProvider* dpp, SSL* ssl, SSL_CTX* ctx) const;