shishantbiswas/coder
1
0
Fork 0
mirror of https://github.com/coder/coder.git synced 2026-06-02 20:48:20 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
backport/24401-to-2.32
coder/coderd/coderdtest
T
History
Spike Curtis d6e9344e03 fix: verify PKCS7 signature on Azure instance identity tokens (backport 2.32) (#25303) 
The Azure instance-identity authentication endpoint parsed the PKCS7
envelope and verified the certificate chain, but never verified the
PKCS7 signature itself. An attacker could forge a PKCS7 envelope with a
legitimate, publicly obtainable Azure certificate and arbitrary vmId
content to obtain any agent auth token.

Add verifyPKCS7Signature(), a custom PKCS7 signature verification that
handles Azure non-standard use of sha256WithRSAEncryption (OID
1.2.840.113549.1.1.11) as the DigestAlgorithm. The upstream
go.mozilla.org/pkcs7 library Verify() rejects this combination.

The verification checks:
1. Content digest matches the signed message-digest attribute
2. Signature over the authenticated attributes is valid

Tests added:
- TestValidate_TamperedContent: forges a PKCS7 with modified vmId,
confirms rejection
- TestValidate_UntrustedCertWithValidSignature: valid PKCS7 signature
with untrusted cert chain, confirms rejection

Co-authored-by: Jakub Domeracki <jakub@coder.com>
2026-05-13 13:45:52 -04:00
..
oidctest
chore: arrange imports in a standard way (#21452)
2026-01-08 15:24:11 +04:00
promhelp
chore: add tx metrics and logs for serialization errors (#15215)
2024-10-25 12:14:15 -04:00
testjar
chore: add custom samesite options to auth cookies (#16885)
2025-04-08 14:15:14 -05:00
authorize_test.go
chore: convert dbauthz tests to also run with Postgres (#15862)
2025-01-08 16:22:51 +01:00
authorize.go
fix: replace moby/moby namesgenerator with internal implementation (#21377)
2026-01-09 15:40:26 -07:00
coderdtest_test.go
fix: replace moby/moby namesgenerator with internal implementation (#21377)
2026-01-09 15:40:26 -07:00
coderdtest.go
fix: verify PKCS7 signature on Azure instance identity tokens (backport 2.32) (#25303)
2026-05-13 13:45:52 -04:00
dynamicparameters.go
chore: distinct operations for provisioner's 'parse', 'init', 'plan', 'apply', 'graph' (#21064)
2025-12-15 11:26:41 -06:00
initflags.go
test: set test flags from within an init to limit maximum test parallelism (#19575)
2025-09-17 08:24:19 -05:00
stream.go
chore: refactor dynamic parameters into dedicated package (#18420)
2025-06-20 13:00:39 -05:00
swagger_test.go
chore: add /v2 to import module path (#9072)
2023-08-18 18:55:43 +00:00
swaggerparser.go
feat: add API to serve proxy certificate (#21391)
2025-12-29 18:00:06 +00:00
usage.go
chore: add tallyman events for ai seat tracking (#22689)
2026-03-18 09:30:22 -05:00
users.go
feat: make service accounts a Premium feature (#24020)
2026-04-07 12:25:32 -06:00
uuids_test.go
chore: support multi-org group sync with runtime configuration (#14578)
2024-09-11 13:43:50 -05:00
uuids.go
chore: support multi-org group sync with runtime configuration (#14578)
2024-09-11 13:43:50 -05:00