mirror of
https://github.com/coder/coder.git
synced 2026-06-03 04:58:23 +00:00
d6e9344e03
The Azure instance-identity authentication endpoint parsed the PKCS7 envelope and verified the certificate chain, but never verified the PKCS7 signature itself. An attacker could forge a PKCS7 envelope with a legitimate, publicly obtainable Azure certificate and arbitrary vmId content to obtain any agent auth token.

Add verifyPKCS7Signature(), a custom PKCS7 signature verification that handles Azure's non-standard use of sha256WithRSAEncryption (OID 1.2.840.113549.1.1.11) as the DigestAlgorithm. The upstream go.mozilla.org/pkcs7 library's Verify() rejects this combination.

The verification checks:
1. Content digest matches the signed message-digest attribute
2. Signature over the authenticated attributes is valid

Tests added:
- TestValidate_TamperedContent: forges a PKCS7 with modified vmId, confirms rejection
- TestValidate_UntrustedCertWithValidSignature: valid PKCS7 signature with untrusted cert chain, confirms rejection

Co-authored-by: Jakub Domeracki <jakub@coder.com>
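
The two checks listed in the commit message, shown as an added example on constructed data. This is not the project's verifyPKCS7Signature() or any code from the commit. Assumptions: the names verifySignedContent and signSample are hypothetical, SHA-256 is used for both digests, and envelope parsing and certificate-chain validation are left out.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/asn1"
	"fmt"
)

var oidMessageDigest = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 4} // PKCS #9 messageDigest
type attribute struct {
	Type  asn1.ObjectIdentifier
	Value asn1.RawValue `asn1:"set"`
}
func digest(b []byte) []byte { s := sha256.Sum256(b); return s[:] }
// verifySignedContent (hypothetical name): attrsDER is the signed attributes as a DER SET OF.
func verifySignedContent(content, attrsDER, sig []byte, pub *rsa.PublicKey) error {
	var attrs []attribute
	if rest, err := asn1.UnmarshalWithParams(attrsDER, &attrs, "set"); err != nil || len(rest) > 0 {
		return fmt.Errorf("malformed signed attributes")
	}
	var signedDigest []byte // stays nil, so check 1 fails, if the attribute is absent or malformed
	for _, a := range attrs {
		if a.Type.Equal(oidMessageDigest) {
			asn1.Unmarshal(a.Value.Bytes, &signedDigest)
		}
	}
	if !bytes.Equal(digest(content), signedDigest) { // check 1: content vs signed attribute
		return fmt.Errorf("content digest does not match message-digest attribute")
	}
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest(attrsDER), sig) // check 2: signature
}

// signSample builds constructed input: a throwaway key signs a message-digest attribute.
func signSample(content []byte) (attrsDER, sig []byte, pub *rsa.PublicKey) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	octets, _ := asn1.Marshal(digest(content))
	set := asn1.RawValue{Tag: asn1.TagSet, IsCompound: true, Bytes: octets}
	attrsDER, _ = asn1.MarshalWithParams([]attribute{{oidMessageDigest, set}}, "set")
	sig, _ = rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest(attrsDER))
	return attrsDER, sig, &key.PublicKey
}

func main() {
	attrs, sig, pub := signSample([]byte(`{"vmId":"constructed-vm-a"}`))
	fmt.Println(verifySignedContent([]byte(`{"vmId":"constructed-vm-b"}`), attrs, sig, pub))
}
```

Check 1 alone is not enough: a forger can recompute the message-digest attribute for new content, so check 2 has to bind those attributes to the key in a certificate that chains to a trusted root.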