Eliminating OpenSSL Dependency for Enhanced Compatibility #116

Closed
JeyJeyGao opened this issue Jun 5, 2023 · 1 comment · Fixed by #117

JeyJeyGao (Collaborator) commented Jun 5, 2023

In our testing, we discovered that the plugin is incompatible with OpenSSL versions earlier than v1.1.1h. This is due to our usage of X509Chain.Build(), which requires interfacing with the system's cryptography library. Older versions of OpenSSL do not support certificates generated by Azure Key Vault, leading to compatibility issues.

To resolve this, we've decided to eliminate the OpenSSL dependency. We will build the certificate chain by directly concatenating the leaf certificate and the certificate bundle, bypassing the need to validate the chain's integrity.

JeyJeyGao added the bug and enhancement labels Jun 5, 2023
JeyJeyGao self-assigned this Jun 5, 2023
shizhMSFT pushed a commit that referenced this issue Jun 5, 2023
After the PR, the plugin will not check the certificate chain integrity.

Resolves #116 
Signed-off-by: Junjie Gao <[email protected]>

---------

Signed-off-by: Junjie Gao <[email protected]>

shizhMSFT (Member) commented:

The removal of OpenSSL is for v1.0.0. We consider adding this functionality back post v1.0.0 by detecting the supported OpenSSL versions.

JeyJeyGao added a commit that referenced this issue Jun 7, 2023
Update:
- With the removal of the automatic certificate chain arrangement
feature in update #116, you'll now need to manually create a valid
certificate bundle by following the guide.

Signed-off-by: Junjie Gao <[email protected]>

---------

Signed-off-by: Junjie Gao <[email protected]>