diff --git a/authority/provisioner/nebula.go b/authority/provisioner/nebula.go
index fa9c283f8..6a39a877f 100644
--- a/authority/provisioner/nebula.go
+++ b/authority/provisioner/nebula.go
@@ -62,9 +62,13 @@ func (p *Nebula) Init(config Config) (err error) {
 		return errors.New("provisioner root(s) cannot be empty")
 	}
 
-	p.caPool, err = nebula.NewCAPoolFromBytes(p.Roots)
+	var certErrors []error
+	p.caPool, certErrors, err = nebula.NewCAPoolFromBytes(p.Roots)
 	if err != nil {
-		return errs.InternalServer("failed to create ca pool: %v", err)
+		return errs.InternalServer("failed to create CA pool: %v", err)
+	}
+	if len(certErrors) > 0 {
+		return errs.InternalServer("failed to create CA pool: %v", certErrors)
 	}
 
 	config.Audiences = config.Audiences.WithFragment(p.GetIDForToken())
diff --git a/authority/provisioner/nebula_test.go b/authority/provisioner/nebula_test.go
index 5ab7c2a05..3e2d9780a 100644
--- a/authority/provisioner/nebula_test.go
+++ b/authority/provisioner/nebula_test.go
@@ -62,6 +62,31 @@ func mustNebulaCA(t *testing.T) (*cert.NebulaCertificate, ed25519.PrivateKey) {
 	return nc, priv
 }
 
+func mustExpiredNebulaCA(t *testing.T) (*cert.NebulaCertificate, ed25519.PrivateKey) {
+	t.Helper()
+	pub, priv, err := ed25519.GenerateKey(rand.Reader)
+	require.NoError(t, err)
+	nc := &cert.NebulaCertificate{
+		Details: cert.NebulaCertificateDetails{
+			Name:   "ExpiredTestCA",
+			Groups: []string{"expired"},
+			Ips: []*net.IPNet{
+				mustNebulaIPNet(t, "10.2.0.0/16"),
+			},
+			Subnets:   []*net.IPNet{},
+			NotBefore: time.Now().Add(-2 * time.Hour),
+			NotAfter:  time.Now().Add(-1 * time.Hour),
+			PublicKey: pub,
+			IsCA:      true,
+			Curve:     cert.Curve_CURVE25519,
+		},
+	}
+	err = nc.Sign(cert.Curve_CURVE25519, priv)
+	require.NoError(t, err)
+
+	return nc, priv
+}
+
 func mustNebulaP256CA(t *testing.T) (*cert.NebulaCertificate, *ecdsa.PrivateKey) {
 	t.Helper()
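Review bot: The two new return paths in Init use the identical message "failed to create CA pool: %v", so an operator reading the log cannot tell whether the pool could not be built at all or whether the pool was fine but one configured root was rejected (the `certErrors` branch), and `%v` on a `[]error` prints the slice in brackets rather than one error per entry. Since `errors` is already in scope on the first context line, I would flatten the slice and give the second branch its own wording: `return errs.InternalServer("invalid CA root(s) in pool: %v", errors.Join(certErrors...))`. Failing closed on any per-root error is the right behaviour for a provisioner — a root that nebula could not validate must not silently be dropped from the trust set — and it is worth a one-line comment above the `len(certErrors) > 0` check saying so, e.g. `// refuse to start with a partially-invalid root set rather than silently trusting only the good ones`. Whether nebula's per-certificate errors identify the offending root by name I cannot tell from this diff; if they do not, consider indexing them against p.Roots in the message. Init's signature is in the hunk header and its body continues past the hunk.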
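Review bot: mustExpiredNebulaCA appears to duplicate mustNebulaCA (whose body sits above the hunk) except for the name, group, IP range and the NotBefore/NotAfter window, which will drift the next time a field is added to NebulaCertificateDetails. A small shared builder taking the validity window, e.g. `func mustNebulaCAWithValidity(t *testing.T, name string, notBefore, notAfter time.Time) (*cert.NebulaCertificate, ed25519.PrivateKey)`, would let both helpers be one-line wrappers; I infer the overlap from the signature and tail of mustNebulaCA visible in the context, so confirm against its body. A short doc comment on the new helper would also help: `// mustExpiredNebulaCA returns a self-signed Curve25519 CA whose NotAfter is already an hour in the past.`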
@@ -298,6 +323,10 @@ func TestNebula_Init(t *testing.T) {
 	nc, _ := mustNebulaCA(t)
 	ncPem, err := nc.MarshalToPEM()
 	require.NoError(t, err)
+	expiredNC, _ := mustExpiredNebulaCA(t)
+	expiredPEM, err := expiredNC.MarshalToPEM()
+	require.NoError(t, err)
+	expiredPEM = append(expiredPEM, ncPem...) // needed so that regular error isn't triggered
 
 	cfg := Config{
 		Claims: globalProvisionerClaims,
@@ -326,6 +355,7 @@ func TestNebula_Init(t *testing.T) {
 		{"fail type", fields{"", "Nebulous", ncPem, nil, nil}, args{cfg}, true},
 		{"fail name", fields{"Nebula", "", ncPem, nil, nil}, args{cfg}, true},
 		{"fail root", fields{"Nebula", "Nebulous", nil, nil, nil}, args{cfg}, true},
+		{"fail expired root", fields{"Nebula", "Nebulous", expiredPEM, nil, nil}, args{cfg}, true},
 		{"fail bad root", fields{"Nebula", "Nebulous", ncPem[:16], nil, nil}, args{cfg}, true},
 		{"fail bad claims", fields{"Nebula", "Nebulous", ncPem, &Claims{
 			MinTLSDur: &Duration{Duration: 0},
diff --git a/go.mod b/go.mod
index 8265abec8..694b9df3e 100644
--- a/go.mod
+++ b/go.mod
@@ -25,7 +25,7 @@ require (
 	github.com/prometheus/client_golang v1.20.5
 	github.com/rs/xid v1.6.0
 	github.com/sirupsen/logrus v1.9.3
-	github.com/slackhq/nebula v1.9.4
+	github.com/slackhq/nebula v1.9.5
 	github.com/smallstep/assert v0.0.0-20200723003110-82e2b9b3b262
 	github.com/smallstep/cli-utils v0.10.0
 	github.com/smallstep/go-attestation v0.4.4-0.20240109183208-413678f90935
diff --git a/go.sum b/go.sum
index e71c05669..b79fe4d26 100644
--- a/go.sum
+++ b/go.sum
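Review bot: The "fail expired root" case only asserts wantErr, and both branches of the patched Init return an error, so this table row passes even if the expired root is rejected by the pre-existing `err` path rather than the new `certErrors` path it was written to cover; the trailing comment on the `append` line hints at this but does not say it. I would reword that comment to state the mechanism being relied on, e.g. `// a pool with no valid root fails on err; include a valid root so the expired one is surfaced via certErrors instead` (inferred from the production code's two return paths — confirm against nebula's behaviour), and add a separate assertion outside the table that checks the returned message for this fixture, otherwise a regression that drops the certErrors check would go unnoticed. The valid root is appended after the expired one; if NewCAPoolFromBytes is order-sensitive, a second fixture with the valid root first would pin that too. TestNebula_Init starts and ends outside these hunks.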
@@ -379,8 +379,8 @@ github.com/shurcooL/sanitized_anchor_name v1.0.0 h1:PdmoCO6wvbs+7yrJyMORt4/BmY5I
 github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
-github.com/slackhq/nebula v1.9.4 h1:p06JxtXT/OBMWt2OQkY7F0phOBb42X93YWNsS1yqC9o=
-github.com/slackhq/nebula v1.9.4/go.mod h1:1+4q4wd3dDAjO8rKCttSb9JIVbklQhuJiBp5I0lbIsQ=
+github.com/slackhq/nebula v1.9.5 h1:ZrxcvP/lxwFglaijmiwXLuCSkybZMJnqSYI1S8DtGnY=
+github.com/slackhq/nebula v1.9.5/go.mod h1:1+4q4wd3dDAjO8rKCttSb9JIVbklQhuJiBp5I0lbIsQ=
 github.com/smallstep/assert v0.0.0-20200723003110-82e2b9b3b262 h1:unQFBIznI+VYD1/1fApl1A+9VcBk+9dcqGfnePY87LY=
 github.com/smallstep/assert v0.0.0-20200723003110-82e2b9b3b262/go.mod h1:MyOHs9Po2fbM1LHej6sBUT8ozbxmMOFG+E+rx/GSGuc=
 github.com/smallstep/cli-utils v0.10.0 h1:CfXNvHtIN5pAzGvGP0NEUZoGFcj5epNEB6RSpSfduek=