Comments (8)
Oh, forgot to mention that this should be a backwards compatible change, as embedded protobuf message fields are actually encoded in exactly the same format as bytes
.
from nebula.
Thanks for raising this. The main reason we do this is to avoid duplication of data on handshakes. To use vanilla noise, the public key needed to be part of the noise portion of the handshake packet(s), while the remaining bits of the certificate needed to be in the payload. To properly avoid version/language incompatibilities we would need to double send that data or modify how the noise protocol worked. The last thing we wanted to do was modify the noise library to avoid this case (btw thank you for your great work there).
We do have tests to catch the case where signature verification would fail and are certainly open to other thoughts or suggestions, but as it stands this would be a complicated change to make.
from nebula.
I think the test might not be enough to reveal the problem because pb marshal of the same object could be dependent on (pbversion, os) and it's really hard to cover all different os and pb versions in tests. Specifically, this problem seems to occur more for array data while the data you are signing here contains repeated xxx and bytes fields...
We actually faced the same problem at NKN and struggled for a while. AFAIK there is no pb-equivalent stuff that can provide canonical encoding. The solution we finally used is to replace proto.Marshal
before ed25519.Verify
with a customized encoding function and use it only for signature & verification 😂 I'm not familiar with the noise library and not sure if you can do the same thing without modifying the noise library...
from nebula.
Correct, it is not sufficient cross platform but will raise issues when updating the library within a platform.
Are you saying you hit this snag with nebula at NKN or with another project? I would be very interested to hear more if the compilation and deployment if it was directly related to nebula.
from nebula.
Oh sorry for the confusion, it's not directly related to nebula but generally related to signing and verifying data encoded with protobuf (cross version/platform)...
from nebula.
Could this be the reason why Nebula certificates produced in another language (in my case, Rust) cannot be verified? nebula-cert print
does display all the right info, but nebula-cert verify
fails.
It indeed appears that the byte representation of the protobuf data is different between my program and Nebula, for the same source data, which explains why the signature verification would be an issue.
This would be quite important to be able to include Nebula into existing processes, like automate the creation of client certificates, where directly using the official command-line client is not possible or desired.
from nebula.
Could this be the reason why Nebula certificates produced in another language (in my case, Rust) cannot be verified? nebula-cert print does display all the right info, but nebula-cert verify fails.
@apognu can you share your implementation or an example of the generated bytes so we can see what the difference is? We would like to work towards finding a backwards compatible fix for this issue if we can.
from nebula.
Circling back on the rust specific issue, pb does not default to packing ints in rust. This protobuf definition fixes that:
syntax = "proto3";
package cert;
option go_package = "github.com/slackhq/nebula/cert";
message RawNebulaCertificate {
RawNebulaCertificateDetails Details = 1;
bytes Signature = 2;
}
message RawNebulaCertificateDetails {
string Name = 1;
// Ips and Subnets are in big endian 32 bit pairs, 1st the ip, 2nd the mask
repeated uint32 Ips = 2 [packed = true];
repeated uint32 Subnets = 3 [packed = true];
repeated string Groups = 4;
int64 NotBefore = 5;
int64 NotAfter = 6;
bytes PublicKey = 7;
bool IsCA = 8;
// sha-256 of the issuer certificate, if this field is blank the cert is self-signed
bytes Issuer = 9;
}
While I agree that we exist in undefined behavior territory, we at least have confirmation of two languages being capable of working on the same byte representation of a nebula cert.
I'm closing this issue since any change here would ideally require bumping a major version and it appears likely that we can operate on the byte representation of a nebula cert in more than just go and rust.
from nebula.
Related Issues (20)
- Thanks for nebula
- example config: commented punchy.respond value should be false HOT 1
- 🐛 BUG: tests fail after 2027-11-11 HOT 1
- 🐛 BUG: Unable to reconnect after server crash HOT 4
- 🐛 BUG: overall poor behavior with "not before" field in host certificate HOT 5
- Feature request: push unsafe routes from lighthouse HOT 1
- 🐛 BUG:Failed to setup adapter (problem code: 0x34) HOT 21
- Feature Request: Relative paths in config HOT 1
- Feature Request: `nebula-service -test -config` should warn about unknown keys and stuff in config yaml
- 🐛 BUG: wintun failed HOT 6
- 🐛 BUG: Event Log spam when handshake timeout fails HOT 10
- 🐛 BUG: "Refusing to handshake with myself" when configuring self as unsafe_routes via
- Windows is not as fast as linux for downloading files
- 🐛 BUG: Nebula nodes cannot ping each other , however they can ping the lighthouse vpn IP HOT 1
- 🐛 BUG: Linux (386) "panic: runtime error: makeslice: len out of range" HOT 2
- 🐛 BUG:test
- can i use port range ?
- 🐛 BUG: use_system_route_table not considering multipath routes HOT 1
- 🐛 BUG: wakes up the CPU a lot
- 🐛 BUG: after dns changed, connection lost forever
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from nebula.