Bug 576705 - Disable pgp.trustedPublicKeys from IUsI20211103-1800

Only stick to trusted keys defined in profile as it's not safe to import trusted keys from installed IUs because metadata is an attack vector (Bug 577029) Change-Id: I3d4c97b69d7b85a8f5aceed0c50383975f7f6f6a Reviewed-on: https://git.eclipse.org/r/c/equinox/rt.equinox.p2/+/187264 Tested-by: Equinox Bot <equinox-bot@eclipse.org> Reviewed-by: Mickael Istria <mistria@redhat.com>
author: Mickael Istria 2021-11-03 10:13:23 +0000
committer: Mickael Istria 2021-11-03 11:14:24 +0000
commit: 0b62cb8dd14b40cac16c8ecf2db864cffd975578 (patch)
tree: 4a94d0350d628c1ab37771619fb3e574b533746f
parent: 2e790125e6e8bdce3d933f45d5a0cc107266d451 (diff)
download: rt.equinox.p2-0b62cb8dd14b40cac16c8ecf2db864cffd975578.tar.gz
rt.equinox.p2-0b62cb8dd14b40cac16c8ecf2db864cffd975578.tar.xz
rt.equinox.p2-0b62cb8dd14b40cac16c8ecf2db864cffd975578.zip
2 files changed, 44 insertions, 43 deletions
diff --git a/bundles/org.eclipse.equinox.p2.engine/src/org/eclipse/equinox/internal/p2/engine/phases/CertificateChecker.java b/bundles/org.eclipse.equinox.p2.engine/src/org/eclipse/equinox/internal/p2/engine/phases/CertificateChecker.java
index e1a3d5f83..12bb4cee8 100644
--- a/bundles/org.eclipse.equinox.p2.engine/src/org/eclipse/equinox/internal/p2/engine/phases/CertificateChecker.java
+++ b/bundles/org.eclipse.equinox.p2.engine/src/org/eclipse/equinox/internal/p2/engine/phases/CertificateChecker.java
@@ -21,7 +21,8 @@ import java.util.*;
 import java.util.Map.Entry;
 import java.util.stream.Collectors;
 import org.bouncycastle.openpgp.*;
-import org.eclipse.core.runtime.*;
+import org.eclipse.core.runtime.IStatus;
+import org.eclipse.core.runtime.Status;
 import org.eclipse.equinox.internal.p2.artifact.processors.pgp.PGPSignatureVerifier;
 import org.eclipse.equinox.internal.p2.engine.*;
 import org.eclipse.equinox.p2.core.IProvisioningAgent;
@@ -29,7 +30,6 @@ import org.eclipse.equinox.p2.core.UIServices;
 import org.eclipse.equinox.p2.core.UIServices.TrustInfo;
 import org.eclipse.equinox.p2.engine.IProfile;
 import org.eclipse.equinox.p2.engine.IProfileRegistry;
-import org.eclipse.equinox.p2.query.QueryUtil;
 import org.eclipse.equinox.p2.repository.artifact.IArtifactDescriptor;
 import org.eclipse.osgi.service.security.TrustEngine;
 import org.eclipse.osgi.signedcontent.*;
@@ -290,8 +290,12 @@ public class CertificateChecker {
 		IProfile profile = agent.getService(IProfileRegistry.class).getProfile(IProfileRegistry.SELF);
 		Set<PGPPublicKey> store = new HashSet<>(
 				PGPSignatureVerifier.readPublicKeys(profile.getProperty(TRUSTED_KEY_STORE_PROPERTY)));
-		profile.query(QueryUtil.ALL_UNITS, new NullProgressMonitor()).forEach(
-				iu -> store.addAll(PGPSignatureVerifier.readPublicKeys(iu.getProperty(TRUSTED_KEY_STORE_PROPERTY))));
+		//// SECURITY ISSUE: next lines become an attack vector as we have no guarantee
+		//// the metadata of those IUs is safe/were signed.
+		//// https://bugs.eclipse.org/bugs/show_bug.cgi?id=576705#c4
+		// profile.query(QueryUtil.ALL_UNITS, new NullProgressMonitor()).forEach(
+		// iu ->
+		// store.addAll(PGPSignatureVerifier.readPublicKeys(iu.getProperty(TRUSTED_KEY_STORE_PROPERTY))));
 		store.forEach(PGPSignatureVerifier.keystore::addKey);
 		return store;
 	}
diff --git a/bundles/org.eclipse.equinox.p2.tests/src/org/eclipse/equinox/p2/tests/engine/CertificateCheckerTest.java b/bundles/org.eclipse.equinox.p2.tests/src/org/eclipse/equinox/p2/tests/engine/CertificateCheckerTest.java
index c9e4bc8a5..5f4049a5a 100644
--- a/bundles/org.eclipse.equinox.p2.tests/src/org/eclipse/equinox/p2/tests/engine/CertificateCheckerTest.java
+++ b/bundles/org.eclipse.equinox.p2.tests/src/org/eclipse/equinox/p2/tests/engine/CertificateCheckerTest.java
@@ -28,13 +28,7 @@ import org.eclipse.equinox.internal.p2.metadata.ArtifactKey;
 import org.eclipse.equinox.p2.core.IAgentLocation;
 import org.eclipse.equinox.p2.core.ProvisionException;
 import org.eclipse.equinox.p2.core.UIServices;
-import org.eclipse.equinox.p2.engine.IEngine;
-import org.eclipse.equinox.p2.engine.IProfile;
 import org.eclipse.equinox.p2.engine.IProfileRegistry;
-import org.eclipse.equinox.p2.engine.IProvisioningPlan;
-import org.eclipse.equinox.p2.engine.ProvisioningContext;
-import org.eclipse.equinox.p2.metadata.MetadataFactory;
-import org.eclipse.equinox.p2.metadata.MetadataFactory.InstallableUnitDescription;
 import org.eclipse.equinox.p2.metadata.Version;
 import org.eclipse.equinox.p2.repository.artifact.spi.ArtifactDescriptor;
 import org.eclipse.equinox.p2.tests.AbstractProvisioningTest;
@@ -287,37 +281,40 @@ public class CertificateCheckerTest extends AbstractProvisioningTest {
 		}
 	}
 
-	public void testPGPSignedArtifactTrustedKeyInInstalledIU() throws ProvisionException, IOException {
-		try {
-			// create a test profile
-			testAgent.registerService("FORCED_SELF", IProfileRegistry.SELF);
-			testAgent
-					.registerService(IAgentLocation.SERVICE_NAME,
-							new AgentLocation(Files.createTempDirectory(
-									CertificateCheckerTest.class.getName() + "testPGPSignedArtifactTrustedKey-profile")
-									.toUri()));
-			IProfile testProfile = testAgent.getService(IProfileRegistry.class).addProfile(IProfileRegistry.SELF);
-			// install an IU that declares trusted keys
-			InstallableUnitDescription desc = new InstallableUnitDescription();
-			desc.setProperty(CertificateChecker.TRUSTED_KEY_STORE_PROPERTY, PGP_PUBLIC_KEY);
-			desc.setId("unitWithTrustedKeys");
-			desc.setVersion(Version.create("1.0.0"));
-			IEngine engine = testAgent.getService(IEngine.class);
-			IProvisioningPlan plan = engine.createPlan(testProfile, new ProvisioningContext(testAgent));
-			plan.addInstallableUnit(MetadataFactory.createInstallableUnit(desc));
-			assertTrue(engine.perform(plan, getMonitor()).isOK());
-
-			unsigned = TestData.getFile("pgp/repoPGPOK/plugins", "blah_1.0.0.123456.jar");
-			ArtifactDescriptor artifactDescriptor = new ArtifactDescriptor(
-					new ArtifactKey("what", "ever", Version.create("1")));
-			artifactDescriptor.addProperties(Map.of(PGPSignatureVerifier.PGP_SIGNATURES_PROPERTY_NAME, PGP_SIGNATURE));
-			checker.add(Map.of(artifactDescriptor, unsigned));
-			System.getProperties().setProperty(EngineActivator.PROP_UNSIGNED_POLICY, EngineActivator.UNSIGNED_PROMPT);
-			IStatus result = checker.start();
-			assertTrue(result.isOK());
-			assertFalse(serviceUI.wasPrompted);
-		} finally {
-			System.getProperties().remove(EngineActivator.PROP_UNSIGNED_POLICY);
-		}
-	}
+	//// SECURITY ISSUE: next lines become an attack vector as we have no guarantee
+	//// the metadata of those IUs is safe/were signed.
+	//// https://bugs.eclipse.org/bugs/show_bug.cgi?id=576705#c4
+//	public void testPGPSignedArtifactTrustedKeyInInstalledIU() throws ProvisionException, IOException {
+//		try {
+//			// create a test profile
+//			testAgent.registerService("FORCED_SELF", IProfileRegistry.SELF);
+//			testAgent
+//					.registerService(IAgentLocation.SERVICE_NAME,
+//							new AgentLocation(Files.createTempDirectory(
+//									CertificateCheckerTest.class.getName() + "testPGPSignedArtifactTrustedKey-profile")
+//									.toUri()));
+//			IProfile testProfile = testAgent.getService(IProfileRegistry.class).addProfile(IProfileRegistry.SELF);
+//			// install an IU that declares trusted keys
+//			InstallableUnitDescription desc = new InstallableUnitDescription();
+//			desc.setProperty(CertificateChecker.TRUSTED_KEY_STORE_PROPERTY, PGP_PUBLIC_KEY);
+//			desc.setId("unitWithTrustedKeys");
+//			desc.setVersion(Version.create("1.0.0"));
+//			IEngine engine = testAgent.getService(IEngine.class);
+//			IProvisioningPlan plan = engine.createPlan(testProfile, new ProvisioningContext(testAgent));
+//			plan.addInstallableUnit(MetadataFactory.createInstallableUnit(desc));
+//			assertTrue(engine.perform(plan, getMonitor()).isOK());
+//
+//			unsigned = TestData.getFile("pgp/repoPGPOK/plugins", "blah_1.0.0.123456.jar");
+//			ArtifactDescriptor artifactDescriptor = new ArtifactDescriptor(
+//					new ArtifactKey("what", "ever", Version.create("1")));
+//			artifactDescriptor.addProperties(Map.of(PGPSignatureVerifier.PGP_SIGNATURES_PROPERTY_NAME, PGP_SIGNATURE));
+//			checker.add(Map.of(artifactDescriptor, unsigned));
+//			System.getProperties().setProperty(EngineActivator.PROP_UNSIGNED_POLICY, EngineActivator.UNSIGNED_PROMPT);
+//			IStatus result = checker.start();
+//			assertTrue(result.isOK());
+//			assertFalse(serviceUI.wasPrompted);
+//		} finally {
+//			System.getProperties().remove(EngineActivator.PROP_UNSIGNED_POLICY);
+//		}
+//	}
 }
author	Mickael Istria	2021-11-03 10:13:23 +0000
committer	Mickael Istria	2021-11-03 11:14:24 +0000
commit	0b62cb8dd14b40cac16c8ecf2db864cffd975578 (patch)
tree	4a94d0350d628c1ab37771619fb3e574b533746f
parent	2e790125e6e8bdce3d933f45d5a0cc107266d451 (diff)
download	rt.equinox.p2-0b62cb8dd14b40cac16c8ecf2db864cffd975578.tar.gz rt.equinox.p2-0b62cb8dd14b40cac16c8ecf2db864cffd975578.tar.xz rt.equinox.p2-0b62cb8dd14b40cac16c8ecf2db864cffd975578.zip