Problem
The bootz server v0.6.1 fails to validate client IDevID certificates during the TLS handshake because the [VendorCA] certificate from SecurityArtifacts is never added to the [ClientCAs] pool.
Current Behavior
In [server.go] lines 117-119:
// In a real scenario, this cert pool would contain CA(s) that
// signed the device's IDevID cert.
vendorIDevIDPool := x509.NewCertPool()
The [vendorIDevIDPool] is created empty and never populated, even though [SecurityArtifacts.VendorCA] is available (defined in [types.go]).
Later at line 133, this empty pool is used:
ClientAuth: tls.VerifyClientCertIfGiven,
ClientCAs: vendorIDevIDPool,
Impact
Unary gRPC calls (GetBootstrapData, ReportStatus) that require IDevID cert validation fail with:
rpc error: code = Unavailable desc = connection error: desc = "error reading server preface: remote error: tls: unknown certificate authority"
Devices cannot bootstrap using Cisco SUDI certificates or other vendor-signed IDevID certs
Expected Behavior
The [VendorCA] should be added to the cert pool:
vendorIDevIDPool := x509.NewCertPool()
if sa.VendorCA != nil {
	vendorIDevIDPool.AddCert(sa.VendorCA)
}
Environment
bootz version: v0.6.1
Platform: Cisco IOS-XR with ECC256 SUDI certificates
TLS version: 1.3
Reproduction
Configure bootz server with SecurityArtifacts containing a valid [VendorCA]
Device attempts unary RPC call with IDevID cert in TLS handshake
Server rejects with "unknown certificate authority"