github/distribution
1
0
Fork 0
mirror of https://github.com/distribution/distribution.git synced 2025-09-08 10:20:08 +00:00
Code Issues Projects Releases Wiki Activity

feature: Bump go-jose and require signing algorithms in auth

Browse Source 
This bumps go-jose to the latest available version: v4.0.3.
This slightly breaks the backwards compatibility with the existing
registry deployments but brings more security with it.

We now require the users to specify the list of token signing algorithms in
the configuration. We do strive to maintain the b/w compat by providing
a list of supported algorithms, though, this isn't something we
recommend due to security issues, see:
* https://github.com/go-jose/go-jose/issues/64
* https://github.com/go-jose/go-jose/pull/69

As part of this change we now return to the original flow of the token
signature validation:
1. X2C (tls) headers
2. JWKS
3. KeyID

Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
This commit is contained in:
Milos Gajdos
2024-05-14 09:21:38 +01:00
parent 56a020f7f1
commit 52d68216c0
46 changed files with 628 additions and 319 deletions
Download Patch File Download Diff File Expand all files Collapse all files

37
docs/content/about/configuration.md
View File

@@ -168,6 +168,9 @@ auth:
service: token-service
issuer: registry-token-issuer
rootcertbundle: /root/certs/bundle
signingalgorithms:
- EdDSA
- HS256
htpasswd:
realm: basic-realm
path: /path/to/htpasswd
@@ -572,6 +575,10 @@ auth:
service: token-service
issuer: registry-token-issuer
rootcertbundle: /root/certs/bundle
signingalgorithms:
- EdDSA
- HS256
- ES512
htpasswd:
realm: basic-realm
path: /path/to/htpasswd
@@ -615,7 +622,37 @@ security.
| `rootcertbundle` | yes | The absolute path to the root certificate bundle. This bundle contains the public part of the certificates used to sign authentication tokens. |
| `autoredirect` | no | When set to `true`, `realm` will automatically be set using the Host header of the request as the domain and a path of `/auth/token/`(or specified by `autoredirectpath`), the `realm` URL Scheme will use `X-Forwarded-Proto` header if set, otherwise it will be set to `https`. |
| `autoredirectpath` | no | The path to redirect to if `autoredirect` is set to `true`, default: `/auth/token/`. |
| `signingalgorithms` | no | A list of token signing algorithms to use for verifying token signatures. If left empty the default list of signing algorithms is used. Please see below for allowed values and default. |
Available `signingalgorithms`:
- EdDSA
- HS256
- HS384
- HS512
- RS256
- RS384
- RS512
- ES256
- ES384
- ES512
- PS256
- PS384
- PS512
Default `signingalgorithms`:
- EdDSA
- HS256
- HS384
- HS512
- RS256
- RS384
- RS512
- ES256
- ES384
- ES512
- PS256
- PS384
- PS512
For more information about Token based authentication configuration, see the
[specification](../spec/auth/token.md).