
Commit 65a6c35

committed
Cleanup setAllowNegativex509
Signed-off-by: Alano Terblanche <[email protected]>
1 parent 7d7a7aa commit 65a6c35

1 file changed

+33
-16
lines changed

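--- a/cli/command/cli.go
+++ b/cli/command/cli.go
@@ -281,7 +281,10 @@ func (cli *DockerCli) Initialize(opts *cliflags.ClientOptions, ops ...CLIOption)
 	}
 	filterResourceAttributesEnvvar()
 
-	cli.setAllowNegativex509()
+	meta, err := cli.contextStore.GetMetadata(cli.currentContext)
+	if err == nil {
+		setAllowNegativex509(meta)
+	}
 
 	return nil
 }
@@ -476,41 +479,55 @@ func (cli *DockerCli) getDockerEndPoint() (ep docker.Endpoint, err error) {
 	return resolveDockerEndpoint(cli.contextStore, cn)
 }
 
-// setAllowNegativex509 is an escape hatch that sets the GODEBUG=x509negativeserial
-// environment variable for this process and sub-processes (such as CLI plugins)
-func (cli *DockerCli) setAllowNegativex509() {
-	cn := cli.CurrentContext()
-	meta, err := cli.ContextStore().GetMetadata(cn)
-	if err != nil {
+// setAllowNegativex509 is an escape hatch that sets the GODEBUG environment
+// variable value using docker context metadata.
+//
+// {
+// "Name": "my-context",
+// "Metadata": { "GODEBUG": "x509negativeserial=1" }
+// }
+//
+// WARNING: Setting x509negativeserial=1 allows Go's x509 library to accept
+// X.509 certificates with negative serial numbers.
+// This behavior is deprecated and non-compliant with current security
+// standards (RFC 5280). Accepting negative serial numbers can introduce
+// serious security vulnerabilities, including the risk of certificate
+// collision or bypass attacks.
+// This option should only be used for legacy compatibility and never in
+// production environments.
+// Use at your own risk.
+func setAllowNegativex509(meta store.Metadata) {
+	fieldName := "GODEBUG"
+	godebugEnv := os.Getenv(fieldName)
+	// early return if GODEBUG is already set. We don't want to override what
+	// the user already sets.
+	if godebugEnv != "" {
 		return
 	}
 
-	fieldName := "allowx509negativeserialdonotuse"
-
-	var config any
+	var cfg any
 	var ok bool
 	switch m := meta.Metadata.(type) {
 	case DockerContext:
-		config, ok = m.AdditionalFields[fieldName]
+		cfg, ok = m.AdditionalFields[fieldName]
 		if !ok {
 			return
 		}
 	case map[string]any:
-		config, ok = m[fieldName]
+		cfg, ok = m[fieldName]
 		if !ok {
 			return
 		}
 	default:
 		return
 	}
 
-	v, ok := config.(string)
+	v, ok := cfg.(string)
 	if !ok {
 		return
 	}
-	if v == "1" {
-		_ = os.Setenv("GODEBUG", "x509negativeserial=1")
-	}
+	// set the GODEBUG environment variable with whatever was in the context
+	_ = os.Setenv(fieldName, v)
 }
 
 func (cli *DockerCli) initialize() error {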
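Review bot: The rewritten setAllowNegativex509 forwards whatever string sits under the context's `GODEBUG` metadata key straight into `os.Setenv(fieldName, v)`, whereas the removed code only ever set the single value `x509negativeserial=1`; the function name and the WARNING block still describe only that one setting, so a reader would not expect a context file to be able to enable any other GODEBUG knob (several of which, e.g. x509sha1 or tlsrsakex, also relax cryptographic checks). If the generic escape hatch is intended, the doc should state that the full value is applied verbatim; if not, keep the narrow behaviour with a guard such as `if v != "x509negativeserial=1" { return }` before the Setenv. The new comment also drops the old note that the variable is inherited by sub-processes such as CLI plugins, which is the reason this goes through the environment at all — worth restoring as `// The variable is also inherited by sub-processes such as CLI plugins.`. Since many GODEBUG settings are read at process start, whether a late Setenv from Initialize changes the current process's crypto/x509 behaviour appears to depend on the Go version (recent internal/godebug does pick up os.Setenv updates); a sentence in the doc pinning that expectation would help. The Initialize caller silently ignores the GetMetadata error, which seems acceptable for a best-effort hatch but is not mentioned anywhere.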
