
Commit 7c34fd5

Benehikovvoland
authored andcommitted
Cleanup setAllowNegativex509
Signed-off-by: Alano Terblanche <[email protected]> (cherry picked from commit 65a6c35) Signed-off-by: Paweł Gronowski <[email protected]>
1 parent 0a2eaa4 commit 7c34fd5

1 file changed

+33
-16
lines changed


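--- a/cli/command/cli.go
+++ b/cli/command/cli.go
@@ -282,7 +282,10 @@ func (cli *DockerCli) Initialize(opts *cliflags.ClientOptions, ops ...CLIOption)
 }
 filterResourceAttributesEnvvar()
 
-cli.setAllowNegativex509()
+meta, err := cli.contextStore.GetMetadata(cli.currentContext)
+if err == nil {
+setAllowNegativex509(meta)
+}
 
 return nil
 }
@@ -477,41 +480,55 @@ func (cli *DockerCli) getDockerEndPoint() (ep docker.Endpoint, err error) {
 return resolveDockerEndpoint(cli.contextStore, cn)
 }
 
-// setAllowNegativex509 is an escape hatch that sets the GODEBUG=x509negativeserial
-// environment variable for this process and sub-processes (such as CLI plugins)
-func (cli *DockerCli) setAllowNegativex509() {
-cn := cli.CurrentContext()
-meta, err := cli.ContextStore().GetMetadata(cn)
-if err != nil {
+// setAllowNegativex509 is an escape hatch that sets the GODEBUG environment
+// variable value using docker context metadata.
+//
+// {
+// "Name": "my-context",
+// "Metadata": { "GODEBUG": "x509negativeserial=1" }
+// }
+//
+// WARNING: Setting x509negativeserial=1 allows Go's x509 library to accept
+// X.509 certificates with negative serial numbers.
+// This behavior is deprecated and non-compliant with current security
+// standards (RFC 5280). Accepting negative serial numbers can introduce
+// serious security vulnerabilities, including the risk of certificate
+// collision or bypass attacks.
+// This option should only be used for legacy compatibility and never in
+// production environments.
+// Use at your own risk.
+func setAllowNegativex509(meta store.Metadata) {
+fieldName := "GODEBUG"
+godebugEnv := os.Getenv(fieldName)
+// early return if GODEBUG is already set. We don't want to override what
+// the user already sets.
+if godebugEnv != "" {
 return
 }
 
-fieldName := "allowx509negativeserialdonotuse"
-
-var config any
+var cfg any
 var ok bool
 switch m := meta.Metadata.(type) {
 case DockerContext:
-config, ok = m.AdditionalFields[fieldName]
+cfg, ok = m.AdditionalFields[fieldName]
 if !ok {
 return
 }
 case map[string]any:
-config, ok = m[fieldName]
+cfg, ok = m[fieldName]
 if !ok {
 return
 }
 default:
 return
 }
 
-v, ok := config.(string)
+v, ok := cfg.(string)
 if !ok {
 return
 }
-if v == "1" {
-_ = os.Setenv("GODEBUG", "x509negativeserial=1")
-}
+// set the GODEBUG environment variable with whatever was in the context
+_ = os.Setenv(fieldName, v)
 }
 
 func (cli *DockerCli) initialize() error {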
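Review bot: The new `setAllowNegativex509` copies whatever string a context's `GODEBUG` metadata holds straight into the process environment (`_ = os.Setenv(fieldName, v)`), so the escape hatch is no longer limited to `x509negativeserial=1` despite its name and its doc comment — any GODEBUG toggle a context file carries, including other TLS/x509 compatibility switches the Go runtime exposes, is now applied to the CLI and, as the removed comment noted, to plugin sub-processes that inherit the environment. Since context metadata can come from imported context files, this widens what such a file can change, and it drops the deliberately awkward `allowx509negativeserialdonotuse` key the old code required. I would keep the accepted value narrow, e.g. `if v != "x509negativeserial=1" { return }` before the `os.Setenv`, or at least allow-list the GODEBUG keys this hatch may set, and make the doc comment state exactly what is accepted. The early return on a pre-set `GODEBUG` also means the context value is silently ignored whenever the user exports any unrelated GODEBUG setting; a sentence to that effect in the comment would save a confused bug report. The hunk ends at the signature of `initialize`, whose body is outside it.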
