Parse certificate chain CA Issuer

[JoshVanL]

The CA issuer now constructs a certificate chain after signing, and populates the CertificateRequest.Status.CA with the root most certificate if available. Correctly passes down CA certificate when chaining CA Issuers together.

This PR is branched from #3982 and should be merged first. EDIT: This should say "and that PR should be merged first" instead of "and should be merged first"

Updates SignCSRTemplate to use new ParseCertificateChain func, and passes through CA certificate when chaining CA Issuers together.

/assign @maelvls @munnerz @SgtCoDFish @jakexks

[jetstack-bot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: JoshVanL

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [JoshVanL]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[JoshVanL]

flake
/retest

[SgtCoDFish]

A few suggestions and questions from me; I think it was a great idea to split the original PR up into separate ones 👍

[SgtCoDFish]

suggestion: should this be EC not RSA, based on rootPK above?

[SgtCoDFish]

(actually, does this need to be specified in the template? I'd imagine it would be filled in automatically when the cert is signed, although I've not tested that)

[SgtCoDFish]

suggestion: is this not a re-import duplication of the line below it?

[SgtCoDFish]

suggestion: we're passed a crypto.Signer here; is it safe to just pass RSA for the key algo? (as before, is setting this field needed at all?)

[SgtCoDFish]

suggestion: could we use P-256 ECDSA keys here instead if we're refactoring the variable names?

[SgtCoDFish]

suggestion: would it be better to include the error when we call t.Fatal()?

Suggested change

	t.Fatal()
	t.Fatal(err)

[SgtCoDFish]

suggestion: would it be worth adding a test for a different branch off the same root?

e.g. using some random diagram I found, we're currently testing A->B->E->H which is good. Could we also test that ParseCertificateChain works correctly with an input set of, say, {A, B, C, E, G} which should produce A->C->G?

[irbekrm]

I may have misunderstood- I thought that this scenario would error- if the input was {A, B, C, E, G} from the diagram, we would end up with a list of chain nodes {A, B, E} and {C, G} that cannot be merged and would error here?

[SgtCoDFish]

(caveat: I didn't trace through the algorithm in depth with {A, B, C, E, G}, because ultimately it'll be unit tests that check this stuff and not humans 😁 )

I guess what I'm saying is that A->C->G is a valid chain, and the tree as presented in that diagram is a totally valid PKI hierarchy/tree which could be passed to the function, but we don't have a test which checks its operation.

It's reasonable IMO to do any of the following:

1. if we can construct two (partial or complete) chains to the same root from given input, we'll error (so {A, B, C, E, G} fails because there's A->C->G and A->B->E)
2. or if we can construct two full chains from root to leaf we'll error (so {A, B, C, E, G, H} fails because there's A->B->E->H and A->C->G but {A, B, C, E, G} succeeds with A->C->G since A->B->E doesn't end in a leaf)
3. or we return all chains we can construct (so {A, B, C, E, G} returns {{A->C->G}, {A->B->E},{A->B},{A->C}}
4. or we return all complete chains we can construct (so {A, B, C, E, G} returns {{A->C->G}} and {A, B, C, E, G, H} returns {{A->B->E->H}, {A->C->G}})

I think I'd prefer 2 as an implementation, but this is quite academic because in most cases we'd only ever be passed, say {A, A, B, B, E, H} which the algorithm should handle fine.

Whichever approach we take, I think my main point is that it would be super valuable to have a test case which takes an input of {A, B, C, E, G} and one which takes input of {A, B, C, E, G, H}; if they both end up erroring that's fine.

[JoshVanL]

Thanks for detailed explanation. Indeed having multiple branches in the same bundle is totally valid and is likely wanted for services with multiple intermediates; they may not even share the same roots, but do trust them. The intention here though is that we expect a single chain when a certificate is signed, i.e. the issuer returns the single chain from root to the new signed certificate.

I think managing these larger bundle trees is a separate concern, and falls under the "trust distribution" planned work (whatever that may look like). Given this, I would like to continue with 1 as the implementation. In future it may be that other functions are made to cover those other cases.

To make it clear this is the intention of this function and wouldn't be appropriate for other cases, I'm going to rename it to ParseSingleCertificateChain. Open to suggestions for better names 😄

[JoshVanL]

I'll also add some tests to demonstrate that this function should fail with branching chains.

[SgtCoDFish]

question: do you think we're doing enough testing that the whitespace is correct in the output PEM we expect?

I think we're relying on the PEM output from SignCertificate in mustCreateBundle having the required \n at the end; that's probably not likely to change, but given that ParseCertificateChain is so important, would it be good to make sure in these tests that if we pass a cert with no newline at the end it's handled correctly and we don't end up with a line like:

-----END CERTIFICATE----------BEGIN CERTIFICATE-----

[JoshVanL]

Hmm, I don't think this is too much of a concern. Considering we do all the checks I think this should be fine.

[SgtCoDFish]

nitpick: spelling

Suggested change

	// attempt to add both chain together
	// attempt to add both chains together

[SgtCoDFish]

question: especially with larger RSA key sizes (4096 being common for roots, which we'll be using here) checking signatures can be quite an expensive operation, and we're potentially going to be doing it a lot in tryMergeChain for larger chains. [1]

we can maybe remove the need to do so many signature checks by ordering the nodes differently before we check signatures; we have access to the issuer and subject for every cert in the chain, and in most cases (i.e. when the chain is sane) we'll be able to order certs based on their issuer DN. we still need to check the signatures for correctness reasons, but ordering based on the DNs will save a lot of signature checks.

do you think this optimization is worth it now? I don't think it's needed for this PR (although we need to be careful of a potential performance regression here with longer chains). I could look at adding it in the future if you don't think it's required here.

[1] looking way into the future, quantum-resistant TLS will likely be even more computationally expensive.

[JoshVanL]

Yep, I think it is worth while thinking about and keeping an eye on. I'm not keen on pre optimising though given we don't know if this will be the limiting factor.

[SgtCoDFish]

yeah totally reasonable, I'm sure this will perform fine as implemented 👍

[SgtCoDFish]

praise: I think this will clean up a lot of stuff, and it seems super valuable to me.

[irbekrm]

Amazing code, I wish we did work more work like this!

I have added a comment where I think we should not modify the slice inside the for loop.

[JoshVanL]

/retest

[jakexks]

/lgtm

[jakexks]

/hold

[jakexks]

/unhold