Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

bugfix: include all CA certificates in encoded pkcs12/jks stores #6806

Merged
merged 2 commits into from Mar 4, 2024
Merged

bugfix: include all CA certificates in encoded pkcs12/jks stores #6806

merged 2 commits into from Mar 4, 2024

Conversation

bwaldrep
Copy link
Contributor

Pull Request Motivation

Fixes #6803. When either a JKS or PKCS12 keystore is requested, the contents of the generated truststores should match the contents of the ca.crt field in the rendered secret. Previously if an issuer returned multiple concatenated CAs when signing a CertificateRequest only the first CA would be included in the truststores, despite the full set appearing in the ca.crt field.

Kind

/kind bug

Release Note

BUGFIX: JKS and PKCS12 stores now contain the full set of CAs specified by an issuer

@bwaldrep
include full CA chain contents in encoded pkcs12/jks stores
251610d 
Signed-off-by: Bill Waldrep <bwaldrep@palantir.com>
@jetstack-bot jetstack-bot added kind/bug Categorizes issue or PR as related to a bug. release-note Denotes a PR that will be considered when it comes time to generate release notes. dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Feb 29, 2024
@jetstack-bot
Copy link
Collaborator

Hi @bwaldrep. Thanks for your PR.

I'm waiting for a cert-manager member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@jetstack-bot jetstack-bot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Feb 29, 2024
@bwaldrep bwaldrep changed the title include full CA chain contents in encoded pkcs12/jks stores bugfix: include full CA chain contents in encoded pkcs12/jks stores Feb 29, 2024
@bwaldrep
add new utility method to clarify cert decoding semantics
bf3d202 
Signed-off-by: Bill Waldrep <bwaldrep@palantir.com>
@inteon inteon changed the title bugfix: include full CA chain contents in encoded pkcs12/jks stores bugfix: include all CA certificates in encoded pkcs12/jks stores Mar 4, 2024
@inteon
Copy link
Member

inteon commented Mar 4, 2024

Thanks @bwaldrep!
I'm very happy to receive these high-quality bugfix contributions.
/approve
/lgtm

@jetstack-bot jetstack-bot added the lgtm Indicates that a PR is ready to be merged. label Mar 4, 2024
@jetstack-bot
Copy link
Collaborator

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: inteon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@jetstack-bot jetstack-bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 4, 2024
@inteon
Copy link
Member

inteon commented Mar 4, 2024

/cherrypick release-1.14

@jetstack-bot
Copy link
Collaborator

@inteon: once the present PR merges, I will cherry-pick it on top of release-1.14 in a new PR and assign it to you.

In response to this:

/cherrypick release-1.14

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@inteon
Copy link
Member

inteon commented Mar 4, 2024

/cherrypick release-1.13

@jetstack-bot
Copy link
Collaborator

@inteon: once the present PR merges, I will cherry-pick it on top of release-1.13 in a new PR and assign it to you.

In response to this:

/cherrypick release-1.13

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@inteon
Copy link
Member

inteon commented Mar 4, 2024

/cherrypick release-1.12

@jetstack-bot
Copy link
Collaborator

@inteon: once the present PR merges, I will cherry-pick it on top of release-1.12 in a new PR and assign it to you.

In response to this:

/cherrypick release-1.12

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@jetstack-bot jetstack-bot merged commit fd55116 into cert-manager:master Mar 4, 2024
7 checks passed
@jetstack-bot
Copy link
Collaborator

@inteon: new pull request created: #6812

In response to this:

/cherrypick release-1.14

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@jetstack-bot jetstack-bot mentioned this pull request Mar 4, 2024
Merged
@jetstack-bot
Copy link
Collaborator

@inteon: #6806 failed to apply on top of branch "release-1.13":

Applying: include full CA chain contents in encoded pkcs12/jks stores
Using index info to reconstruct a base tree...
M	pkg/controller/certificates/issuing/internal/keystore.go
M	pkg/controller/certificates/issuing/internal/keystore_test.go
Falling back to patching base and 3-way merge...
Auto-merging pkg/controller/certificates/issuing/internal/keystore_test.go
Auto-merging pkg/controller/certificates/issuing/internal/keystore.go
CONFLICT (content): Merge conflict in pkg/controller/certificates/issuing/internal/keystore.go
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
Patch failed at 0001 include full CA chain contents in encoded pkcs12/jks stores
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".

In response to this:

/cherrypick release-1.13

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@jetstack-bot
Copy link
Collaborator

@inteon: #6806 failed to apply on top of branch "release-1.12":

Applying: include full CA chain contents in encoded pkcs12/jks stores
Using index info to reconstruct a base tree...
M	pkg/controller/certificates/issuing/internal/keystore.go
M	pkg/controller/certificates/issuing/internal/keystore_test.go
Falling back to patching base and 3-way merge...
Auto-merging pkg/controller/certificates/issuing/internal/keystore_test.go
Auto-merging pkg/controller/certificates/issuing/internal/keystore.go
CONFLICT (content): Merge conflict in pkg/controller/certificates/issuing/internal/keystore.go
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
Patch failed at 0001 include full CA chain contents in encoded pkcs12/jks stores
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".

In response to this:

/cherrypick release-1.12

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@bwaldrep bwaldrep mentioned this pull request Mar 4, 2024
Merged
This was referenced Mar 4, 2024
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@inteon inteon inteon left review comments

Assignees
No one assigned
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. kind/bug Categorizes issue or PR as related to a bug. lgtm Indicates that a PR is ready to be merged. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

JKS/PKCS12 truststores omit additional CAs returned by the issuer
3 participants
@bwaldrep @jetstack-bot @inteon