connect/ca: cease including the common name field in generated certs #10424

rboyer · 2021-06-17T20:42:33Z

As part of this change, we ensure that the SAN extensions are marked as
critical when the subject is empty so that AWS PCA tolerates the loss of
common names well and continues to function as a Connect CA provider.

Parts of this currently hack around a bug in crypto/x509 and can be
removed after https://go-review.googlesource.com/c/go/+/329129 lands in
a Go release.

Note: the AWS PCA tests do not run automatically, but the following
passed locally for me:

ENABLE_AWS_PCA_TESTS=1 go test ./agent/connect/ca -run TestAWS

The only remaining place that we use a CommonName in certs is for CA certs themselves, since they don't get SAN fields.

agent/connect/ca/provider_aws.go

rboyer · 2021-06-17T20:45:47Z

agent/connect/x509_patch.go

@@ -0,0 +1,122 @@
+package connect


This can all go away with golang/go#46810

rboyer · 2021-06-17T20:46:21Z

Parts of this can be cleaned up after golang/go#46810 (or something like it) lands.

rboyer · 2021-06-17T20:55:59Z

agent/connect/ca/provider_consul.go

@@ -487,8 +471,12 @@ func (c *ConsulProvider) SignIntermediate(csr *x509.CertificateRequest) (string,
 	effectiveNow := time.Now().Add(-1 * CertificateTimeDriftBuffer)
 	template := x509.Certificate{


This blob threw me until I found it.

This spot in the code accepts a CSR but does not pass that CSR off to the crypto/x509 package or anything of the sort. The incoming CSR has select fields plucked out of it to assign to the newly generated intermediate cert.

I'd done an overmatch during cleanup and stripped the Subject: csr.Subject, line from this function which super broke intermediate certs (which only put data in the Subject/CN field). For now I modified this to handle this more like how a CSR should operate and copy the various SAN fields along with the Subject and any provided ExtraExtensions as-is.

We can discuss if the CA certs themselves should be using SAN fields, too, but the CN fields for those things are less awful to construct so it's fine to keep them for now.

FWIW, if we're not going to use CN everywhere else, it probably makes sense to stop using it for the CA and reflect that in the TLS utilities. Is there a reason not to?

AWS PCA requires a CN field to be populated in order to create the Root CA. From what I can tell you can't set SAN fields on the root CA.

Interesting! Seems to align with that I'm finding in https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6 and https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.4 where the Subject/CN is required.

It might be nice to document the reasoning for "CN only in the CA", just not sure where.

agent/connect/x509_patch.go

agent/connect/x509_patch_test.go

agent/connect/x509_patch.go

picatz · 2021-06-18T18:19:46Z

agent/connect/ca/provider_consul.go

@@ -487,8 +471,12 @@ func (c *ConsulProvider) SignIntermediate(csr *x509.CertificateRequest) (string,
 	effectiveNow := time.Now().Add(-1 * CertificateTimeDriftBuffer)
 	template := x509.Certificate{


FWIW, if we're not going to use CN everywhere else, it probably makes sense to stop using it for the CA and reflect that in the TLS utilities. Is there a reason not to?

agent/connect/x509_patch.go

agent/connect/testing_ca.go

tlsutil/generate.go

hashicorp#10424 introduced a regression, because it removed common name also for secondary CA intermediate certificate, which used the same code path. This violates RFC 5280, which mandates that Issuer CN must not be empty and equal to Subject CN of subordinate certificate. Partially revert this patch to fix consul provider, and add a test case to prevent future regressions.

rboyer requested a review from a team June 17, 2021 20:42

rboyer self-assigned this Jun 17, 2021

vercel bot temporarily deployed to Preview – consul June 17, 2021 20:44 Inactive

vercel bot temporarily deployed to Preview – consul-ui-staging June 17, 2021 20:44 Inactive