New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Extended key usages into CSR #3211
Conversation
Signed-off-by: Maartje Eyskens <maartje@eyskens.me>
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: meyskens The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Signed-off-by: Maartje Eyskens <maartje@eyskens.me>
It looks good to me. Since this only fixes half of #3136, I think we shouldn't close the issue and discuss further with the users? |
If both the CSR and CertificateRequest specify key usages/extended key usages, which should be authoritative if they are different? As a consumer of the CertificateRequest API this could lead to confusion between different issuer types which may each behave differently. This change doesn't really change the state of the world here (previously, if a user created their own CSR which does specify usages and those are different to those on the CR, the question would be the same). But by making it default behaviour for the Certificate controller to add this, it certainly becomes a potentially more prominent issue. As an item for the v1 API, perhaps validation can be tightened in v1 to require that these are both the same if any are encoded into the CSR? |
Signed-off-by: Maartje Eyskens <maartje@eyskens.me>
Digged deeper into specs and added the classic key usages also :) To come back to @munnerz' comment, I think validation is the best compromise here? But only if both are set? |
Signed-off-by: Maartje Eyskens <maartje@eyskens.me>
Signed-off-by: Maartje Eyskens <maartje@eyskens.me>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @meyskens
A few comments below.
Is there any danger that this will break existing issuers?
Will LetsEncrypt pay attention to this?
Will Venafi work with this?
It does seem ugly that we will be adding usages both to the CR and to the x509 CSR.
It makes me wonder whether:
- CR resource should be immutable.
- Perhaps the x509 CSR should be moved from spec.Request > status.Request, signifying that the CSR data is only meant to be populated by cert-manager.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Couple of nits from me
…if both are set Signed-off-by: Maartje Eyskens <maartje@eyskens.me>
Signed-off-by: Maartje Eyskens <maartje@eyskens.me>
Signed-off-by: Maartje Eyskens <maartje@eyskens.me>
Signed-off-by: Maartje Eyskens <maartje@eyskens.me>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A few more comments and questions.
if err != nil { | ||
el = append(el, field.Invalid(fldPath.Child("request"), crSpec.Request, fmt.Sprintf("failed to decode csr: %s", err))) | ||
} else { | ||
// only compare usages if set on CR and in the CSR | ||
if len(crSpec.Usages) > 0 && len(csr.Extensions) > 0 && validateCSRContent { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What if there are crSpec
usages but not csr.Extensions
? That should be a validation error too, right?
How about creating sets.NewString
of the CR and CSR usages and then doing a diff between them?
The differences could be added to the error message.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ignore the comment above. You explained in standup that we want to allow the case where usages are only defined in CR or CSR.
But perhaps we should also make that clear in the validation error message.
And if the usages are only defined in the CSR Request
bytes should we add validation to ensure that those are all in the enums set that we validate the CR usages against?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
But perhaps we should also make that clear in the validation error message.
Done
And if the usages are only defined in the CSR Request bytes should we add validation to ensure that those are all in the enums set that we validate the CR usages against?
What do you mean? these are validated by it being a valid x509 CSR
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I recently updated the RequestMatchesSpec
function in #3224 and it makes me wonder if that function should also be updated to handle the case where the usages are only present in the Request
bundle.
Not necessarily here, but perhaps in a followup issue / PR.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What do you mean? these are validated by it being a valid x509 CSR
I was thinking of the the x509.go line 705
UnknownExtKeyUsage []asn1.ObjectIdentifier // Encountered extended key usages unknown to this package.
/kind feature |
Signed-off-by: Maartje Eyskens <maartje@eyskens.me>
Signed-off-by: Maartje Eyskens <maartje@eyskens.me>
/lgtm |
What this PR does / why we need it:
This encodes the ExtKeyUsages into the CSR so supported issuers can pick those up and assign them.
Which issue this PR fixes:
Fixes #3136
Special notes for your reviewer:
From my research is isn't possible to define the "old" key usages into the CSR. Prove me wrong is your mission ;)I read more code in the evening, it works :D
Release note: