
Set KeyUsage properly for CA certs #2896

Merged
merged 1 commit into from Mar 28, 2022

Conversation

@hiyosi (Contributor) commented Mar 28, 2022

Signed-off-by: Tomoya Usami <tousami@zlab.co.jp>

Pull Request check list

  • Commit conforms to CONTRIBUTING.md?
  • Proper tests/regressions included?
  • Documentation updated?

Affected functionality

SPIRE Server CA

Description of change

Set KeyUsage properly for CA certs.
No longer set KeyUsage DigitalSignature for CA certs.

Which issue this PR fixes

fixes #2811

@hiyosi changed the title from "Do not set KeyUsage DigitalSignature for CA certs" to "@hiyosi Set KeyUsage properly for CA certs" on Mar 28, 2022
@@ -58,8 +58,7 @@ func (p *Plugin) buildCertificateRequest(request *upstreamauthorityv1.MintX509CA
Request: csrBuf.Bytes(),
IsCA: true,
Usages: []cmapi.KeyUsage{
cmapi.UsageDigitalSignature,
cmapi.UsageCertSign,
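Review bot: the `+`/`-` markers were lost in extraction, but the `@@ -58,8 +58,7 @@` header shows exactly one line leaving the `Usages` slice, which from context is `cmapi.UsageDigitalSignature`; the remainder of the slice is cut off here, so please confirm the cert-manager request still asks for `cmapi.UsageCRLSign` alongside `cmapi.UsageCertSign`, so that this path yields the same `Certificate Sign, CRL Sign` set the self-signed and downstream outputs in this PR show. A test asserting the exact usage set requested from cert-manager would keep the DigitalSignature bit from creeping back in; the "Proper tests/regressions included?" checklist item is still unchecked.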
@hiyosi hiyosi Mar 28, 2022


I found another bug where the same KeyUsage was set; fixed it at the same time.

@hiyosi changed the title from "@hiyosi Set KeyUsage properly for CA certs" to "Set KeyUsage properly for CA certs" on Mar 28, 2022

@hiyosi (Contributor, Author) commented Mar 28, 2022

self-signed

before

root@spire-dev:/spire# openssl x509 -in test.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            81:94:83:e8:82:af:b9:cb:62:89:77:e6:e4:6c:f0:db
    Signature Algorithm: ecdsa-with-SHA256
        Issuer: C=US, O=SPIFFE
        Validity
            Not Before: Mar 28 05:16:32 2022 GMT
            Not After : Mar 29 05:16:42 2022 GMT
        Subject: C=US, O=SPIFFE
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub: 
                    04:cf:79:b0:b7:1a:47:1b:b3:45:2c:4d:89:c0:2d:
                    6c:9e:31:90:0e:3d:2c:bb:e7:81:fe:05:6a:3f:f2:
                    d5:6e:61:c0:72:0d:02:b7:52:f3:4c:b5:42:f7:36:
                    8a:3b:47:af:8b:cf:fa:36:eb:24:cf:21:b1:4c:17:
                    bb:90:58:a6:aa
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier: 
                26:78:E3:6C:2E:28:C6:FD:7F:5A:E3:94:B0:4E:75:DA:D6:C8:89:9A
            X509v3 Subject Alternative Name: 
                URI:spiffe://example.org
    Signature Algorithm: ecdsa-with-SHA256
         30:45:02:21:00:f8:0e:58:50:5a:c4:ca:68:75:17:46:08:7b:
         df:0b:23:fa:1a:7c:d1:99:3e:3d:2f:6e:4a:b7:58:7a:cc:9f:
         6a:02:20:5e:a5:e4:dd:db:ff:bb:71:b5:31:e1:06:a8:bd:76:
         a4:6c:df:66:a3:e1:a1:1b:c1:6b:d3:35:7c:ce:98:ea:03

after

root@spire-dev:/spire# openssl x509 -in test.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            c3:b2:cf:68:33:21:6e:6b:d7:12:0c:40:df:96:71:84
    Signature Algorithm: ecdsa-with-SHA256
        Issuer: C=US, O=SPIFFE
        Validity
            Not Before: Mar 28 05:03:54 2022 GMT
            Not After : Mar 29 05:04:04 2022 GMT
        Subject: C=US, O=SPIFFE
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub: 
                    04:51:53:0f:95:8e:37:db:71:10:9b:8d:e1:88:52:
                    ad:7d:cb:1f:86:55:aa:85:50:d1:30:22:3d:56:cc:
                    17:96:5b:c5:fc:74:90:99:21:fe:c4:9d:f3:93:9b:
                    be:6b:8f:b2:7c:ff:4e:ab:59:14:1e:a9:4f:ed:e1:
                    f7:c0:d5:4c:4b
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier: 
                90:EF:46:AF:6E:8D:92:5C:A8:2D:1D:A5:0C:34:3D:F7:70:9D:FE:61
            X509v3 Subject Alternative Name: 
                URI:spiffe://example.org
    Signature Algorithm: ecdsa-with-SHA256
         30:44:02:20:50:f2:e8:a2:a3:44:1c:f8:1d:e5:32:15:f6:c4:
         07:0f:cb:95:52:46:cb:a2:50:e5:67:1f:95:04:80:18:4e:ce:
         02:20:0b:cd:13:86:d5:3d:61:68:e6:60:a1:9d:34:1d:1a:5a:
         62:eb:b2:6d:de:f0:9f:35:cc:1f:00:0b:c4:f8:87:08

nested

downstream spire-ca
before

openssl x509 -in test.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            4b:c4:bb:91:cb:bf:61:63:60:28:35:0b:0c:12:12:52
    Signature Algorithm: ecdsa-with-SHA256
        Issuer: C=US, O=SPIFFE
        Validity
            Not Before: Mar 28 06:56:38 2022 GMT
            Not After : Mar 28 07:56:00 2022 GMT
        Subject: C=US, O=SPIFFE, OU=DOWNSTREAM-1
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:4e:a2:2e:2f:16:ae:8b:e8:8f:37:95:a3:a6:89:
                    10:c6:12:22:0e:9b:2a:fe:9b:4c:cc:78:eb:38:0c:
                    91:99:6e:0c:84:92:9b:6e:ed:39:b3:86:cc:03:78:
                    fe:e2:f9:ff:1d:16:56:d7:03:68:2c:60:80:94:b7:
                    f2:28:f1:14:03
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                FC:98:08:5B:72:6B:E7:AB:29:1C:E0:3B:14:CA:94:20:15:75:32:AE
            X509v3 Authority Key Identifier:
                keyid:26:45:B9:95:6A:0B:8E:EE:59:7E:E6:33:28:B5:84:44:4A:E1:9A:1F

            X509v3 Subject Alternative Name:
                URI:spiffe://domain.test
    Signature Algorithm: ecdsa-with-SHA256
         30:44:02:20:35:80:43:a1:69:19:d5:88:14:db:a5:7f:a4:ca:
         a6:05:00:a3:56:7b:39:48:cf:d2:a3:a7:4c:3a:ee:18:09:38:
         02:20:2a:e1:94:18:64:6e:c3:93:37:ff:36:ac:f1:1d:30:05:
         d8:90:a8:24:c3:02:aa:03:73:59:a3:91:0b:c5:5c:73

after

$ openssl x509 -in test.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            d2:a2:50:cb:5b:47:cf:89:ad:ab:b2:b0:ad:55:e6:47
    Signature Algorithm: ecdsa-with-SHA256
        Issuer: C=US, O=SPIFFE
        Validity
            Not Before: Mar 28 06:42:04 2022 GMT
            Not After : Mar 28 07:41:25 2022 GMT
        Subject: C=US, O=SPIFFE, OU=DOWNSTREAM-1
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:fe:35:8b:f0:45:39:ec:d3:14:82:20:20:cf:18:
                    a5:1d:a9:e3:87:ba:0e:58:06:8d:57:0e:76:d2:98:
                    d0:9d:af:46:ff:8d:f8:c6:b0:e2:17:f1:6d:14:e6:
                    4c:87:2c:73:68:fa:b8:27:6f:ae:d1:bf:8f:4e:b3:
                    18:dc:26:e4:b9
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                59:27:E4:3D:3A:74:B8:7F:02:D3:36:9B:DF:E6:63:80:03:99:D6:7D
            X509v3 Authority Key Identifier:
                keyid:26:73:9D:99:D8:FA:C8:B1:26:53:A0:58:55:18:7F:52:3C:7C:43:7D

            X509v3 Subject Alternative Name:
                URI:spiffe://domain.test
    Signature Algorithm: ecdsa-with-SHA256
         30:45:02:21:00:8d:d3:22:04:90:58:06:9a:e5:e2:99:07:b4:
         b4:38:19:04:e9:cb:16:2f:11:a5:d9:03:08:91:dc:10:0f:4d:
         a5:02:20:06:69:10:0b:3a:d0:ff:af:b8:7d:73:76:23:8f:f5:
         eb:0d:8b:c1:73:28:5c:13:5a:b4:9a:bb:b5:88:24:56:4a
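The before/after `openssl x509 -text` listings above differ in one line of the Key Usage extension. As an added example that is not part of this PR or of SPIRE's code, the Go program below builds a throwaway self-signed CA with each of the two usage sets, reads the usage back out of the encoded certificate, prints it with the same labels openssl uses, and applies the rule this PR enforces as a check that can be run over any parsed certificate. The subject and SPIFFE URI SAN mirror the sample certificate; the key, serial number and `checkCAKeyUsage` rule wording are this example's own assumptions, and the key is never persisted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// caKeyUsage is the key usage a CA certificate should carry: keyCertSign and
// cRLSign only. digitalSignature is deliberately absent, matching the "after"
// output in the PR ("Certificate Sign, CRL Sign").
const caKeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign

// newSelfSignedCA builds a throwaway self-signed CA with the requested key
// usage and returns it re-parsed from DER, so the result reflects what was
// actually encoded rather than what the template asked for. Subject and SAN
// mirror the PR's sample certificate; the key and serial are constructed here.
func newSelfSignedCA(usage x509.KeyUsage) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{Country: []string{"US"}, Organization: []string{"SPIFFE"}},
		NotBefore:             now,
		NotAfter:              now.Add(24 * time.Hour),
		KeyUsage:              usage,
		BasicConstraintsValid: true,
		IsCA:                  true,
		URIs:                  []*url.URL{{Scheme: "spiffe", Host: "example.org"}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// checkCAKeyUsage applies the rule from this PR to a parsed certificate and
// returns one finding per violation; an empty result means the cert complies.
func checkCAKeyUsage(cert *x509.Certificate) []string {
	var findings []string
	if !cert.BasicConstraintsValid || !cert.IsCA {
		findings = append(findings, "BasicConstraints does not assert CA:TRUE")
	}
	if cert.KeyUsage&x509.KeyUsageCertSign == 0 {
		findings = append(findings, "KeyUsage lacks keyCertSign")
	}
	if cert.KeyUsage&x509.KeyUsageDigitalSignature != 0 {
		findings = append(findings, "KeyUsage sets digitalSignature, which a CA-only certificate should not")
	}
	return findings
}

// keyUsageNames renders a KeyUsage bitmask with the labels and order openssl
// prints, so the result can be compared directly with `openssl x509 -text`.
func keyUsageNames(ku x509.KeyUsage) string {
	labels := []struct {
		bit  x509.KeyUsage
		name string
	}{
		{x509.KeyUsageDigitalSignature, "Digital Signature"},
		{x509.KeyUsageContentCommitment, "Non Repudiation"},
		{x509.KeyUsageKeyEncipherment, "Key Encipherment"},
		{x509.KeyUsageDataEncipherment, "Data Encipherment"},
		{x509.KeyUsageKeyAgreement, "Key Agreement"},
		{x509.KeyUsageCertSign, "Certificate Sign"},
		{x509.KeyUsageCRLSign, "CRL Sign"},
		{x509.KeyUsageEncipherOnly, "Encipher Only"},
		{x509.KeyUsageDecipherOnly, "Decipher Only"},
	}
	var out []string
	for _, l := range labels {
		if ku&l.bit != 0 {
			out = append(out, l.name)
		}
	}
	return strings.Join(out, ", ")
}

func main() {
	// "before" reproduces the pre-fix usage set; "after" is the corrected one.
	for _, tc := range []struct {
		label string
		usage x509.KeyUsage
	}{{"before", x509.KeyUsageDigitalSignature | caKeyUsage}, {"after", caKeyUsage}} {
		cert, err := newSelfSignedCA(tc.usage)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-6s KeyUsage: %s  findings: %v\n", tc.label, keyUsageNames(cert.KeyUsage), checkCAKeyUsage(cert))
	}
}
```

`checkCAKeyUsage` reads the usage from the parsed certificate rather than from a template, so the same function works on a PEM pulled from a running server or from a bundle, which is the check a reviewer would want to run against the cert-manager-issued CA that the second hunk in this PR touches.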

@hiyosi force-pushed the fix-2811 branch 2 times, most recently from 73175a9 to b20f658, March 28, 2022 07:24
@hiyosi hiyosi marked this pull request as ready for review March 28, 2022 07:59
Signed-off-by: Tomoya Usami <tousami@zlab.co.jp>
@azdagron (Member) left a comment


Thank you so much for this fix, @hiyosi !

@azdagron azdagron merged commit 34d9080 into spiffe:main Mar 28, 2022
@hiyosi hiyosi deleted the fix-2811 branch March 31, 2022 06:43
@azdagron azdagron added this to the 1.2.2 milestone Apr 5, 2022
Linked issue closed by this pull request: DigitalSignature bit SHOULD NOT be set on a SPIRE CA cert