Add support for setting pathlen on CA certificates and intermediate CA
#135
Conversation
Add support for setting `pathlen` on CA certificates and intermediate CA
|
|
|
Thanks to #112 for original idea. |
socheatsok78
changed the title
pathlen on CA certificates and intermediate CA
|
I've recently hit this as an issue. A rootCA created with |
pkix/cert_auth.go
Outdated
| if !excludePathlen { | ||
| if pathlen > 0 { | ||
| authTemplate.MaxPathLen = pathlen | ||
| authTemplate.MaxPathLenZero = false |
There was a problem hiding this comment.
MaxPathLenZero is only checked when MaxPathLen == 0. With that in mind, can we simplify this logic? Something like:
authTemplate.MaxPathLen = pathlen
if excludePathLen {
authTemplate.MaxPathLen = -1
}
Then MaxPathLenZero can remain true and we use the explicit MaxPathLen = -1 to unset it.
There was a problem hiding this comment.
Sorry for late to response. I should have went with that in the first place xD. Thank you for pointing out.
There was a problem hiding this comment.
Already made the change. Please give it a look.
There was a problem hiding this comment.
To be honest, the change I've just made doesn't seem right. Let me see what I can do or if you have any suggestion for making it better. Please let me know.
There was a problem hiding this comment.
Added a comment on the current iteration.
pkix/cert_auth.go
Outdated
| @@ -69,7 +78,7 @@ func CreateCertificateAuthority(key *Key, organizationalUnit string, expiry time | |||
|
|
|||
| // CreateIntermediateCertificateAuthority creates an intermediate | |||
| // CA certificate signed by the given authority. | |||
| func CreateIntermediateCertificateAuthority(crtAuth *Certificate, keyAuth *Key, csr *CertificateSigningRequest, proposedExpiry time.Time) (*Certificate, error) { | |||
| func CreateIntermediateCertificateAuthority(crtAuth *Certificate, keyAuth *Key, csr *CertificateSigningRequest, proposedExpiry time.Time, pathlen int) (*Certificate, error) { | |||
There was a problem hiding this comment.
Sorry, it's taken me so long to review these changes because I needed to be sure that this change to the public pkix package wouldn't break anyone. Unfortunately, looks like it will, for example https://cs.github.com/cloudfoundry/locket/blob/ad30c800960d38a0090acd7aa2acfc3f439b1f82/cmd/locket/certauthority/certauthority.go#L88.
Since we're not ready for a v2, I propose we add new functions (CreateIntermediateCertificateAuthorityWithOptions and CreateCertificateAuthorityWithOptions) to take opts ...Option to keep backwards compatibility:
type Option func(*x509.Certificate)
func WithPathlen(pathlen int, excludePathlen bool) {
return func(template *x509.Certificate) {
// Set MaxPathLen appropriately....
}
}
There was a problem hiding this comment.
(Note that part of the v2 changes will be moving things into an internal package so that it's clear we won't guarantee backward compatibility of thee APIs -- this isn't the first time it's hampered contributions. Thanks again for your patience.)
There was a problem hiding this comment.
Okay, let me revert the original function back. I kinda don't want other people code to break as well :D
There was a problem hiding this comment.
For the init command, it is okay to add the extra flag right?
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
There was a problem hiding this comment.
Yes, I think it's fine to have the exclude flag in init.
socheatsok78
requested review from
a team,
mmontgomery-square,
eknapp-square and
sq-smits
…thlen' param" This reverts commit f1e380b.
…cateAuthorityWithOptions`
…tions` before `x509.CreateCertificate`
|
Should we check the if raw_crt.MaxPathLen == 0 {
fmt.Fprintln(os.Stderr, "Selected CA certificate is not allowed to issue intermediate certificates.")
os.Exit(1)
} |
# Conflicts: # cmd/sign.go
That might be a nice future improvement, but let's leave it out of this PR to keep the change minimal. |
pkix/cert_auth.go
Outdated
| if !excludePathlen { | ||
| if pathlen > 0 { | ||
| authTemplate.MaxPathLen = pathlen | ||
| authTemplate.MaxPathLenZero = false |
There was a problem hiding this comment.
Added a comment on the current iteration.
pkix/cert_auth.go
Outdated
| @@ -69,7 +78,7 @@ func CreateCertificateAuthority(key *Key, organizationalUnit string, expiry time | |||
|
|
|||
| // CreateIntermediateCertificateAuthority creates an intermediate | |||
| // CA certificate signed by the given authority. | |||
| func CreateIntermediateCertificateAuthority(crtAuth *Certificate, keyAuth *Key, csr *CertificateSigningRequest, proposedExpiry time.Time) (*Certificate, error) { | |||
| func CreateIntermediateCertificateAuthority(crtAuth *Certificate, keyAuth *Key, csr *CertificateSigningRequest, proposedExpiry time.Time, pathlen int) (*Certificate, error) { | |||
There was a problem hiding this comment.
Yes, I think it's fine to have the exclude flag in init.
…Options` internally
…CertificateAuthorityWithOptions` internally
| // CreateCertificateAuthority creates Certificate Authority using existing key. | ||
| // CertificateAuthorityInfo returned is the extra infomation required by Certificate Authority. | ||
| func CreateCertificateAuthority(key *Key, organizationalUnit string, expiry time.Time, organization string, country string, province string, locality string, commonName string, permitDomains []string) (*Certificate, error) { | ||
| // Passing all arguments to CreateCertificateAuthorityWithOptions |
There was a problem hiding this comment.
Nit: you can remove these comments (here and below).
There was a problem hiding this comment.
Will do in the morning, it's 3am over here! And I'm commenting from my phone 😄
Thank you for reviewing the PR! |
- Change pkix function to have WithPathLen options for intermediate certs Context: square/certstrap#135
* Bump to ginkgo/v2 & lager/v3 - Change pkix function to have WithPathLen options for intermediate certs Context: square/certstrap#135 * fix `go vet` failures
Taken from RFC 5280, section 4.2.1.9:
I.e. a
pathLenConstraintof0 does still allow the CA to issue certificates, but these certificates must be end-entity-certificates (the CA flag inBasicConstraintsisfalse- these are the "normal" certificates that are issued to people or organizations).It also implies that with this certificate, the CA must not issue intermediate CA certificates (where the CA flag is true again - these are certificates that could potentially issue further certificates, thereby increasing the
pathLenby 1).An absent
pathLenConstrainton the other hand means that there is no limitation considering the length of certificate paths built from an end-entity certificate that would lead up to our example CA certificate. This implies that the CA could issue an intermediate certificate for a sub CA, this sub CA could again issue an intermediate certificate, this sub CA could again... until finally one sub CA would issue an end-entity certificate.If the
pathLenConstraintofa given CA certificate is > 0, then it expresses the number of possible intermediate CA certificates in a path built from an end-entity certificate up to the CA certificate. Let's say CA X has apathLenConstraintof 2, the end-entity certificate is issued to EE. Then the following scenarios are valid (I denoting an intermediate CA certificate)Example
Create CA key
Create intermediate CA 1 key
Create intermediate CA 2 key