Fix cryptographic certificates for post go 1.19

Go 1.19 changed the way cryptographic certificates were verified, which
broke a certain edge case of root CA rotation. This edge case is now
disallowed.

Signed-off-by: Drew Erny <[email protected]>

Author: dperny

Dockerfile

@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1
 
-ARG GO_VERSION=1.18.9
+ARG GO_VERSION=1.21.6
 ARG PROTOC_VERSION=3.11.4
 ARG GOLANGCI_LINT_VERSION=v1.50.1
 ARG DEBIAN_FRONTEND=noninteractive

api/types.pb.go

@@ -464,14 +464,14 @@ func TestSecurityConfigUpdateRootCA(t *testing.T) {
 	require.Error(t, err)
 	err = <-actualErrChan
 	require.Error(t, err)
-	require.IsType(t, x509.UnknownAuthorityError{}, err)
+	require.ErrorAs(t, err, &x509.UnknownAuthorityError{})
 
 	_, actualErrChan, err = tlsGRPCDial(tc.Context, l.Addr().String(), tcConfig.ClientTLSCreds)
 	defer close(actualErrChan)
 	require.Error(t, err)
 	err = <-actualErrChan
 	require.Error(t, err)
-	require.IsType(t, x509.UnknownAuthorityError{}, err)
+	require.ErrorAs(t, err, &x509.UnknownAuthorityError{})
 
 	// update the root CA on the "original security config to support both the old root
 	// and the "new root" (the testing CA root).  Also make sure this root CA has an
@@ -640,7 +640,7 @@ func TestRenewTLSConfigUpdatesRootOnUnknownAuthError(t *testing.T) {
 		default:
 			crossSigneds[i], err = cas[i-1].CrossSignCACertificate(certs[i])
 			require.NoError(t, err)
-			cas[i], err = ca.NewRootCA(certs[i-1], certs[i], keys[i], ca.DefaultNodeCertExpiration, crossSigneds[i])
+			cas[i], err = ca.NewRootCA(certs[i-1], crossSigneds[i], keys[i], ca.DefaultNodeCertExpiration, crossSigneds[i])
 			require.NoError(t, err)
 		}
 	}
@@ -652,7 +652,7 @@ func TestRenewTLSConfigUpdatesRootOnUnknownAuthError(t *testing.T) {
 		CACert: certs[0],
 		CAKey:  keys[0],
 		RootRotation: &api.RootRotation{
-			CACert:            certs[1],
+			CACert:            crossSigneds[1],
 			CAKey:             keys[1],
 			CrossSignedCACert: crossSigneds[1],
 		},

ca/config_test.go

@@ -429,8 +429,9 @@ type clusterObjToUpdate struct {
 	externalCertSignedBy []byte
 }
 
-// When the SecurityConfig is updated with a new TLS keypair, the server automatically uses that keypair to contact
-// the external CA
+// TestServerExternalCAGetsTLSKeypairUpdates tests that when the SecurityConfig
+// is updated with a new TLS keypair, the server automatically uses that
+// keypair to contact the external CA
 func TestServerExternalCAGetsTLSKeypairUpdates(t *testing.T) {
 	t.Parallel()
 
@@ -473,12 +474,13 @@ func TestServerExternalCAGetsTLSKeypairUpdates(t *testing.T) {
 	require.NoError(t, testutils.PollFuncWithTimeout(nil, func() error {
 		externalCA := tc.CAServer.ExternalCA()
 		// wait for the credentials for the external CA to update
+		log.G(tc.Context).Warn("making external CA sign request")
 		if _, err = externalCA.Sign(tc.Context, req); err == nil {
 			return errors.New("external CA creds haven't updated yet to be invalid")
 		}
 		return nil
 	}, 2*time.Second))
-	require.Contains(t, errors.Cause(err).Error(), "remote error: tls: bad certificate")
+	require.Contains(t, errors.Cause(err).Error(), "remote error: tls: expired certificate")
 }
 
 func TestCAServerUpdateRootCA(t *testing.T) {

ca/server_test.go

@@ -37,6 +37,7 @@ func hasSigningKey(a interface{}) bool {
 // Creates a cross-signed intermediate and new api.RootRotation object.
 // This function assumes that the root cert and key and the external CAs have already been validated.
 func newRootRotationObject(ctx context.Context, securityConfig *ca.SecurityConfig, apiRootCA *api.RootCA, newCARootCA ca.RootCA, extCAs []*api.ExternalCA, version uint64) (*api.RootCA, error) {
+	log.G(ctx).Info("calls newRootRotationObject")
 	var (
 		rootCert, rootKey, crossSignedCert []byte
 		newRootHasSigner                   bool
@@ -53,6 +54,7 @@ func newRootRotationObject(ctx context.Context, securityConfig *ca.SecurityConfi
 	// a root rotation is already in progress)
 	switch {
 	case hasSigningKey(apiRootCA):
+		log.G(ctx).Info("takes hasSigningKey branch")
 		var oldRootCA ca.RootCA
 		oldRootCA, err = ca.NewRootCA(apiRootCA.CACert, apiRootCA.CACert, apiRootCA.CAKey, ca.DefaultNodeCertExpiration, nil)
 		if err == nil {
@@ -175,8 +177,14 @@ func getNormalizedExtCAs(caConfig *api.CAConfig, normalizedCurrentRootCACert []b
 //     object as is
 //     - we want to generate a new internal CA cert and key (force rotation value has changed), and we return the updated RootCA
 //     object
-//  3. Signing cert and key have been provided: validate that these match (the cert and key match). Otherwise, return an error.
-//  4. Return the updated RootCA object according to the following criteria:
+//  3. Check if the cert is the same key. We cannot rotate to a cert with the same key. As of go 1.19, the logic for certificate
+//     trust chain validation changed, and a chain including two certs with the same key will not validate. This case would
+//     usually occur when reissuing the same cert with a later expiration date. Because of this validation failure, our root
+//     rotation algorithm fails. While it might be possible to adjust the rotation procedure to accommodate such a cert change,
+//     it is somewhat of an edge case, and, more importantly, we do not currently possess the cryptographic expertise to safely
+//     make such a change. So, as a result, this operation is disallowed. The new root cert must have a new key.
+//  4. Signing cert and key have been provided: validate that these match (the cert and key match). Otherwise, return an error.
+//  5. Return the updated RootCA object according to the following criteria:
 //     - If the desired cert is the same as the current CA cert then abort any outstanding rotations. The current signing key
 //     is replaced with the desired signing key (this could lets us switch between external->internal or internal->external
 //     without an actual CA rotation, which is not needed because any leaf cert issued with one CA cert can be validated using
@@ -289,6 +297,12 @@ func validateCAConfig(ctx context.Context, securityConfig *ca.SecurityConfig, cl
 		return copied, nil
 	}
 
+	// See step 3 in the doc comment. We cannot upgrade a cert with the same
+	// key.
+	if len(newConfig.SigningCAKey) > 0 && bytes.Equal(newConfig.SigningCAKey, cluster.RootCA.CAKey) {
+		return nil, status.Errorf(codes.InvalidArgument, "Cannot update to a cert with an identical key")
+	}
+
 	// check if this is the same desired cert as an existing root rotation
 	if r := cluster.RootCA.RootRotation; r != nil && bytes.Equal(ca.NormalizePEMs(r.CACert), newConfig.SigningCACert) {
 		copied := cluster.RootCA.Copy()