diff --git a/agent/consul/leader_connect_ca.go b/agent/consul/leader_connect_ca.go index 3087fb84af..0a6b0b47a4 100644 --- a/agent/consul/leader_connect_ca.go +++ b/agent/consul/leader_connect_ca.go @@ -1463,28 +1463,22 @@ func (c *CAManager) SignCertificate(csr *x509.CertificateRequest, spiffeID conne connect.HackSANExtensionForCSR(csr) - root, err := provider.ActiveRoot() - if err != nil { - return nil, err - } // Check if the root expired before using it to sign. - err = c.checkExpired(root) + // TODO: we store NotBefore and NotAfter on this struct, so we could avoid + // parsing the cert here. + err = c.checkExpired(caRoot.RootCert) if err != nil { return nil, fmt.Errorf("root expired: %w", err) } - inter, err := provider.ActiveIntermediate() - if err != nil { - return nil, err - } - // Check if the intermediate expired before using it to sign. - err = c.checkExpired(inter) - if err != nil { - return nil, fmt.Errorf("intermediate expired: %w", err) + if c.isIntermediateUsedToSignLeaf() && len(caRoot.IntermediateCerts) > 0 { + inter := caRoot.IntermediateCerts[len(caRoot.IntermediateCerts)-1] + if err := c.checkExpired(inter); err != nil { + return nil, fmt.Errorf("intermediate expired: %w", err) + } } // All seems to be in order, actually sign it. - pem, err := provider.Sign(csr) if err == ca.ErrRateLimited { return nil, ErrRateLimited diff --git a/agent/consul/leader_connect_ca_test.go b/agent/consul/leader_connect_ca_test.go index 869459cb7f..5e5e1de59d 100644 --- a/agent/consul/leader_connect_ca_test.go +++ b/agent/consul/leader_connect_ca_test.go @@ -12,6 +12,7 @@ import ( "fmt" "math/big" "net/rpc" + "net/url" "testing" "time" @@ -131,11 +132,12 @@ func verifyLeafCert(t *testing.T, root *structs.CARoot, leafCertPEM string) { } type mockCAServerDelegate struct { - t *testing.T - config *Config - store *state.Store - primaryRoot *structs.CARoot - callbackCh chan string + t *testing.T + config *Config + store *state.Store + primaryRoot *structs.CARoot + secondaryIntermediate string + callbackCh chan string } func NewMockCAServerDelegate(t *testing.T, config *Config) *mockCAServerDelegate { @@ -198,7 +200,7 @@ func (m *mockCAServerDelegate) forwardDC(method, dc string, args interface{}, re roots.ActiveRootID = m.primaryRoot.ID case "ConnectCA.SignIntermediate": r := reply.(*string) - *r = m.primaryRoot.RootCert + *r = m.secondaryIntermediate default: return fmt.Errorf("received call to unsupported method %q", method) } @@ -305,13 +307,14 @@ func initTestManager(t *testing.T, manager *CAManager, delegate *mockCAServerDel } func TestCAManager_Initialize(t *testing.T) { - conf := DefaultConfig() conf.ConnectEnabled = true conf.PrimaryDatacenter = "dc1" conf.Datacenter = "dc2" delegate := NewMockCAServerDelegate(t, conf) + delegate.secondaryIntermediate = delegate.primaryRoot.RootCert manager := NewCAManager(delegate, nil, testutil.Logger(t), conf) + manager.providerShim = &mockCAProvider{ callbackCh: delegate.callbackCh, rootPEM: delegate.primaryRoot.RootCert, @@ -356,6 +359,7 @@ func TestCAManager_UpdateConfigWhileRenewIntermediate(t *testing.T) { conf.PrimaryDatacenter = "dc1" conf.Datacenter = "dc2" delegate := NewMockCAServerDelegate(t, conf) + delegate.secondaryIntermediate = delegate.primaryRoot.RootCert manager := NewCAManager(delegate, nil, testutil.Logger(t), conf) manager.providerShim = &mockCAProvider{ callbackCh: delegate.callbackCh, @@ -447,6 +451,8 @@ func TestCAManager_SignCertificate_WithExpiredCert(t *testing.T) { intermediatePEM := generateCertPEM(t, caPrivKey, arg.notBeforeIntermediate, arg.notAfterIntermediate) delegate := NewMockCAServerDelegate(t, conf) + delegate.primaryRoot.RootCert = rootPEM + delegate.secondaryIntermediate = intermediatePEM manager := NewCAManager(delegate, nil, testutil.Logger(t), conf) manager.providerShim = &mockCAProvider{ @@ -458,14 +464,13 @@ func TestCAManager_SignCertificate_WithExpiredCert(t *testing.T) { // Simulate Wait half the TTL for the cert to need renewing. manager.timeNow = func() time.Time { - return time.Now().Add(500 * time.Millisecond) + return time.Now().UTC().Add(500 * time.Millisecond) } // Call RenewIntermediate and then confirm the RPCs and provider calls // happen in the expected order. _, err := manager.SignCertificate(&x509.CertificateRequest{}, &connect.SpiffeIDAgent{}) - if arg.isError { require.Error(t, err) require.Contains(t, err.Error(), arg.errorMsg) @@ -494,6 +499,7 @@ func generateCertPEM(t *testing.T, caPrivKey *rsa.PrivateKey, notBefore time.Tim ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, BasicConstraintsValid: true, + URIs: []*url.URL{connect.SpiffeIDAgent{Host: "foo"}.URI()}, } caBytes, err := x509.CreateCertificate(rand.Reader, ca, ca, &caPrivKey.PublicKey, caPrivKey)