connect: Check for expired root cert when cross-signing

2020-10-09 04:35:42 -07:00 · 2020-10-09 04:35:42 -07:00 · b78f618beb
parent 2956313f2d
commit b78f618beb
4 changed files with 24 additions and 9 deletions
--- a/agent/connect/ca/provider_consul.go
+++ b/agent/connect/ca/provider_consul.go
@ -21,14 +21,13 @@ import (
 	"github.com/hashicorp/go-hclog"
 )

-const (
-
+var (
 	// NotBefore will be CertificateTimeDriftBuffer in the past to account for
 	// time drift between different servers.
 	CertificateTimeDriftBuffer = time.Minute
-)

-var ErrNotInitialized = errors.New("provider not initialized")
+	ErrNotInitialized = errors.New("provider not initialized")
+)

 type ConsulProvider struct {
 	Delegate ConsulProviderStateDelegate
--- a/agent/connect/ca/provider_vault.go
+++ b/agent/connect/ca/provider_vault.go
@ -9,6 +9,7 @@ import (
 	"io/ioutil"
 	"net/http"
 	"strings"
+	"time"

 	"github.com/hashicorp/consul/agent/connect"
 	"github.com/hashicorp/consul/agent/structs"
@ -476,8 +477,20 @@ func (v *VaultProvider) SignIntermediate(csr *x509.CertificateRequest) (string,
 // CrossSignCA takes a CA certificate and cross-signs it to form a trust chain
 // back to our active root.
 func (v *VaultProvider) CrossSignCA(cert *x509.Certificate) (string, error) {
+	rootPEM, err := v.ActiveRoot()
+	if err != nil {
+		return "", err
+	}
+	rootCert, err := connect.ParseCert(rootPEM)
+	if err != nil {
+		return "", fmt.Errorf("error parsing root cert: %v", err)
+	}
+	if rootCert.NotAfter.Before(time.Now()) {
+		return "", fmt.Errorf("root certificate is expired")
+	}
+
 	var pemBuf bytes.Buffer
-	err := pem.Encode(&pemBuf, &pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw})
+	err = pem.Encode(&pemBuf, &pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw})
 	if err != nil {
 		return "", err
 	}
--- a/agent/consul/leader_connect.go
+++ b/agent/consul/leader_connect.go
@ -516,6 +516,7 @@ func (s *Server) persistNewRoot(provider ca.Provider, newActiveRoot *structs.CAR
 // which means it must never take that lock itself or call anything that does.
 func (s *Server) getIntermediateCAPrimary(provider ca.Provider, newActiveRoot *structs.CARoot) error {
 	connectLogger := s.loggers.Named(logging.Connect)
+	// Generate and sign an intermediate cert using the root CA.
 	intermediatePEM, err := provider.GenerateIntermediate()
 	if err != nil {
 		return fmt.Errorf("error generating new intermediate cert: %v", err)
@ -531,7 +532,7 @@ func (s *Server) getIntermediateCAPrimary(provider ca.Provider, newActiveRoot *s
 	newActiveRoot.IntermediateCerts = append(newActiveRoot.IntermediateCerts, intermediatePEM)
 	newActiveRoot.SigningKeyID = connect.EncodeSigningKeyID(intermediateCert.SubjectKeyId)

-	connectLogger.Info("generated new intermediate certificate in primary datacenter")
+	connectLogger.Info("generated new intermediate certificate for primary datacenter")
 	return nil
 }

@ -738,7 +739,6 @@ func (s *Server) intermediateCertRenewalWatch(ctx context.Context) error {

 				if lessThanHalfTimePassed(time.Now(), intermediateCert.NotBefore.Add(ca.CertificateTimeDriftBuffer),
 					intermediateCert.NotAfter) {
-					//connectLogger.Info("checked time passed", intermediateCert.NotBefore.Add(ca.CertificateTimeDriftBuffer), intermediateCert.NotAfter)
 					return nil
 				}

--- a/agent/consul/leader_connect_test.go
+++ b/agent/consul/leader_connect_test.go
@ -185,11 +185,14 @@ func TestLeader_PrimaryCA_IntermediateRenew(t *testing.T) {
 	// no parallel execution because we change globals
 	origInterval := structs.IntermediateCertRenewInterval
 	origMinTTL := structs.MinLeafCertTTL
+	origDriftBuffer := ca.CertificateTimeDriftBuffer
 	defer func() {
 		structs.IntermediateCertRenewInterval = origInterval
 		structs.MinLeafCertTTL = origMinTTL
+		ca.CertificateTimeDriftBuffer = origDriftBuffer
 	}()

+	ca.CertificateTimeDriftBuffer = 30 * time.Second
 	structs.IntermediateCertRenewInterval = time.Millisecond
 	structs.MinLeafCertTTL = time.Second
 	require := require.New(t)
@ -207,7 +210,7 @@ func TestLeader_PrimaryCA_IntermediateRenew(t *testing.T) {
 				"Token":               testVault.RootToken,
 				"RootPKIPath":         "pki-root/",
 				"IntermediatePKIPath": "pki-intermediate/",
-				"LeafCertTTL":         "5s",
+				"LeafCertTTL":         "1s",
 				// The retry loop only retries for 7sec max and
 				// the ttl needs to be below so that it
 				// triggers definitely.
@ -215,7 +218,7 @@ func TestLeader_PrimaryCA_IntermediateRenew(t *testing.T) {
 				// valid from 1minute in the past, we need to
 				// account for that, otherwise it will be
 				// expired immediately.
-				"IntermediateCertTTL": "15s",
+				"IntermediateCertTTL": "5s",
 			},
 		}
 	})