From 4d356d1863b607fa78e3f15a6f3ed7fd79ea01f2 Mon Sep 17 00:00:00 2001
From: Joe Lanford
Date: Tue, 9 Aug 2022 10:08:14 -0400
Subject: [PATCH] improve CA and certificate generation (#2834)

Recently during an audit on a user's cluster, it was discovered that OLM's certificate generation functionality has a few minor shortcomings.

1) The generated CA and server cert do not include a common name, which causes some tooling to have trouble tracing the cert chain.
2) The generated CA and server cert include unnecessary key usages, which means those certificates can be used for more than their intended purposes.

This commit resolves the above issues by ensuring the certificates include common names and by using the minimal key usages necessary.

Signed-off-by: Joe Lanford
Upstream-commit: 13fa7be0e153711a9ef6b8c3d4315ce088ad6274
Upstream-repository: operator-lifecycle-manager
---
 .../pkg/controller/certs/certs.go | 8 ++++----
 .../pkg/controller/certs/certs.go | 8 ++++----
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/staging/operator-lifecycle-manager/pkg/controller/certs/certs.go b/staging/operator-lifecycle-manager/pkg/controller/certs/certs.go
index e000ab2c5e..9ece822314 100644
--- a/staging/operator-lifecycle-manager/pkg/controller/certs/certs.go
+++ b/staging/operator-lifecycle-manager/pkg/controller/certs/certs.go
@@ -71,13 +71,13 @@ func GenerateCA(notAfter time.Time, organization string) (*KeyPair, error) {
 	caDetails := &x509.Certificate{
 		SerialNumber: serial,
 		Subject: pkix.Name{
+			CommonName: fmt.Sprintf("olm-selfsigned-%x", serial),
 			Organization: []string{organization},
 		},
 		NotBefore: notBefore,
 		NotAfter: notAfter,
 		IsCA: true,
-		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
-		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
+		KeyUsage: x509.KeyUsageCertSign,
 		BasicConstraintsValid: true,
 	}
 
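Review bot: The new `KeyUsage: x509.KeyUsageCertSign` line deserves a why-comment, because the commit message is the only place that explains why DigitalSignature and the ExtKeyUsage list were dropped, and a later maintainer may be tempted to re-add them so the CA "works" as a TLS identity; something like `// CertSign only: this CA exists solely to sign the serving cert and must not be usable as a TLS identity.` The hunk also does not set `KeyUsageCRLSign`, which is fine as long as nothing in this package issues CRLs against the CA — worth stating in GenerateCA's doc comment so the constraint is deliberate rather than accidental. The added `fmt.Sprintf` call needs `fmt` in the file's import block, which is outside the hunk; if it is not already imported, the staging file will not compile. The same change is mirrored in the vendored copy further down. GenerateCA's body begins and ends outside the hunk.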
@@ -120,12 +120,12 @@ func CreateSignedServingPair(notAfter time.Time, organization string, ca *KeyPai
 	certDetails := &x509.Certificate{
 		SerialNumber: serial,
 		Subject: pkix.Name{
+			CommonName: hosts[0],
 			Organization: []string{organization},
 		},
 		NotBefore: notBefore,
 		NotAfter: notAfter,
-		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
-		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
+		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
 		BasicConstraintsValid: true,
 		DNSNames: hosts,
 	}
diff --git a/vendor/github.com/operator-framework/operator-lifecycle-manager/pkg/controller/certs/certs.go b/vendor/github.com/operator-framework/operator-lifecycle-manager/pkg/controller/certs/certs.go
index e000ab2c5e..9ece822314 100644
--- a/vendor/github.com/operator-framework/operator-lifecycle-manager/pkg/controller/certs/certs.go
+++ b/vendor/github.com/operator-framework/operator-lifecycle-manager/pkg/controller/certs/certs.go
@@ -71,13 +71,13 @@ func GenerateCA(notAfter time.Time, organization string) (*KeyPair, error) {
 	caDetails := &x509.Certificate{
 		SerialNumber: serial,
 		Subject: pkix.Name{
+			CommonName: fmt.Sprintf("olm-selfsigned-%x", serial),
 			Organization: []string{organization},
 		},
 		NotBefore: notBefore,
 		NotAfter: notAfter,
 		IsCA: true,
-		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
-		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
+		KeyUsage: x509.KeyUsageCertSign,
 		BasicConstraintsValid: true,
 	}
 
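Review bot: `CommonName: hosts[0]` indexes hosts unconditionally, so a caller passing an empty slice now panics inside CreateSignedServingPair instead of receiving an error; unless the function already rejects empty input before this point (its body starts outside the hunk), guard it with `if len(hosts) == 0 { return nil, fmt.Errorf("at least one host is required") }`. Removing the old KeyUsage line without a replacement also leaves the serving certificate with no KeyUsage extension at all — Go's CreateCertificate omits the extension when the template value is zero — which is broader than the "minimal key usages" the commit message describes. For a TLS serving certificate the conventional value is `KeyUsage: x509.KeyUsageDigitalSignature,`, adding KeyUsageKeyEncipherment only if the key is RSA and non-ECDHE TLS 1.2 cipher suites must keep working. The vendored copy in the next file carries the same two issues.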
@@ -120,12 +120,12 @@ func CreateSignedServingPair(notAfter time.Time, organization string, ca *KeyPai
 	certDetails := &x509.Certificate{
 		SerialNumber: serial,
 		Subject: pkix.Name{
+			CommonName: hosts[0],
 			Organization: []string{organization},
 		},
 		NotBefore: notBefore,
 		NotAfter: notAfter,
-		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
-		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
+		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
 		BasicConstraintsValid: true,
 		DNSNames: hosts,
 	}