
Default interpolated x509 certificates have invalid 3 digits USA country code #632

Open
gberche-orange opened this issue Oct 18, 2023 · 0 comments
Expected behavior

As a bosh user,
In order to work with certificates generated by bosh interpolate,
I need the certificates to be compliant with the spec, where the country code should be 2 digits.

https://www.ietf.org/rfc/rfc2459.html

```
id-at-countryName AttributeType ::= {id-at 6}
X520countryName ::= PrintableString (SIZE (2)) -- IS 3166 codes
```

Observed behavior

Bosh cli interpolate (https://bosh.io/docs/director-certs/) creates certificates where the country code is USA (3 digits) and thus invalid:

```go
template := x509.Certificate{
	SerialNumber: serialNumber,
	Subject: pkix.Name{
		Country:      []string{"USA"},
		Organization: organizations,
		CommonName:   cParams.CommonName,
	},
	NotBefore:             now,
	NotAfter:              notAfter,
	BasicConstraintsValid: true,
	IsCA:                  cParams.IsCA,
}
return template, nil
```

As a result, tools such as openssl handle them improperly, in particular when computing their Subject Key Identifier from their Subject: the invalid Country=USA (3 digits) is excluded. This prevents regenerating new certs with new expiration dates using openssl.

    $ show-cert blobstore_ca.ca_new
            Serial Number:
                f6:b9:5c:fc:97:14:63:86:59:43:f0:9d:82:f4:2d:c6
            Issuer: C = USA, O = Cloud Foundry, CN = default.blobstore-ca.bosh-internal
            Validity
                Not Before: Oct 17 12:16:58 2023 GMT
                Not After : Oct 16 12:16:58 2025 GMT
            Subject: C = USA, O = Cloud Foundry, CN = default.blobstore-ca.bosh-internal
            X509v3 extensions:
                X509v3 Key Usage: critical
                    Certificate Sign, CRL Sign
                X509v3 Basic Constraints: critical
                    CA:TRUE
                X509v3 Subject Key Identifier: 
                    94:EE:29:B3:BE:01:CB:36:93:8F:42:72:F7:A6:57:6E:8D:17:C5:78
                X509v3 Authority Key Identifier: 
                    45:C4:44:B9:63:4F:4A:CD:C8:A0:4C:28:31:37:60:6E:91:56:74:FE

Proposed fix

Add support for specifying the country code in the variables option (https://bosh.io/docs/director-certs/), so as to enable opting in to a valid C=US instead of the invalid C=USA:

```go
type certParams struct {
	CommonName       string   `yaml:"common_name"`
	Organization     string   `yaml:"organization"`
	Organizations    []string `yaml:"organizations"`
	AlternativeNames []string `yaml:"alternative_names"`
	IsCA             bool     `yaml:"is_ca"`
	CAName           string   `yaml:"ca"`
	ExtKeyUsage      []string `yaml:"extended_key_usage"`
	Duration         int64    `yaml:"duration"`
}
```

/CC @ogrand
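To show the mismatch concretely, the following is an added Go example (not bosh-cli code): it builds a self-signed CA from a template shaped like the one quoted above and then checks the Subject countryName against the RFC 2459 `PrintableString (SIZE (2))` constraint, which Go's `crypto/x509` does not enforce on its own. The function names, the serial number and the CommonName are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// buildCACert mirrors the issue's template: a self-signed CA whose Subject
// carries the given countryName. Go encodes any string here, so "USA" passes.
func buildCACert(country string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), // constructed serial for the example
		Subject: pkix.Name{
			Country:      []string{country},
			Organization: []string{"Cloud Foundry"},
			CommonName:   "example-ca", // placeholder, not the bosh default name
		},
		NotBefore:             time.Now(),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// invalidCountryNames parses a DER certificate and returns each Subject
// countryName that violates X520countryName ::= PrintableString (SIZE (2)).
// PrintableString is ASCII, so byte length equals character count here.
func invalidCountryNames(der []byte) ([]string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	var bad []string
	for _, c := range cert.Subject.Country {
		if len(c) != 2 {
			bad = append(bad, c)
		}
	}
	return bad, nil
}
```

Running the check against a certificate built with "USA" reports that value as invalid, while one built with "US" passes; the same check can be pointed at certificates emitted by bosh interpolate before they are handed to openssl.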

gberche-orange changed the title from "Default generated x509 certificates have invalid 3 digits USA country code" to "Default interpolated x509 certificates have invalid 3 digits USA country code" on Oct 18, 2023.

Labels: none yet
Project status: Waiting for Changes | Open for Contribution
Development: no branches or pull requests
2 participants