Fix concurrency properly in File CA implementation (#495)

The last fix guarded against writes, but as pointed out in another PR, the set of certificates could change between fetching the cert/key pair, and using the cert chain in the response. The fix simply reads the cert chain and private key once. Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>
sigstore · Mar 31, 2022 · 765a06a · 765a06a
1 parent 29a36bb
commit 765a06a
Showing 1 changed file with 5 additions and 8 deletions.
diff --git a/pkg/ca/fileca/fileca.go b/pkg/ca/fileca/fileca.go
@@ -79,10 +79,10 @@ func (fca *fileCA) updateX509KeyPair(certs []*x509.Certificate, key crypto.Signe
 	fca.key = key
 }
 
-func (fca *fileCA) getX509KeyPair() (*x509.Certificate, crypto.Signer) {
+func (fca *fileCA) getX509KeyPair() ([]*x509.Certificate, crypto.Signer) {
 	fca.RLock()
 	defer fca.RUnlock()
-	return fca.certs[0], fca.key
+	return fca.certs, fca.key
 }
 
 // CreateCertificate issues code signing certificates
@@ -92,17 +92,14 @@ func (fca *fileCA) CreateCertificate(_ context.Context, subject *challenges.Chal
 		return nil, err
 	}
 
-	rootCA, privateKey := fca.getX509KeyPair()
+	certChain, privateKey := fca.getX509KeyPair()
 
-	finalCertBytes, err := x509.CreateCertificate(rand.Reader, cert, rootCA, subject.PublicKey, privateKey)
+	finalCertBytes, err := x509.CreateCertificate(rand.Reader, cert, certChain[0], subject.PublicKey, privateKey)
 	if err != nil {
 		return nil, err
 	}
 
-	fca.RLock()
-	defer fca.RUnlock()
-
-	return ca.CreateCSCFromDER(subject, finalCertBytes, fca.certs)
+	return ca.CreateCSCFromDER(subject, finalCertBytes, certChain)
 }
 
 func (fca *fileCA) Root(ctx context.Context) ([]byte, error) {