From ab3ea2d1d3ac3a82f7ee05431d91ab8ef6d39c76 Mon Sep 17 00:00:00 2001
From: Hayden Blauzvern
Date: Wed, 30 Mar 2022 19:36:25 +0000
Subject: [PATCH] Fix concurrency properly in File CA implementation

The last fix guarded against writes, but as pointed out in another PR, the set of certificates could change between fetching the cert/key pair, and using the cert chain in the response. The fix simply reads the cert chain and private key once.

Signed-off-by: Hayden Blauzvern
---
 pkg/ca/fileca/fileca.go | 13 +++++--------
 1 file changed, 5 insertions(+), 8 deletions(-)

diff --git a/pkg/ca/fileca/fileca.go b/pkg/ca/fileca/fileca.go
index 7bd5d8932..57621c2f2 100644
--- a/pkg/ca/fileca/fileca.go
+++ b/pkg/ca/fileca/fileca.go
@@ -79,10 +79,10 @@ func (fca *fileCA) updateX509KeyPair(certs []*x509.Certificate, key crypto.Signe
 	fca.key = key
 }
 
-func (fca *fileCA) getX509KeyPair() (*x509.Certificate, crypto.Signer) {
+func (fca *fileCA) getX509KeyPair() ([]*x509.Certificate, crypto.Signer) {
 	fca.RLock()
 	defer fca.RUnlock()
-	return fca.certs[0], fca.key
+	return fca.certs, fca.key
 }
 
 // CreateCertificate issues code signing certificates
@@ -92,17 +92,14 @@ func (fca *fileCA) CreateCertificate(_ context.Context, subject *challenges.Chal
 		return nil, err
 	}
 
-	rootCA, privateKey := fca.getX509KeyPair()
+	certChain, privateKey := fca.getX509KeyPair()
 
-	finalCertBytes, err := x509.CreateCertificate(rand.Reader, cert, rootCA, subject.PublicKey, privateKey)
+	finalCertBytes, err := x509.CreateCertificate(rand.Reader, cert, certChain[0], subject.PublicKey, privateKey)
 	if err != nil {
 		return nil, err
 	}
 
-	fca.RLock()
-	defer fca.RUnlock()
-
-	return ca.CreateCSCFromDER(subject, finalCertBytes, fca.certs)
+	return ca.CreateCSCFromDER(subject, finalCertBytes, certChain)
 }
 
 func (fca *fileCA) Root(ctx context.Context) ([]byte, error) {
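Review bot: The new `getX509KeyPair` hands back `fca.certs` itself, so the slice the caller keeps using after `RUnlock` aliases the CA's field; the snapshot is only race-free if `updateX509KeyPair` always installs a fresh slice by assignment and never appends to or writes into the existing one, which this hunk does not show (only the `fca.key = key` line of that function is visible). A doc comment should pin that contract so a later in-place edit does not silently reintroduce the torn-read this commit fixes: `// getX509KeyPair returns the current certificate chain and signing key as one consistent snapshot taken under the read lock; the returned slice aliases fca.certs and must be treated as read-only.` If that invariant is not something the maintainers want to rely on, returning `slices.Clone(fca.certs)` here is the cheap alternative, since the chain is small.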
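Review bot: `certChain[0]` on the `x509.CreateCertificate` line will panic on an empty chain, and the snapshot now makes that possible to guard locally, whereas before the index lived inside the locked getter; a two-line check before the call keeps the failure a returned error rather than a crash of the issuing path: `if len(certChain) == 0 { return nil, errors.New("fileca: no issuing certificate loaded") }` (or the file's existing error-construction style, since its imports are not in this hunk). The change itself is correct for the stated problem: the key that signs and the chain placed in the response come from a single read-locked snapshot, so a concurrent `updateX509KeyPair` can no longer produce a response whose chain does not match its signer. That consistency still presumes the updater writes `certs` and `key` under one write lock, which is outside this hunk. The enclosing `CreateCertificate` starts before the hunk.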