Merge pull request #252 from securesign/fulcio-fix-generated-cert

Fix generated Fulcio root certificate requirements
securesign · Mar 6, 2024 · 06d1865 · 06d1865
2 parents b6ca269 + 552c572
commit 06d1865
Show file tree

Hide file tree

Showing 10 changed files with 52 additions and 14 deletions.
diff --git a/api/v1alpha1/fulcio_types.go b/api/v1alpha1/fulcio_types.go
@@ -21,6 +21,7 @@ type FulcioSpec struct {
 
 // FulcioCert defines fields for system-generated certificate
 // +kubebuilder:validation:XValidation:rule=(has(self.caRef) || self.commonName != ""),message=commonName cannot be empty
+// +kubebuilder:validation:XValidation:rule=(has(self.caRef) || self.organizationName != ""),message=organizationName cannot be empty
 // +kubebuilder:validation:XValidation:rule=(!has(self.caRef) || has(self.privateKeyRef)),message=privateKeyRef cannot be empty
 type FulcioCert struct {
 	// Reference to CA private key

diff --git a/api/v1alpha1/fulcio_types_test.go b/api/v1alpha1/fulcio_types_test.go
@@ -229,7 +229,8 @@ func generateFulcioObject(name string) *Fulcio {
 				},
 			},
 			Certificate: FulcioCert{
-				CommonName: "hostname",
+				CommonName:       "hostname",
+				OrganizationName: "organization",
 			},
 		},
 	}

diff --git a/config/crd/bases/rhtas.redhat.com_fulcios.yaml b/config/crd/bases/rhtas.redhat.com_fulcios.yaml
@@ -115,6 +115,8 @@ spec:
                 x-kubernetes-validations:
                 - message: commonName cannot be empty
                   rule: (has(self.caRef) || self.commonName != "")
+                - message: organizationName cannot be empty
+                  rule: (has(self.caRef) || self.organizationName != "")
                 - message: privateKeyRef cannot be empty
                   rule: (!has(self.caRef) || has(self.privateKeyRef))
               config:
@@ -314,6 +316,8 @@ spec:
                 x-kubernetes-validations:
                 - message: commonName cannot be empty
                   rule: (has(self.caRef) || self.commonName != "")
+                - message: organizationName cannot be empty
+                  rule: (has(self.caRef) || self.organizationName != "")
                 - message: privateKeyRef cannot be empty
                   rule: (!has(self.caRef) || has(self.privateKeyRef))
               conditions:

diff --git a/config/crd/bases/rhtas.redhat.com_securesigns.yaml b/config/crd/bases/rhtas.redhat.com_securesigns.yaml
@@ -221,6 +221,8 @@ spec:
                     x-kubernetes-validations:
                     - message: commonName cannot be empty
                       rule: (has(self.caRef) || self.commonName != "")
+                    - message: organizationName cannot be empty
+                      rule: (has(self.caRef) || self.organizationName != "")
                     - message: privateKeyRef cannot be empty
                       rule: (!has(self.caRef) || has(self.privateKeyRef))
                   config:

diff --git a/controllers/ctlog/actions/handle_fulcio_root.go b/controllers/ctlog/actions/handle_fulcio_root.go
@@ -2,6 +2,7 @@ package actions
 
 import (
 	"context"
+	k8sErrors "k8s.io/apimachinery/pkg/api/errors"
 	"slices"
 
 	"github.com/securesign/operator/api/v1alpha1"
@@ -92,7 +93,9 @@ func (g handleFulcioCert) Handle(ctx context.Context, instance *v1alpha1.CTlog)
 				Namespace: instance.Namespace,
 			},
 		}); err != nil {
-			return g.Failed(err)
+			if !k8sErrors.IsNotFound(err) {
+				return g.Failed(err)
+			}
 		}
 		instance.Status.ServerConfigRef = nil
 	}

diff --git a/controllers/ctlog/actions/handle_keys.go b/controllers/ctlog/actions/handle_keys.go
@@ -3,14 +3,14 @@ package actions
 import (
 	"context"
 	"fmt"
-
 	"github.com/securesign/operator/api/v1alpha1"
 	"github.com/securesign/operator/controllers/common/action"
 	k8sutils "github.com/securesign/operator/controllers/common/utils/kubernetes"
 	"github.com/securesign/operator/controllers/constants"
 	"github.com/securesign/operator/controllers/ctlog/utils"
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/equality"
+	k8sErrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -168,7 +168,9 @@ func (g handleKeys) Handle(ctx context.Context, instance *v1alpha1.CTlog) *actio
 				Namespace: instance.Namespace,
 			},
 		}); err != nil {
-			return g.Failed(err)
+			if !k8sErrors.IsNotFound(err) {
+				return g.Failed(err)
+			}
 		}
 		instance.Status.ServerConfigRef = nil
 	}

diff --git a/controllers/fulcio/actions/generate_cert.go b/controllers/fulcio/actions/generate_cert.go
@@ -183,7 +183,7 @@ func (g handleCert) setupCert(instance *v1alpha1.Fulcio) (*utils.FulcioCertConfi
 		}
 		config.PrivateKey = key
 	} else {
-		key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+		key, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
 		if err != nil {
 			return nil, err
 		}

diff --git a/controllers/fulcio/utils/fulcio_secrets.go b/controllers/fulcio/utils/fulcio_secrets.go
@@ -8,6 +8,7 @@ import (
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/pem"
+	"errors"
 	"fmt"
 	"math/big"
 	"time"
@@ -81,8 +82,8 @@ func CreateCAPub(key crypto.PublicKey) ([]byte, error) {
 func CreateFulcioCA(config *FulcioCertConfig, instance *rhtasv1alpha1.Fulcio) ([]byte, error) {
 	var err error
 
-	if instance.Spec.Certificate.CommonName == "" || instance.Spec.Certificate.OrganizationEmail == "" || instance.Spec.Certificate.OrganizationName == "" {
-		return nil, fmt.Errorf("could not create certificate: missing OrganizationName, OrganizationEmail or CommonName from config")
+	if instance.Spec.Certificate.CommonName == "" || instance.Spec.Certificate.OrganizationName == "" {
+		return nil, fmt.Errorf("could not create certificate: missing OrganizationName or CommonName from config")
 	}
 
 	block, _ := pem.Decode(config.PrivateKey)
@@ -107,14 +108,25 @@ func CreateFulcioCA(config *FulcioCertConfig, instance *rhtasv1alpha1.Fulcio) ([
 		Organization: []string{instance.Spec.Certificate.OrganizationName},
 	}
 
+	serialNumber, err := GenerateSerialNumber()
+	if err != nil {
+		return nil, err
+	}
+
+	emailAddresses := make([]string, 0)
+
+	if instance.Spec.Certificate.OrganizationEmail != "" {
+		emailAddresses = append(emailAddresses, instance.Spec.Certificate.OrganizationEmail)
+	}
+
 	template := x509.Certificate{
-		SerialNumber:          big.NewInt(0),
+		SerialNumber:          serialNumber,
 		Subject:               issuer,
-		EmailAddresses:        []string{instance.Spec.Certificate.OrganizationEmail},
-		SignatureAlgorithm:    x509.ECDSAWithSHA256,
+		EmailAddresses:        emailAddresses,
+		SignatureAlgorithm:    x509.ECDSAWithSHA384,
 		BasicConstraintsValid: true,
 		IsCA:                  true,
-		KeyUsage:              x509.KeyUsageCertSign,
+		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
 		Issuer:                issuer,
 		NotBefore:             notBefore,
 		NotAfter:              notAfter,
@@ -136,3 +148,16 @@ func CreateFulcioCA(config *FulcioCertConfig, instance *rhtasv1alpha1.Fulcio) ([
 
 	return pemFulcioRoot.Bytes(), nil
 }
+
+// GenerateSerialNumber creates a compliant serial number as per RFC 5280 4.1.2.2.
+// Serial numbers must be positive, and can be no longer than 20 bytes.
+// The serial number is generated with 159 bits, so that the first bit will always
+// be 0, resulting in a positive serial number.
+func GenerateSerialNumber() (*big.Int, error) {
+	// Pick a random number from 0 to 2^159.
+	serial, err := rand.Int(rand.Reader, (&big.Int{}).Exp(big.NewInt(2), big.NewInt(159), nil))
+	if err != nil {
+		return nil, errors.New("error generating serial number")
+	}
+	return serial, nil
+}
diff --git a/controllers/rekor/actions/server/generate_signer.go b/controllers/rekor/actions/server/generate_signer.go
@@ -190,7 +190,7 @@ func (g generateSigner) CreateRekorKey(instance *v1alpha1.Rekor) (*RekorCertConf
 		return config, nil
 	}
 
-	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	key, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
 	if err != nil {
 		return nil, err
 	}

diff --git a/e2e/provided_certs_test.go b/e2e/provided_certs_test.go
@@ -355,14 +355,14 @@ func initCertificates(passwordProtected bool) ([]byte, []byte, []byte, error) {
 	}
 	//Create certificate templet
 	template := x509.Certificate{
-		SerialNumber:          big.NewInt(0),
+		SerialNumber:          big.NewInt(1),
 		Subject:               issuer,
 		SignatureAlgorithm:    x509.ECDSAWithSHA256,
 		NotBefore:             notBefore,
 		NotAfter:              notAfter,
 		BasicConstraintsValid: true,
 		IsCA:                  true,
-		KeyUsage:              x509.KeyUsageCertSign,
+		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
 		Issuer:                issuer,
 	}
 	//Create certificate using templet