Bug 1848954
| Summary: | KMP missing CA extensions in cabundle of mutatingwebhookconfiguration | | |
|---|---|---|---|
| Product: | Container Native Virtualization (CNV) | Reporter: | Geetika Kapoor <gkapoor> |
| Component: | Networking | Assignee: | Quique Llorente <ellorent> |
| Status: | CLOSED ERRATA | QA Contact: | Yossi Segev <ysegev> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 2.4.0 | CC: | cnv-qe-bugs, ellorent, myakove, phoracek |
| Target Milestone: | --- | Flags: | ysegev: needinfo-; ysegev: needinfo- |
| Target Release: | 2.6.0 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | kubemacpool-container-v2.6.0-5 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-03-10 11:16:12 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Geetika Kapoor
2020-06-19 11:08:09 UTC
Thank you, Geetika. I don't believe this should be a 2.4 blocker, so I'm targeting it to 2.5. Please object if you believe this is a critical issue that has to be treated as a blocker.

Looks like AKI is not mandatory for self-signed CA certificates https://github.com/golang/go/issues/15194

Also looks like SKI is generated by golang if it's empty https://golang.org/pkg/crypto/x509/#CreateCertificate "If SubjectKeyId from template is empty and the template is a CA, SubjectKeyId will be generated from the hash of the public key."

There is a golang issue for that https://github.com/golang/go/issues/26676 and the fix https://github.com/golang/go/commit/6f3a9515b6bb879472f3b3443a052b07ed11ee2f is merged in a newer golang version. It's part of golang 1.15 and I think it has been backported to 1.14; what we can do is to add it in case golang is not filling in the field.

Looks like the fix is present in golang 1.15 https://github.com/golang/go/blob/release-branch.go1.15/src/crypto/x509/x509.go#L2087-L2088 but not in 1.14, so they haven't backported it https://github.com/golang/go/blob/dev.boringcrypto.go1.14/src/crypto/x509/x509.go#L2092-L2095

Also I am pretty sure that kubevirt/kubevirt is going to be affected by it too.

Added fix at u/s library https://github.com/qinqon/kube-admission-webhook/pull/42 we will have to bump components with it.

Fix for kubevirt/kubevirt https://github.com/kubevirt/kubevirt/pull/4367

I tried verifying by running the scenario:
On a cluster with OCP 4.7.0 / CNV v2.6.0
1.
$ oc describe mutatingwebhookconfiguration -n openshift-cnv kubemacpool-mutator | grep 'Ca Bundle'
Ca Bundle: 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
2. Decode the result in base64:
$ echo 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 | base64 --decode
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
3. Store the decode output in a file, and parse it to a human-readable text:
$ openssl x509 -text -in ca
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = kubemacpool-mutator
Validity
Not Before: Dec 13 20:54:42 2020 GMT
Not After : Dec 20 20:54:42 2020 GMT
Subject: CN = kubemacpool-mutator
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:c7:38:56:4d:98:b2:c8:08:23:2c:b3:bc:5e:a3:
6d:38:da:83:7b:d8:48:82:d4:fb:50:32:f2:16:d8:
38:1c:d4:70:cc:f0:6c:29:b9:e0:ab:2d:a1:48:81:
64:88:5e:6d:d7:6c:ab:27:0c:46:f1:da:0f:48:5b:
5a:61:81:6d:c2:84:00:be:e4:7a:bc:b1:b7:08:a2:
50:14:de:04:84:aa:81:a7:a0:91:4d:d5:8d:8f:c0:
06:f8:48:5f:85:77:3d:b9:01:40:cd:21:69:2c:cc:
92:e8:18:3d:2d:63:a3:3f:cc:d9:1b:78:42:af:dc:
7f:8d:29:f6:d3:26:57:7f:3d:f7:05:33:1a:d2:16:
33:a2:58:37:cb:ac:a0:9d:2f:72:5e:b0:62:aa:20:
98:d9:5e:aa:dd:66:e6:65:c8:2b:95:47:d7:71:b6:
1c:12:c9:9f:2a:11:b9:71:30:59:81:45:52:b6:aa:
35:2f:05:cd:d9:fe:fc:62:4b:72:eb:a2:94:c4:6a:
ea:2c:ee:32:55:db:8d:8d:c8:16:c3:4d:0a:bb:d7:
75:35:fa:d3:88:6a:ee:ab:f0:60:5a:99:40:a0:1a:
f0:62:43:2a:59:11:ff:d5:0b:88:1c:2e:8e:15:c1:
79:53:83:a0:12:0e:1e:57:6d:4d:6c:20:13:01:c2:
fd:4b
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment, Certificate Sign
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Key Identifier:
D1:40:1F:40:63:DC:46:C2:B5:8C:81:D3:2B:8C:B5:E3:35:38:1E:C5
Signature Algorithm: sha256WithRSAEncryption
1a:bb:30:de:fe:af:44:a1:c7:9d:e7:c0:a1:d8:61:1e:d0:a5:
76:aa:4b:af:f4:3b:ad:61:3b:61:91:68:ce:02:c7:21:3c:bb:
a8:c0:6d:85:ec:d1:31:2f:c0:f9:93:4e:57:8b:b9:11:f6:33:
f2:8a:5e:0f:d4:b8:e7:a5:1c:ca:6a:9e:d8:d1:40:13:ca:fd:
d6:2e:cc:67:22:94:25:b8:c5:7e:8e:de:9f:33:f4:57:f6:f2:
d4:21:32:90:cc:f1:f7:6f:64:67:7c:86:ae:06:88:14:86:ac:
50:13:09:b9:34:dd:65:2d:a7:63:41:69:4c:66:9f:0c:78:3c:
79:20:f4:59:e1:37:5a:4f:bc:1b:c0:c6:cd:f7:8a:4d:4c:d1:
8e:6c:73:49:5d:af:44:35:77:db:8b:2a:2d:25:7d:3e:c7:65:
b4:1f:9e:02:6d:c3:99:5b:99:0b:fb:ae:7f:1b:4f:e5:b1:93:
e3:e1:cc:c2:74:d9:91:5c:04:34:d1:f6:2e:71:7f:aa:d7:ec:
0f:64:71:78:0b:21:1b:2c:3e:9e:6f:ce:81:f1:69:f7:4b:ae:
a4:ad:11:7d:44:89:16:4f:ef:8f:c0:38:62:1f:4e:fe:d8:c2:
16:a1:63:44:8e:d3:ea:b3:5c:2d:75:2a:e6:54:4a:d7:ec:79:
ff:78:e8:da
-----BEGIN CERTIFICATE-----
MIIC+TCCAeGgAwIBAgIBADANBgkqhkiG9w0BAQsFADAeMRwwGgYDVQQDExNrdWJl
bWFjcG9vbC1tdXRhdG9yMB4XDTIwMTIxMzIwNTQ0MloXDTIwMTIyMDIwNTQ0Mlow
HjEcMBoGA1UEAxMTa3ViZW1hY3Bvb2wtbXV0YXRvcjCCASIwDQYJKoZIhvcNAQEB
BQADggEPADCCAQoCggEBAMc4Vk2YssgIIyyzvF6jbTjag3vYSILU+1Ay8hbYOBzU
cMzwbCm54KstoUiBZIhebddsqycMRvHaD0hbWmGBbcKEAL7keryxtwiiUBTeBISq
gaegkU3VjY/ABvhIX4V3PbkBQM0haSzMkugYPS1joz/M2Rt4Qq/cf40p9tMmV389
9wUzGtIWM6JYN8usoJ0vcl6wYqogmNleqt1m5mXIK5VH13G2HBLJnyoRuXEwWYFF
UraqNS8Fzdn+/GJLcuuilMRq6izuMlXbjY3IFsNNCrvXdTX604hq7qvwYFqZQKAa
8GJDKlkR/9ULiBwujhXBeVODoBIOHldtTWwgEwHC/UsCAwEAAaNCMEAwDgYDVR0P
AQH/BAQDAgKkMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFNFAH0Bj3EbCtYyB
0yuMteM1OB7FMA0GCSqGSIb3DQEBCwUAA4IBAQAauzDe/q9Eoced58Ch2GEe0KV2
qkuv9DutYTthkWjOAschPLuowG2F7NExL8D5k05Xi7kR9jPyil4P1LjnpRzKap7Y
0UATyv3WLsxnIpQluMV+jt6fM/RX9vLUITKQzPH3b2RnfIauBogUhqxQEwm5NN1l
LadjQWlMZp8MeDx5IPRZ4TdaT7wbwMbN94pNTNGObHNJXa9ENXfbiyotJX0+x2W0
H54CbcOZW5kL+65/G0/lsZPj4czCdNmRXAQ00fYucX+q1+wPZHF4CyEbLD6eb86B
8Wn3S66krRF9RIkWT++PwDhiH07+2MIWoWNEjtPqs1wtdSrmVErX7Hn/eOja
-----END CERTIFICATE-----
The result includes SKI (Subject Key Identifier), but no AKI (Authority Code Identifier).
According to Quique - AKI is not supposed to be present because it's a self-signed cert, but OTOH - the bug description explicitly says "SKI, AKI mandatory extensions are missing."
@Quique, Petr - can you please dis/approve if this verification is valid.
If it is - I will move the bug to "Verified"; otherwise - I'll reopen.
Thanks.
According to https://github.com/golang/go/issues/15194#issue-146931348 - SKI is enough, and omitting AKI is valid. According to that source, when the cert is self-signed, the AKI and SKI are identical, and it's enough that only SKI is published. We can tell that the cert here is self-signed because both `Issuer` and `Subject` fields are identical - they both have the value "CN = kubemacpool-mutator". Thank you Quique for the clarification.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Virtualization 2.6.0 security and bug fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:0799
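The two technical points of this bug, shown together as an added Go example that is not kubemacpool, kube-admission-webhook or kubevirt code. `subjectKeyID` computes the Subject Key Identifier the way Go 1.15's `x509.CreateCertificate` does for CA templates (RFC 5280 section 4.2.1.2 method 1: SHA-1 over the subjectPublicKey BIT STRING), which is the value a webhook library has to fill in itself when built with Go 1.14. `issue` builds a self-signed CA with the same key usages as the certificate decoded above and, optionally, a serving certificate signed by it, so the AKI behaviour can be seen on both. `inspectCABundle` performs the openssl check from the verification programmatically and applies the rule the thread settled on: SKI must be present, and AKI may be absent only for a self-signed certificate, which it establishes by comparing issuer with subject and verifying the signature under the certificate's own key, not by the Issuer/Subject strings alone. The function names, the serving-certificate name kubemacpool-service.openshift-cnv.svc, the serial numbers and the one-week validity are assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// subjectKeyID applies RFC 5280 4.2.1.2 method 1: SHA-1 over the subjectPublicKey BIT STRING.
// Go >= 1.15 derives exactly this for CA templates; Go 1.14 leaves SubjectKeyId empty.
func subjectKeyID(pub any) ([]byte, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return nil, err
	}
	var info struct { // SubjectPublicKeyInfo
		Algorithm pkix.AlgorithmIdentifier
		PublicKey asn1.BitString
	}
	if _, err := asn1.Unmarshal(der, &info); err != nil {
		return nil, err
	}
	sum := sha1.Sum(info.PublicKey.Bytes)
	return sum[:], nil
}

// issue generates a key and certificate for cn. With parent == nil it is the self-signed CA from the page
// (CA:TRUE; Digital Signature, Key Encipherment, Certificate Sign); otherwise a serving cert signed by parent.
func issue(cn string, serial int64, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(7 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment}
	if tmpl.SubjectKeyId, err = subjectKeyID(&key.PublicKey); err != nil { // explicit SKI, Go 1.14 included
		return nil, nil, err
	}
	if parent == nil { // self-signed: Issuer == Subject, signed by its own key, so Go adds no AKI
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else { // Issuer != Subject: CreateCertificate copies parent.SubjectKeyId into AuthorityKeyId
		tmpl.DNSNames = []string{cn}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Report mirrors the manual openssl check; OK means SKI present and AKI present unless self-signed.
type Report struct {
	Subject, Issuer                string
	HasSKI, HasAKI, SelfSigned, OK bool
}

// inspectCABundle takes the base64-decoded caBundle: zero or more PEM CERTIFICATE blocks.
func inspectCABundle(bundle []byte) ([]Report, error) {
	var out []Report
	for b, rest := pem.Decode(bundle); b != nil; b, rest = pem.Decode(rest) {
		c, err := x509.ParseCertificate(b.Bytes)
		if err != nil {
			return nil, err
		}
		self := string(c.RawIssuer) == string(c.RawSubject) && c.CheckSignatureFrom(c) == nil // own-key signature too
		r := Report{Subject: c.Subject.String(), Issuer: c.Issuer.String(), SelfSigned: self,
			HasSKI: len(c.SubjectKeyId) > 0, HasAKI: len(c.AuthorityKeyId) > 0}
		r.OK = r.HasSKI && (r.HasAKI || self) // RFC 5280 4.2.1.1 lets a self-signed CA omit AKI
		out = append(out, r)
	}
	return out, nil
}

func pemCert(c *x509.Certificate) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})
}

func main() {
	ca, caKey, err := issue("kubemacpool-mutator", 1, nil, nil)
	if err != nil {
		panic(err)
	}
	leaf, _, err := issue("kubemacpool-service.openshift-cnv.svc", 2, ca, caKey) // assumed service name
	if err != nil {
		panic(err)
	}
	reports, err := inspectCABundle(append(pemCert(ca), pemCert(leaf)...))
	fmt.Println(reports, err) // CA: HasSKI:true HasAKI:false SelfSigned:true OK:true; leaf: all four true
}
```

To run the check against a live cluster instead of the generated pair, hand `inspectCABundle` the decoded bundle, for example the output of `oc get mutatingwebhookconfiguration kubemacpool-mutator -o jsonpath='{.webhooks[0].clientConfig.caBundle}' | base64 --decode` (assuming the first webhook entry carries the bundle; this is the same data step 2 above decodes). A report with HasSKI false reproduces this bug; HasAKI false together with SelfSigned true is the expected shape of the fixed CA, as the verification above concluded.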