Description of problem:
KMP is missing mandatory CA extensions that need to be part of any CA that signs the certificate (as Root CA or intermediate CA):
1. Missing SKI
2. Missing AKI
Refer: https://tools.ietf.org/html/rfc5280#page-28
These extensions are needed to make sure the CA has a unique identity and that 2 CAs in the same deployment cannot have the same SKI and AKI.

Version-Release number of selected component (if applicable):
$ oc get csv -n openshift-cnv | awk ' { print $4 } ' | tail -n1
2.4.0

How reproducible:
always

Steps to Reproduce:
1. get the cabundle for the mutatingwebhookconfiguration using:
$ oc describe mutatingwebhookconfiguration -n openshift-cnv kubemacpool-mutator | grep 'Ca Bundle'
2. decode the base64 bundle certificate:
echo <cabundle> | base64 --decode
3. Refer to the sample cert created by kubemacpool:
-----BEGIN CERTIFICATE-----
MIIC2jCCAcKgAwIBAgIBADANBgkqhkiG9w0BAQsFADAeMRwwGgYDVQQDExNrdWJl
bWFjcG9vbC1tdXRhdG9yMB4XDTIwMDYxOTA4MjQyOVoXDTIxMDYxOTA4MjQyOVow
HjEcMBoGA1UEAxMTa3ViZW1hY3Bvb2wtbXV0YXRvcjCCASIwDQYJKoZIhvcNAQEB
BQADggEPADCCAQoCggEBAM0XrZ+qsSRv9BbREsvjEyZlx/cRVq+NByOE4/fyBijk
JhRuDRreTn8bJxDtIjxhvmQHDoY3sVdw5HuHLtv1n/lWnAdL/+IehhZsvr7A6e2c
qm6sXZStJLFFmcx3gCA0uPYTDbqpOs1mgmDbFkmWxjWsuzsEJJzqzHqSQAq3JJz2
6caZ8He5JDtwmkgkc5wImwznaG1pDm8X2nJV9c+mmEUV5wapjsmoL3wFBBLiVQok
tDuQiC+AxXofW20Fur+bUWfIOQYMHKvavjlhXJqqLOtAMfTJ2yraWpLoQ1Bwdtzi
iF07Hw61hi7eeHjR6IZ5Q1tdqnXYYPHlVAviuR9k7mECAwEAAaMjMCEwDgYDVR0P
AQH/BAQDAgKkMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAEyo
u0hNf5aWZnwTfRph1eDIZeE0bUL3fJwwmvdECW71KM3CkIoIlZXBAXu95F1z5ox/
gQepjhVB4BhB4ZjCbSVRCfwjvaEWvlD4oL1bDkZEkA2xOfaG82ko72EsJf/e8Nih
XubJyVEoufC0Wiw/cW79IE0TLUoI12w6jacl70J8SSKAbDVODHNAik/6FsDOxhlo
egMGg6TgqiT6dwwUbArRNhG3N0z+khoYJzn7IEKXiolwoWucs/47Bi3AHxrSkUzE
tnY7Fg+bp+N/Ij5cnyXys+5bFRbwYawMdKysBqC+MXRV0/Q5vnv46ymkH9KWOUfg
iQVs89ixU7Ox6DQ8GKM=
-----END CERTIFICATE-----

Actual results:
SKI, AKI mandatory extensions are missing.

Expected results:
All mandatory CA fields should exist.

Additional info:
Thank you, Geetika. I don't believe this should be a 2.4 blocker, so I'm targeting it to 2.5. Please object if you believe this is a critical issue that has to be treated as a blocker.
Looks like AKI is not mandatory for self-signed CA certificates: https://github.com/golang/go/issues/15194
Also it looks like SKI is generated by golang if it's empty: https://golang.org/pkg/crypto/x509/#CreateCertificate
"If SubjectKeyId from template is empty and the template is a CA, SubjectKeyId will be generated from the hash of the public key."
There is a golang issue for that, https://github.com/golang/go/issues/26676, and the fix https://github.com/golang/go/commit/6f3a9515b6bb879472f3b3443a052b07ed11ee2f is merged in a newer golang version. It's part of golang 1.15 and I think it has been backported to 1.14; what we can do is to add it in case golang is not filling in the field.
Looks like the fix is present in golang 1.15, https://github.com/golang/go/blob/release-branch.go1.15/src/crypto/x509/x509.go#L2087-L2088, but not in 1.14, so they haven't backported it: https://github.com/golang/go/blob/dev.boringcrypto.go1.14/src/crypto/x509/x509.go#L2092-L2095
Also I am pretty sure that kubevirt/kubevirt is going to be affected by it too.
Added fix at u/s library https://github.com/qinqon/kube-admission-webhook/pull/42; we will have to bump components with it.
Fix for kubevirt/kubevirt https://github.com/kubevirt/kubevirt/pull/4367
I tried verifying by running the scenario:
On a cluster with OCP 4.7.0 / CNV v2.6.0

1. $ oc describe mutatingwebhookconfiguration -n openshift-cnv kubemacpool-mutator | grep 'Ca Bundle'
Ca Bundle: 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

2. Decode the result in base64:
$ echo 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 | base64 --decode
-----BEGIN CERTIFICATE-----
MIIC+TCCAeGgAwIBAgIBADANBgkqhkiG9w0BAQsFADAeMRwwGgYDVQQDExNrdWJl
bWFjcG9vbC1tdXRhdG9yMB4XDTIwMTIxMzIwNTQ0MloXDTIwMTIyMDIwNTQ0Mlow
HjEcMBoGA1UEAxMTa3ViZW1hY3Bvb2wtbXV0YXRvcjCCASIwDQYJKoZIhvcNAQEB
BQADggEPADCCAQoCggEBAMc4Vk2YssgIIyyzvF6jbTjag3vYSILU+1Ay8hbYOBzU
cMzwbCm54KstoUiBZIhebddsqycMRvHaD0hbWmGBbcKEAL7keryxtwiiUBTeBISq
gaegkU3VjY/ABvhIX4V3PbkBQM0haSzMkugYPS1joz/M2Rt4Qq/cf40p9tMmV389
9wUzGtIWM6JYN8usoJ0vcl6wYqogmNleqt1m5mXIK5VH13G2HBLJnyoRuXEwWYFF
UraqNS8Fzdn+/GJLcuuilMRq6izuMlXbjY3IFsNNCrvXdTX604hq7qvwYFqZQKAa
8GJDKlkR/9ULiBwujhXBeVODoBIOHldtTWwgEwHC/UsCAwEAAaNCMEAwDgYDVR0P
AQH/BAQDAgKkMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFNFAH0Bj3EbCtYyB
0yuMteM1OB7FMA0GCSqGSIb3DQEBCwUAA4IBAQAauzDe/q9Eoced58Ch2GEe0KV2
qkuv9DutYTthkWjOAschPLuowG2F7NExL8D5k05Xi7kR9jPyil4P1LjnpRzKap7Y
0UATyv3WLsxnIpQluMV+jt6fM/RX9vLUITKQzPH3b2RnfIauBogUhqxQEwm5NN1l
LadjQWlMZp8MeDx5IPRZ4TdaT7wbwMbN94pNTNGObHNJXa9ENXfbiyotJX0+x2W0
H54CbcOZW5kL+65/G0/lsZPj4czCdNmRXAQ00fYucX+q1+wPZHF4CyEbLD6eb86B
8Wn3S66krRF9RIkWT++PwDhiH07+2MIWoWNEjtPqs1wtdSrmVErX7Hn/eOja
-----END CERTIFICATE-----

3. Store the decoded output in a file, and parse it to a human-readable text:
$ openssl x509 -text -in ca
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = kubemacpool-mutator
        Validity
            Not Before: Dec 13 20:54:42 2020 GMT
            Not After : Dec 20 20:54:42 2020 GMT
        Subject: CN = kubemacpool-mutator
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:c7:38:56:4d:98:b2:c8:08:23:2c:b3:bc:5e:a3:
                    6d:38:da:83:7b:d8:48:82:d4:fb:50:32:f2:16:d8:
                    38:1c:d4:70:cc:f0:6c:29:b9:e0:ab:2d:a1:48:81:
                    64:88:5e:6d:d7:6c:ab:27:0c:46:f1:da:0f:48:5b:
                    5a:61:81:6d:c2:84:00:be:e4:7a:bc:b1:b7:08:a2:
                    50:14:de:04:84:aa:81:a7:a0:91:4d:d5:8d:8f:c0:
                    06:f8:48:5f:85:77:3d:b9:01:40:cd:21:69:2c:cc:
                    92:e8:18:3d:2d:63:a3:3f:cc:d9:1b:78:42:af:dc:
                    7f:8d:29:f6:d3:26:57:7f:3d:f7:05:33:1a:d2:16:
                    33:a2:58:37:cb:ac:a0:9d:2f:72:5e:b0:62:aa:20:
                    98:d9:5e:aa:dd:66:e6:65:c8:2b:95:47:d7:71:b6:
                    1c:12:c9:9f:2a:11:b9:71:30:59:81:45:52:b6:aa:
                    35:2f:05:cd:d9:fe:fc:62:4b:72:eb:a2:94:c4:6a:
                    ea:2c:ee:32:55:db:8d:8d:c8:16:c3:4d:0a:bb:d7:
                    75:35:fa:d3:88:6a:ee:ab:f0:60:5a:99:40:a0:1a:
                    f0:62:43:2a:59:11:ff:d5:0b:88:1c:2e:8e:15:c1:
                    79:53:83:a0:12:0e:1e:57:6d:4d:6c:20:13:01:c2:
                    fd:4b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Certificate Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                D1:40:1F:40:63:DC:46:C2:B5:8C:81:D3:2B:8C:B5:E3:35:38:1E:C5
    Signature Algorithm: sha256WithRSAEncryption
         1a:bb:30:de:fe:af:44:a1:c7:9d:e7:c0:a1:d8:61:1e:d0:a5:
         76:aa:4b:af:f4:3b:ad:61:3b:61:91:68:ce:02:c7:21:3c:bb:
         a8:c0:6d:85:ec:d1:31:2f:c0:f9:93:4e:57:8b:b9:11:f6:33:
         f2:8a:5e:0f:d4:b8:e7:a5:1c:ca:6a:9e:d8:d1:40:13:ca:fd:
         d6:2e:cc:67:22:94:25:b8:c5:7e:8e:de:9f:33:f4:57:f6:f2:
         d4:21:32:90:cc:f1:f7:6f:64:67:7c:86:ae:06:88:14:86:ac:
         50:13:09:b9:34:dd:65:2d:a7:63:41:69:4c:66:9f:0c:78:3c:
         79:20:f4:59:e1:37:5a:4f:bc:1b:c0:c6:cd:f7:8a:4d:4c:d1:
         8e:6c:73:49:5d:af:44:35:77:db:8b:2a:2d:25:7d:3e:c7:65:
         b4:1f:9e:02:6d:c3:99:5b:99:0b:fb:ae:7f:1b:4f:e5:b1:93:
         e3:e1:cc:c2:74:d9:91:5c:04:34:d1:f6:2e:71:7f:aa:d7:ec:
         0f:64:71:78:0b:21:1b:2c:3e:9e:6f:ce:81:f1:69:f7:4b:ae:
         a4:ad:11:7d:44:89:16:4f:ef:8f:c0:38:62:1f:4e:fe:d8:c2:
         16:a1:63:44:8e:d3:ea:b3:5c:2d:75:2a:e6:54:4a:d7:ec:79:
         ff:78:e8:da
-----BEGIN CERTIFICATE-----
MIIC+TCCAeGgAwIBAgIBADANBgkqhkiG9w0BAQsFADAeMRwwGgYDVQQDExNrdWJl
bWFjcG9vbC1tdXRhdG9yMB4XDTIwMTIxMzIwNTQ0MloXDTIwMTIyMDIwNTQ0Mlow
HjEcMBoGA1UEAxMTa3ViZW1hY3Bvb2wtbXV0YXRvcjCCASIwDQYJKoZIhvcNAQEB
BQADggEPADCCAQoCggEBAMc4Vk2YssgIIyyzvF6jbTjag3vYSILU+1Ay8hbYOBzU
cMzwbCm54KstoUiBZIhebddsqycMRvHaD0hbWmGBbcKEAL7keryxtwiiUBTeBISq
gaegkU3VjY/ABvhIX4V3PbkBQM0haSzMkugYPS1joz/M2Rt4Qq/cf40p9tMmV389
9wUzGtIWM6JYN8usoJ0vcl6wYqogmNleqt1m5mXIK5VH13G2HBLJnyoRuXEwWYFF
UraqNS8Fzdn+/GJLcuuilMRq6izuMlXbjY3IFsNNCrvXdTX604hq7qvwYFqZQKAa
8GJDKlkR/9ULiBwujhXBeVODoBIOHldtTWwgEwHC/UsCAwEAAaNCMEAwDgYDVR0P
AQH/BAQDAgKkMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFNFAH0Bj3EbCtYyB
0yuMteM1OB7FMA0GCSqGSIb3DQEBCwUAA4IBAQAauzDe/q9Eoced58Ch2GEe0KV2
qkuv9DutYTthkWjOAschPLuowG2F7NExL8D5k05Xi7kR9jPyil4P1LjnpRzKap7Y
0UATyv3WLsxnIpQluMV+jt6fM/RX9vLUITKQzPH3b2RnfIauBogUhqxQEwm5NN1l
LadjQWlMZp8MeDx5IPRZ4TdaT7wbwMbN94pNTNGObHNJXa9ENXfbiyotJX0+x2W0
H54CbcOZW5kL+65/G0/lsZPj4czCdNmRXAQ00fYucX+q1+wPZHF4CyEbLD6eb86B
8Wn3S66krRF9RIkWT++PwDhiH07+2MIWoWNEjtPqs1wtdSrmVErX7Hn/eOja
-----END CERTIFICATE-----

The result includes SKI (Subject Key Identifier), but no AKI (Authority Code Identifier).
According to Quique - AKI is not supposed to be presented because it's a self-signed cert, but OTOH - the bug description explicitly says "SKI,AKI mandatory extensions are missing."
@Quique, Petr - can you please dis/approve if this verification is valid. If it is - I will move the bug to "Verified"; otherwise - I'll reopen. Thanks.
According to https://github.com/golang/go/issues/15194#issue-146931348 - SKI is enough, and omitting AKI is valid. According to that source, when the cert is self-signed, the AKI and SKI are identical, and it's enough that only SKI is published. We can tell that the cert here is self-signed because both `Issuer` and `Subject` fields are identical - they both have the value "CN = kubemacpool-mutator". Thank you Quique for the clarification.
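Added example (Go; not code from kubemacpool, kube-admission-webhook or kubevirt): it ties together the two threads above, the Go toolchain behaviour (SKI generated for CA templates on 1.15+, not on 1.14) and the verification result (self-signed CA has an SKI but no AKI). It builds a self-signed CA with SubjectKeyId filled explicitly from the RFC 5280 section 4.2.1.2 method 1 derivation, so the extension is present on any Go version, issues a leaf from that CA, and then runs in code the check the verification did by hand with openssl: the CA carries an SKI and no AKI, while the CA-signed leaf carries an AKI equal to the CA's SKI. The function and type names (template, issue, inspect, Report), the P-256 key type and the service name are assumptions; on a real bundle you would first pem.Decode the base64-decoded caBundle and x509.ParseCertificate the block before calling inspect.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Report holds what the verification comment in this bug reads off "openssl x509 -text".
type Report struct {
	SelfSigned, HasSKI, HasAKI         bool
	SKIMatchesKey, AKIMatchesIssuerSKI bool // SKI is the RFC 5280 method 1 value; AKI equals the issuer's SKI
}

// rfc5280SKI is method 1 of RFC 5280 section 4.2.1.2: SHA-1 over the subjectPublicKey BIT STRING
// contents. Go 1.15+ applies the same derivation when a CA template leaves SubjectKeyId empty.
func rfc5280SKI(pub interface{}) ([]byte, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return nil, err
	}
	var spki struct{ Algorithm, PublicKey asn1.RawValue } // SubjectPublicKeyInfo ::= SEQUENCE { algorithm, subjectPublicKey }
	if _, err := asn1.Unmarshal(der, &spki); err != nil {
		return nil, err
	}
	sum := sha1.Sum(spki.PublicKey.Bytes[1:]) // BIT STRING contents minus the leading unused-bits octet
	return sum[:], nil
}

// template is a hypothetical certificate template: ca=true gives the self-signed CA shape,
// ca=false a server leaf for the webhook endpoint named by cn.
func template(cn string, serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}}
	t.KeyUsage = x509.KeyUsageDigitalSignature
	if ca {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, t.KeyUsage|x509.KeyUsageCertSign
	} else {
		t.DNSNames, t.ExtKeyUsage = []string{cn}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issue generates a P-256 key, signs tmpl with parent/signer (both nil for self-signed) and
// returns the parsed certificate and its key. A CA template with no SubjectKeyId gets it filled
// explicitly, so the extension exists even on Go 1.14, which does not generate it.
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, signer = tmpl, key
	}
	if tmpl.IsCA && len(tmpl.SubjectKeyId) == 0 {
		if tmpl.SubjectKeyId, err = rfc5280SKI(&key.PublicKey); err != nil {
			return nil, nil, err
		}
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// inspect reports the SKI/AKI state of cert; pass the issuer to also check the AKI chain link.
func inspect(cert, issuer *x509.Certificate) Report {
	r := Report{SelfSigned: bytes.Equal(cert.RawIssuer, cert.RawSubject)}
	r.HasSKI, r.HasAKI = len(cert.SubjectKeyId) > 0, len(cert.AuthorityKeyId) > 0
	want, _ := rfc5280SKI(cert.PublicKey) // cannot fail for a key that has just been parsed
	r.SKIMatchesKey = bytes.Equal(cert.SubjectKeyId, want)
	if issuer != nil {
		r.AKIMatchesIssuerSKI = bytes.Equal(cert.AuthorityKeyId, issuer.SubjectKeyId)
	}
	return r
}

func main() {
	ca, caKey, err := issue(template("kubemacpool-mutator", 1, true), nil, nil)
	if err != nil {
		panic(err)
	}
	leaf, _, err := issue(template("kubemacpool-service.openshift-cnv.svc", 2, false), ca, caKey)
	if err != nil {
		panic(err)
	}
	fmt.Printf("CA:   %+v\nleaf: %+v\n", inspect(ca, nil), inspect(leaf, ca)) // CA: SKI only; leaf: AKI == CA SKI
}
```

The CA report comes out with SelfSigned, HasSKI and SKIMatchesKey true and HasAKI false, which is exactly the state the openssl output above shows for the fixed bundle; the leaf report shows HasAKI and AKIMatchesIssuerSKI true, because CreateCertificate copies the parent's SubjectKeyId into AuthorityKeyId only when issuer and subject differ. The explicit fill in issue is what makes the CA's SKI independent of the toolchain version.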
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Virtualization 2.6.0 security and bug fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:0799