[release-4.2] Bug 1810421: Ensure service CA certs are created with unique serial numbers

pkg/operator/rotate.go

@@ -5,6 +5,7 @@ import (
 	"crypto/x509"
 	"encoding/json"
 	"fmt"
+	"math/big"
 	"time"
 
 	corev1 "k8s.io/api/core/v1"
@@ -197,6 +198,19 @@ func createIntermediateCACert(targetCACert, signingCACert *x509.Certificate, sig
 	// Enable key identity chaining
 	template.AuthorityKeyId = signingCACert.SubjectKeyId
 
+	// Set a new serial number so that the intermediate CA cert is
+	// differentiated from the target CA cert. This ensures that a serving
+	// cert bundle that includes the issuing CA cert and an intermediate CA
+	// cert generated by this function - with the issuing CA cert as the
+	// target and the previous CA as the signer - will not result in
+	// SEC_ERROR_REUSED_ISSUER_AND_SERIAL when read by applications like curl.
+	serialGenerator := crypto.RandomSerialGenerator{}
+	serial, err := serialGenerator.Next(template)
+	if err != nil {
+		return nil, fmt.Errorf("failed to find next serial number: %v", err)
+	}
+	template.SerialNumber = big.NewInt(serial)
+
 	// Update the expiry if necessary
 	if expiry != nil {
 		template.NotAfter = *expiry

pkg/operator/rotate_test.go

@@ -245,3 +245,35 @@ func TestRotateSigningCA(t *testing.T) {
 	dnsName := oldServingCert.Certs[0].Subject.CommonName
 	util.CheckRotation(t, dnsName, oldCertPEM, oldKeyPEM, oldBundlePEM, newCertPEM, newKeyPEM, newBundlePEM)
 }
+
+// TestCreateIntermediateCACert checks that the intermediate CA cert
+// created by signing a target CA cert supports identity key chaining
+// and uses a serial number distinct from that of the target CA cert.
+func TestCreateIntermediateCACert(t *testing.T) {
+	// Create the signing CA
+	signingCAConfig, err := crypto.MakeSelfSignedCAConfig("foo", signingCertificateLifetimeInDays)
+	if err != nil {
+		t.Fatalf("error generating a new ca: %v", err)
+	}
+	signingCACert := signingCAConfig.Certs[0]
+
+	// Create the CA targeted for signing
+	targetCAConfig, err := crypto.MakeSelfSignedCAConfig("foo", signingCertificateLifetimeInDays)
+	if err != nil {
+		t.Fatalf("error generating a new ca: %v", err)
+	}
+	targetCACert := targetCAConfig.Certs[0]
+
+	intermediateCACert, err := createIntermediateCACert(targetCACert, signingCACert, signingCAConfig.Key.(*rsa.PrivateKey), nil)
+	if err != nil {
+		t.Fatalf("Failed to create intermediate CA cert: %v", err)
+	}
+
+	if bytes.Compare(intermediateCACert.AuthorityKeyId, signingCACert.SubjectKeyId) != 0 {
+		t.Fatalf("Expected intermediate CA cert AuthorityKeyId to match signing CA cert SubjectKeyId")
+	}
+
+	if intermediateCACert.SerialNumber.Cmp(targetCACert.SerialNumber) == 0 {
+		t.Fatalf("Expected intermediate CA cert serial number to differ from serial number of target CA cert")
+	}
+}