From b12ce7299f5a2666f716581a4f383ef83a543b13 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mika=C3=ABl=20Cluseau?=
Date: Sun, 26 Jan 2025 18:39:31 +0100
Subject: [PATCH] check leaf certificates against their CA

---
 cmd/dkl-local-server/tls-ca.go | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)

diff --git a/cmd/dkl-local-server/tls-ca.go b/cmd/dkl-local-server/tls-ca.go
index c5f101f..21e647a 100644
--- a/cmd/dkl-local-server/tls-ca.go
+++ b/cmd/dkl-local-server/tls-ca.go
@@ -2,6 +2,8 @@ package main
 
 import (
 	"crypto"
+	"crypto/x509"
+	"encoding/pem"
 	"errors"
 	"fmt"
 	"log"
@@ -129,7 +131,26 @@ func getUsableKeyCert(cluster, caName, name, profile, label string, req *csr.Cer
 	if found {
 		if rh == kc.ReqHash {
-			err = checkCertUsable(kc.Cert)
+			err = func() (err error) {
+				err = checkCertUsable(kc.Cert)
+				if err != nil {
+					return
+				}
+
+				pool := x509.NewCertPool()
+				if !pool.AppendCertsFromPEM(ca.Cert) {
+					panic("unexpected invalid CA certificate at this point")
+				}
+
+				certBlock, _ := pem.Decode(kc.Cert)
+				cert, err := x509.ParseCertificate(certBlock.Bytes)
+				if err != nil {
+					return
+				}
+
+				_, err = cert.Verify(x509.VerifyOptions{Roots: pool})
+				return
+			}()
 			if err == nil {
 				return // all good, no need to create or renew
 			}
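Review bot: In the new closure, `certBlock, _ := pem.Decode(kc.Cert)` never checks for a missing PEM block, so a corrupt or non-PEM stored certificate makes `certBlock.Bytes` dereference a nil pointer and panics the server instead of marking the certificate unusable. Returning an error there lets the existing renewal path below handle it, and `errors` is already imported by this file. Separately, `x509.VerifyOptions{Roots: pool}` leaves `KeyUsages` empty, which the standard library treats as requiring the server-auth extended key usage, so a leaf issued for another purpose (a client-only certificate, for instance) would fail `Verify` and be renewed on every call; if this check is only meant to confirm that the leaf chains to `ca.Cert`, set `KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}` — confirm against the profiles this server issues. The enclosing getUsableKeyCert starts before the hunk, and the hunk's trailing context continues past the visible text.
```go
			err = func() (err error) {
				// … unchanged: checkCertUsable call and CA pool setup …
				certBlock, _ := pem.Decode(kc.Cert)
				if certBlock == nil {
					return errors.New("stored certificate is not PEM-encoded")
				}
				cert, err := x509.ParseCertificate(certBlock.Bytes)
				if err != nil {
					return
				}

				// Chain validity only; EKU policy is decided by the issuing profile.
				_, err = cert.Verify(x509.VerifyOptions{
					Roots:     pool,
					KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
				})
				return
			}()
```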