check leaf certificates against their CA

cmd/dkl-local-server/tls-ca.go

@@ -2,6 +2,8 @@ package main
 
 import (
 	"crypto"
+	"crypto/x509"
+	"encoding/pem"
 	"errors"
 	"fmt"
 	"log"
@@ -129,7 +131,26 @@ func getUsableKeyCert(cluster, caName, name, profile, label string, req *csr.Cer
 
 	if found {
 		if rh == kc.ReqHash {
+			err = func() (err error) {
 				err = checkCertUsable(kc.Cert)
+				if err != nil {
+					return
+				}
+
+				pool := x509.NewCertPool()
+				if !pool.AppendCertsFromPEM(ca.Cert) {
+					panic("unexpected invalid CA certificate at this point")
+				}
+
+				certBlock, _ := pem.Decode(kc.Cert)
+				cert, err := x509.ParseCertificate(certBlock.Bytes)
+				if err != nil {
+					return
+				}
+
+				_, err = cert.Verify(x509.VerifyOptions{Roots: pool})
+				return
+			}()
 			if err == nil {
 				return // all good, no need to create or renew
 			}