check leaf certificates against their CA

2025-01-26 18:39:31 +01:00 · 2025-01-26 18:39:31 +01:00 · b12ce7299f
commit b12ce7299f
parent 82f7cbcc92
1 changed files with 22 additions and 1 deletions
--- a/cmd/dkl-local-server/tls-ca.go
+++ b/cmd/dkl-local-server/tls-ca.go
@ -2,6 +2,8 @@ package main

 import (
 	"crypto"
+	"crypto/x509"
+	"encoding/pem"
 	"errors"
 	"fmt"
 	"log"
@ -129,7 +131,26 @@ func getUsableKeyCert(cluster, caName, name, profile, label string, req *csr.Cer

 	if found {
 		if rh == kc.ReqHash {
+			err = func() (err error) {
 				err = checkCertUsable(kc.Cert)
+				if err != nil {
+					return
+				}
+
+				pool := x509.NewCertPool()
+				if !pool.AppendCertsFromPEM(ca.Cert) {
+					panic("unexpected invalid CA certificate at this point")
+				}
+
+				certBlock, _ := pem.Decode(kc.Cert)
+				cert, err := x509.ParseCertificate(certBlock.Bytes)
+				if err != nil {
+					return
+				}
+
+				_, err = cert.Verify(x509.VerifyOptions{Roots: pool})
+				return
+			}()
 			if err == nil {
 				return // all good, no need to create or renew
 			}