Support CA cert bundles (#2222)

Author: letmaik

CHANGELOG.md

@@ -5,6 +5,12 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
+## [0.18.4]
+
+### Changed
+
+- `set_ca_cert`/`remove_ca_cert` proposals have been renamed `set_ca_cert_bundle`/`remove_ca_cert_bundle` and now also accept a bundle of certificates encoded as concatenated PEM string (#2221).
+
 ## [0.18.3]
 
 ### Changed
@@ -694,6 +700,7 @@ Some discrepancies with the TR remain, and are being tracked under https://githu
 
 Initial pre-release
 
+[0.18.4]: https://github.com/microsoft/CCF/releases/tag/ccf-0.18.4
 [0.18.3]: https://github.com/microsoft/CCF/releases/tag/ccf-0.18.3
 [0.18.2]: https://github.com/microsoft/CCF/releases/tag/ccf-0.18.2
 [0.18.1]: https://github.com/microsoft/CCF/releases/tag/ccf-0.18.1

python/ccf/proposal_generator.py

@@ -419,25 +419,30 @@ def set_recovery_threshold(threshold: int, **kwargs):
 
 
 @cli_proposal
-def set_ca_cert(cert_name, cert_path, skip_checks=False, **kwargs):
-    with open(cert_path) as f:
-        cert_pem = f.read()
+def set_ca_cert_bundle(cert_bundle_name, cert_bundle_path, skip_checks=False, **kwargs):
+    with open(cert_bundle_path) as f:
+        cert_bundle_pem = f.read()
 
     if not skip_checks:
-        try:
-            x509.load_pem_x509_certificate(
-                cert_pem.encode(), crypto_backends.default_backend()
-            )
-        except Exception as exc:
-            raise ValueError("Cannot parse PEM certificate") from exc
+        delim = "-----END CERTIFICATE-----"
+        for cert_pem in cert_bundle_pem.split(delim):
+            if not cert_pem.strip():
+                continue
+            cert_pem += delim
+            try:
+                x509.load_pem_x509_certificate(
+                    cert_pem.encode(), crypto_backends.default_backend()
+                )
+            except Exception as exc:
+                raise ValueError("Cannot parse PEM certificate") from exc
 
-    args = {"name": cert_name, "cert": cert_pem}
-    return build_proposal("set_ca_cert", args, **kwargs)
+    args = {"name": cert_bundle_name, "cert_bundle": cert_bundle_pem}
+    return build_proposal("set_ca_cert_bundle", args, **kwargs)
 
 
 @cli_proposal
-def remove_ca_cert(cert_name, **kwargs):
-    return build_proposal("remove_ca_cert", cert_name, **kwargs)
+def remove_ca_cert_bundle(cert_bundle_name, **kwargs):
+    return build_proposal("remove_ca_cert_bundle", cert_bundle_name, **kwargs)
 
 
 @cli_proposal
@@ -448,7 +453,7 @@ def set_jwt_issuer(json_path: str, **kwargs):
         "issuer": obj["issuer"],
         "key_filter": obj.get("key_filter", "all"),
         "key_policy": obj.get("key_policy"),
-        "ca_cert_name": obj.get("ca_cert_name"),
+        "ca_cert_bundle_name": obj.get("ca_cert_bundle_name"),
         "auto_refresh": obj.get("auto_refresh", False),
         "jwks": obj.get("jwks"),
     }

src/node/certs.h

@@ -6,7 +6,7 @@
 namespace ccf
 {
   using CertDERs = kv::Map<Cert, ObjectId>;
-  using CACertDERs = kv::Map<std::string, Cert>;
+  using CACertBundlePEMs = kv::Map<std::string, std::string>;
   // Mapping from hex-encoded digest of PEM cert to entity id
   using CertDigests = kv::Map<std::string, ObjectId>;
 }

src/node/entities.h

@@ -96,8 +96,11 @@ namespace ccf
     static constexpr auto ENDPOINTS = "public:gov.endpoints";
     static constexpr auto SERVICE_PRINCIPALS = "public:gov.service_principals";
 
+    // TLS
+    static constexpr auto CA_CERT_BUNDLE_PEMS =
+      "public:ccf.gov.tls.ca_cert_bundles";
+
     // JWT issuers
-    static constexpr auto CA_CERT_DERS = "public:ccf.gov.jwt.ca_certs_der";
     static constexpr auto JWT_ISSUERS = "public:ccf.gov.jwt.issuers";
     static constexpr auto JWT_PUBLIC_SIGNING_KEYS =
       "public:ccf.gov.jwt.public_signing_keys";

src/node/jwt.h

@@ -41,16 +41,16 @@ namespace ccf
   {
     JwtIssuerKeyFilter key_filter;
     std::optional<JwtIssuerKeyPolicy> key_policy;
-    std::optional<std::string> ca_cert_name;
+    std::optional<std::string> ca_cert_bundle_name;
     bool auto_refresh = false;
 
-    MSGPACK_DEFINE(key_filter, key_policy, ca_cert_name, auto_refresh);
+    MSGPACK_DEFINE(key_filter, key_policy, ca_cert_bundle_name, auto_refresh);
   };
 
   DECLARE_JSON_TYPE_WITH_OPTIONAL_FIELDS(JwtIssuerMetadata);
   DECLARE_JSON_REQUIRED_FIELDS(JwtIssuerMetadata, key_filter);
   DECLARE_JSON_OPTIONAL_FIELDS(
-    JwtIssuerMetadata, key_policy, ca_cert_name, auto_refresh);
+    JwtIssuerMetadata, key_policy, ca_cert_bundle_name, auto_refresh);
 
   using JwtIssuer = std::string;
   using JwtKeyId = std::string;

src/node/jwt_key_auto_refresh.h

@@ -281,8 +281,8 @@ namespace ccf
     {
       auto tx = network.tables->create_read_only_tx();
       auto jwt_issuers = tx.ro(network.jwt_issuers);
-      auto ca_certs = tx.ro(network.ca_certs);
-      jwt_issuers->foreach([this, &ca_certs](
+      auto ca_cert_bundles = tx.ro(network.ca_cert_bundles);
+      jwt_issuers->foreach([this, &ca_cert_bundles](
                              const JwtIssuer& issuer,
                              const JwtIssuerMetadata& metadata) {
         if (!metadata.auto_refresh)
@@ -295,14 +295,15 @@ namespace ccf
         }
         LOG_DEBUG_FMT(
           "JWT key auto-refresh: Refreshing keys for issuer '{}'", issuer);
-        auto& ca_cert_name = metadata.ca_cert_name.value();
-        auto ca_cert_der = ca_certs->get(ca_cert_name);
-        if (!ca_cert_der.has_value())
+        auto& ca_cert_bundle_name = metadata.ca_cert_bundle_name.value();
+        auto ca_cert_bundle_pem = ca_cert_bundles->get(ca_cert_bundle_name);
+        if (!ca_cert_bundle_pem.has_value())
         {
           LOG_FAIL_FMT(
-            "JWT key auto-refresh: CA cert with name '{}' for issuer '{}' not "
+            "JWT key auto-refresh: CA cert bundle with name '{}' for issuer "
+            "'{}' not "
             "found",
-            ca_cert_name,
+            ca_cert_bundle_name,
             issuer);
           send_refresh_jwt_keys_error();
           return true;
@@ -313,7 +314,7 @@ namespace ccf
         auto metadata_url_port =
           !metadata_url.port.empty() ? metadata_url.port : "443";
 
-        auto ca = std::make_shared<tls::CA>(ca_cert_der.value());
+        auto ca = std::make_shared<tls::CA>(ca_cert_bundle_pem.value());
         auto ca_cert = std::make_shared<tls::Cert>(
           ca,
           std::nullopt,

src/node/network_tables.h

@@ -74,7 +74,7 @@ namespace ccf
     SubmittedShares submitted_shares;
     Configuration config;
 
-    CACertDERs ca_certs;
+    CACertBundlePEMs ca_cert_bundles;
 
     JwtIssuers jwt_issuers;
     JwtPublicSigningKeys jwt_public_signing_keys;
@@ -133,7 +133,7 @@ namespace ccf
       encrypted_ledger_secrets(Tables::ENCRYPTED_PAST_LEDGER_SECRET),
       submitted_shares(Tables::SUBMITTED_SHARES),
       config(Tables::CONFIGURATION),
-      ca_certs(Tables::CA_CERT_DERS),
+      ca_cert_bundles(Tables::CA_CERT_BUNDLE_PEMS),
       jwt_issuers(Tables::JWT_ISSUERS),
       jwt_public_signing_keys(Tables::JWT_PUBLIC_SIGNING_KEYS),
       jwt_public_signing_key_issuer(Tables::JWT_PUBLIC_SIGNING_KEY_ISSUER),
@@ -171,7 +171,7 @@ namespace ccf
         std::ref(member_acks),
         std::ref(governance_history),
         std::ref(config),
-        std::ref(ca_certs),
+        std::ref(ca_cert_bundles),
         std::ref(jwt_issuers),
         std::ref(jwt_public_signing_keys),
         std::ref(jwt_public_signing_key_issuer),

src/node/rpc/member_frontend.h

@@ -171,13 +171,13 @@ namespace ccf
   DECLARE_JSON_TYPE(SetJwtPublicSigningKeys)
   DECLARE_JSON_REQUIRED_FIELDS(SetJwtPublicSigningKeys, issuer, jwks)
 
-  struct SetCaCert
+  struct SetCaCertBundle
   {
     std::string name;
-    std::string cert;
+    std::string cert_bundle;
   };
-  DECLARE_JSON_TYPE(SetCaCert)
-  DECLARE_JSON_REQUIRED_FIELDS(SetCaCert, name, cert)
+  DECLARE_JSON_TYPE(SetCaCertBundle)
+  DECLARE_JSON_REQUIRED_FIELDS(SetCaCertBundle, name, cert_bundle)
 
   class MemberEndpoints : public CommonEndpointRegistry
   {
@@ -679,35 +679,35 @@ namespace ccf
            users->put(parsed.user_id, user_info.value());
            return true;
          }},
-        {"set_ca_cert",
+        {"set_ca_cert_bundle",
          [this](
            const ProposalId& proposal_id,
            kv::Tx& tx,
            const nlohmann::json& args) {
-           const auto parsed = args.get<SetCaCert>();
-           auto ca_certs = tx.rw(this->network.ca_certs);
-           std::vector<uint8_t> cert_der;
+           const auto parsed = args.get<SetCaCertBundle>();
+           auto ca_cert_bundles = tx.rw(this->network.ca_cert_bundles);
            try
            {
-             cert_der = crypto::cert_pem_to_der(parsed.cert);
+             tls::CA(parsed.cert_bundle);
            }
-           catch (const std::invalid_argument& e)
+           catch (const std::logic_error& e)
            {
              LOG_FAIL_FMT(
-               "Proposal {}: certificate is not a valid X.509 certificate in "
+               "Proposal {}: 'cert_bundle' is not a valid X.509 certificate "
+               "bundle in "
                "PEM format: {}",
                proposal_id,
                e.what());
              return false;
            }
-           ca_certs->put(parsed.name, cert_der);
+           ca_cert_bundles->put(parsed.name, parsed.cert_bundle);
            return true;
          }},
-        {"remove_ca_cert",
+        {"remove_ca_cert_bundle",
          [this](const ProposalId&, kv::Tx& tx, const nlohmann::json& args) {
-           const auto cert_name = args.get<std::string>();
-           auto ca_certs = tx.rw(this->network.ca_certs);
-           ca_certs->remove(cert_name);
+           const auto cert_bundle_name = args.get<std::string>();
+           auto ca_cert_bundles = tx.rw(this->network.ca_cert_bundles);
+           ca_cert_bundles->remove(cert_bundle_name);
            return true;
          }},
         {"set_jwt_issuer",
@@ -717,24 +717,24 @@ namespace ccf
            const nlohmann::json& args) {
            const auto parsed = args.get<SetJwtIssuer>();
            auto issuers = tx.rw(this->network.jwt_issuers);
-           auto ca_certs = tx.ro(this->network.ca_certs);
+           auto ca_cert_bundles = tx.ro(this->network.ca_cert_bundles);
 
            if (parsed.auto_refresh)
            {
-             if (!parsed.ca_cert_name.has_value())
+             if (!parsed.ca_cert_bundle_name.has_value())
              {
                LOG_FAIL_FMT(
-                 "Proposal {}: ca_cert_name is missing but required if "
+                 "Proposal {}: ca_cert_bundle_name is missing but required if "
                  "auto_refresh is true",
                  proposal_id);
                return false;
              }
-             if (!ca_certs->has(parsed.ca_cert_name.value()))
+             if (!ca_cert_bundles->has(parsed.ca_cert_bundle_name.value()))
              {
                LOG_FAIL_FMT(
-                 "Proposal {}: No CA cert found with name '{}'",
+                 "Proposal {}: No CA cert list found with name '{}'",
                  proposal_id,
-                 parsed.ca_cert_name.value());
+                 parsed.ca_cert_bundle_name.value());
                return false;
              }
              http::URL issuer_url;

src/runtime_config/default_whitelists.h

@@ -25,7 +25,7 @@ namespace ccf
       Tables::MODULES,
       Tables::SERVICE,
       Tables::CONFIGURATION,
-      Tables::CA_CERT_DERS,
+      Tables::CA_CERT_BUNDLE_PEMS,
       Tables::SERVICE_PRINCIPALS,
       Tables::JWT_ISSUERS,
       Tables::JWT_PUBLIC_SIGNING_KEYS,
@@ -40,7 +40,7 @@ namespace ccf
       Tables::APP_SCRIPTS,
       Tables::MODULES,
       Tables::CONFIGURATION,
-      Tables::CA_CERT_DERS,
+      Tables::CA_CERT_BUNDLE_PEMS,
       Tables::SERVICE_PRINCIPALS,
       Tables::JWT_ISSUERS,
       Tables::JWT_PUBLIC_SIGNING_KEYS,

tests/ca_certs.py

@@ -3,8 +3,6 @@
 import os
 import tempfile
 import http
-from cryptography import x509
-import cryptography.hazmat.backends as crypto_backends
 import infra.network
 import infra.path
 import infra.proc
@@ -29,60 +27,59 @@ def test_cert_store(network, args):
         f.write("foo")
         f.flush()
         try:
-            ccf.proposal_generator.set_ca_cert(cert_name, f.name)
+            ccf.proposal_generator.set_ca_cert_bundle(cert_name, f.name)
         except ValueError:
             pass
         else:
-            assert False, "set_ca_cert should have raised an error"
+            assert False, "set_ca_cert_bundle should have raised an error"
 
     LOG.info("Member makes a ca cert update proposal with malformed cert")
     with tempfile.NamedTemporaryFile("w") as f:
         f.write("foo")
         f.flush()
         try:
-            network.consortium.set_ca_cert(primary, cert_name, f.name, skip_checks=True)
+            network.consortium.set_ca_cert_bundle(
+                primary, cert_name, f.name, skip_checks=True
+            )
         except infra.proposal.ProposalNotAccepted:
             pass
         else:
             assert False, "Proposal should not have been accepted"
 
-    LOG.info("Member makes a ca cert update proposal with valid cert")
+    LOG.info("Member makes a ca cert update proposal with valid certs")
     key_priv_pem, _ = infra.crypto.generate_rsa_keypair(2048)
     cert_pem = infra.crypto.generate_cert(key_priv_pem)
+    key2_priv_pem, _ = infra.crypto.generate_rsa_keypair(2048)
+    cert2_pem = infra.crypto.generate_cert(key2_priv_pem)
     with tempfile.NamedTemporaryFile(prefix="ccf", mode="w+") as cert_pem_fp:
         cert_pem_fp.write(cert_pem)
+        cert_pem_fp.write(cert2_pem)
         cert_pem_fp.flush()
-        network.consortium.set_ca_cert(primary, cert_name, cert_pem_fp.name)
+        network.consortium.set_ca_cert_bundle(primary, cert_name, cert_pem_fp.name)
 
     with primary.client(
         f"member{network.consortium.get_any_active_member().member_id}"
     ) as c:
         r = c.post(
-            "/gov/read", {"table": "public:ccf.gov.jwt.ca_certs_der", "key": cert_name}
+            "/gov/read",
+            {"table": "public:ccf.gov.tls.ca_cert_bundles", "key": cert_name},
         )
         assert r.status_code == http.HTTPStatus.OK.value, r.status_code
-        cert_ref = x509.load_pem_x509_certificate(
-            cert_pem.encode(), crypto_backends.default_backend()
-        )
-        cert_kv = x509.load_der_x509_certificate(
-            # Note that /gov/read returns all data as JSON.
-            # Here, the stored data is a uint8 array, therefore it
-            # is returned as an array of integers.
-            bytes(r.body.json()),
-            crypto_backends.default_backend(),
-        )
+        cert_ref = cert_pem + cert2_pem
+        cert_kv = r.body.json()
         assert (
             cert_ref == cert_kv
-        ), f"stored cert not equal to input cert: {cert_ref} != {cert_kv}"
+        ), f"stored cert not equal to input certs: {cert_ref} != {cert_kv}"
 
     LOG.info("Member removes a ca cert")
-    network.consortium.remove_ca_cert(primary, cert_name)
+    network.consortium.remove_ca_cert_bundle(primary, cert_name)
 
     with primary.client(
         f"member{network.consortium.get_any_active_member().member_id}"
     ) as c:
         r = c.post(
-            "/gov/read", {"table": "public:ccf.gov.jwt.ca_certs_der", "key": cert_name}
+            "/gov/read",
+            {"table": "public:ccf.gov.tls.ca_cert_bundles", "key": cert_name},
         )
         assert r.status_code == http.HTTPStatus.NOT_FOUND.value, r.status_code