Empty issuer DN when using selfSigned

[jglick]

Describe the bug:

The selfSigned issuer seems to generate a certificate that, while tolerated by Chromium for example, is rejected as malformed by Java—apparently due to lack of an issuer DN (and perhaps other reasons if it were to get past that).

Expected behaviour:

That the certificate be accepted as well-fomed and importable into the Java cert store.

Steps to reproduce the bug:

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: self-signed
spec:
  selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: xxx
spec:
  secretName: xxx-tls
  dnsNames:
  - what.ever
  issuerRef:
    name: self-signed

Once the secret is created:

$ kubectl get secret xxx-tls -o go-template='{{ index .data "ca.crt" | base64decode }}' | tee xxx.crt
-----BEGIN CERTIFICATE-----
…
-----END CERTIFICATE-----
$ openssl x509 -text -in xxx.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            …
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: 
        Validity
…
$ keytool -cacerts -storepass changeit -import -file xxx.crt
keytool error: java.lang.Exception: Input not an X.509 certificate
$ keytool -v -printcert -file xxx.crt
keytool error: java.lang.Exception: Failed to parse input
java.lang.Exception: Failed to parse input
	at java.base/sun.security.tools.keytool.Main.printCertFromStream(Main.java:2626)
	at java.base/sun.security.tools.keytool.Main.doPrintCert(Main.java:2780)
	at java.base/sun.security.tools.keytool.Main.doCommands(Main.java:1246)
	at java.base/sun.security.tools.keytool.Main.run(Main.java:405)
	at java.base/sun.security.tools.keytool.Main.main(Main.java:398)
Caused by: java.security.cert.CertificateParsingException: Empty issuer DN not allowed in X509Certificates
	at java.base/sun.security.x509.X509CertInfo.parse(X509CertInfo.java:658)
	at java.base/sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:169)
	at java.base/sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1842)
	at java.base/sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:194)
	at java.base/sun.security.provider.X509Factory.parseX509orPKCS7Cert(X509Factory.java:476)
	at java.base/sun.security.provider.X509Factory.engineGenerateCertificates(X509Factory.java:361)
	at java.base/java.security.cert.CertificateFactory.generateCertificates(CertificateFactory.java:478)
	at java.base/sun.security.tools.keytool.Main.printCertFromStream(Main.java:2624)
	... 4 more

Anything else we need to know?:

Environment details::

• Kubernetes version: v1.18.14-gke.1600
• Cloud-provider/provisioner: GKE
• cert-manager version: v1.1.0
• Install method: Helm

Java:

openjdk version "11.0.9.1" 2020-11-04
OpenJDK Runtime Environment (build 11.0.9.1+1-Ubuntu-0ubuntu1.20.04)
OpenJDK 64-Bit Server VM (build 11.0.9.1+1-Ubuntu-0ubuntu1.20.04, mixed mode, sharing)

/kind bug

[maelvls]

Hi! Thank you for the very thorough description.

You are right, the self-signed certificate might not properly follow the X.509 v3 spec described in RFC 5280 which obsoletes the previous RFC 3280. Note that in the following I will talk about RFC 3280 since these sections have not changed in the latest RFC 5280.

As discussed in the SO thread x-509-issuer-dn-optional, the RFC 3280 states that the issuer distinguished name must be not empty (MUST as per RFC 2119):

The issuer field identifies the entity that has signed and issued the certificate. The issuer field MUST contain a non-empty distinguished name (DN). The issuer field is defined as the X.501 type Name X.501. Name is defined by the following ASN.1 structure:

I also noticed that the RFC 3739 proposes a different certificate profile, based on RFC 3280, for identity certificates issued to natural persons. In this certificate profile, the issuer distinguished name does not seem mandatory (SHALL is a synonym of RECOMMENDED as per RFC 2119):

The subject field of a certificate compliant with this profile SHALL contain a distinguished name of the subject (see 2.4 for the definition of distinguished name).

I would assume that the self-signed certificates issued by the self-signed issuer would have a non-empty issuer distinguished name in order to comply with RFC 3280...

We definitely need to investigate this issue 😅

[maelvls]

/priority backlog
/area ca

[jglick]

I think I found a workaround: add

commonName: what.ever

to the Certificate.

[jglick]

A further update, which may be something obvious to you and as designed in cert-manager but recording it here for the benefit of anyone “Googling the error message” as I did: importing the ca.crt from a selfSigned issuer into the Java keystore (tls.crt was identical) did not allow a Java client to connect. However I then switched to a keypair generated by OpenSSL and referenced using a ca issuer, as documented, and imported both ca.crt and tls.crt from the secret/xxx-tls into the Java keystore, and this did work. (In the ca case I did not need to specify commonName—as documented, the first entry from dnsNames seems to have been used implicitly.)

[gerrywastaken]

ca.crt from a selfSigned issuer into the Java keystore (tls.crt was identical)

@jglick Yeah it wasn't obvious to me either, and I completely missed the following statement in the docs:

Clients consuming these certificates have no way to trust this certificate since there is no CA signer apart from itself, and as such, would be forced to trust the certificate as is.
https://cert-manager.io/docs/configuration/selfsigned/

More google foo:
Self signed tls.crt and ca.crt are the same
Self signed tls.crt and ca.crt are the identical
Self signed tls.crt and ca.crt are matching PEM
Certificate and Certificate Authority are the same in self signed