tls: SAN matching support in SPIFFE certificate validator

[mathetake]

This is a follow up on the first PR #14884

Right now, we only verify incoming SVIDs against the given trust bundles, but never use the existing match_subject_alt_names in the validation context. This must be supported in order to provide authz functionality in the SPIFFE validator.

The point I would like to discuss before I start implementation is that "Should we match any SAN other than URI SAN ?".

Since SPIFFE specification does not limit the DNS SANs or any others, but it only has the restriction that "SVID must contain exactly one URI SAN" (see the discussion here), it seems that we should match only the URI SAN and ignore others.

@azdagron @evan2645 thoughts?

cc @lizan

[evan2645]

Hmm that's a good question @mathetake!

Many SPIFFE implementations can mint SPIFFE certs that have DNS SANs in them. The typical use case for this though is to enable interop with software performing RFC 6125 validation. It's a little harder for me to reason about for validators that are SPIFFE-aware.

My instinct is that matching on URI SAN only when the SPIFFE validator is enabled makes sense initially, and if in the future we get requests to match on other SAN types, we should be able to introduce that functionality without breaking anyone (thanks to the strong typing of SANs). In contrast, if we start with matching any SAN, and later discover that it's problematic, it will be much harder to fix.

I also recognize that this represents an inconsistency in the behavior of match_subject_alt_names... but it does feel like the safer route. Here's a related question: does Envoy validate that the value(s) of the match_subject_alt_names field are actually valid SAN values? RFC 5280 is fairly strict on what things can go in what SAN types.

[mathetake]

My instinct is that matching on URI SAN only when the SPIFFE validator is enabled makes sense initially, and if in the future we get requests to match on other SAN types, we should be able to introduce that functionality without breaking anyone

Nice, I will follow this path.

I also recognize that this represents an inconsistency in the behavior of match_subject_alt_names... but it does feel like the safer route.

I don't think the inconsistency of the behavior of match_subject_alt_names is not that problem since we already document that the behavior of existing parameters depends on the custom validators. So I think this is fine.

As for the question about the values of match_subject_alt_names, it has StringMatcher type which can have regex, so virtually it can be any value in the current implementation of the default validator.

Having said that, I'm going to start implementation of matching only URI SAN and ignoring others.

Thanks @evan2645 🙂

[mathetake]

Now I opened a PR for this: #15509