days_until_expiration incorrectly reported by the /certs endpoint for expired certs

[uromahn]

Description:
Envoy reports the status of certificates via the admin endpoint by returning a JSON object from the /certs endpoint. One important property that is being reported for each cert is the days_until_expiration. However, once a certificate expired, i.e. the expiration_time is before the current time, the days_until_expiration is still reported as a positive number, albeit very large.
This value is typically used by services to check whether a certificate should be renewed and most services expect this value to be less than zero in case of an expired certificate.

This issue is impacting Istio in case istiod is temporarily not running and actively monitoring sidecars for expired certificates. Should the certificate in a sidecar expire before istiod was able to check it, it will not be automatically renewed until the pod gets restarted.

NOTE: this is a relatively rare and exotic edge case but nevertheless I believe this should be fixed.

Repro steps:

1. Use a certificate in Envoy with an expiration date of one day
2. Let Envoy run for more than a day
3. Check the certificate status using the /certs/ endpoint seeing the days_until_expiration reported as large positive number.

Admin and Stats Output:
Below is an example from such a case using the /certs endpoint:

...
  {
   "ca_cert": [
    {
     "path": "\u003cinline\u003e",
     "serial_number": "9cd01a3c2b02a8920348a161437b2751",
     "subject_alt_names": [],
     "days_until_expiration": "3644",
     "valid_from": "2022-03-23T20:48:23Z",
     "expiration_time": "2032-03-20T20:48:23Z"
    }
   ],
   "cert_chain": [
    {
     "path": "\u003cinline\u003e",
     "serial_number": "6d17d8aee9602497a99242cc68926720",
     "subject_alt_names": [
      {
       "uri": "spiffe://cluster.local/ns/istio-system/sa/istio-egressgateway-service-account"
      }
     ],
     "days_until_expiration": "18446744073709551613",
     "valid_from": "2022-03-25T15:56:24Z",
     "expiration_time": "2022-03-26T15:58:24Z"
    }
   ]
  },
...

One can see the ca_cert not expired and the days_until_expiration reporting the correct number. However, the cert_chain has already expired for almost three days (this report was written on 3/29) but the days_until_expiration is being reported as a very large but positive number.

Config:
N/A

Logs:
N/A

Call Stack:
N/A

[daixiang0]

I thought when cert expires, it returns the MAX, after checking the code, the MAX is 2147483647 as vscode shows, not what I think.

[daixiang0]

The above MAX is from default validitor, but for SNIFFE, it uses SIZE MAX(18446744073709551615UL).

[daixiang0]

/assign

[daixiang0]

@uromahn do you use SPIFFE cert validator?

[daixiang0]

The root cause is that size_t is unsigned, and can thus only express positive numbers. Comparing it to a negative will have wacky results. Not only happen in SPIFFE case. @uromahn

[uliromahn]

@daixiang0

@uromahn do you use SPIFFE cert validator?

No, I am not.

It seems there is a bug in the istio-agent that runs side-by-side of Envoy in the Istio sidecar. It is not using the days_until_expiration calculated by Envoy to test for cert expiration and instead it is parsing the cert directly using golang's x509 package and does the time diff calculation directly on the notAfter property. The istio-agent is supposed to check the validity of leaf certificates generated for mTLS and if they are close to expiration, it is supposed to create a new one and rotate that with the one that is about to expire.
I have to go a little bit deeper into the Istio code to see why it fails to renew the leaf certificates after they expired while the system was not actively running.

Nevertheless, I am not sure using a non-negative integer (uint64) for the days_until_expiration is a great idea since the intuitive expectation would be to see a negative number in case of an expired cert.

[github-actions]

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or "no stalebot" or other activity occurs. Thank you for your contributions.