Bug in logic detecting overlapping cert SANs

[jing8956]

Description:

1. This issue is not a duplicate of Bug in logic detecting overlapping cert SANs #6321.
2. The cause of this issue is mistakenly treating all absolute domain names as wildcard domain names for comparison.
3. Use 'strings.HasSuffix' for comparison is reckless, because the wildcard applies only to one level of the domain name.

Repro steps:

1. Add a listener for foo.example.com and pdf.foo.example.com.
   ※ Use *.example.com and pdf.foo.example.com should also trigger the issue.
2. Use cert-manager to issue certs for them (note that a wildcard certificate should not be used)
3. Look in the logs to see a warning about overlapping SANs

Sample Gateway Listeners

listeners:
  - name: foo
    hostname: foo.example.com
    protocol: HTTPS
    port: 443
    tls:
      mode: Terminate
      certificateRefs:
        - name: foo-tls
  - name: foo-pdf
    hostname: pdf.foo.example.com
    protocol: HTTPS
    port: 443
    tls:
      mode: Terminate
      certificateRefs:
        - name: foo-pdf-tls

Environment:
Envoy Gateway v1.5.3

Logs:

Message:  The certificate SAN pdf.foo.example.com overlaps with the certificate SAN foo.example.com in listener foo. ALPN will default to HTTP/1.1 to prevent HTTP/2 connection coalescing, unless explicitly configured via ClientTrafficPolicy
Reason: OverlappingCertificates
Type: OverlappingTLSConfig

[jing8956]

The original submitter is @zhaohuabing

Regarding the code to fix this issue, I can only provide C# code as a reference.

[TestClass]
public sealed class Test
{
    public bool isOverlappingHostname(string? name1, string? name2)
    {
        if (name1 == null || name2 == null) return true;
        if (string.Equals(name1, name2)) return true;

        if (isSubdomain(name1, name2)) return true;
        if (isSubdomain(name2, name1)) return true;

        return false;
    }

    public bool isSubdomain(string pattern, string name)
    {
        // eg: pattern = "*.example.com", name = "foo.example.com"
        if (pattern.Length == 0) return false;
        if (pattern[0] != '*') return false;

        var suffix = pattern.Substring(startIndex: 1); // suffix = ".example.com"
        if (!name.EndsWith(suffix)) return false;

        var labelLength = name.Length - suffix.Length;
        var label = name.Substring(startIndex: 0, length: labelLength); // label = "foo"
        if (label.Contains('.')) return false; // The wildcard applies only to one level of the domain name.

        return true;
    }

    [TestMethod]
    [DataRow("example.com", "example.com", true, DisplayName = "exact match")]
    [DataRow("*.example.com", "*.example.com", true, DisplayName = "two wildcards with same suffix")]
    [DataRow("*.example.com", "*.test.example.com", false, DisplayName = "two wildcards matches subdomain")] // Edited. The wildcard applies only to one level of the domain name.
    [DataRow(null, "www.example.com", true, DisplayName = "nil hostname matches all")]
    [DataRow(null, "*.example.com", true, DisplayName = "nil hostname matches subdomain")]
    [DataRow(null, null, true, DisplayName = "two nil hostnames")]
    [DataRow("*.example.com", "test.example.com", true, DisplayName = "wildcard matches exact")]
    [DataRow("*.example.com", "sub.test.example.com", false, DisplayName = "wildcard matches subdomain")] // Edited. The wildcard applies only to one level of the domain name.
    [DataRow("*.example.com", "example.com", false, DisplayName = "wildcard matches empty subdomain")] // Edited. The wildcard applies only to one level of the domain name.

    [DataRow("example.com", "test.com", false, DisplayName = "different domains")]
    [DataRow("*.example.com", "test.com", false, DisplayName = "wildcard doesn't match different domain")]
    [DataRow("*.example.com", "*.test.com", false, DisplayName = "different wildcard domains")]
    [DataRow("api.foo.dev", "testing-api.foo.dev", false, DisplayName = "different sub domains of same domain")]
    public void TestMethod(string? name1, string? name2, bool expected)
    {
        var actual = isOverlappingHostname(name1, name2);
        Assert.AreEqual(expected, actual);
    }
}

I haven't studied the Go language, so unable to submit code.

[rudrakhp]

@jing8956 should this be treated as overlap according to your suggestion? Because currently we do.

gateway/internal/gatewayapi/listener_test.go

Lines 122 to 127 in a4aa88d

	{
	name: "two wildcards matches subdomain",
	hostname1: ptr.To(gwapiv1.Hostname("*.example.com")),
	hostname2: ptr.To(gwapiv1.Hostname("*.test.example.com")),
	want: true,
	},

[jing8956]

@rudrakhp This test is incorrect.
*.example.com certificate is not valid for *.test.example.com, no overlap between them.
*.example.com is valid for test.example.com , foo-test.example.com , and so on.

[rudrakhp]

@jing8956 I think you might be right, found this in Istio.