Add support for setting pathlen on CA certificates and intermediate CA

[socheatsok78]

Taken from RFC 5280, section 4.2.1.9:

A pathLenConstraint of zero indicates that no non-self-issued intermediate CA certificates may follow in a valid certification path. Where it appears, the pathLenConstraint field MUST be greater than or equal to zero. Where pathLenConstraint does not appear, no limit is imposed.

I.e. a pathLenConstraintof 0 does still allow the CA to issue certificates, but these certificates must be end-entity-certificates (the CA flag in BasicConstraints is false - these are the "normal" certificates that are issued to people or organizations).

It also implies that with this certificate, the CA must not issue intermediate CA certificates (where the CA flag is true again - these are certificates that could potentially issue further certificates, thereby increasing the pathLen by 1).

An absent pathLenConstraint on the other hand means that there is no limitation considering the length of certificate paths built from an end-entity certificate that would lead up to our example CA certificate. This implies that the CA could issue an intermediate certificate for a sub CA, this sub CA could again issue an intermediate certificate, this sub CA could again... until finally one sub CA would issue an end-entity certificate.

If the pathLenConstraintof a given CA certificate is > 0, then it expresses the number of possible intermediate CA certificates in a path built from an end-entity certificate up to the CA certificate. Let's say CA X has a pathLenConstraint of 2, the end-entity certificate is issued to EE. Then the following scenarios are valid (I denoting an intermediate CA certificate)

Example

Create CA key

$ certstrap init --common-name CA --exclude-path-length
[...]
$ openssl x509 -noout -text -in out/CA.crt
[...]
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                AE:1B:C3:B5:2C:29:05:3B:D2:94:D7:09:27:15:28:5A:04:D7:78:C7
[...]

Create intermediate CA 1 key

$ certstrap request-cert --common-name ICA1
[...]
$ certstrap sign ICA1 --CA CA --intermediate --path-length 1
[...]
$ openssl x509 -noout -text -in out/ICA1.crt
[...]
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:1
            X509v3 Subject Key Identifier:
                1D:86:5B:08:0B:81:4A:12:02:0E:F0:B0:32:A1:F8:6D:88:F5:3A:4E
            X509v3 Authority Key Identifier:
                keyid:AE:1B:C3:B5:2C:29:05:3B:D2:94:D7:09:27:15:28:5A:04:D7:78:C7
[...]

Create intermediate CA 2 key

$ certstrap request-cert --common-name ICA2
[...]
$ certstrap sign ICA2 --CA ICA1 --intermediate
[...]
$ openssl x509 -noout -text -in out/ICA12crt
[...]
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Subject Key Identifier:
                47:0C:F5:1B:A8:72:64:D1:56:4B:D6:FB:AC:40:68:39:58:77:38:AA
            X509v3 Authority Key Identifier:
                keyid:1D:86:5B:08:0B:81:4A:12:02:0E:F0:B0:32:A1:F8:6D:88:F5:3A:4E
[...]

[CLAassistant]

All committers have signed the CLA.

[socheatsok78]

Thanks to #112 for original idea.

[MousyBusiness]

I've recently hit this as an issue. A rootCA created with CreateCertificateAuthority used to create intermediaries with CreateIntermediateCertificateAuthority will create the certs, the intermediary even work in Go. But when using python or node (which require the full authority chain), it fails.

[jdtw]

MaxPathLenZero is only checked when MaxPathLen == 0. With that in mind, can we simplify this logic? Something like:

authTemplate.MaxPathLen = pathlen
if excludePathLen {
  authTemplate.MaxPathLen = -1
}

Then MaxPathLenZero can remain true and we use the explicit MaxPathLen = -1 to unset it.

[socheatsok78]

Sorry for late to response. I should have went with that in the first place xD. Thank you for pointing out.

[socheatsok78]

Already made the change. Please give it a look.

[socheatsok78]

To be honest, the change I've just made doesn't seem right. Let me see what I can do or if you have any suggestion for making it better. Please let me know.

[jdtw]

Added a comment on the current iteration.

[jdtw]

Sorry, it's taken me so long to review these changes because I needed to be sure that this change to the public pkix package wouldn't break anyone. Unfortunately, looks like it will, for example https://cs.github.com/cloudfoundry/locket/blob/ad30c800960d38a0090acd7aa2acfc3f439b1f82/cmd/locket/certauthority/certauthority.go#L88.

Since we're not ready for a v2, I propose we add new functions (CreateIntermediateCertificateAuthorityWithOptions and CreateCertificateAuthorityWithOptions) to take opts ...Option to keep backwards compatibility:

type Option func(*x509.Certificate)

func WithPathlen(pathlen int, excludePathlen bool) {
  return func(template *x509.Certificate) {
    // Set MaxPathLen appropriately....
  }
}

[jdtw]

(Note that part of the v2 changes will be moving things into an internal package so that it's clear we won't guarantee backward compatibility of thee APIs -- this isn't the first time it's hampered contributions. Thanks again for your patience.)

[socheatsok78]

Okay, let me revert the original function back. I kinda don't want other people code to break as well :D

[socheatsok78]

For the init command, it is okay to add the extra flag right?

[jdtw]

Yes, I think it's fine to have the exclude flag in init.

[socheatsok78]

Should we check the MaxPathLen when trying to sign an intermediate certificate?

if raw_crt.MaxPathLen == 0 {
	fmt.Fprintln(os.Stderr, "Selected CA certificate is not allowed to issue intermediate certificates.")
	os.Exit(1)
}

[jdtw]

Should we check the MaxPathLen when trying to sign an intermediate certificate?

That might be a nice future improvement, but let's leave it out of this PR to keep the change minimal.

[jdtw]

Added a comment on the current iteration.

[jdtw]

Yes, I think it's fine to have the exclude flag in init.

[jdtw]

Thanks again for your patience on this one!

[jdtw]

Nit: you can remove these comments (here and below).

[socheatsok78]

Will do in the morning, it's 3am over here! And I'm commenting from my phone 😄

[socheatsok78]

Thanks again for your patience on this one!

Thank you for reviewing the PR!