Describe why this change is needed
aws-privateca-issuer does not currently honour X.509 name constraints present in CertificateRequests.
cert-manager itself does support name constraints. However, when aws-privateca-issuer processes a CertificateRequest with name constraints, they are silently ignored and the certificate is issued without the specified constraints.
Why this matters
A user wants to issue a CA certificate for use in a cluster. They want it to only be able to issue certificates within a subset of domains, e.g. the trust domain of a service mesh in the cluster.
They create a Certificate resource in which they specify name constraints. But, at present, any CA certificate issued via aws-privateca-issuer will be able to sign leaf certificates under any domains allowed by the parent PCA CA. The upstream PCA CA may not even have name constraints, in which case the newly created subordinate CA would be able to issue leaf certificates for any domains. In many environments this would be a huge security problem.
The user would only become aware of the security issue if they manually inspect the CA certificate and observe it is missing the constraints that they specified.
Currently, my company is unable to use AWS PCA for a significant project due to this missing functionality in aws-privateca-issuer.
Describe solutions and alternatives considered (optional)
When issuing a CA cert, aws-pca-issuer currently always selects the SubordinateCACertificate_PathLen0/V1 template:
https://github.com/cert-manager/aws-privateca-issuer/blob/main/pkg/aws/pca.go#L285-L287
In order to pass name constraints to PCA, aws-pca-issuer would need to use either SubordinateCACertificate_PathLen0_CSRPassthrough/V1 or SubordinateCACertificate_PathLen0_APIPassthrough/V1 instead.
It should only use one of these if the name constraints extension is present in the CR.
Configuration should be exposed to allow the aws-pca-issuer administrator to choose which template to use when name constraints are present.
If SubordinateCACertificate_PathLen0_APIPassthrough/V1 is selected, aws-privateca-issuer will have to construct the ApiPassthrough struct to pass through to PCA.
I think it would make sense to add support specifically for name constraints first, and possibly consider building on this to add more flexible, general support for custom extensions in the future.
Supporting documentation
https://cert-manager.io/docs/usage/certificate/#creating-certificate-with-name-constraints
https://docs.aws.amazon.com/privateca/latest/APIReference/API_ApiPassthrough.html
https://docs.aws.amazon.com/privateca/latest/userguide/template-order-of-operations.html
https://aws.amazon.com/blogs/security/how-to-enforce-dns-name-constraints-in-aws-private-ca/
Is there anything else you would like to add?
I have POC'd adding ApiPassthrough for name constraints in this commit on my fork - nickperry@3a78b1d
Note - this does not implement template selection logic. I may try implementing it, but I wanted to get feedback on the feature request first.
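As an added illustration of the template-selection logic proposed above (example code written for this page, not code from aws-privateca-issuer or from the linked fork), the following Go program detects the NameConstraints extension in a CSR, switches from the PathLen0 template to the APIPassthrough template only when the extension is present, and produces the base64 DER value that would be handed to PCA as a custom extension instead of being silently dropped. The constrained CSR is constructed inline; the template ARN strings and the plain string return value standing in for the SDK's ApiPassthrough fields are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/base64"
)
var oidNameConstraints = asn1.ObjectIdentifier{2, 5, 29, 30} // NameConstraints, RFC 5280 4.2.1.10
// NameConstraints limited to permitted dNSName subtrees (GeneralName [2] IA5String); mirrors crypto/x509's shape.
type generalSubtree struct{ Name string `asn1:"tag:2,optional,ia5"` }
type nameConstraints struct{ Permitted []generalSubtree `asn1:"optional,tag:0"` }
// Template ARNs in PCA's documented "arn:aws:acm-pca:::template/<name>" form (assumed here).
const TemplatePathLen0 = "arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen0/V1"
const TemplateAPIPassthrough = "arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen0_APIPassthrough/V1"

// SelectTemplate keeps PathLen0 (and returns "") for a CSR without NameConstraints; otherwise it
// picks APIPassthrough and returns the base64 DER to pass to PCA as critical custom extension 2.5.29.30.
func SelectTemplate(csrDER []byte) (string, string, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return "", "", err
	}
	for _, ext := range csr.Extensions {
		if ext.Id.Equal(oidNameConstraints) {
			return TemplateAPIPassthrough, base64.StdEncoding.EncodeToString(ext.Value), nil
		}
	}
	return TemplatePathLen0, "", nil
}
// ConstrainedCSR builds a constructed CA CSR permitting only the given DNS subtrees (none: no extension).
func ConstrainedCSR(permitted []string) ([]byte, error) {
	_, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: "mesh-ca"}}
	if len(permitted) > 0 {
		var nc nameConstraints
		for _, d := range permitted {
			nc.Permitted = append(nc.Permitted, generalSubtree{Name: d})
		}
		der, err := asn1.Marshal(nc)
		if err != nil {
			return nil, err
		}
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidNameConstraints, Critical: true, Value: der}}
	}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}
```

A real implementation would additionally let the administrator choose between the CSRPassthrough and APIPassthrough templates, as proposed above, and would verify that the issued CA certificate actually carries the constraints before marking the CertificateRequest ready.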