Add support for intermediate certificate chain in RootCAProvider

Author: vishesh92

plugins/ca/root-ca/src/main/java/org/apache/cloudstack/ca/provider/RootCACustomTrustManager.java

@@ -40,17 +40,17 @@ public final class RootCACustomTrustManager implements X509TrustManager {
     private boolean authStrictness = true;
     private boolean allowExpiredCertificate = true;
     private CrlDao crlDao;
-    private X509Certificate caCertificate;
+    private List<X509Certificate> caCertificates;
     private Map<String, X509Certificate> activeCertMap;
 
-    public RootCACustomTrustManager(final String clientAddress, final boolean authStrictness, final boolean allowExpiredCertificate, final Map<String, X509Certificate> activeCertMap, final X509Certificate caCertificate, final CrlDao crlDao) {
+    public RootCACustomTrustManager(final String clientAddress, final boolean authStrictness, final boolean allowExpiredCertificate, final Map<String, X509Certificate> activeCertMap, final List<X509Certificate> caCertificates, final CrlDao crlDao) {
         if (StringUtils.isNotEmpty(clientAddress)) {
             this.clientAddress = clientAddress.replace("/", "").split(":")[0];
         }
         this.authStrictness = authStrictness;
         this.allowExpiredCertificate = allowExpiredCertificate;
         this.activeCertMap = activeCertMap;
-        this.caCertificate = caCertificate;
+        this.caCertificates = caCertificates;
         this.crlDao = crlDao;
     }
 
@@ -151,6 +151,6 @@ public void checkServerTrusted(X509Certificate[] x509Certificates, String s) thr
 
     @Override
     public X509Certificate[] getAcceptedIssuers() {
-        return new X509Certificate[]{caCertificate};
+        return caCertificates.toArray(new X509Certificate[0]);
     }
 }

plugins/ca/root-ca/src/main/java/org/apache/cloudstack/ca/provider/RootCAProvider.java

@@ -40,7 +40,6 @@
 import java.security.spec.InvalidKeySpecException;
 import java.util.ArrayList;
 import java.util.Collection;
-import java.util.Collections;
 import java.util.Enumeration;
 import java.util.HashSet;
 import java.util.List;
@@ -92,6 +91,7 @@ public final class RootCAProvider extends AdapterBase implements CAProvider, Con
 
     private static KeyPair caKeyPair = null;
     private static X509Certificate caCertificate = null;
+    private static List<X509Certificate> caCertificates = null;
     private static KeyStore managementKeyStore = null;
 
     @Inject
@@ -106,20 +106,21 @@ public final class RootCAProvider extends AdapterBase implements CAProvider, Con
     private static ConfigKey<String> rootCAPrivateKey = new ConfigKey<>("Hidden", String.class,
             "ca.plugin.root.private.key",
             null,
-            "The ROOT CA private key in PEM format (PKCS#8: must start with 'BEGIN PRIVATE KEY'). " +
+            "The ROOT CA private key in PEM format. " +
             "When set along with the public key and certificate, CloudStack uses this custom CA instead of auto-generating one. " +
             "All three ca.plugin.root.* keys must be set together. Restart management server(s) when changed.", true);
 
     private static ConfigKey<String> rootCAPublicKey = new ConfigKey<>("Hidden", String.class,
             "ca.plugin.root.public.key",
             null,
-            "The ROOT CA public key in PEM format (X.509/SPKI: must start with 'BEGIN PUBLIC KEY'). " +
+            "The ROOT CA public key in PEM format (X.509/SPKI: must start with '-----BEGIN PUBLIC KEY-----'). " +
             "Required when providing a custom CA. Restart management server(s) when changed.", true);
 
     private static ConfigKey<String> rootCACertificate = new ConfigKey<>("Hidden", String.class,
             "ca.plugin.root.ca.certificate",
             null,
-            "The ROOT CA X.509 certificate in PEM format (must start with 'BEGIN CERTIFICATE'). " +
+            "The CA certificate(s) in PEM format (must start with '-----BEGIN CERTIFICATE-----'). " +
+            "For intermediate CAs, concatenate the signing cert first, followed by intermediate(s) and root. " +
             "Required when providing a custom CA. Restart management server(s) when changed.", true);
 
     private static ConfigKey<String> rootCAIssuerDN = new ConfigKey<>("Advanced", String.class,
@@ -155,7 +156,7 @@ private Certificate generateCertificate(final List<String> domainNames, final Li
                 caCertificate, caKeyPair, keyPair.getPublic(),
                 subject, CAManager.CertSignatureAlgorithm.value(),
                 validityDays, domainNames, ipAddresses);
-        return new Certificate(clientCertificate, keyPair.getPrivate(), Collections.singletonList(caCertificate));
+        return new Certificate(clientCertificate, keyPair.getPrivate(), caCertificates);
     }
 
     private Certificate generateCertificateUsingCsr(final String csr, final List<String> names, final List<String> ips, final int validityDays) throws NoSuchAlgorithmException, InvalidKeyException, NoSuchProviderException, CertificateException, SignatureException, IOException, OperatorCreationException {
@@ -209,7 +210,7 @@ private Certificate generateCertificateUsingCsr(final String csr, final List<Str
                 caCertificate, caKeyPair, request.getPublicKey(),
                 subject, CAManager.CertSignatureAlgorithm.value(),
                 validityDays, dnsNames, ipAddresses);
-        return new Certificate(clientCertificate, null, Collections.singletonList(caCertificate));
+        return new Certificate(clientCertificate, null, caCertificates);
     }
 
     ////////////////////////////////////////////////////////
@@ -223,7 +224,7 @@ public boolean canProvisionCertificates() {
 
     @Override
     public List<X509Certificate> getCaCertificate() {
-        return Collections.singletonList(caCertificate);
+        return caCertificates;
     }
 
     @Override
@@ -258,8 +259,8 @@ public boolean revokeCertificate(final BigInteger certSerial, final String certC
     private KeyStore getCaKeyStore() throws CertificateException, NoSuchAlgorithmException, IOException, KeyStoreException {
         final KeyStore ks = KeyStore.getInstance("JKS");
         ks.load(null, null);
-        if (caKeyPair != null && caCertificate != null) {
-            ks.setKeyEntry(caAlias, caKeyPair.getPrivate(), getKeyStorePassphrase(), new X509Certificate[]{caCertificate});
+        if (caKeyPair != null && CollectionUtils.isNotEmpty(caCertificates)) {
+            ks.setKeyEntry(caAlias, caKeyPair.getPrivate(), getKeyStorePassphrase(), caCertificates.toArray(new X509Certificate[0]));
         } else {
             return null;
         }
@@ -278,7 +279,7 @@ public SSLEngine createSSLEngine(final SSLContext sslContext, final String remot
         final boolean authStrictness = rootCAAuthStrictness.value();
         final boolean allowExpiredCertificate = rootCAAllowExpiredCert.value();
 
-        TrustManager[] tms = new TrustManager[]{new RootCACustomTrustManager(remoteAddress, authStrictness, allowExpiredCertificate, certMap, caCertificate, crlDao)};
+        TrustManager[] tms = new TrustManager[]{new RootCACustomTrustManager(remoteAddress, authStrictness, allowExpiredCertificate, certMap, caCertificates, crlDao)};
 
         sslContext.init(kmf.getKeyManagers(), tms, new SecureRandom());
         final SSLEngine sslEngine = sslContext.createSSLEngine();
@@ -364,9 +365,23 @@ private boolean loadRootCACertificate() {
             return false;
         }
         try {
-            caCertificate = CertUtils.pemToX509Certificate(rootCACertificate.value());
-            caCertificate.verify(caKeyPair.getPublic());
-        } catch (final IOException | CertificateException | NoSuchAlgorithmException | InvalidKeyException | SignatureException | NoSuchProviderException e) {
+            caCertificates = CertUtils.pemToX509Certificates(rootCACertificate.value());
+            if (CollectionUtils.isEmpty(caCertificates)) {
+                logger.error("No certificates found in ca.plugin.root.ca.certificate");
+                return false;
+            }
+            caCertificate = caCertificates.get(0);
+
+            // Verify key ownership without enforcing self-signature
+            if (!caCertificate.getPublicKey().equals(caKeyPair.getPublic())) {
+                logger.error("The public key in the CA certificate does not match the configured CA public key");
+                return false;
+            }
+
+            if (caCertificates.size() > 1) {
+                logger.info("Loaded CA certificate chain with {} certificate(s)", caCertificates.size());
+            }
+        } catch (final IOException | CertificateException e) {
             logger.error("Failed to load saved RootCA certificate due to exception:", e);
             return false;
         }
@@ -393,9 +408,15 @@ private boolean loadManagementKeyStore() {
         try {
             managementKeyStore = KeyStore.getInstance("JKS");
             managementKeyStore.load(null, null);
-            managementKeyStore.setCertificateEntry(caAlias, caCertificate);
+            int caIndex = 0;
+            for (final X509Certificate cert : caCertificates) {
+                managementKeyStore.setCertificateEntry(caAlias + "-" + caIndex++, cert);
+            }
+            final List<X509Certificate> fullChain = new ArrayList<>();
+            fullChain.add(serverCertificate.getClientCertificate());
+            fullChain.addAll(caCertificates);
             managementKeyStore.setKeyEntry(managementAlias, serverCertificate.getPrivateKey(), getKeyStorePassphrase(),
-                    new X509Certificate[]{serverCertificate.getClientCertificate(), caCertificate});
+                    fullChain.toArray(new X509Certificate[0]));
         } catch (final CertificateException | NoSuchAlgorithmException | KeyStoreException | IOException  e) {
             logger.error("Failed to load root CA management-server keystore due to exception: ", e);
             return false;
@@ -430,8 +451,7 @@ private boolean setupCA() {
             if (hasUserProvidedCAKeys()) {
                 logger.error("Failed to load user-provided CA keys from configuration. " +
                     "Check that ca.plugin.root.private.key, ca.plugin.root.public.key, and " +
-                    "ca.plugin.root.ca.certificate are all set and in the correct PEM format " +
-                    "(private key must be PKCS#8: 'BEGIN PRIVATE KEY'). " +
+                    "ca.plugin.root.ca.certificate are all set and in the correct PEM format. " +
                     "Overwriting with auto-generated keys.");
             }
             if (!saveNewRootCAKeypair()) {

plugins/ca/root-ca/src/test/java/org/apache/cloudstack/ca/provider/RootCACustomTrustManagerTest.java

@@ -63,14 +63,14 @@ public void setUp() throws Exception {
 
     @Test
     public void testAuthNotStrictWithInvalidCert() throws Exception {
-        final RootCACustomTrustManager trustManager = new RootCACustomTrustManager(clientIp, false, true, certMap, caCertificate, crlDao);
+        final RootCACustomTrustManager trustManager = new RootCACustomTrustManager(clientIp, false, true, certMap, Collections.singletonList(caCertificate), crlDao);
         trustManager.checkClientTrusted(null, null);
     }
 
     @Test
     public void testAuthNotStrictWithRevokedCert() throws Exception {
         Mockito.when(crlDao.findBySerial(Mockito.any(BigInteger.class))).thenReturn(new CrlVO());
-        final RootCACustomTrustManager trustManager = new RootCACustomTrustManager(clientIp, false, true, certMap, caCertificate, crlDao);
+        final RootCACustomTrustManager trustManager = new RootCACustomTrustManager(clientIp, false, true, certMap, Collections.singletonList(caCertificate), crlDao);
         trustManager.checkClientTrusted(new X509Certificate[]{caCertificate}, "RSA");
         Assert.assertTrue(certMap.containsKey(clientIp));
         Assert.assertEquals(certMap.get(clientIp), caCertificate);
@@ -79,7 +79,7 @@ public void testAuthNotStrictWithRevokedCert() throws Exception {
     @Test
     public void testAuthNotStrictWithInvalidCertOwnership() throws Exception {
         Mockito.when(crlDao.findBySerial(Mockito.any(BigInteger.class))).thenReturn(null);
-        final RootCACustomTrustManager trustManager = new RootCACustomTrustManager(clientIp, false, true, certMap, caCertificate, crlDao);
+        final RootCACustomTrustManager trustManager = new RootCACustomTrustManager(clientIp, false, true, certMap, Collections.singletonList(caCertificate), crlDao);
         trustManager.checkClientTrusted(new X509Certificate[]{caCertificate}, "RSA");
         Assert.assertTrue(certMap.containsKey(clientIp));
         Assert.assertEquals(certMap.get(clientIp), caCertificate);
@@ -88,50 +88,50 @@ public void testAuthNotStrictWithInvalidCertOwnership() throws Exception {
     @Test(expected = CertificateException.class)
     public void testAuthNotStrictWithDenyExpiredCertAndOwnership() throws Exception {
         Mockito.when(crlDao.findBySerial(Mockito.any(BigInteger.class))).thenReturn(null);
-        final RootCACustomTrustManager trustManager = new RootCACustomTrustManager(clientIp, false, false, certMap, caCertificate, crlDao);
+        final RootCACustomTrustManager trustManager = new RootCACustomTrustManager(clientIp, false, false, certMap, Collections.singletonList(caCertificate), crlDao);
         trustManager.checkClientTrusted(new X509Certificate[]{expiredClientCertificate}, "RSA");
     }
 
     @Test
     public void testAuthNotStrictWithAllowExpiredCertAndOwnership() throws Exception {
         Mockito.when(crlDao.findBySerial(Mockito.any(BigInteger.class))).thenReturn(null);
-        final RootCACustomTrustManager trustManager = new RootCACustomTrustManager(clientIp, false, true, certMap, caCertificate, crlDao);
+        final RootCACustomTrustManager trustManager = new RootCACustomTrustManager(clientIp, false, true, certMap, Collections.singletonList(caCertificate), crlDao);
         trustManager.checkClientTrusted(new X509Certificate[]{expiredClientCertificate}, "RSA");
         Assert.assertTrue(certMap.containsKey(clientIp));
         Assert.assertEquals(certMap.get(clientIp), expiredClientCertificate);
     }
 
     @Test(expected = CertificateException.class)
     public void testAuthStrictWithInvalidCert() throws Exception {
-        final RootCACustomTrustManager trustManager = new RootCACustomTrustManager(clientIp, true, true, certMap, caCertificate, crlDao);
+        final RootCACustomTrustManager trustManager = new RootCACustomTrustManager(clientIp, true, true, certMap, Collections.singletonList(caCertificate), crlDao);
         trustManager.checkClientTrusted(null, null);
     }
 
     @Test(expected = CertificateException.class)
     public void testAuthStrictWithRevokedCert() throws Exception {
         Mockito.when(crlDao.findBySerial(Mockito.any(BigInteger.class))).thenReturn(new CrlVO());
-        final RootCACustomTrustManager trustManager = new RootCACustomTrustManager(clientIp, true, true, certMap, caCertificate, crlDao);
+        final RootCACustomTrustManager trustManager = new RootCACustomTrustManager(clientIp, true, true, certMap, Collections.singletonList(caCertificate), crlDao);
         trustManager.checkClientTrusted(new X509Certificate[]{caCertificate}, "RSA");
     }
 
     @Test(expected = CertificateException.class)
     public void testAuthStrictWithInvalidCertOwnership() throws Exception {
         Mockito.when(crlDao.findBySerial(Mockito.any(BigInteger.class))).thenReturn(null);
-        final RootCACustomTrustManager trustManager = new RootCACustomTrustManager(clientIp, true, true, certMap, caCertificate, crlDao);
+        final RootCACustomTrustManager trustManager = new RootCACustomTrustManager(clientIp, true, true, certMap, Collections.singletonList(caCertificate), crlDao);
         trustManager.checkClientTrusted(new X509Certificate[]{caCertificate}, "RSA");
     }
 
     @Test(expected = CertificateException.class)
     public void testAuthStrictWithDenyExpiredCertAndOwnership() throws Exception {
         Mockito.when(crlDao.findBySerial(Mockito.any(BigInteger.class))).thenReturn(null);
-        final RootCACustomTrustManager trustManager = new RootCACustomTrustManager(clientIp, true, false, certMap, caCertificate, crlDao);
+        final RootCACustomTrustManager trustManager = new RootCACustomTrustManager(clientIp, true, false, certMap, Collections.singletonList(caCertificate), crlDao);
         trustManager.checkClientTrusted(new X509Certificate[]{expiredClientCertificate}, "RSA");
     }
 
     @Test
     public void testAuthStrictWithAllowExpiredCertAndOwnership() throws Exception {
         Mockito.when(crlDao.findBySerial(Mockito.any(BigInteger.class))).thenReturn(null);
-        final RootCACustomTrustManager trustManager = new RootCACustomTrustManager(clientIp, true, true, certMap, caCertificate, crlDao);
+        final RootCACustomTrustManager trustManager = new RootCACustomTrustManager(clientIp, true, true, certMap, Collections.singletonList(caCertificate), crlDao);
         Assert.assertTrue(trustManager.getAcceptedIssuers() != null);
         Assert.assertTrue(trustManager.getAcceptedIssuers().length == 1);
         Assert.assertEquals(trustManager.getAcceptedIssuers()[0], caCertificate);

plugins/ca/root-ca/src/test/java/org/apache/cloudstack/ca/provider/RootCAProviderTest.java

@@ -31,6 +31,7 @@
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collection;
+import java.util.Collections;
 import java.util.List;
 import java.util.UUID;
 
@@ -75,7 +76,7 @@ public void setUp() throws Exception {
 
         addField(provider, "caKeyPair", caKeyPair);
         addField(provider, "caCertificate", caCertificate);
-        addField(provider, "caKeyPair", caKeyPair);
+        addField(provider, "caCertificates", Collections.singletonList(caCertificate));
     }
 
     @After

utils/src/main/java/org/apache/cloudstack/utils/security/CertUtils.java

@@ -98,9 +98,17 @@ public static KeyFactory getKeyFactory() {
         return keyFactory;
     }
 
-    public static X509Certificate pemToX509Certificate(final String pem) throws CertificateException, IOException {
+    public static List<X509Certificate> pemToX509Certificates(final String pem) throws CertificateException, IOException {
+        final List<X509Certificate> certs = new ArrayList<>();
         final PEMParser pemParser = new PEMParser(new StringReader(pem));
-        return new JcaX509CertificateConverter().setProvider("BC").getCertificate((X509CertificateHolder) pemParser.readObject());
+        final JcaX509CertificateConverter certConverter = new JcaX509CertificateConverter().setProvider("BC");
+        Object parsedObj;
+        while ((parsedObj = pemParser.readObject()) != null) {
+            if (parsedObj instanceof X509CertificateHolder) {
+                certs.add(certConverter.getCertificate((X509CertificateHolder) parsedObj));
+            }
+        }
+        return certs;
     }
 
     public static String x509CertificateToPem(final X509Certificate cert) throws IOException {

utils/src/test/java/org/apache/cloudstack/utils/security/CertUtilsTest.java

@@ -53,7 +53,7 @@ public void testGenerateRandomKeyPair() throws Exception {
     public void testCertificateConversionMethods() throws Exception {
         final X509Certificate in = caCertificate;
         final String pem = CertUtils.x509CertificateToPem(in);
-        final X509Certificate out = CertUtils.pemToX509Certificate(pem);
+        final X509Certificate out = CertUtils.pemToX509Certificates(pem).get(0);
         Assert.assertTrue(pem.startsWith("-----BEGIN CERTIFICATE-----\n"));
         Assert.assertTrue(pem.endsWith("-----END CERTIFICATE-----\n"));
         Assert.assertEquals(in.getSerialNumber(), out.getSerialNumber());