Change X509-SVID subject values (spiffe#3367)

* Change X509-SVID subject values

As outlined in spiffe#3341, this change behavior that controls the subject
of X509-SVIDs signed by the SPIRE Server CA.

Instead of a fixed subject (i.e. "O=SPIRE,C=US"), the subject now
 also has a UniqueID attribute. The Unique ID is per SPIFFE
ID. This brings us into RFC 5280 conformance.

The new behavior can be disabled with an immediately deprecated flag,
"omit_x509svid_uid". This flag will be removed in a future release.

Author: Andrew Harding

cmd/spire-server/cli/run/run.go

@@ -82,9 +82,11 @@ type serverConfig struct {
 	LogFile         string             `hcl:"log_file"`
 	LogLevel        string             `hcl:"log_level"`
 	LogFormat       string             `hcl:"log_format"`
-	RateLimit       rateLimitConfig    `hcl:"ratelimit"`
-	SocketPath      string             `hcl:"socket_path"`
-	TrustDomain     string             `hcl:"trust_domain"`
+	// Deprecated: remove in SPIRE 1.6.0
+	OmitX509SVIDUID *bool           `hcl:"omit_x509svid_uid"`
+	RateLimit       rateLimitConfig `hcl:"ratelimit"`
+	SocketPath      string          `hcl:"socket_path"`
+	TrustDomain     string          `hcl:"trust_domain"`
 
 	ConfigPath string
 	ExpandEnv  bool
@@ -563,6 +565,11 @@ func NewServerConfig(c *Config, logOptions []log.Option, allowUnknownConfig bool
 		sc.CASubject = defaultCASubject
 	}
 
+	if c.Server.OmitX509SVIDUID != nil {
+		sc.Log.Warn("The omit_x509svid_uid flag is deprecated and will be removed from a future release")
+		sc.OmitX509SVIDUID = *c.Server.OmitX509SVIDUID
+	}
+
 	sc.PluginConfigs = *c.Plugins
 	sc.Telemetry = c.Telemetry
 	sc.HealthChecks = c.HealthChecks

cmd/spire-server/cli/run/run_test.go

@@ -430,6 +430,21 @@ func TestMergeInput(t *testing.T) {
 }
 
 func TestNewServerConfig(t *testing.T) {
+	assertLogsContainEntries := func(expectedEntries []spiretest.LogEntry) func(t *testing.T) []log.Option {
+		return func(t *testing.T) []log.Option {
+			return []log.Option{
+				func(logger *log.Logger) error {
+					logger.SetOutput(io.Discard)
+					hook := test.NewLocal(logger.Logger)
+					t.Cleanup(func() {
+						spiretest.AssertLogsContainEntries(t, hook.AllEntries(), expectedEntries)
+					})
+					return nil
+				},
+			}
+		}
+	}
+
 	cases := []newServerConfigCase{
 		{
 			msg: "bind_address and bind_port should be correctly parsed",
@@ -831,25 +846,14 @@ func TestNewServerConfig(t *testing.T) {
 			input: func(c *Config) {
 				c.Server.TrustDomain = strings.Repeat("a", 256)
 			},
-			logOptions: func(t *testing.T) []log.Option {
-				return []log.Option{
-					func(logger *log.Logger) error {
-						logger.SetOutput(io.Discard)
-						hook := test.NewLocal(logger.Logger)
-						t.Cleanup(func() {
-							spiretest.AssertLogsContainEntries(t, hook.AllEntries(), []spiretest.LogEntry{
-								{
-									Data:  map[string]interface{}{"trust_domain": strings.Repeat("a", 256)},
-									Level: logrus.WarnLevel,
-									Message: "Configured trust domain name should be less than 255 characters to be " +
-										"SPIFFE compliant; a longer trust domain name may impact interoperability",
-								},
-							})
-						})
-						return nil
-					},
-				}
-			},
+			logOptions: assertLogsContainEntries([]spiretest.LogEntry{
+				{
+					Data:  map[string]interface{}{"trust_domain": strings.Repeat("a", 256)},
+					Level: logrus.WarnLevel,
+					Message: "Configured trust domain name should be less than 255 characters to be " +
+						"SPIFFE compliant; a longer trust domain name may impact interoperability",
+				},
+			}),
 			test: func(t *testing.T, c *server.Config) {
 				assert.NotNil(t, c)
 			},
@@ -918,6 +922,47 @@ func TestNewServerConfig(t *testing.T) {
 				require.Nil(t, c)
 			},
 		},
+		{
+			msg: "omit_x509svid_uid is unset",
+			input: func(c *Config) {
+				c.Server.OmitX509SVIDUID = nil
+			},
+			test: func(t *testing.T, c *server.Config) {
+				require.False(t, c.OmitX509SVIDUID)
+			},
+		},
+		{
+			msg: "omit_x509svid_uid is set to false",
+			input: func(c *Config) {
+				value := false
+				c.Server.OmitX509SVIDUID = &value
+			},
+			logOptions: assertLogsContainEntries([]spiretest.LogEntry{
+				{
+					Level:   logrus.WarnLevel,
+					Message: "The omit_x509svid_uid flag is deprecated and will be removed from a future release",
+				},
+			}),
+			test: func(t *testing.T, c *server.Config) {
+				require.False(t, c.OmitX509SVIDUID)
+			},
+		},
+		{
+			msg: "omit_x509svid_uid is set to true",
+			input: func(c *Config) {
+				value := true
+				c.Server.OmitX509SVIDUID = &value
+			},
+			logOptions: assertLogsContainEntries([]spiretest.LogEntry{
+				{
+					Level:   logrus.WarnLevel,
+					Message: "The omit_x509svid_uid flag is deprecated and will be removed from a future release",
+				},
+			}),
+			test: func(t *testing.T, c *server.Config) {
+				require.True(t, c.OmitX509SVIDUID)
+			},
+		},
 	}
 	cases = append(cases, newServerConfigCasesOS()...)
 

conf/server/server_full.conf

@@ -145,6 +145,11 @@ server {
 
     # default_svid_ttl: The default SVID TTL. Default: 1h.
     # default_svid_ttl = "1h"
+    
+    # omit_x509svid_uid: If true, the subject on X509-SVIDs will not contain
+    # the unique ID attribute. This configurable is deprecated and will be
+    # removed from a future release.
+    # omit_x509svid_uid = false
 
     # trust_domain: The trust domain that this server belongs to.
     trust_domain = "example.org"

doc/spire_server.md

@@ -69,6 +69,7 @@ This may be useful for templating configuration files, for example across differ
 | `log_file`                  | File to write logs to                                                                                                          |                                                                |
 | `log_level`                 | Sets the logging level \<DEBUG\|INFO\|WARN\|ERROR\>                                                                            | INFO                                                           |
 | `log_format`                | Format of logs, \<text\|json\>                                                                                                 | text                                                           |
+| `omit_x509svid_uid`         | If true, the subject on X509-SVIDs will not contain the unique ID attribute (deprecated)                                       | false                                                          |
 | `profiling_enabled`         | If true, enables a [net/http/pprof](https://pkg.go.dev/net/http/pprof) endpoint                                                | false                                                          |
 | `profiling_freq`                  | Frequency of dumping profiling data to disk. Only enabled when `profiling_enabled` is `true` and `profiling_freq` > 0.         |                                  |
 | `profiling_names`                 | List of profile names that will be dumped to disk on each profiling tick, see [Profiling Names](#profiling-names)             |                                  |

pkg/common/x509svid/uniqueid.go

@@ -0,0 +1,41 @@
+package x509svid
+
+import (
+	"crypto/sha256"
+	"crypto/x509/pkix"
+	"encoding/asn1"
+	"encoding/hex"
+	"io"
+
+	"github.com/spiffe/go-spiffe/v2/spiffeid"
+)
+
+var (
+	uniqueIDOID = asn1.ObjectIdentifier{2, 5, 4, 45}
+)
+
+// UniqueIDAttribute returns a X.500 Unique ID attribute (OID 2.5.4.45) for the
+// given SPIFFE ID for inclusion in an X509-SVID to satisfy RFC 5280
+// requirements that the subject "DN MUST be unique for each subject entity
+// certified by the one CA as defined by the issuer field" (see issue #3110 for
+// the discussion on this).
+//
+// The unique ID is composed of a SHA256 hash of the SPIFFE ID, truncated to
+// 128-bits (16 bytes), and then hex encoded. This *SHOULD* be large enough to
+// provide collision resistance on the input domain (i.e. registration entry
+// SPIFFE IDs registered with this server), which ranges from very- to
+// somewhat-restricted depending on the registration scheme and how much
+// influence an attacker can have on workload registration.
+func UniqueIDAttribute(id spiffeid.ID) pkix.AttributeTypeAndValue {
+	return pkix.AttributeTypeAndValue{
+		Type:  uniqueIDOID,
+		Value: calculateUniqueIDValue(id),
+	}
+}
+
+func calculateUniqueIDValue(id spiffeid.ID) string {
+	h := sha256.New()
+	_, _ = io.WriteString(h, id.String())
+	sum := h.Sum(nil)
+	return hex.EncodeToString(sum[:len(sum)/2])
+}

pkg/common/x509svid/uniqueid_test.go

@@ -0,0 +1,20 @@
+package x509svid
+
+import (
+	"crypto/x509/pkix"
+	"testing"
+
+	"github.com/spiffe/go-spiffe/v2/spiffeid"
+	"github.com/stretchr/testify/require"
+)
+
+func TestUniqueIDAttribute(t *testing.T) {
+	name := pkix.Name{
+		Names: []pkix.AttributeTypeAndValue{
+			UniqueIDAttribute(spiffeid.RequireFromString("spiffe://example.org/foo")),
+		},
+	}
+	require.Equal(t,
+		"2.5.4.45=#13206333343036663962313263656234663963393438333138633537396239303562",
+		name.String())
+}

pkg/server/api/svid/v1/service_test.go

@@ -20,6 +20,7 @@ import (
 	"github.com/spiffe/spire-api-sdk/proto/spire/api/types"
 	"github.com/spiffe/spire/pkg/common/idutil"
 	"github.com/spiffe/spire/pkg/common/telemetry"
+	"github.com/spiffe/spire/pkg/common/x509svid"
 	"github.com/spiffe/spire/pkg/common/x509util"
 	"github.com/spiffe/spire/pkg/server/api"
 	"github.com/spiffe/spire/pkg/server/api/middleware"
@@ -76,7 +77,7 @@ func TestServiceMintX509SVID(t *testing.T) {
 				URIs: []*url.URL{workloadID.URL()},
 			},
 			expiredAt: expiredAt,
-			subject:   "O=SPIRE,C=US",
+			subject:   "O=SPIRE,C=US,2.5.4.45=#13203835323763353230323837636461376436323561613834373664386538336561",
 			expectLogs: func(csr []byte) []spiretest.LogEntry {
 				return []spiretest.LogEntry{
 					{
@@ -102,7 +103,7 @@ func TestServiceMintX509SVID(t *testing.T) {
 				URIs: []*url.URL{workloadID.URL()},
 			},
 			expiredAt: customExpiresAt,
-			subject:   "O=SPIRE,C=US",
+			subject:   "O=SPIRE,C=US,2.5.4.45=#13203835323763353230323837636461376436323561613834373664386538336561",
 			ttl:       10 * time.Second,
 			expectLogs: func(csr []byte) []spiretest.LogEntry {
 				return []spiretest.LogEntry{
@@ -131,7 +132,7 @@ func TestServiceMintX509SVID(t *testing.T) {
 			},
 			dns:       []string{"dns1", "dns2"},
 			expiredAt: expiredAt,
-			subject:   "CN=dns1,O=SPIRE,C=US",
+			subject:   "CN=dns1,O=SPIRE,C=US,2.5.4.45=#13203835323763353230323837636461376436323561613834373664386538336561",
 			expectLogs: func(csr []byte) []spiretest.LogEntry {
 				return []spiretest.LogEntry{
 					{
@@ -161,7 +162,7 @@ func TestServiceMintX509SVID(t *testing.T) {
 				},
 			},
 			expiredAt: expiredAt,
-			subject:   "O=ORG,C=EN+C=US",
+			subject:   "O=ORG,C=EN+C=US,2.5.4.45=#13203835323763353230323837636461376436323561613834373664386538336561",
 			expectLogs: func(csr []byte) []spiretest.LogEntry {
 				return []spiretest.LogEntry{
 					{
@@ -193,7 +194,7 @@ func TestServiceMintX509SVID(t *testing.T) {
 			},
 			dns:       []string{"dns1", "dns2"},
 			expiredAt: expiredAt,
-			subject:   "CN=dns1,O=ORG,C=EN+C=US",
+			subject:   "CN=dns1,O=ORG,C=EN+C=US,2.5.4.45=#13203835323763353230323837636461376436323561613834373664386538336561",
 			expectLogs: func(csr []byte) []spiretest.LogEntry {
 				return []spiretest.LogEntry{
 					{
@@ -1719,8 +1720,8 @@ func TestServiceBatchNewX509SVID(t *testing.T) {
 				require.NotEmpty(t, certChain)
 				svid := certChain[0]
 
-				entryID := idutil.RequireIDFromProto(entry.SpiffeId)
-				require.Equal(t, []*url.URL{entryID.URL()}, svid.URIs)
+				entrySPIFFEID := idutil.RequireIDFromProto(entry.SpiffeId)
+				require.Equal(t, []*url.URL{entrySPIFFEID.URL()}, svid.URIs)
 
 				// Use entry ttl when defined
 				ttl := test.ca.X509SVIDTTL()
@@ -1734,14 +1735,16 @@ func TestServiceBatchNewX509SVID(t *testing.T) {
 
 				require.Equal(t, entry.DnsNames, svid.DNSNames)
 
-				expectedSubject := &pkix.Name{Country: []string{"US"}, Organization: []string{"SPIRE"}}
+				expectedSubject := &pkix.Name{
+					Organization: []string{"SPIRE"},
+					Country:      []string{"US"},
+					Names: []pkix.AttributeTypeAndValue{
+						x509svid.UniqueIDAttribute(entrySPIFFEID),
+					},
+				}
 				if len(entry.DnsNames) > 0 {
-					name := entry.DnsNames[0]
-
-					expectedSubject.CommonName = name
-					require.Equal(t, name, svid.Subject.CommonName)
+					expectedSubject.CommonName = entry.DnsNames[0]
 				}
-
 				require.Equal(t, expectedSubject.String(), svid.Subject.String())
 			}
 		})

pkg/server/ca/ca.go

@@ -17,6 +17,7 @@ import (
 	"github.com/spiffe/spire/pkg/common/jwtsvid"
 	"github.com/spiffe/spire/pkg/common/telemetry"
 	telemetry_server "github.com/spiffe/spire/pkg/common/telemetry/server"
+	"github.com/spiffe/spire/pkg/common/x509svid"
 	"github.com/spiffe/spire/pkg/common/x509util"
 	"github.com/spiffe/spire/pkg/server/api"
 	"github.com/zeebo/errs"
@@ -110,15 +111,16 @@ type JWTKey struct {
 }
 
 type Config struct {
-	Log           logrus.FieldLogger
-	Metrics       telemetry.Metrics
-	TrustDomain   spiffeid.TrustDomain
-	X509SVIDTTL   time.Duration
-	JWTSVIDTTL    time.Duration
-	JWTIssuer     string
-	Clock         clock.Clock
-	CASubject     pkix.Name
-	HealthChecker health.Checker
+	Log             logrus.FieldLogger
+	Metrics         telemetry.Metrics
+	TrustDomain     spiffeid.TrustDomain
+	X509SVIDTTL     time.Duration
+	JWTSVIDTTL      time.Duration
+	JWTIssuer       string
+	Clock           clock.Clock
+	CASubject       pkix.Name
+	HealthChecker   health.Checker
+	OmitX509SVIDUID bool
 }
 
 type CA struct {
@@ -194,7 +196,7 @@ func (ca *CA) SignX509SVID(ctx context.Context, params X509SVIDParams) ([]*x509.
 
 	notBefore, notAfter := ca.capLifetime(params.TTL, x509CA.Certificate.NotAfter)
 
-	x509SVID, err := signX509SVID(ca.c.TrustDomain, x509CA, params, notBefore, notAfter)
+	x509SVID, err := signX509SVID(ca.c.TrustDomain, x509CA, params, notBefore, notAfter, ca.c.OmitX509SVIDUID)
 	if err != nil {
 		return nil, err
 	}
@@ -279,7 +281,7 @@ func (ca *CA) capLifetime(ttl time.Duration, expirationCap time.Time) (notBefore
 	return notBefore, notAfter
 }
 
-func signX509SVID(td spiffeid.TrustDomain, x509CA *X509CA, params X509SVIDParams, notBefore, notAfter time.Time) ([]*x509.Certificate, error) {
+func signX509SVID(td spiffeid.TrustDomain, x509CA *X509CA, params X509SVIDParams, notBefore, notAfter time.Time, omitUID bool) ([]*x509.Certificate, error) {
 	if x509CA == nil {
 		return nil, errs.New("X509 CA is not available for signing")
 	}
@@ -294,9 +296,18 @@ func signX509SVID(td spiffeid.TrustDomain, x509CA *X509CA, params X509SVIDParams
 		return nil, err
 	}
 
-	// In case subject is provided use it
 	if params.Subject.String() != "" {
 		template.Subject = params.Subject
+	} else {
+		template.Subject = pkix.Name{
+			Country:      []string{"US"},
+			Organization: []string{"SPIRE"},
+		}
+	}
+
+	// Append the unique ID to the subject, unless disabled
+	if !omitUID {
+		template.Subject.ExtraNames = append(template.Subject.ExtraNames, x509svid.UniqueIDAttribute(params.SpiffeID))
 	}
 
 	// Explicitly set the AKI on the signed certificate, otherwise it won't be