feat!(stackable-certs): Use builder pattern and support SAN entries

[sbernauer]

Description

Needed for CRD conversions, as the apiserver needs to trust our cert

Current example code

let ca = CertificateAuthority::builder_with_ecdsa()
    .build()
    .expect("failed to build CA");

let certificate = CertificateBuilder::builder()
    .subject("CN=trino-coordinator-default-0")
    .signed_by(&ca)
    .build()
    .expect("failed to build certificate");

Definition of Done Checklist

• Not all of these items are applicable to all PRs, the author should update this template to only leave the boxes in that are relevant
• Please make sure all these things are done and tick the boxes

# Author
- [ ] Changes are OpenShift compatible
- [ ] CRD changes approved
- [ ] Integration tests passed (for non trivial changes)

# Reviewer
- [ ] Code contains useful comments
- [ ] (Integration-)Test cases added
- [ ] Documentation added or updated
- [ ] Changelog updated
- [ ] Cargo.toml only contains references to git tags (not specific commits or branches)

# Acceptance
- [ ] Feature Tracker has been updated
- [ ] Proper release label has been added

[NickLarsenNZ]

Just commenting on a few things. Mostly thoughts.

[NickLarsenNZ]

This feels a little awkward to me. I'm not (yet) sure what the two build methods do differently?

It looks like the build() method still returns a builder, and build_ca() self-signs and returns a CertificateAuthority.

Point is, I don't find it intuitive and I think it should be.

[NickLarsenNZ]

I worked it out below, and recommended renaming the struct.

[NickLarsenNZ]

I think this should be:

Suggested change

	pub struct CertificateAuthorityBuilder<'a, SKP>
	pub struct CertificateAuthority<'a, SKP>

So when we call build(), we get back a CA and not a CA Builder.

Note, the Builder macro would otherwise generate CertificateAuthorityBuilderBuilder (ie: it generates the Builder, not us).

[NickLarsenNZ]

To illustrate further:

• CertificateAuthority::builder() -> CertificateAuthorityBuilder
• CertificateAuthorityBuilder::build() -> a valid CertificateAuthority

[NickLarsenNZ]

Oh, but we already have a struct: CertificateAuthority<SK> at

operator-rs/crates/stackable-certs/src/ca/mod.rs

Line 19 in 88d850d

pub struct CertificateAuthority<SK>

in my mind, that one should be the one that derives Builder. Otherwise we need to revise what each struct is, because the current CertificateAuthorityBuilder is not a builder (per previous message above).

[Techassi]

note: While we are at it, I think this should use expect instead. This subject name must always pass.

[sbernauer]

I think I tend to disagree here. My argumentation would be that stackable-certs doesn't know where the subject is coming from. It could be CN=<pod-name>, but maybe also a certificate we issue for users (user-provided subject?), so they can connect to e.g. mTLS Kafka.
Better safe than sorry I'd say

[Techassi]

suggestion: Rename the variant and adjust error message.

Suggested change

	#[snafu(display("The subject alternative DNS name \"{dns_name}\" is not a Ia5String"))]
	SaDnsNameNotAIa5String {
	dns_name: String,
	source: x509_cert::der::Error,
	},
	#[snafu(display("failed to parse subject alternative name {subject_alternative_name:?} as a Ia5 string"))]
	ParseSubjectAlternativeName {
	subject_alternative_name: String,
	source: x509_cert::der::Error,
	},

[sbernauer]

Changed to

    #[snafu(display(
        "failed to parse subject alternative DNS name \"{subject_alternative_dns_name}\" as a Ia5 string"
    ))]
    ParseSubjectAlternativeDnsName {
        subject_alternative_dns_name: String,
        source: x509_cert::der::Error,
    },

in 8f86a93

[Techassi]

note: This is an internal detail we shouldn't allow being customized by the user of this library. I'm sure there is something like

Suggested change

	/// Serial number of the generated certificate.
	///
	/// If not specified a random serial will be generated.
	serial_number: Option<u64>,
	/// Serial number of the generated certificate.
	#[builder(skip)]
	serial_number: Option<u64>,

[NickLarsenNZ]

Agreed. On that topic, if we want to have proper CAs... then serial should increment.
So, if we restore a CA (eg: on startup, read from a secret to get the CA keypair), we also need information for the certs that have been issued (not by reading available signed certs, since they might be gone already). We basically need an atomic counter.

I'm not 100% certain of the downside if we just always issue the same version though.

[sbernauer]

I copied the builder to mimic the current api, in which users can specify the serial:

operator-rs/crates/stackable-certs/src/ca/mod.rs

Line 196 in e0309b9

pub fn new_with(signing_key_pair: S, serial_number: u64, validity: Duration) -> Result<Self> {

secret-op generates random serials for cas and certs (https://github.com/stackabletech/secret-operator/blob/00909cfb92e61539a4baab9190235cd33b33a61b/rust/operator-binary/src/backend/tls/ca.rs#L258 and https://github.com/stackabletech/secret-operator/blob/00909cfb92e61539a4baab9190235cd33b33a61b/rust/operator-binary/src/backend/tls/mod.rs#L306), this seems to be fine.
I will update the PR to not let users choose the serial

[sbernauer]

e9e8bac

[Techassi]

note: I would like to see the same high-level functions to create a RSA or ECDSA based CA.

[sbernauer]

Added in fd19a03

[Techassi]

note: Compared to these docs, the current docs lack in depth and technical explanations. I've spent a significant amount of time on these and would like to see them carried over to the new implementation as complete as possible.

[sbernauer]

I tried carrying over everything that is still relevant: 1322779

[Techassi]

note: Again, I would like this to be an internal details not exposed to the user.

[sbernauer]

Same as #1044 (comment)

[Techassi]

note: This should be part of the .build() method on the CertificateBuilder.

[Techassi]

praise: Thank you for adding this.

note: This should be a hard error instead.

[sbernauer]

3d3e0c1

[Techassi]

suggestion: I would just go with

Suggested change

	/// Optional list of subject alternative names (SAN) DNS entries,
	/// that are added to the certificate.
	#[builder(default)]
	subject_alterative_dns_names: &'a [&'a str],
	/// Optional list of subject alternative names (SAN) DNS entries,
	/// that are added to the certificate.
	#[builder(default)]
	subject_alterative_names: &'a [&'a str],

[Techassi]

Also, there is no value in carrying this as &str. They need to be converted into owned values below anyway. The API should reflect that to not hide (possibly) unexpected cloning/allocation.

[NickLarsenNZ]

Do we want to allow for more things, like IP's, email addresses, etc... (just so we avoid premature restrictions)?

[nightkr]

Secret-op already does IP SANs, so yes.

[sbernauer]

Oh I misread, I though @nightkr requested to support IPs... I added support for that in 8f86a93 🙈

But as this is a builder I prefer to have a function to add DNs names and one to add IP addresses instead of passing a list of enums (which we first need to introduce).

Regarding the allocation, I see the point that this allocates. On the other hand I prefer the simple api, so that not every caller needs to deal with der::asn1::ia5_string::allocation::Ia5String

[nightkr]

Oh I misread, I though @nightkr requested to support IPs... I added support for that in 8f86a93 🙈

I was. (At least from the perspective of "if we want to use it for secret-op at some point".)

[Techassi]

note: Please flatten this a little bit. I'm not a huge fan of these nested code snippets.

[sbernauer]

The best I could come up was changing

        let san_dns = self.subject_alterative_dns_names.iter().map(|dns_name| {
            Ok(GeneralName::DnsName(
                Ia5String::new(dns_name).with_context(|_| ParseSubjectAlternativeDnsNameSnafu {
                    subject_alternative_dns_name: dns_name.to_string(),
                })?,
            ))
        });

to

        let san_dns = self.subject_alterative_dns_names.iter().map(
            |dns_name| -> Result<_, CreateCertificateError<KP::Error>> {
                Ia5String::new(dns_name)
                    .with_context(|_| ParseSubjectAlternativeDnsNameSnafu {
                        subject_alternative_dns_name: dns_name.to_string(),
                    })
                    .map(GeneralName::DnsName)
            },
        );

Not sure if that really improves the situation