Fix cryptographic certificates for post go 1.19 #3161
- What I did
Go 1.19 changed the way cryptographic certificates were verified, which broke a certain edge case of root CA rotation. This edge case is now disallowed.
- How I did it
As of Go 1.19, the logic for certificate trust chain validation changed, and a chain including two certs with the same key will not validate. This case would usually occur when reissuing the same cert with a later expiration date. Because of this validation failure, our root rotation algorithm fails. While it might be possible to adjust the rotation procedure to accommodate such a cert change, it is somewhat of an edge case, and, more importantly, we do not currently possess the cryptographic expertise to safely make such a change. So, as a result, this operation is disallowed. The new root cert must have a new key.
- How to test it
Test changes within.
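
The rule stated in the description (the new root cert must have a new key) can be expressed as a pre-rotation check. The following is an added example, not code from this pull request or its project; `ReusesRootKey`, `must`, `selfSigned`, `RotationResults` and the sample certificates are hypothetical and constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ReusesRootKey (hypothetical helper) reports whether newRoot carries the same
// public key as oldRoot, e.g. the same cert reissued with a later expiry.
func ReusesRootKey(oldRoot, newRoot *x509.Certificate) bool {
	return bytes.Equal(oldRoot.RawSubjectPublicKeyInfo, newRoot.RawSubjectPublicKeyInfo)
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// selfSigned builds a constructed sample root CA for the given key and lifetime.
func selfSigned(key *ecdsa.PrivateKey, serial int64, life time.Duration) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: "example-root"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(life),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der))
}

// RotationResults checks a same-key reissue and a re-keyed root against one old root.
func RotationResults() (reissued, rekeyed bool) {
	k1 := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	k2 := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	old := selfSigned(k1, 1, 24*time.Hour)
	return ReusesRootKey(old, selfSigned(k1, 2, 48*time.Hour)),
		ReusesRootKey(old, selfSigned(k2, 3, 48*time.Hour))
}

func main() {
	fmt.Println(RotationResults())
}
```

A rotation request for which `ReusesRootKey` returns true would be rejected before any trust chain is built.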