Description
Goldmane and Whisker currently issue or accept certificates with overly broad Extended Key Usage (EKU) fields. EKU is normally a non-critical extension used for fine-grained control of what a certificate may be used for, but from a security and compliance standpoint a certificate that claims more than one role is ambiguous and may fail compliance audits or policy checks.
Specifically, both components include both the server and the client role in their EKU, even where a single role should be enforced.
Expected Behavior
Goldmane should only permit:
```
X509v3 extensions:
    X509v3 Key Usage: critical
        Digital Signature, Key Encipherment
    X509v3 Extended Key Usage:
        TLS Web Server Authentication
```
Whisker should only permit:
```
X509v3 extensions:
    X509v3 Key Usage: critical
        Digital Signature, Key Encipherment
    X509v3 Extended Key Usage:
        TLS Web Client Authentication
```
Current Behavior
Goldmane:
```
X509v3 extensions:
    X509v3 Key Usage: critical
        Digital Signature, Key Encipherment
    X509v3 Extended Key Usage:
        TLS Web Server Authentication, TLS Web Server Authentication, TLS Web Client Authentication
```
Whisker-backend:
```
X509v3 extensions:
    X509v3 Key Usage: critical
        Digital Signature, Key Encipherment
    X509v3 Extended Key Usage:
        TLS Web Server Authentication, TLS Web Server Authentication, TLS Web Client Authentication
```
Possible Solution
Update the certificate generation logic or validate certs during bootstrap/init to ensure:
- Only relevant Extended Key Usage values are included (server for Goldmane, client for Whisker).
- Optionally, mark EKU as critical to enforce stricter interpretation by all consumers.
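As an added illustration of the bootstrap-time check proposed above (example code written for this issue, not Calico's own certificate logic): a Go function that parses a PEM certificate and accepts it only if its EKU extension contains exactly one entry matching the component's role. It rejects the duplicated-and-mixed shape shown under "Current Behavior" and accepts the single-role shape under "Expected Behavior". `SelfSignedPEM` is a constructed fixture that mints throwaway certificates so the check can be exercised offline; the names `CheckEKU`, `CheckEKUPEM` and `SelfSignedPEM` are assumptions of this example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// ekuName maps the two EKU values relevant here to the strings that
// `openssl x509 -text` prints, so error messages match the issue's output.
var ekuName = map[x509.ExtKeyUsage]string{
	x509.ExtKeyUsageServerAuth: "TLS Web Server Authentication",
	x509.ExtKeyUsageClientAuth: "TLS Web Client Authentication",
}

func describeEKU(ekus []x509.ExtKeyUsage) string {
	names := make([]string, 0, len(ekus))
	for _, e := range ekus {
		if n, ok := ekuName[e]; ok {
			names = append(names, n)
		} else {
			names = append(names, fmt.Sprintf("ExtKeyUsage(%d)", e))
		}
	}
	return strings.Join(names, ", ")
}

// CheckEKU enforces a single-role policy: the EKU extension must hold exactly
// one entry and that entry must be `want`. Duplicates, extra roles and unknown
// EKU OIDs all fail, so the mixed server+client shape is rejected.
func CheckEKU(cert *x509.Certificate, want x509.ExtKeyUsage) error {
	if len(cert.UnknownExtKeyUsage) > 0 {
		return fmt.Errorf("%q: %d unknown EKU OID(s) present",
			cert.Subject.CommonName, len(cert.UnknownExtKeyUsage))
	}
	if len(cert.ExtKeyUsage) != 1 || cert.ExtKeyUsage[0] != want {
		return fmt.Errorf("%q: EKU is [%s], want exactly [%s]",
			cert.Subject.CommonName, describeEKU(cert.ExtKeyUsage), ekuName[want])
	}
	return nil
}

// CheckEKUPEM is the bootstrap/init entry point: decode the PEM certificate the
// component was handed and apply CheckEKU before it starts serving or dialing.
func CheckEKUPEM(pemBytes []byte, want x509.ExtKeyUsage) error {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return errors.New("no CERTIFICATE PEM block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	return CheckEKU(cert, want)
}

// SelfSignedPEM is a constructed test fixture, not Calico's issuer: it mints a
// throwaway self-signed certificate with the given EKU list (written verbatim,
// duplicates included) and the Key Usage bits the issue shows.
func SelfSignedPEM(cn string, ekus []x509.ExtKeyUsage) []byte {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  ekus,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	broad := SelfSignedPEM("goldmane", []x509.ExtKeyUsage{
		x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth})
	fmt.Println("current shape:", CheckEKUPEM(broad, x509.ExtKeyUsageServerAuth))

	narrow := SelfSignedPEM("goldmane", []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth})
	fmt.Println("expected shape:", CheckEKUPEM(narrow, x509.ExtKeyUsageServerAuth))
}
```

Goldmane would call `CheckEKUPEM(certPEM, x509.ExtKeyUsageServerAuth)` and Whisker `CheckEKUPEM(certPEM, x509.ExtKeyUsageClientAuth)`; either component then refuses to start on a certificate that carries the other role, which is the audit-visible guarantee the issue asks for.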
Steps to Reproduce (for bugs)
Download the certificate and open it.
Context
After trying the Goldmane manifest installation I noticed it.
Your Environment
- Calico version: v3.30.2
- Calico dataplane (bpf, nftables, iptables, windows etc.): N/A
- Orchestrator version (e.g. kubernetes, openshift, etc.): k3s
- Operating System and version: N/A
- Link to your project (optional): projectcalico.org :D