Merge pull request #2129 from openziti/fix.2084.construct.enrollment.…

…chains.from.config

fixes #2084 enrollment chains built from config certs

controller/config/config.go

@@ -23,6 +23,7 @@ import (
 	"encoding/pem"
 	"fmt"
 	"github.com/michaelquigley/pfxlog"
+	nfpem "github.com/openziti/foundation/v2/pem"
 	"github.com/openziti/identity"
 	"github.com/openziti/ziti/controller/command"
 	"github.com/pkg/errors"
@@ -101,6 +102,7 @@ type Config struct {
 	caPemsOnce      sync.Once
 	Totp            Totp
 	AuthRateLimiter command.AdaptiveRateLimiterConfig
+	caCerts         []*x509.Certificate
 }
 
 type HttpTimeouts struct {
@@ -133,22 +135,31 @@ func (c *Config) SessionTimeoutDuration() time.Duration {
 
 func (c *Config) CaPems() []byte {
 	c.caPemsOnce.Do(func() {
-		c.RefreshCaPems()
+		c.RefreshCas()
 	})
 
 	return c.caPems.Bytes()
 }
 
+func (c *Config) CaCerts() []*x509.Certificate {
+	c.caPemsOnce.Do(func() {
+		c.RefreshCas()
+	})
+
+	return c.caCerts
+}
+
 // AddCaPems adds a byte array of certificates to the current buffered list of CAs. The certificates
-// should be in PEM format separated by new lines. RefreshCaPems should be called after all
+// should be in PEM format separated by new lines. RefreshCas should be called after all
 // calls to AddCaPems are completed.
 func (c *Config) AddCaPems(caPems []byte) {
 	c.caPems.WriteString("\n")
 	c.caPems.Write(caPems)
 }
 
-func (c *Config) RefreshCaPems() {
+func (c *Config) RefreshCas() {
 	c.caPems = CalculateCaPems(c.caPems)
+	c.caCerts = nfpem.PemBytesToCertificates(c.caPems.Bytes())
 }
 
 func (c *Config) loadTotpSection(edgeConfigMap map[any]any) error {

controller/model/enrollment_manager.go

@@ -21,6 +21,7 @@ import (
 	"fmt"
 	"github.com/michaelquigley/pfxlog"
 	"github.com/openziti/foundation/v2/errorz"
+	"github.com/openziti/identity"
 	"github.com/openziti/storage/boltz"
 	"github.com/openziti/ziti/common/cert"
 	"github.com/openziti/ziti/common/eid"
@@ -218,23 +219,26 @@ func (self *EnrollmentManager) ReplaceWithAuthenticator(enrollmentId string, aut
 // GetCertChainPem parses a given certificate in raw DER and attempt to provide string in PEM format of the
 // original certificate followed by each signing intermediate up to but not including the root CA.
 func (self *EnrollmentManager) GetCertChainPem(certRaw []byte) (string, error) {
-	clientCert, err := x509.ParseCertificate(certRaw)
+	targetCert, err := x509.ParseCertificate(certRaw)
 	if err != nil {
 		pfxlog.Logger().WithError(err).Error("error parsing cert raw during enrollment, attempting to assemble chain")
 		return "", err
 	}
 
-	var clientChainPem []byte
-	clientChain := self.env.GetHostController().Identity().CaPool().GetChainMinusRoot(clientCert)
-	for _, c := range clientChain {
+	var targetChainPem []byte
+
+	pool := identity.NewCaPool(self.env.GetConfig().CaCerts())
+	targetChain := pool.GetChainMinusRoot(targetCert)
+
+	for _, c := range targetChain {
 		pemData, err := cert.RawToPem(c.Raw)
 		if err != nil {
 			return "", err
 		}
-		clientChainPem = append(clientChainPem, pemData...)
+		targetChainPem = append(targetChainPem, pemData...)
 	}
 
-	return string(clientChainPem), nil
+	return string(targetChainPem), nil
 }
 
 func (self *EnrollmentManager) ApplyReplaceEncoderWithAuthenticatorCommand(cmd *ReplaceEnrollmentWithAuthenticatorCmd, ctx boltz.MutateContext) error {

controller/server/client-api.go

@@ -68,7 +68,7 @@ func (factory ClientApiFactory) Validate(config *xweb.InstanceConfig) error {
 		}
 	}
 
-	factory.appEnv.Config.RefreshCaPems()
+	factory.appEnv.Config.RefreshCas()
 
 	if !clientApiFound {
 		return errors.Errorf("could not find [edge.api.address] value [%s] as a bind point any instance of ApiConfig [%s]", factory.appEnv.Config.Api.Address, controller.ClientApiBinding)