/pki/root/sign-self-issued doesn't allow cross-signing CA roots with different key type

[banks]

Describe the bug

In Consul Connect we use sign-self-issued to cross-sign another CA root when transitioning between CAs. If the Vault root is using a different Key type to the new CA root it's cross signing, this endpoint will not allow the signing to take place.

Example response body:

* 1 error occurred:
    * error signing self-issued certificate: x509: requested SignatureAlgorithm does not match private key type

I think this is a bug in that it makes this legitimate operation impossible as far as I can see from the code and testing, but there are some subtleties.

It seems to stem from the slightly confusing API of x509.CreateCertificate where you pass it a populated x509.Certificate as a "template". In the case of this endpoint, the certificate to be signed is presumably self-consistent already (i.e. it's SignatureAlgorithm will match the algorithm it used to sign itself with it's own key). But by passing this cert as the template when signing it with the Vault key, we are actually attempting to force x509.CreateCertificate to use the same signature algorithm which will fail if the signing key type is not compatible.

I've considered passing an invalidly doctored certificate that has the SignatureAlgorithm set to the target Vault key type but this is actually hard without re-implementing a bunch of asn1 encoding details from the x509 lib. My feeling is that even if it worked it's a horrible hack because it would result in passing a certificate PEM that is totally invalid and unable to be verified itself (since its SignatureAlgorithm field wouldn't match the actual signature).

I think the correct behaviour here would be to explicitly zero the SignatureAlgorithm field from the certificate "template" passed in here:

vault/builtin/logical/pki/path_root.go

Line 432 in 34fd106

newCert, err := x509.CreateCertificate(rand.Reader, cert, signingBundle.Certificate, cert.PublicKey, signingBundle.PrivateKey)

If that field is zero, x509 will pick the correct algorithm based on the private key used to sign.

In the built-in Consul CA we explicitly override the SignatureAlgorithm coming from cross-signed CAs or CSRs to match the signing key type although zeroing should have the same effect.

To Reproduce
Steps to reproduce the behavior:

1. Create a vault PKI root with an RSA 2048 key
2. Generate a separate self-signed root with an EC key via some means
3. Submit the EC root to /pki/root/sign-self-issued to be signed. Observe error as noted above.

Expected behavior
Root should be signed using the correct algorithm for the configured private key. In the example above, the EC root should be cross-signed with Vault root's RSA key and x509.SHA256WithRSA.

Environment:

• Vault Server Version (retrieve with vault status):
  Vault v1.2.3 ('c14bd9a2b1d2c20f15b9f93f5c2d487507bb8a2f+CHANGES')
• Vault CLI Version (retrieve with vault version):
  Vault v1.2.3 ('c14bd9a2b1d2c20f15b9f93f5c2d487507bb8a2f+CHANGES')
• Server Operating System/Architecture:
  macOS (dev testing)

[briankassouf]

@banks This should be fixed by #12514. Going to close this issue, but feel free to re-open if you're still seeing issues.