OCPBUGS-45290: Block Upgrades for SHA1 Intermediate Certs

Previously, upgrades were blocked for SHA1 leaf certificates, while
SHA1 root CA certificates were allowed. However, SHA1 intermediate
certificates, are also rejected in 4.16.

This update adds the `UnservableInFutureVersions` condition when a
route's `spec.tls.caCertificate` includes an intermediate certificate
with SHA1. This blocks upgrades using the admin-ack mechanism.

Author: gcs278

pkg/router/routeapihelpers/validation.go

@@ -411,5 +411,26 @@ func UpgradeRouteValidation(route *routev1.Route) field.ErrorList {
 			result = append(result, field.Invalid(tlsCertFieldPath, "redacted certificate data", message))
 		}
 	}
+
+	if len(tlsConfig.CACertificate) > 0 {
+		certs, err := cert.ParseCertsPEM([]byte(tlsConfig.CACertificate))
+		if err != nil {
+			// Handling cert parsing errors, like malformed or invalid certs, isn't necessary here,
+			// as the ExtendedValidator plugin is responsible for handling these errors.
+			return result
+		}
+
+		for _, cert := range certs {
+			// Only intermediate CAs are affected, not root CAs.
+			if cert.IsCA && cert.BasicConstraintsValid && cert.Issuer.CommonName != cert.Subject.CommonName {
+				if cert.SignatureAlgorithm == x509.SHA1WithRSA || cert.SignatureAlgorithm == x509.ECDSAWithSHA1 {
+					tlsCertFieldPath := field.NewPath("spec").Child("tls").Child("caCertificate")
+					message := "OpenShift 4.16 does not support intermediate CA certificates using SHA1 signature algorithms. This route will be rejected in OpenShift 4.16. To maintain functionality in OpenShift 4.16, generate a new certificate using a supported signature algorithm such as SHA256, SHA384, or SHA512, and update this route accordingly."
+					result = append(result, field.Invalid(tlsCertFieldPath, "redacted certificate data", message))
+				}
+			}
+		}
+	}
+
 	return result
 }