
Heimdall rejects valid CA-issued certificate configured for JWT finalizer #1899

Closed
3 tasks done
dadrus opened this issue Oct 16, 2024 · 0 comments
Labels
bug Something isn't working

Comments


dadrus commented Oct 16, 2024

Preflight checklist

  • I agree to follow this project's Code of Conduct.
  • I have read and am following this repository's Contribution Guidelines.
  • I could not find a solution in the existing issues, docs, nor discussions.

Describe the bug

When configuring a JWT finalizer in heimdall, it requires the key material in a PEM file for creating signatures. If the PEM file contains a certificate issued by a CA, along with a certificate chain of more than two certificates (e.g., the signing certificate, the CA certificate, and a Root CA certificate), heimdall fails to load the PEM file and returns a certificate validation error.

How can the bug be reproduced

  1. Create a PEM file with a key and a longer certificate chain (e.g. by setting up a PKI using OpenSSL)
  2. Create a configuration file for heimdall with a mechanism catalogue consisting of an anonymous authenticator and a jwt finalizer.
  3. Create a default rule, which makes use of both mechanisms from above
  4. Start heimdall with that config file

Relevant log output

2024-10-16T11:32:13+02:00 ERR Failed loading finalizer definitions error="configuration error: configured certificate cannot be used for JWT signing purposes: certificate validation error: for certificate with DN='CN=Test EE 1,O=Test,C=EU' and SN=1: x509: certificate signed by unknown authority"

Relevant configuration

mechanisms:
  authenticators:
    - id: anonymous
      type: anonymous
    - id: deny
      type: unauthorized
  finalizers:
    - id: jwt
      type: jwt
      config:
        signer:
          key_store:
            path: keys.pem

default_rule:
  execute:
    - authenticator: anonymous
    - finalizer: jwt

Version

0.15.0

On which operating system are you observing this issue?

Linux

In which environment are you deploying?

None

Additional Context

There is a workaround available: If the root CA certificate is added to heimdall's trust store, the certificate is accepted.
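The failure and the workaround described in this report, as an added Go example (not heimdall's own code): BuildChain constructs a three-certificate chain in memory with constructed names (not the reporter's PKI), and VerifyChain validates the signing certificate against an explicit trust store, so an empty store reproduces the "certificate signed by unknown authority" error and adding the root to the store makes validation succeed. The function names issue, BuildChain and VerifyChain are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs tmpl with parentKey (pass the template itself as parent to self-sign).
func issue(tmpl, parent *x509.Certificate, key, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der) // DER was produced by the library, so it parses
	return c
}

// BuildChain constructs in memory the chain the report describes: signing certificate,
// issuing CA and self-signed root, returned in key-file order (signing cert first).
func BuildChain() []*x509.Certificate {
	tmpl := func(sn int64, cn string, ca bool, ku x509.KeyUsage) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(sn), Subject: pkix.Name{CommonName: cn},
			NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
			IsCA: ca, BasicConstraintsValid: true, KeyUsage: ku}
	}
	newKey := func() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }
	rootKey, caKey, eeKey := newKey(), newKey(), newKey() // constructed test keys
	rootTmpl := tmpl(1, "Test Root CA", true, x509.KeyUsageCertSign)
	root := issue(rootTmpl, rootTmpl, rootKey, rootKey)
	ca := issue(tmpl(2, "Test Issuing CA", true, x509.KeyUsageCertSign), root, caKey, rootKey)
	ee := issue(tmpl(3, "Test EE 1", false, x509.KeyUsageDigitalSignature), ca, eeKey, caKey)
	return []*x509.Certificate{ee, ca, root}
}

// VerifyChain validates the signing certificate (bundle[0]); the other bundle certificates
// serve only as intermediates, so trust comes solely from the configured trust store.
func VerifyChain(bundle []*x509.Certificate, trust *x509.CertPool) error {
	inters := x509.NewCertPool()
	for _, c := range bundle[1:] {
		inters.AddCert(c)
	}
	_, err := bundle[0].Verify(x509.VerifyOptions{Roots: trust, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}
```

With an empty trust store the root in the file is never treated as an anchor, which is the reported error; adding the root to the store is exactly the workaround above.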
