
Cannot issue intermediates from cross-signed intermediate due to error validating chain #28749

Open
lboynton opened this issue Oct 22, 2024 · 0 comments
Labels
bug Used to indicate a potential bug reproduced This issue has been reproduced by a Vault engineer secret/pki

lboynton commented Oct 22, 2024

Describe the bug
I've followed the Build your own CA tutorial, and set up a cross-signed intermediate using a new root. In the tutorial this involves setting the manual_chain attribute on both the existing and cross-signed intermediate so that when new intermediate or leaf certs are issued, the chain includes the multiple trust paths to both roots.

The problem comes if you want to issue a new intermediate from an intermediate that has multiple trust paths. The following error occurs when attempting to sign a CSR using an intermediate with multiple trust paths:

```
vault write -format=json pki_int/issuer/xc-example-dot-com-intermediate/sign-intermediate \
     csr=@pki_intermediate_two.csr \
     format=pem_bundle ttl="43800h" \
     | jq -r '.data.certificate' > intermediate_two.cert.pem
Error writing data to pki_int/issuer/xc-example-dot-com-intermediate/sign-intermediate: Error making API request.

URL: PUT http://127.0.0.1:8200/v1/pki_int/issuer/xc-example-dot-com-intermediate/sign-intermediate
Code: 500. Errors:

* 1 error occurred:
	* verification of parsed bundle failed: certificate 2 of certificate chain ca trust path is incorrect ("example.com Intermediate Authority"/"example.com Intermediate Authority") (7FF8A6666B32CCD3E87669EC99D60104943D8B6D/B2C40D49346490E05B2044C8B1CD88B5B76A1168)
```

Reading the code that verifies the chain, it looks like it only handles a single trust path:

```go
// Excerpt of Vault's chain verification as quoted in the report: certPath[0] is the issued
// certificate and the loop assumes certPath[i+1] is the one and only issuer of certPath[i].
for i, caCert := range certPath[1:] {
	if !caCert.Certificate.IsCA {
		return fmt.Errorf("certificate %d of certificate chain is not a certificate authority", i+1)
	}
	if !bytes.Equal(certPath[i].Certificate.AuthorityKeyId, caCert.Certificate.SubjectKeyId) {
		return fmt.Errorf("certificate %d of certificate chain ca trust path is incorrect (%q/%q) (%X/%X)",
			i+1,
			certPath[i].Certificate.Subject.CommonName, caCert.Certificate.Subject.CommonName,
			certPath[i].Certificate.AuthorityKeyId, caCert.Certificate.SubjectKeyId)
	}
}
```

To Reproduce
Steps to reproduce the behavior:

  1. Follow the build your own CA tutorial, specifically steps 1, 2, 3, 7 and 9. It's important that you set the manual_chain attribute by running:
     ```
     vault patch pki_int/issuer/xc-example-dot-com-intermediate \
         manual_chain=self,"$(vault read -field=default pki_int/config/issuers)"
     ```
  2. Enable a new pki secrets engine: `vault secrets enable -path=pki_int_two pki`
  3. Tune the secrets engine: `vault secrets tune -max-lease-ttl=43800h pki_int_two`
  4. Generate an intermediate CSR:
     ```
     vault write -format=json pki_int_two/intermediate/generate/internal \
          common_name="example.com Intermediate Two Authority" \
          issuer_name="example-dot-com-intermediate-two" \
          | jq -r '.data.csr' > pki_intermediate_two.csr
     ```
  5. Sign the intermediate certificate:
     ```
     vault write -format=json pki_int/issuer/xc-example-dot-com-intermediate/sign-intermediate \
          csr=@pki_intermediate_two.csr \
          format=pem_bundle ttl="43800h" \
          | jq -r '.data.certificate' > intermediate_two.cert.pem
     ```

Expected behavior
The sign-intermediate command should sign the new intermediate.

Instead we get `verification of parsed bundle failed: certificate 2 of certificate chain ca trust path is incorrect`.

Environment:

  • Vault Server Version (retrieve with vault status): 1.16.11 (but also reproduced with main branch, currently 1.19.0-beta1)
  • Vault CLI Version (retrieve with vault version): 1.17.3
  • Server Operating System/Architecture: Linux/MacOS
@miagilepner miagilepner added secret/pki reproduced This issue has been reproduced by a Vault engineer bug Used to indicate a potential bug labels Oct 22, 2024
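The single-trust-path assumption in the quoted loop, as an added example that is not part of this issue or of Vault's code: it builds the tutorial's topology with Go's crypto/x509 (two self-signed roots, one intermediate key certified by both roots, and a new intermediate issued through the cross-signed issuer), runs the quoted check over a manual_chain-style bundle, and then lets crypto/x509 build every path to a root instead. The names Root A and Root B, the serials, the bundle order and the assumption that the cross-sign reuses the intermediate's key are constructed here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issueCA signs a CA cert for cn with key (fresh when nil) under parent/parentKey; nil parent = self-signed root.
// For CA certs Go fills SubjectKeyId from the key and AuthorityKeyId from the parent's SKI, the fields the check compares.
func issueCA(cn string, serial int64, key, parentKey ed25519.PrivateKey, parent *x509.Certificate) (*x509.Certificate, ed25519.PrivateKey) {
	if key == nil { _, key, _ = ed25519.GenerateKey(rand.Reader) }
	tpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil { parent, parentKey = tpl, key }
	der, err := x509.CreateCertificate(rand.Reader, tpl, parent, key.Public(), parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// LinearCheck is the loop quoted in the issue: it assumes certPath[i+1] is the issuer of certPath[i].
func LinearCheck(certPath []*x509.Certificate) error {
	for i, ca := range certPath[1:] {
		if !ca.IsCA || string(certPath[i].AuthorityKeyId) != string(ca.SubjectKeyId) {
			return fmt.Errorf("certificate %d of certificate chain ca trust path is incorrect (%q/%q)", i+1, certPath[i].Subject.CommonName, ca.Subject.CommonName)
		}
	}
	return nil
}
// TrustPaths counts every chain from bundle[0] to a self-signed root, using the rest of the bundle as the pool.
func TrustPaths(bundle []*x509.Certificate) (int, error) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range bundle[1:] {
		if c.CheckSignatureFrom(c) == nil { roots.AddCert(c) } else { inters.AddCert(c) }
	}
	chains, err := bundle[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return len(chains), err
}
// Scenario (constructed): roots A and B, one intermediate key certified by both (the cross-sign), and a new
// intermediate issued through the cross-signed issuer; bundle order follows manual_chain=self,<original issuer>.
func Scenario() []*x509.Certificate {
	rootA, kA := issueCA("Root A", 1, nil, nil, nil)
	rootB, kB := issueCA("Root B", 2, nil, nil, nil)
	origInt, kI := issueCA("example.com Intermediate Authority", 3, nil, kA, rootA)
	xcInt, _ := issueCA("example.com Intermediate Authority", 4, kI, kB, rootB)
	newInt, _ := issueCA("example.com Intermediate Two Authority", 5, nil, kI, xcInt)
	return []*x509.Certificate{newInt, xcInt, origInt, rootB, rootA}
}
```

On the five-certificate bundle LinearCheck stops at certificate 2 with the same message as the report, while TrustPaths finds two valid chains (via Root A and via Root B); on a plain three-certificate chain both agree.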