-
-
Notifications
You must be signed in to change notification settings - Fork 608
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ceremony: Distinguish between intermediate and cross-sign ceremonies #7005
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
If any of OCSPURL, CRLURL, or IssuingCertificateURL are present in the parent certificate, should we either use that over the values provided in the config file, perform an equality check, or just leave this section alone and only configure it via the config file? |
pgporada
changed the title
ceremony: Handle distinctions between intermediate and cross-sign ceremonies
ceremony: Distinguish between intermediate and cross-sign ceremonies
Jul 20, 2023
pgporada
force-pushed
the
ceremony-cross-cert-rework
branch
2 times, most recently
from
July 20, 2023 15:02
6e6037e
to
076abd3
Compare
…elds. Remove input for crossCert validation method
…nformative failure message
aarongable
reviewed
Aug 10, 2023
aarongable
previously approved these changes
Aug 16, 2023
Co-authored-by: Aaron Gable <[email protected]>
aarongable
approved these changes
Aug 22, 2023
beautifulentropy
approved these changes
Aug 23, 2023
pgporada
added a commit
that referenced
this pull request
Aug 31, 2023
Removes the SignatureAlgorithm field while constructing the lint issuer. Depending on the realIssuer, which could be either an intermediate or cross-signed intermediate, the SignatureAlgorithm of that certificate may differ from the root certificate that had signed it causing the following error during CA startup. ``` Starting service boulder-ca-a 16:49:29.437776 3 boulder-ca qM-tDQA [AUDIT] Couldn't load issuers: failed to create lint issuer: x509: requested SignatureAlgorithm does not match private key type ``` Related to work done in #7005. --------- Co-authored-by: Aaron Gable <[email protected]>
pgporada
added a commit
that referenced
this pull request
Jun 3, 2024
In #7005 several safety checks were added to the `ceremony` tool: This change extracts the `RawSubject` to `RawIssuer` DER byte comparison into the `//linter` package proper so that it can serve both `//ca` and `//cmd/ceremony`. Adds a helper function `verifyTBSCertificateDeterminism` to `//ca` similar to an existing check in `//cmd/ceremony`. This code is not shared because we want `//cmd/ceremony` to largely stand alone from boulder proper. The helper performs a byte comparison on the `RawTBSCertificate` DER bytes for a given linting certificate and leaf certificate. The goal is to verify that `x509.CreateCertificate` was deterministic and produced identical DER bytes after each signing operation. Fixes #6965
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
In
//cmd/ceremony
:CertificateToCrossSignPath
to thecross-certificate
ceremony type. This new input field takes an existing certificate that will be cross-signed and performs checks against the manually configured data in each ceremony file.//goodkey
package to all functions that generate new key material.In
//linter
:tbsCertificate
bytes can be compared against the final certificate'stbsCertificate
bytes as a verification thatx509.CreateCertificate
was deterministic and produced identical DER bytes after each signing operation.Other notable changes:
ECDSAForAll
inconfig-next
CA configs to match Staging.Fixes #7003