-
-
Notifications
You must be signed in to change notification settings - Fork 609
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow admin command to block key from a CSR file #7770
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: the test only covers one path through the new function: the signature is bad, but we're not checking it. It would be nice to have tests for a) the signature is good and we are checking it, and b) the signature is bad but we are checking it.
I worry a bit that it could be a foot gun. A CSR isn't always proof of control of a private key and this could trigger bad-key-revoker to revoke certificates without proof of key compromise. Perhaps we should check the subject for a particular set of phrases and require the CSR to have a subject that matches. Even better would be if the requestor used acme to revoke the certificate with proof of key compromise which already supports blocking of the key. EDIT: In a side discussion I was reminded that an operator has to use |
This case is tested already, I could add a "Signature is good" test too, and I can see value in that. |
It's important to have this sort of manual override, but I think it's also important to support human operators with as much automation as possible. I think this mode should have a second flag, Basically I agree with @andygabby's original take: this should have an additional guardrail on by default. Also, what do you think of audit-logging the CSR we relied on? And perhaps its parsed Subject for convenience? |
(I believe we're waiting for this PR to grow a "check the subject is an expected value" flag, which @jsha indicated he would contribute.) |
Also audit logging of the CSR too. I have other things to do today but could get to this tomorrow. |
One format we receive key compromise reports is as a CSR file. For example, from https://pwnedkeys.com/revokinator
This allows the admin command to block a key from a CSR directly, instead of needing to validate it manually and get the SPKI or key from it.
I've added a flag (default true) to check the signature on the CSR, in case we ever decide we want to block a key from a CSR with a bad signature for whatever reason.