ceremony: Distinguish between intermediate and cross-sign ceremonies #7005
Merged
Conversation
If any of OCSPURL, CRLURL, or IssuingCertificateURL are present in the parent certificate, should we either use that over the values provided in the config file, perform an equality check, or just leave this section alone and only configure it via the config file?
pgporada changed the title from "ceremony: Handle distinctions between intermediate and cross-sign ceremonies" to "ceremony: Distinguish between intermediate and cross-sign ceremonies" on Jul 20, 2023
pgporada force-pushed the ceremony-cross-cert-rework branch 2 times, most recently from 6e6037e to 076abd3 on July 20, 2023 15:02
…elds. Remove input for crossCert validation method
…nformative failure message
aarongable reviewed Aug 10, 2023
aarongable previously approved these changes Aug 16, 2023
Co-authored-by: Aaron Gable <aaron@letsencrypt.org>
aarongable approved these changes Aug 22, 2023
beautifulentropy approved these changes Aug 23, 2023
pgporada added a commit that referenced this pull request on Aug 31, 2023:

Removes the SignatureAlgorithm field while constructing the lint issuer. Depending on the realIssuer, which could be either an intermediate or cross-signed intermediate, the SignatureAlgorithm of that certificate may differ from the root certificate that had signed it, causing the following error during CA startup.

```
Starting service boulder-ca-a 16:49:29.437776 3 boulder-ca qM-tDQA [AUDIT] Couldn't load issuers: failed to create lint issuer: x509: requested SignatureAlgorithm does not match private key type
```

Related to work done in #7005.

---------

Co-authored-by: Aaron Gable <aaron@letsencrypt.org>
pgporada added a commit that referenced this pull request on Jun 3, 2024:

In #7005 several safety checks were added to the `ceremony` tool:

- This change extracts the `RawSubject` to `RawIssuer` DER byte comparison into the `//linter` package proper so that it can serve both `//ca` and `//cmd/ceremony`.
- Adds a helper function `verifyTBSCertificateDeterminism` to `//ca` similar to an existing check in `//cmd/ceremony`. This code is not shared because we want `//cmd/ceremony` to largely stand alone from boulder proper. The helper performs a byte comparison on the `RawTBSCertificate` DER bytes for a given linting certificate and leaf certificate. The goal is to verify that `x509.CreateCertificate` was deterministic and produced identical DER bytes after each signing operation.

Fixes #6965
In //cmd/ceremony:

- CertificateToCrossSignPath to the cross-certificate ceremony type. This new input field takes an existing certificate that will be cross-signed and performs checks against the manually configured data in each ceremony file.
- //goodkey package to all functions that generate new key material.

In //linter:

- tbsCertificate bytes can be compared against the final certificate's tbsCertificate bytes as a verification that x509.CreateCertificate was deterministic and produced identical DER bytes after each signing operation.

Other notable changes:

- ECDSAForAll in config-next CA configs to match Staging.

Fixes #7003
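The two DER byte checks described in the PR description and in the Jun 3, 2024 commit message (RawSubject against RawIssuer, and lint-certificate tbsCertificate bytes against final-certificate tbsCertificate bytes), as an added example in Go that is not Boulder's own code. It builds a real ECDSA P-256 issuer and a throwaway lint issuer that copies the real issuer's Subject DER and Subject Key Identifier, signs one leaf template with each, and compares the raw bytes. It also reproduces the CA startup failure quoted in the Aug 31, 2023 commit by leaving an RSA SignatureAlgorithm on a lint issuer template that is signed with an ECDSA key. Every name here (mustKey, parse, newIssuer, verifyLintAgainstFinal, LintThenSign, CopiedSigAlgError), the subjects, the validity windows and the key identifier are assumptions for illustration, not identifiers from the project.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mustKey generates an ECDSA key on curve; entropy failure is fatal.
func mustKey(curve elliptic.Curve) *ecdsa.PrivateKey {
	key, err := ecdsa.GenerateKey(curve, rand.Reader)
	if err != nil {
		panic(err)
	}
	return key
}

// parse turns x509.CreateCertificate's (der, err) result into a parsed certificate.
func parse(der []byte, err error) (*x509.Certificate, error) {
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// newIssuer builds a self-signed CA for key. A non-nil rawSubject is copied verbatim
// so the lint twin's Subject DER matches the real issuer's; an unsuitable sigAlg fails.
func newIssuer(key *ecdsa.PrivateKey, rawSubject []byte, sigAlg x509.SignatureAlgorithm) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Intermediate"}, // constructed
		RawSubject:            rawSubject,
		SubjectKeyId:          []byte{0x01, 0x02, 0x03, 0x04}, // constructed; shared by both issuers
		SignatureAlgorithm:    sigAlg,
		NotBefore:             time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC),
		NotAfter:              time.Date(2034, 1, 1, 0, 0, 0, 0, time.UTC),
		IsCA:                  true,
		BasicConstraintsValid: true,
	}
	return parse(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
}

// verifyLintAgainstFinal runs the page's two DER byte checks: final RawIssuer
// equals parent RawSubject, and lint and final RawTBSCertificate are identical.
func verifyLintAgainstFinal(lint, final, parent *x509.Certificate) error {
	if !bytes.Equal(final.RawIssuer, parent.RawSubject) {
		return fmt.Errorf("final RawIssuer differs from parent RawSubject")
	}
	if !bytes.Equal(lint.RawTBSCertificate, final.RawTBSCertificate) {
		return fmt.Errorf("lint and final tbsCertificate DER differ")
	}
	return nil
}

// LintThenSign signs one leaf template with a throwaway lint issuer built on
// lintKey, then with a real ECDSA P-256 issuer, and runs the checks.
func LintThenSign(lintKey *ecdsa.PrivateKey) error {
	realKey := mustKey(elliptic.P256())
	realIssuer, err := newIssuer(realKey, nil, x509.UnknownSignatureAlgorithm)
	if err != nil {
		return err
	}
	// Lint twin: same Subject DER and SKI, signed by lintKey; sigAlg left unset so Go derives it from lintKey.
	lintIssuer, err := newIssuer(lintKey, realIssuer.RawSubject, x509.UnknownSignatureAlgorithm)
	if err != nil {
		return err
	}
	leafPub := &mustKey(elliptic.P256()).PublicKey
	tmpl := &x509.Certificate{ // constructed leaf
		SerialNumber: big.NewInt(42),
		Subject:      pkix.Name{CommonName: "example.test"},
		NotBefore:    time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC),
		NotAfter:     time.Date(2024, 4, 1, 0, 0, 0, 0, time.UTC),
	}
	lintCert, err := parse(x509.CreateCertificate(rand.Reader, tmpl, lintIssuer, leafPub, lintKey))
	if err != nil {
		return err
	}
	finalCert, err := parse(x509.CreateCertificate(rand.Reader, tmpl, realIssuer, leafPub, realKey))
	if err != nil {
		return err
	}
	return verifyLintAgainstFinal(lintCert, finalCert, realIssuer)
}

// CopiedSigAlgError reproduces the CA startup failure quoted above: a lint issuer
// template that inherited an RSA SignatureAlgorithm, signed with an ECDSA key.
func CopiedSigAlgError() error {
	_, err := newIssuer(mustKey(elliptic.P256()), nil, x509.SHA256WithRSA)
	return err
}
```

LintThenSign(mustKey(elliptic.P256())) returns nil: with matching key types, the same template, the same issuer DER and the same key identifier, Go's x509.CreateCertificate emits identical to-be-signed bytes under both keys, so the linted bytes are the signed bytes. LintThenSign(mustKey(elliptic.P384())) returns the tbsCertificate mismatch error even though every template field is identical, because the tbsCertificate carries the signature AlgorithmIdentifier and Go derives ECDSAWithSHA384 from a P-384 key; the throwaway lint key therefore has to match the real key's algorithm and, for ECDSA, its curve. CopiedSigAlgError returns "x509: requested SignatureAlgorithm does not match private key type", which is the reason the Aug 31 commit stops copying SignatureAlgorithm from the real issuer into the lint issuer template.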