ceremony: Distinguish between intermediate and cross-sign ceremonies #7005

Merged
merged 56 commits into from
Aug 23, 2023
56 commits
076abd3
ceremony: Handle distinctions between intermediate and cross-sign cer…
pgporada Jul 19, 2023
8b5b434
Merge remote-tracking branch 'origin/main' into ceremony-cross-cert-r…
pgporada Jul 20, 2023
4163d40
Make a specific cross-cert profile and ceremony function
pgporada Jul 20, 2023
a7a1cfb
Add cross-cert config validation unit test
pgporada Jul 21, 2023
59c470b
Split linting certificate into separate function
pgporada Jul 24, 2023
21d737d
Don't throw away linting certificate bytes from //linter package
pgporada Jul 24, 2023
a91c75f
Extra validations on RawIssuer and RawSubject fields
pgporada Jul 25, 2023
881389a
More verifications
pgporada Jul 25, 2023
3fe4e96
Perform checks on root and intermediate ceremony too
pgporada Jul 25, 2023
21ed896
Wire up GoodKey checking
pgporada Jul 26, 2023
11638af
Fix self-signed root linting and move utility functions into cert.go
pgporada Jul 26, 2023
46fe904
Fix context lint warning by using an empty non-nil context
pgporada Jul 26, 2023
9c57814
intermediate and crossCert ceremony profiles should check the same fi…
pgporada Jul 26, 2023
09aa2f2
Add cross-certificate ceremonies integration tests
pgporada Jul 26, 2023
b50b22d
Use correct InputCertPath for cross sign ceremonies and output more i…
pgporada Jul 27, 2023
ab89802
Skip lints not relevant to cross-signed subordinate CAs
pgporada Jul 27, 2023
6786449
Remove arg from crossCert.validate
pgporada Jul 27, 2023
177461b
Add cross-signed intermediates to CA configs
pgporada Jul 27, 2023
454a4c0
Use term subordinate CA instead of intermediate
pgporada Jul 27, 2023
618bc0e
Add test cases for cross signed certs and update expected error messages
pgporada Jul 27, 2023
63a4cb7
Increase startup timeout and add additional log line about it
pgporada Jul 27, 2023
2a71a8d
Add function to load public key and do more testing
pgporada Jul 28, 2023
8a11f16
Fix cross-certificate generation for integration tests
pgporada Jul 28, 2023
6697bd5
Add cross-signed intermediates to the issuerCerts list
pgporada Jul 28, 2023
95cc539
Fix lints
pgporada Jul 28, 2023
4f404b7
Only need to serve the issuer chains from the WFE
pgporada Jul 31, 2023
9608749
Only create ECDSA cross-signed by an RSA root to match the 2023 ceremony
pgporada Jul 31, 2023
043a39c
Fix issuer ordering problem that doesn't exist in staging/prod
pgporada Aug 2, 2023
f9730d5
Remove redundant text
pgporada Aug 2, 2023
fdde489
Add helper functions to edit the running ECDSA allow list and to down…
pgporada Aug 2, 2023
fe0aed7
Integration test for cross-signed intermediates
pgporada Aug 2, 2023
3d67b19
Remove debug line
pgporada Aug 2, 2023
07475fa
Check that a client is served the expected certificate chains
pgporada Aug 2, 2023
e16bb18
Remove commented out code
pgporada Aug 2, 2023
3e49add
Use correct cross-sign cert filepath
pgporada Aug 2, 2023
04af1f9
Add extra information to log
pgporada Aug 2, 2023
b06e5e1
Remove debug line
pgporada Aug 2, 2023
8c82c2c
Change boolean name
pgporada Aug 2, 2023
659958d
Update PKI.md
pgporada Aug 2, 2023
daee81a
Merge branch 'main' into ceremony-cross-cert-rework
pgporada Aug 3, 2023
a0f8423
Musical functions
pgporada Aug 7, 2023
1211161
Address comments
pgporada Aug 7, 2023
e99b427
Been awake too many hours and removed too much code
pgporada Aug 7, 2023
64f8b94
Address stylistic comments
pgporada Aug 11, 2023
ca1f430
Still working on more BR and CPS verifications
pgporada Aug 11, 2023
567e1f2
Still addressing comments
pgporada Aug 14, 2023
9978b82
Fix ineffectual assignment
pgporada Aug 14, 2023
c20dcc5
Allow genCert to display command output
pgporada Aug 16, 2023
fc6fc4c
Copy EKUs from to-be-cross-signed cert over to the lint cert
pgporada Aug 16, 2023
9d38688
Test that EKUs match between lintcert and to-be-cross-signed
pgporada Aug 16, 2023
4e7a822
Update cmd/ceremony/cert.go
pgporada Aug 17, 2023
979ee46
Address comments
pgporada Aug 17, 2023
72b7d76
Prevent issuance if linting hasn't been done
pgporada Aug 17, 2023
950333e
Fix error message
pgporada Aug 17, 2023
308a6d0
I should learn how to use structs and types
pgporada Aug 17, 2023
676f793
I'm of the type that fails at types
pgporada Aug 17, 2023
26 changes: 20 additions & 6 deletions cmd/ceremony/cert.go
@@ -147,15 +147,18 @@ func (profile *certProfile) verifyProfile(ct certType) error {
}
}

if ct == intermediateCert {
if ct == intermediateCert || ct == crossCert {
if profile.CRLURL == "" {
return errors.New("crl-url is required for intermediates")
return errors.New("crl-url is required for subordinate CAs")
}
if profile.IssuerURL == "" {
return errors.New("issuer-url is required for intermediates")
return errors.New("issuer-url is required for subordinate CAs")
}

// BR 7.1.2.10.5 CA Certificate Certificate Policies
// OID 2.23.140.1.2.1 is an anyPolicy
if len(profile.Policies) != 1 || profile.Policies[0].OID != "2.23.140.1.2.1" {
return errors.New("policy should be exactly BRs domain-validated for intermediates")
return errors.New("policy should be exactly BRs domain-validated for subordinate CAs")
}
}

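Review bot: the comment above the policy check in this hunk, `// OID 2.23.140.1.2.1 is an anyPolicy`, mislabels the OID: 2.23.140.1.2.1 is the CA/Browser Forum domain-validated policy identifier (anyPolicy is 2.5.29.32.0), and the error string on the very next line already calls it "BRs domain-validated". Since the hunk rewrites the lines around it, consider correcting the comment to `// OID 2.23.140.1.2.1 is the BR domain-validated policy` so the comment and the error message agree. Widening the condition to `ct == intermediateCert || ct == crossCert` and the "subordinate CAs" wording are consistent with the rest of the PR.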
@@ -209,7 +212,12 @@ func generateSKID(pk []byte) ([]byte, error) {
}

// makeTemplate generates the certificate template for use in x509.CreateCertificate
func makeTemplate(randReader io.Reader, profile *certProfile, pubKey []byte, ct certType) (*x509.Certificate, error) {
func makeTemplate(randReader io.Reader, profile *certProfile, pubKey []byte, tbcs *x509.Certificate, ct certType) (*x509.Certificate, error) {
// Handle "unrestricted" vs "restricted" subordinate CA profile specifics.
if ct == crossCert && tbcs == nil {
return nil, fmt.Errorf("toBeCrossSigned cert field was nil, but was required to gather EKUs for the lint cert")
}

var ocspServer []string
if profile.OCSPURL != "" {
ocspServer = []string{profile.OCSPURL}
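Review bot: the doc comment on makeTemplate was not updated for the new tbcs parameter; a line such as `// tbcs is the to-be-cross-signed certificate; it is required (and only read) when ct == crossCert.` would tell callers what to pass for the other certificate types. Two smaller points in the same hunk: the new error is built with fmt.Errorf but contains no format verbs, so errors.New is the idiomatic choice, and its text refers to a "toBeCrossSigned cert field" while the parameter is named tbcs, so naming the parameter in the message would make the failure easier to trace back. Consider also rejecting a non-nil tbcs for certificate types other than crossCert, so that a caller cannot pass one by mistake and have it silently ignored.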
@@ -282,7 +290,10 @@ func makeTemplate(randReader io.Reader, profile *certProfile, pubKey []byte, ct
}

switch ct {
// rootCert and crossCert do not get EKU or MaxPathZero
// rootCert does not get EKU or MaxPathZero.
// BR 7.1.2.1.2 Root CA Extensions
// Extension Presence Critical Description
// extKeyUsage MUST NOT N -
case ocspCert:
cert.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageOCSPSigning}
// ASN.1 NULL is 0x05, 0x00
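Review bot: the replacement comment in this hunk pastes a fragment of the BR 7.1.2.1.2 table (`// Extension Presence Critical Description` / `// extKeyUsage MUST NOT N -`), which reads oddly inside a switch; a single sentence such as `// BR 7.1.2.1.2 (Root CA Extensions): extKeyUsage MUST NOT be present, so rootCert gets neither an EKU nor MaxPathLenZero.` carries the same citation more clearly. The old comment also covered crossCert; now that crossCert has its own case arm in this function, it would help to state here that cross-certificates inherit these settings from the to-be-cross-signed certificate rather than getting none.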
@@ -299,6 +310,9 @@ func makeTemplate(randReader io.Reader, profile *certProfile, pubKey []byte, ct
// it in our end-entity certificates.
cert.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}
cert.MaxPathLenZero = true
case crossCert:
cert.ExtKeyUsage = tbcs.ExtKeyUsage
cert.MaxPathLenZero = tbcs.MaxPathLenZero
}

for _, policyConfig := range profile.Policies {
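Review bot: in the `case crossCert:` arm, copying MaxPathLenZero from tbcs without also copying MaxPathLen can give the cross-certificate a different path length constraint than the certificate it cross-signs: in crypto/x509, a template with MaxPathLen > 0 encodes that length, while a template with MaxPathLen 0 and MaxPathLenZero false encodes no pathLenConstraint at all, so a tbcs with pathLenConstraint 1 would be cross-signed unconstrained. Suggest adding `cert.MaxPathLen = tbcs.MaxPathLen` next to the existing line, or a comment stating that subordinate profiles always set MaxPathLenZero so the single copy is sufficient. Similarly, `cert.ExtKeyUsage = tbcs.ExtKeyUsage` drops any UnknownExtKeyUsage OIDs present on tbcs; if the lint cert is meant to carry exactly the EKUs of the to-be-cross-signed certificate, copy that field too or assert it is empty. The tbcs dereference itself is safe given the nil check at the top of makeTemplate in the earlier hunk.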