letsencrypt · pgporada · Aug 23, 2023 · Jul 19, 2023 · Jul 20, 2023 · Jul 20, 2023
@@ -9,12 +9,25 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"log"
 	"math/big"
 	"strconv"
 	"strings"
 	"time"
+
+	"github.com/letsencrypt/boulder/goodkey"
 )
 
+var kp goodkey.KeyPolicy
+
+func init() {
+	var err error
+	kp, err = goodkey.NewKeyPolicy(&goodkey.Config{FermatRounds: 100}, nil)
+	if err != nil {
+		log.Fatal("Could not create goodkey.KeyPolicy")
+	}
+}
+
 type policyInfoConfig struct {
 	OID string
 	// Deprecated: we do not include the id-qt-cps policy qualifier in our
@@ -147,15 +160,18 @@ func (profile *certProfile) verifyProfile(ct certType) error {
 		}
 	}
 
-	if ct == intermediateCert {
+	if ct == intermediateCert || ct == crossCert {
 		if profile.CRLURL == "" {
-			return errors.New("crl-url is required for intermediates")
+			return errors.New("crl-url is required for subordinate CAs")
 		}
 		if profile.IssuerURL == "" {
-			return errors.New("issuer-url is required for intermediates")
+			return errors.New("issuer-url is required for subordinate CAs")
 		}
+
+		// BR 7.1.2.10.5 CA Certificate Certificate Policies
+		// OID 2.23.140.1.2.1 is an anyPolicy
 		if len(profile.Policies) != 1 || profile.Policies[0].OID != "2.23.140.1.2.1" {
-			return errors.New("policy should be exactly BRs domain-validated for intermediates")
+			return errors.New("policy should be exactly BRs domain-validated for subordinate CAs")
 		}
 	}
 
@@ -282,7 +298,18 @@ func makeTemplate(randReader io.Reader, profile *certProfile, pubKey []byte, ct
 	}
 
 	switch ct {
-	// rootCert and crossCert do not get EKU or MaxPathZero
+	// rootCert and crossCert do not get EKU or MaxPathZero. This tool currently
+	// only produces "unrestricted" cross-signs.
+	// https://github.com/cabforum/servercert/blob/a0360b61e73476959220dc328e3b68d0224fa0b3/docs/BR.md#71223-cross-certified-subordinate-ca-extensions
+	//
+	// 7.1.2.1.2 Root CA Extensions
+	// Extension 	Presence 	Critical 	Description
+	// extKeyUsage 	MUST NOT 	N 	-
+	//
+	// 7.1.2.2.3 Cross-Certified Subordinate CA Extensions
+	// Extension 	Presence 	Critical 	Description
+	// extKeyUsage 	SHOULD	 	N 			See Section 7.1.2.2.4
+	//
 	case ocspCert:
 		cert.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageOCSPSigning}
 		// ASN.1 NULL is 0x05, 0x00

@@ -10,6 +10,7 @@ import (
 	"encoding/hex"
 	"errors"
 	"fmt"
+	"io/fs"
 	"testing"
 
 	"github.com/letsencrypt/boulder/pkcs11helpers"
@@ -59,7 +60,7 @@ func TestMakeSubject(t *testing.T) {
 	test.AssertDeepEquals(t, profile.Subject(), expectedSubject)
 }
 
-func TestMakeTemplate(t *testing.T) {
+func TestMakeTemplateRoot(t *testing.T) {
 	s, ctx := pkcs11helpers.NewSessionWithMock()
 	profile := &certProfile{}
 	randReader := newRandReader(s)
@@ -146,8 +147,8 @@ func TestMakeTemplateCrossCertificate(t *testing.T) {
 		OCSPURL:            "ocsp",
 		CRLURL:             "crl",
 		IssuerURL:          "issuer",
-		NotAfter:           "2018-05-18 11:31:00",
-		NotBefore:          "2018-05-18 11:31:00",
+		NotAfter:           "2020-10-10 11:31:00",
+		NotBefore:          "2020-10-10 11:31:00",
 	}
 
 	ctx.GenerateRandomFunc = realRand
@@ -228,27 +229,27 @@ func TestMakeTemplateCRL(t *testing.T) {
 func TestVerifyProfile(t *testing.T) {
 	for _, tc := range []struct {
 		profile     certProfile
-		certType    certType
+		certType    []certType
 		expectedErr string
 	}{
 		{
 			profile:     certProfile{},
-			certType:    intermediateCert,
+			certType:    []certType{intermediateCert, crossCert},
 			expectedErr: "not-before is required",
 		},
 		{
 			profile: certProfile{
 				NotBefore: "a",
 			},
-			certType:    intermediateCert,
+			certType:    []certType{intermediateCert, crossCert},
 			expectedErr: "not-after is required",
 		},
 		{
 			profile: certProfile{
 				NotBefore: "a",
 				NotAfter:  "b",
 			},
-			certType:    intermediateCert,
+			certType:    []certType{intermediateCert, crossCert},
 			expectedErr: "signature-algorithm is required",
 		},
 		{
@@ -257,7 +258,7 @@ func TestVerifyProfile(t *testing.T) {
 				NotAfter:           "b",
 				SignatureAlgorithm: "c",
 			},
-			certType:    intermediateCert,
+			certType:    []certType{intermediateCert, crossCert},
 			expectedErr: "common-name is required",
 		},
 		{
@@ -267,7 +268,7 @@ func TestVerifyProfile(t *testing.T) {
 				SignatureAlgorithm: "c",
 				CommonName:         "d",
 			},
-			certType:    intermediateCert,
+			certType:    []certType{intermediateCert, crossCert},
 			expectedErr: "organization is required",
 		},
 		{
@@ -278,7 +279,7 @@ func TestVerifyProfile(t *testing.T) {
 				CommonName:         "d",
 				Organization:       "e",
 			},
-			certType:    intermediateCert,
+			certType:    []certType{intermediateCert, crossCert},
 			expectedErr: "country is required",
 		},
 		{
@@ -291,8 +292,22 @@ func TestVerifyProfile(t *testing.T) {
 				Country:            "f",
 				OCSPURL:            "g",
 			},
-			certType:    intermediateCert,
-			expectedErr: "crl-url is required for intermediates",
+			certType:    []certType{intermediateCert, crossCert},
+			expectedErr: "crl-url is required for subordinate CAs",
+		},
+		{
+			profile: certProfile{
+				NotBefore:          "a",
+				NotAfter:           "b",
+				SignatureAlgorithm: "c",
+				CommonName:         "d",
+				Organization:       "e",
+				Country:            "f",
+				OCSPURL:            "g",
+				CRLURL:             "h",
+			},
+			certType:    []certType{intermediateCert, crossCert},
+			expectedErr: "issuer-url is required for subordinate CAs",
 		},
 		{
 			profile: certProfile{
@@ -304,9 +319,10 @@ func TestVerifyProfile(t *testing.T) {
 				Country:            "f",
 				OCSPURL:            "g",
 				CRLURL:             "h",
+				IssuerURL:          "i",
 			},
-			certType:    intermediateCert,
-			expectedErr: "issuer-url is required for intermediates",
+			certType:    []certType{intermediateCert, crossCert},
+			expectedErr: "policy should be exactly BRs domain-validated for subordinate CAs",
 		},
 		{
 			profile: certProfile{
@@ -319,9 +335,10 @@ func TestVerifyProfile(t *testing.T) {
 				OCSPURL:            "g",
 				CRLURL:             "h",
 				IssuerURL:          "i",
+				Policies:           []policyInfoConfig{{OID: "1.2.3"}, {OID: "4.5.6"}},
 			},
-			certType:    intermediateCert,
-			expectedErr: "policy should be exactly BRs domain-validated for intermediates",
+			certType:    []certType{intermediateCert, crossCert},
+			expectedErr: "policy should be exactly BRs domain-validated for subordinate CAs",
 		},
 		{
 			profile: certProfile{
@@ -332,7 +349,7 @@ func TestVerifyProfile(t *testing.T) {
 				Organization:       "e",
 				Country:            "f",
 			},
-			certType: rootCert,
+			certType: []certType{rootCert},
 		},
 		{
 			profile: certProfile{
@@ -345,7 +362,7 @@ func TestVerifyProfile(t *testing.T) {
 				IssuerURL:          "g",
 				KeyUsages:          []string{"j"},
 			},
-			certType:    ocspCert,
+			certType:    []certType{ocspCert},
 			expectedErr: "key-usages cannot be set for a delegated signer",
 		},
 		{
@@ -359,7 +376,7 @@ func TestVerifyProfile(t *testing.T) {
 				IssuerURL:          "g",
 				CRLURL:             "i",
 			},
-			certType:    ocspCert,
+			certType:    []certType{ocspCert},
 			expectedErr: "crl-url cannot be set for a delegated signer",
 		},
 		{
@@ -373,7 +390,7 @@ func TestVerifyProfile(t *testing.T) {
 				IssuerURL:          "g",
 				OCSPURL:            "h",
 			},
-			certType:    ocspCert,
+			certType:    []certType{ocspCert},
 			expectedErr: "ocsp-url cannot be set for a delegated signer",
 		},
 		{
@@ -386,7 +403,7 @@ func TestVerifyProfile(t *testing.T) {
 				Country:            "f",
 				IssuerURL:          "g",
 			},
-			certType: ocspCert,
+			certType: []certType{ocspCert},
 		},
 		{
 			profile: certProfile{
@@ -399,7 +416,7 @@ func TestVerifyProfile(t *testing.T) {
 				IssuerURL:          "g",
 				KeyUsages:          []string{"j"},
 			},
-			certType:    crlCert,
+			certType:    []certType{crlCert},
 			expectedErr: "key-usages cannot be set for a delegated signer",
 		},
 		{
@@ -413,7 +430,7 @@ func TestVerifyProfile(t *testing.T) {
 				IssuerURL:          "g",
 				CRLURL:             "i",
 			},
-			certType:    crlCert,
+			certType:    []certType{crlCert},
 			expectedErr: "crl-url cannot be set for a delegated signer",
 		},
 		{
@@ -427,7 +444,7 @@ func TestVerifyProfile(t *testing.T) {
 				IssuerURL:          "g",
 				OCSPURL:            "h",
 			},
-			certType:    crlCert,
+			certType:    []certType{crlCert},
 			expectedErr: "ocsp-url cannot be set for a delegated signer",
 		},
 		{
@@ -440,72 +457,74 @@ func TestVerifyProfile(t *testing.T) {
 				Country:            "f",
 				IssuerURL:          "g",
 			},
-			certType: crlCert,
+			certType: []certType{crlCert},
 		},
 		{
 			profile: certProfile{
 				NotBefore: "a",
 			},
-			certType:    requestCert,
+			certType:    []certType{requestCert},
 			expectedErr: "not-before cannot be set for a CSR",
 		},
 		{
 			profile: certProfile{
 				NotAfter: "a",
 			},
-			certType:    requestCert,
+			certType:    []certType{requestCert},
 			expectedErr: "not-after cannot be set for a CSR",
 		},
 		{
 			profile: certProfile{
 				SignatureAlgorithm: "a",
 			},
-			certType:    requestCert,
+			certType:    []certType{requestCert},
 			expectedErr: "signature-algorithm cannot be set for a CSR",
 		},
 		{
 			profile: certProfile{
 				OCSPURL: "a",
 			},
-			certType:    requestCert,
+			certType:    []certType{requestCert},
 			expectedErr: "ocsp-url cannot be set for a CSR",
 		},
 		{
 			profile: certProfile{
 				CRLURL: "a",
 			},
-			certType:    requestCert,
+			certType:    []certType{requestCert},
 			expectedErr: "crl-url cannot be set for a CSR",
 		},
 		{
 			profile: certProfile{
 				IssuerURL: "a",
 			},
-			certType:    requestCert,
+			certType:    []certType{requestCert},
 			expectedErr: "issuer-url cannot be set for a CSR",
 		},
 		{
 			profile: certProfile{
 				Policies: []policyInfoConfig{{OID: "1.2.3"}},
 			},
-			certType:    requestCert,
+			certType:    []certType{requestCert},
 			expectedErr: "policies cannot be set for a CSR",
 		},
 		{
 			profile: certProfile{
 				KeyUsages: []string{"a"},
 			},
-			certType:    requestCert,
+			certType:    []certType{requestCert},
 			expectedErr: "key-usages cannot be set for a CSR",
 		},
 	} {
-		err := tc.profile.verifyProfile(tc.certType)
-		if err != nil {
-			if tc.expectedErr != err.Error() {
-				t.Fatalf("Expected %q, got %q", tc.expectedErr, err.Error())
+		for _, ct := range tc.certType {
+			err := tc.profile.verifyProfile(ct)
+			if err != nil {
+				if tc.expectedErr != err.Error() {
+					t.Fatalf("Expected %q, got %q", tc.expectedErr, err.Error())
+				}
+			} else if tc.expectedErr != "" {
+				t.Fatalf("verifyProfile didn't fail, expected %q", tc.expectedErr)
 			}
-		} else if tc.expectedErr != "" {
-			t.Fatalf("verifyProfile didn't fail, expected %q", tc.expectedErr)
 		}
 	}
 }
@@ -531,3 +550,18 @@ func TestGenerateCSR(t *testing.T) {
 	test.AssertEquals(t, csr.Subject.String(), fmt.Sprintf("CN=%s,O=%s,C=%s",
 		profile.CommonName, profile.Organization, profile.Country))
 }
+
+func TestLoadCert(t *testing.T) {
+	_, err := loadCert("../../test/hierarchy/int-e1.cert.pem")
+	test.AssertNotError(t, err, "should not have errored")
+
+	_, err = loadCert("/path/that/will/not/ever/exist/ever")
+	test.AssertError(t, err, "should have failed opening certificate at non-existent path")
+	test.AssertErrorIs(t, err, fs.ErrNotExist)
+
+	_, err = loadCert("../../test/hierarchy/int-e1.key.pem")
+	test.AssertError(t, err, "should have failed when trying to parse a private key")
+
+	_, err = loadCert("../../test/test-root.pubkey.pem")
+	test.AssertError(t, err, "should have failed when trying to parse a public key")
+}