
Commit b587d4e

benileoRoland Bracewell Shoemaker
authored andcommitted
Simplify KeyPolicy code (letsencrypt#2092)
This PR removes the allowedSigningAlgos configuration struct and hard-codes a key policy. Fixes letsencrypt#1844
1 parent 9a57ba9 commit b587d4e


8 files changed

+18
-61
lines changed

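--- a/cmd/boulder-ca/main.go
+++ b/cmd/boulder-ca/main.go
@@ -16,6 +16,7 @@ import (
 "github.com/letsencrypt/boulder/ca"
 "github.com/letsencrypt/boulder/cmd"
 "github.com/letsencrypt/boulder/core"
+"github.com/letsencrypt/boulder/goodkey"
 bgrpc "github.com/letsencrypt/boulder/grpc"
 "github.com/letsencrypt/boulder/policy"
 pubPB "github.com/letsencrypt/boulder/publisher/proto"
@@ -27,8 +28,6 @@ const clientName = "CA"
 type config struct {
 CA cmd.CAConfig
 
-AllowedSigningAlgos *cmd.AllowedSigningAlgos
-
 PA cmd.PAConfig
 
 Statsd cmd.StatsdConfig
@@ -155,7 +154,7 @@ func main() {
 clock.Default(),
 stats,
 issuers,
-c.AllowedSigningAlgos.KeyPolicy(),
+goodkey.NewKeyPolicy(),
 logger)
 cmd.FailOnError(err, "Failed to create CA impl")
 cai.PA = pa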
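Review bot: The key policy handed to the CA constructor is now fixed at compile time, so a deployed config that still carries an `allowedSigningAlgos` block is no longer consulted at this call site; whether the config loader rejects or silently ignores the leftover key is not visible here. The removed `KeyPolicy()` fell back to RSA-only when the block was absent, while `goodkey.NewKeyPolicy()` always allows ECDSA P-256 and P-384 as well, so the set of keys the CA will sign can widen on upgrade without any config change. I would record the effective policy at startup, as the WFE already does, e.g. `logger.Info(fmt.Sprintf("CA using key policy: %#v", goodkey.NewKeyPolicy()))` (assuming `fmt` is imported in this file). The same applies to the matching hunk in cmd/boulder-ra/main.go; `main` continues outside both hunks.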

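--- a/cmd/boulder-ra/main.go
+++ b/cmd/boulder-ra/main.go
@@ -11,6 +11,7 @@ import (
 "github.com/letsencrypt/boulder/bdns"
 "github.com/letsencrypt/boulder/cmd"
 "github.com/letsencrypt/boulder/core"
+"github.com/letsencrypt/boulder/goodkey"
 bgrpc "github.com/letsencrypt/boulder/grpc"
 "github.com/letsencrypt/boulder/metrics"
 "github.com/letsencrypt/boulder/policy"
@@ -63,8 +64,6 @@ type config struct {
 PendingAuthorizationLifetimeDays int
 }
 
-AllowedSigningAlgos *cmd.AllowedSigningAlgos
-
 PA cmd.PAConfig
 
 Statsd cmd.StatsdConfig
@@ -144,7 +143,7 @@ func main() {
 logger,
 stats,
 c.RA.MaxContactsPerRegistration,
-c.AllowedSigningAlgos.KeyPolicy(),
+goodkey.NewKeyPolicy(),
 c.RA.MaxNames,
 c.RA.DoNotForceCN,
 c.RA.ReuseValidAuthz,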

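--- a/cmd/boulder-wfe/main.go
+++ b/cmd/boulder-wfe/main.go
@@ -10,6 +10,7 @@ import (
 "github.com/jmhodges/clock"
 
 "github.com/letsencrypt/boulder/cmd"
+"github.com/letsencrypt/boulder/goodkey"
 blog "github.com/letsencrypt/boulder/log"
 "github.com/letsencrypt/boulder/metrics"
 "github.com/letsencrypt/boulder/rpc"
@@ -39,8 +40,6 @@ type config struct {
 CheckMalformedCSR bool
 }
 
-AllowedSigningAlgos *cmd.AllowedSigningAlgos
-
 Statsd cmd.StatsdConfig
 
 SubscriberAgreementURL string
@@ -82,7 +81,7 @@ func main() {
 defer logger.AuditPanic()
 logger.Info(cmd.VersionString(clientName))
 
-wfe, err := wfe.NewWebFrontEndImpl(stats, clock.Default(), c.AllowedSigningAlgos.KeyPolicy(), logger)
+wfe, err := wfe.NewWebFrontEndImpl(stats, clock.Default(), goodkey.NewKeyPolicy(), logger)
 cmd.FailOnError(err, "Unable to create WFE")
 rac, sac := setupWFE(c, logger, stats)
 wfe.RA = rac
@@ -106,7 +105,7 @@ func main() {
 wfe.IssuerCert, err = cmd.LoadCert(c.Common.IssuerCert)
 cmd.FailOnError(err, fmt.Sprintf("Couldn't read issuer cert [%s]", c.Common.IssuerCert))
 
-logger.Info(fmt.Sprintf("WFE using key policy: %#v", c.AllowedSigningAlgos.KeyPolicy()))
+logger.Info(fmt.Sprintf("WFE using key policy: %#v", goodkey.NewKeyPolicy()))
 
 go cmd.ProfileCmd("WFE", stats)
 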
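Review bot: `goodkey.NewKeyPolicy()` is called twice in `main`, once for `wfe.NewWebFrontEndImpl` and again for the "WFE using key policy" log line, so the log prints a freshly built value rather than the policy the WFE was actually constructed with. The two are equal today, but if `NewKeyPolicy` ever gains inputs the logged policy can drift from the enforced one. Bind it once with `kp := goodkey.NewKeyPolicy()` before the constructor call, then use `wfe.NewWebFrontEndImpl(stats, clock.Default(), kp, logger)` and `logger.Info(fmt.Sprintf("WFE using key policy: %#v", kp))`. `main` starts and ends outside these hunks.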

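--- a/cmd/config.go
+++ b/cmd/config.go
@@ -12,33 +12,8 @@ import (
 "github.com/letsencrypt/pkcs11key"
 
 "github.com/letsencrypt/boulder/core"
-"github.com/letsencrypt/boulder/goodkey"
 )
 
-// AllowedSigningAlgos defines which algorithms be used for keys that we will
-// sign.
-type AllowedSigningAlgos struct {
-RSA bool
-ECDSANISTP256 bool
-ECDSANISTP384 bool
-ECDSANISTP521 bool
-}
-
-// KeyPolicy returns a KeyPolicy reflecting the Boulder configuration.
-func (asa *AllowedSigningAlgos) KeyPolicy() goodkey.KeyPolicy {
-if asa != nil {
-return goodkey.KeyPolicy{
-AllowRSA: asa.RSA,
-AllowECDSANISTP256: asa.ECDSANISTP256,
-AllowECDSANISTP384: asa.ECDSANISTP384,
-AllowECDSANISTP521: asa.ECDSANISTP521,
-}
-}
-return goodkey.KeyPolicy{
-AllowRSA: true,
-}
-}
-
 // PasswordConfig either contains a password or the path to a file
 // containing a password
 type PasswordConfig struct {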

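--- a/goodkey/good_key.go
+++ b/goodkey/good_key.go
@@ -35,16 +35,24 @@ var (
 smallPrimes []*big.Int
 )
 
-// KeyPolicy etermines which types of key may be used with various boulder
+// KeyPolicy determines which types of key may be used with various boulder
 // operations.
 type KeyPolicy struct {
 AllowRSA bool // Whether RSA keys should be allowed.
 AllowECDSANISTP256 bool // Whether ECDSA NISTP256 keys should be allowed.
 AllowECDSANISTP384 bool // Whether ECDSA NISTP384 keys should be allowed.
-AllowECDSANISTP521 bool // Whether ECDSA NISTP521 keys should be allowed.
 }
 
-// GoodKey returns true iff the key is acceptable for both TLS use and account
+// NewKeyPolicy returns a KeyPolicy that allows RSA, ECDSA256 and ECDSA384.
+func NewKeyPolicy() KeyPolicy {
+return KeyPolicy{
+AllowRSA: true,
+AllowECDSANISTP256: true,
+AllowECDSANISTP384: true,
+}
+}
+
+// GoodKey returns true if the key is acceptable for both TLS use and account
 // key use (our requirements are the same for either one), according to basic
 // strength and algorithm checking.
 // TODO: Support JsonWebKeys once go-jose migration is done.
@@ -169,8 +177,6 @@ func (policy *KeyPolicy) goodCurve(c elliptic.Curve) (err error) {
 return nil
 case policy.AllowECDSANISTP384 && params == elliptic.P384().Params():
 return nil
-case policy.AllowECDSANISTP521 && params == elliptic.P521().Params():
-return nil
 default:
 return core.MalformedRequestError(fmt.Sprintf("ECDSA curve %v not allowed", params.Name))
 }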
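Review bot: The doc comment on `NewKeyPolicy` names the curves "ECDSA256 and ECDSA384", which matches neither the field names nor the `elliptic.P384()` wording in `goodCurve`, and it does not say that P-521 can no longer be enabled. I would write `// NewKeyPolicy returns the hard-coded KeyPolicy: RSA and ECDSA on NIST P-256 and P-384 are allowed; P-521 is no longer accepted.` With the P-521 case removed, such keys appear to fall through to the `default` branch and get the "ECDSA curve %v not allowed" error, though `goodCurve` begins outside the hunk. The same hunk rewrites the `GoodKey` comment from "iff" to "if"; "iff" stated the stronger contract, that true is returned only for acceptable keys, so `// GoodKey returns true if and only if the key is acceptable ...` would preserve that meaning.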

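--- a/test/config-next/ca.json
+++ b/test/config-next/ca.json
@@ -119,13 +119,6 @@
 }
 },
 
-"allowedSigningAlgos": {
-"rsa": true,
-"ecdsanistp256": true,
-"ecdsanistp384": true,
-"ecdsanistp521": false
-},
-
 "pa": {
 "challenges": {
 "http-01": true,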

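--- a/test/config-next/ra.json
+++ b/test/config-next/ra.json
@@ -37,13 +37,6 @@
 }
 },
 
-"allowedSigningAlgos": {
-"rsa": true,
-"ecdsanistp256": true,
-"ecdsanistp384": true,
-"ecdsanistp521": false
-},
-
 "pa": {
 "challenges": {
 "http-01": true,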

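--- a/test/config-next/wfe.json
+++ b/test/config-next/wfe.json
@@ -26,13 +26,6 @@
 }
 },
 
-"allowedSigningAlgos": {
-"rsa": true,
-"ecdsanistp256": true,
-"ecdsanistp384": true,
-"ecdsanistp521": false
-},
-
 "statsd": {
 "server": "localhost:8125",
 "prefix": "Boulder"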
