Generate ECDSA keys and certs in integration tests (#5150)

This adds an ECDSA hierarchy along-side the RSA hierarchy
which our integration tests already rely on. This does not yet
integrate the new hierarchy into the services (none of the
generated keys or certs are referenced from test service config
files yet), but it lays the groundwork for that to happen after our
services all have multi-issuer support.

Part of #5113

test/cert-ceremonies/generate.go

@@ -85,51 +85,79 @@ func main() {
 	} else if err != nil && !os.IsNotExist(err) {
 		log.Fatalf("statting %q: %s", outputFile, err)
 	}
-	// Create a SoftHSM slot for the root signing key
-	rootKeySlot, err := createSlot("root signing key (rsa)")
+	// Create SoftHSM slots for the root signing keys
+	rsaRootKeySlot, err := createSlot("root signing key (rsa)")
+	cmd.FailOnError(err, "failed creating softhsm2 slot for RSA root key")
+	ecdsaRootKeySlot, err := createSlot("root signing key (ecdsa)")
 	cmd.FailOnError(err, "failed creating softhsm2 slot for root key")
 
-	// Generate the root signing key and certificate
-	err = genKey("test/cert-ceremonies/root-ceremony-rsa.yaml", rootKeySlot)
-	cmd.FailOnError(err, "failed to generate root key + root cert")
+	// Generate the root signing keys and certificates
+	err = genKey("test/cert-ceremonies/root-ceremony-rsa.yaml", rsaRootKeySlot)
+	cmd.FailOnError(err, "failed to generate RSA root key + root cert")
+	err = genKey("test/cert-ceremonies/root-ceremony-ecdsa.yaml", ecdsaRootKeySlot)
+	cmd.FailOnError(err, "failed to generate ECDSA root key + root cert")
 
-	// Create a SoftHSM slot for the intermediate signing key
-	intermediateKeySlot, err := createSlot("intermediate signing key (rsa)")
-	cmd.FailOnError(err, "failed to create softhsm2 slot for intermediate key")
+	// Create SoftHSM slots for the intermediate signing keys
+	rsaIntermediateKeySlot, err := createSlot("intermediate signing key (rsa)")
+	cmd.FailOnError(err, "failed to create softhsm2 slot for RSA intermediate key")
+	ecdsaIntermediateKeySlot, err := createSlot("intermediate signing key (ecdsa)")
+	cmd.FailOnError(err, "failed to create softhsm2 slot for ECDSA intermediate key")
 
-	// Generate the intermediate signing key
-	err = genKey("test/cert-ceremonies/intermediate-key-ceremony-rsa.yaml", intermediateKeySlot)
-	cmd.FailOnError(err, "failed to generate intermediate key")
+	// Generate the intermediate signing keys
+	err = genKey("test/cert-ceremonies/intermediate-key-ceremony-rsa.yaml", rsaIntermediateKeySlot)
+	cmd.FailOnError(err, "failed to generate RSA intermediate key")
+	err = genKey("test/cert-ceremonies/intermediate-key-ceremony-ecdsa.yaml", ecdsaIntermediateKeySlot)
+	cmd.FailOnError(err, "failed to generate ECDSA intermediate key")
 
-	// Create the A intermediate ceremony config file with the root
-	// signing key slot and ID
-	tmpRSAIntermediateA, err := rewriteConfig("test/cert-ceremonies/intermediate-ceremony-rsa.yaml", map[string]string{
-		"SlotID":     rootKeySlot,
+	// Create the A intermediate ceremony config files with the root
+	// signing key slots and IDs
+	rsaTmpIntermediateA, err := rewriteConfig("test/cert-ceremonies/intermediate-ceremony-rsa.yaml", map[string]string{
+		"SlotID":     rsaRootKeySlot,
 		"CertPath":   "/tmp/intermediate-cert-rsa-a.pem",
 		"CommonName": "CA intermediate (RSA) A",
 	})
-	cmd.FailOnError(err, "failed to rewrite intermediate cert config with key ID")
-	// Create the A intermediate certificate
-	err = genCert(tmpRSAIntermediateA)
-	cmd.FailOnError(err, "failed to generate intermediate cert")
+	cmd.FailOnError(err, "failed to rewrite RSA intermediate cert config with key ID")
+	ecdsaTmpIntermediateA, err := rewriteConfig("test/cert-ceremonies/intermediate-ceremony-ecdsa.yaml", map[string]string{
+		"SlotID":     ecdsaRootKeySlot,
+		"CertPath":   "/tmp/intermediate-cert-ecdsa-a.pem",
+		"CommonName": "CA intermediate (ECDSA) A",
+	})
+	cmd.FailOnError(err, "failed to rewrite ECDSA intermediate cert config with key ID")
 
-	// Create the B intermediate ceremony config file with the root
-	// signing key slot and ID
-	tmpRSAIntermediateB, err := rewriteConfig("test/cert-ceremonies/intermediate-ceremony-rsa.yaml", map[string]string{
-		"SlotID":     rootKeySlot,
+	// Create the A intermediate certificates
+	err = genCert(rsaTmpIntermediateA)
+	cmd.FailOnError(err, "failed to generate RSA intermediate cert")
+	err = genCert(ecdsaTmpIntermediateA)
+	cmd.FailOnError(err, "failed to generate ECDSA intermediate cert")
+
+	// Create the B intermediate ceremony config files with the root
+	// signing key slots and IDs
+	rsaTmpIntermediateB, err := rewriteConfig("test/cert-ceremonies/intermediate-ceremony-rsa.yaml", map[string]string{
+		"SlotID":     rsaRootKeySlot,
 		"CertPath":   "/tmp/intermediate-cert-rsa-b.pem",
 		"CommonName": "CA intermediate (RSA) B",
 	})
-	cmd.FailOnError(err, "failed to rewrite intermediate cert config with key ID")
-	// Create the B intermediate certificate
-	err = genCert(tmpRSAIntermediateB)
-	cmd.FailOnError(err, "failed to generate intermediate cert")
-
-	// Create an OCSP response for the A intermediate
-	tmpOCSPConfig, err := rewriteConfig("test/cert-ceremonies/intermediate-ocsp.yaml", map[string]string{
-		"SlotID": rootKeySlot,
+	cmd.FailOnError(err, "failed to rewrite RSA intermediate cert config with key ID")
+	ecdsaTmpIntermediateB, err := rewriteConfig("test/cert-ceremonies/intermediate-ceremony-ecdsa.yaml", map[string]string{
+		"SlotID":     ecdsaRootKeySlot,
+		"CertPath":   "/tmp/intermediate-cert-ecdsa-b.pem",
+		"CommonName": "CA intermediate (ECDSA) B",
 	})
-	cmd.FailOnError(err, "failed to rewrite intermediate OCSP config with key ID")
-	err = genCert(tmpOCSPConfig)
-	cmd.FailOnError(err, "failed to generate intermediate OCSP response")
+	cmd.FailOnError(err, "failed to rewrite ECDSA intermediate cert config with key ID")
+
+	// Create the B intermediate certificates
+	err = genCert(rsaTmpIntermediateB)
+	cmd.FailOnError(err, "failed to generate RSA intermediate cert")
+	err = genCert(ecdsaTmpIntermediateB)
+	cmd.FailOnError(err, "failed to generate ECDSA intermediate cert")
+
+	// Rewrite OCSP configs and generate OCSP responses for the A intermediates
+	rsaTmpOCSPConfig, err := rewriteConfig("test/cert-ceremonies/intermediate-ocsp-rsa.yaml", map[string]string{
+		"SlotID": rsaRootKeySlot,
+	})
+	cmd.FailOnError(err, "failed to rewrite RSA intermediate OCSP config with key ID")
+	err = genCert(rsaTmpOCSPConfig)
+	cmd.FailOnError(err, "failed to generate RSA intermediate OCSP response")
+	// We do not generate OCSP for the ECDSA intermediates, as our new issuers
+	// only use CRLs, not OCSP.
 }

test/cert-ceremonies/intermediate-ceremony-ecdsa.yaml

@@ -0,0 +1,29 @@
+ceremony-type: intermediate
+pkcs11:
+    module: /usr/local/lib/softhsm/libsofthsm2.so
+    pin: 1234
+    signing-key-slot: {{ .SlotID}}
+    signing-key-label: root signing key (ecdsa)
+inputs:
+    public-key-path: /tmp/intermediate-signing-pub-ecdsa.pem
+    issuer-certificate-path: /tmp/root-cert-ecdsa.pem
+outputs:
+    certificate-path: {{ .CertPath }}
+certificate-profile:
+    signature-algorithm: ECDSAWithSHA384
+    common-name: {{ .CommonName }}
+    organization: good guys
+    country: US
+    not-before: 2020-01-01 12:00:00
+    not-after: 2040-01-01 12:00:00
+    ocsp-url: http://example.com/ocsp
+    crl-url:  http://example.com/crl
+    issuer-url:  http://example.com/root
+    policies:
+        - oid: 1.2.3
+        - oid: 1.5.6
+          cps-uri: "http://example.com/cps"
+    key-usages:
+        - Digital Signature
+        - Cert Sign
+        - CRL Sign

test/cert-ceremonies/intermediate-key-ceremony-ecdsa.yaml

@@ -0,0 +1,11 @@
+ceremony-type: key
+pkcs11:
+    module: /usr/local/lib/softhsm/libsofthsm2.so
+    pin: 1234
+    store-key-in-slot: {{ .SlotID }}
+    store-key-with-label: intermediate signing key (ecdsa)
+key:
+    type: ecdsa
+    ecdsa-curve: P-384
+outputs:
+    public-key-path: /tmp/intermediate-signing-pub-ecdsa.pem

test/cert-ceremonies/intermediate-ocsp-rsa.yaml

@@ -8,7 +8,7 @@ inputs:
     certificate-path: /tmp/intermediate-cert-rsa-a.pem
     issuer-certificate-path: /tmp/root-cert-rsa.pem
 outputs:
-    response-path: /tmp/intermediate-ocsp.b64
+    response-path: /tmp/intermediate-ocsp-rsa.b64
 ocsp-profile:
     this-update: 2020-01-01 12:00:00
     next-update: 2039-01-01 12:00:00

test/cert-ceremonies/root-ceremony-ecdsa.yaml

@@ -0,0 +1,32 @@
+ceremony-type: root
+pkcs11:
+    module: /usr/local/lib/softhsm/libsofthsm2.so
+    pin: 1234
+    store-key-in-slot: {{ .SlotID }}
+    store-key-with-label: root signing key (ecdsa)
+key:
+    type: ecdsa
+    ecdsa-curve: P-384
+outputs:
+    public-key-path: /tmp/root-signing-pub-ecdsa.pem
+    certificate-path: /tmp/root-cert-ecdsa.pem
+certificate-profile:
+    signature-algorithm: ECDSAWithSHA384
+    common-name: CA root (ECDSA)
+    organization: good guys
+    country: US
+    not-before: 2020-01-01 12:00:00
+    not-after: 2040-01-01 12:00:00
+    key-usages:
+        - Cert Sign
+        - CRL Sign
+skip-lints:
+   - e_ext_authority_key_identifier_missing
+   - e_ext_authority_key_identifier_no_key_identifier
+   - e_sub_ca_aia_missing
+   - e_sub_ca_certificate_policies_missing
+   - e_sub_ca_crl_distribution_points_missing
+   - n_ca_digital_signature_not_set
+   - n_mp_allowed_eku
+   - n_sub_ca_eku_missing
+   - w_sub_ca_aia_does_not_contain_issuing_ca_url

test/issuer-ocsp-responder.json

@@ -1,6 +1,6 @@
 {
   "ocspResponder": {
-    "source": "file:///tmp/intermediate-ocsp.b64",
+    "source": "file:///tmp/intermediate-ocsp-rsa.b64",
     "path": "/",
     "listenAddress": "0.0.0.0:4003",
     "shutdownStopTimeout": "10s",