CA: Deprecate field ECDSAAllowedAccounts (#5477)
- Remove field `ECDSAAllowedAccounts` from CA - Remove `ECDSAAllowedAccounts` from CA tests - Replace `ECDSAAllowedAccounts` with `ECDSAAllowListFilename` in `test/config/ca-a.json` and `test/config/ca-b.json` - Add YAML allow list file at `test/config/ecdsaAllowList.yml` Fixes #5394
This commit is contained in:
parent
52ba25f3a5
commit
d574b50c41
|
@ -531,42 +531,6 @@ func TestECDSAAllowList(t *testing.T) {
|
|||
test.AssertByteEquals(t, cert.RawIssuer, caCert2.RawSubject)
|
||||
}
|
||||
|
||||
// TODO(#5394): This is deprecated and exists to support deployability
|
||||
// until `ECDSAAllowedAccounts` is replaced by `ECDSAAllowListFilename`
|
||||
// in all staging and production configs.
|
||||
func TestDeprecatedECDSAAllowList(t *testing.T) {
|
||||
req := &capb.IssueCertificateRequest{Csr: ECDSACSR, RegistrationID: arbitraryRegID}
|
||||
|
||||
// With allowlist containing arbitraryRegID, issuance should come from ECDSA issuer.
|
||||
ca, _ := issueCertificateSubTestSetup(t)
|
||||
ca.ecdsaAllowList.regIDsMap = make(map[int64]bool)
|
||||
ca.ecdsaAllowList.regIDsMap[arbitraryRegID] = true
|
||||
result, err := ca.IssuePrecertificate(ctx, req)
|
||||
test.AssertNotError(t, err, "Failed to issue certificate")
|
||||
cert, err := x509.ParseCertificate(result.DER)
|
||||
test.AssertNotError(t, err, "Certificate failed to parse")
|
||||
test.AssertByteEquals(t, cert.RawIssuer, caCert2.RawSubject)
|
||||
|
||||
// With allowlist not containing arbitraryRegID, issuance should fall back to RSA issuer.
|
||||
delete(ca.ecdsaAllowList.regIDsMap, arbitraryRegID)
|
||||
ca.ecdsaAllowList.regIDsMap[2002] = true
|
||||
result, err = ca.IssuePrecertificate(ctx, req)
|
||||
test.AssertNotError(t, err, "Failed to issue certificate")
|
||||
cert, err = x509.ParseCertificate(result.DER)
|
||||
test.AssertNotError(t, err, "Certificate failed to parse")
|
||||
test.AssertByteEquals(t, cert.RawIssuer, caCert.RawSubject)
|
||||
|
||||
// With empty allowlist but ECDSAForAll enabled, issuance should come from ECDSA issuer.
|
||||
ca, _ = issueCertificateSubTestSetup(t)
|
||||
_ = features.Set(map[string]bool{"ECDSAForAll": true})
|
||||
defer features.Reset()
|
||||
result, err = ca.IssuePrecertificate(ctx, req)
|
||||
test.AssertNotError(t, err, "Failed to issue certificate")
|
||||
cert, err = x509.ParseCertificate(result.DER)
|
||||
test.AssertNotError(t, err, "Certificate failed to parse")
|
||||
test.AssertByteEquals(t, cert.RawIssuer, caCert2.RawSubject)
|
||||
}
|
||||
|
||||
func TestInvalidCSRs(t *testing.T) {
|
||||
testCases := []struct {
|
||||
name string
|
||||
|
|
|
@ -99,17 +99,3 @@ func NewECDSAAllowListFromFile(filename string, logger log.Logger, metric *prome
|
|||
allowList.reloader = reloader
|
||||
return allowList, allowList.length(), nil
|
||||
}
|
||||
|
||||
// NewECDSAAllowListFromConfig is exported to allow `boulder-ca` to
|
||||
// construct a new `ECDSAAllowList` object and set the inner `regIDsMap`
|
||||
// from a list of registration IDs received in the CA config JSON.
|
||||
//
|
||||
// TODO(#5394): This is deprecated and exists to support deployability
|
||||
// until `ECDSAAllowedAccounts` is replaced by `ECDSAAllowListFilename`
|
||||
// in all staging and production configs. An initial entry count is
|
||||
// returned to `boulder-ca` for logging purposes.
|
||||
func NewECDSAAllowListFromConfig(regIDs []int64) (*ECDSAAllowList, int, error) {
|
||||
regIDsMap := makeRegIDsMap(regIDs)
|
||||
allowList := &ECDSAAllowList{regIDsMap: regIDsMap, reloader: nil, logger: nil, statusGauge: nil}
|
||||
return allowList, allowList.length(), nil
|
||||
}
|
||||
|
|
|
@ -1,7 +1,6 @@
|
|||
package ca
|
||||
|
||||
import (
|
||||
"reflect"
|
||||
"testing"
|
||||
|
||||
"github.com/letsencrypt/boulder/log"
|
||||
|
@ -71,39 +70,3 @@ func TestNewECDSAAllowListFromFile(t *testing.T) {
|
|||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestNewECDSAAllowListFromConfig(t *testing.T) {
|
||||
type args struct {
|
||||
regIDs []int64
|
||||
}
|
||||
tests := []struct {
|
||||
name string
|
||||
args args
|
||||
wantAllowList *ECDSAAllowList
|
||||
wantEntries int
|
||||
wantErrBool bool
|
||||
}{
|
||||
{
|
||||
name: "one entry",
|
||||
args: args{[]int64{1337}},
|
||||
wantAllowList: &ECDSAAllowList{regIDsMap: map[int64]bool{1337: true}, reloader: nil, logger: nil, statusGauge: nil},
|
||||
wantEntries: 1,
|
||||
wantErrBool: false,
|
||||
},
|
||||
}
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
got, got1, err := NewECDSAAllowListFromConfig(tt.args.regIDs)
|
||||
if (err != nil) != tt.wantErrBool {
|
||||
t.Errorf("NewECDSAAllowListFromConfig() error = %v, wantErr %v", err, tt.wantErrBool)
|
||||
return
|
||||
}
|
||||
if !reflect.DeepEqual(got, tt.wantAllowList) {
|
||||
t.Errorf("NewECDSAAllowListFromConfig() got = %v, want %v", got, tt.wantAllowList)
|
||||
}
|
||||
if got1 != tt.wantEntries {
|
||||
t.Errorf("NewECDSAAllowListFromConfig() got1 = %v, want %v", got1, tt.wantEntries)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
|
|
@ -86,19 +86,6 @@ type config struct {
|
|||
// Recommended to be around 500ms.
|
||||
OCSPLogPeriod cmd.ConfigDuration
|
||||
|
||||
// List of Registration IDs for which ECDSA issuance is allowed.
|
||||
// If an account is in this allowlist *and* requests issuance
|
||||
// for an ECDSA key *and* an ECDSA issuer is configured in the
|
||||
// CA, then the certificate will be issued from that ECDSA
|
||||
// issuer. This is temporary, and will be used for testing and
|
||||
// slow roll-out of ECDSA issuance, but will then be removed.
|
||||
//
|
||||
// TODO(#5394): This is deprecated and exists to support
|
||||
// deployability until `ECDSAAllowedAccounts` is replaced by
|
||||
// `ECDSAAllowListFilename` in all staging and production
|
||||
// configs.
|
||||
ECDSAAllowedAccounts []int64
|
||||
|
||||
// Path of a YAML file containing the list of int64 RegIDs
|
||||
// allowed to request ECDSA issuance
|
||||
ECDSAAllowListFilename string
|
||||
|
@ -247,15 +234,6 @@ func main() {
|
|||
cmd.FailOnError(err, "Unable to load ECDSA allow list from YAML file")
|
||||
logger.Infof("Created a reloadable allow list, it was initialized with %d entries", entries)
|
||||
|
||||
} else if len(c.CA.ECDSAAllowedAccounts) > 0 {
|
||||
// TODO(#5394): This clause exists to support deployability
|
||||
// until `ECDSAAllowedAccounts` is replaced by
|
||||
// `ECDSAAllowListFilename` in all staging and production
|
||||
// configs.
|
||||
var entries int
|
||||
ecdsaAllowList, entries, err = ca.NewECDSAAllowListFromConfig(c.CA.ECDSAAllowedAccounts)
|
||||
cmd.FailOnError(err, "Unable to load ECDSA allow list from JSON config")
|
||||
logger.Infof("Created an allow list from JSON config containing %d entries", entries)
|
||||
}
|
||||
|
||||
serverMetrics := bgrpc.NewServerMetrics(scope)
|
||||
|
|
|
@ -88,7 +88,7 @@
|
|||
"features": {
|
||||
"NonCFSSLSigner": true
|
||||
},
|
||||
"ECDSAAllowedAccounts": [1337]
|
||||
"ECDSAAllowListFilename": "test/config/ecdsaAllowList.yml"
|
||||
},
|
||||
|
||||
"pa": {
|
||||
|
|
|
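Review bot: The new `"ECDSAAllowListFilename": "test/config/ecdsaAllowList.yml"` is a relative path, so the CA only finds the fixture when started from the repository root; the identical change in `test/config/ca-b.json` has the same dependency and both configs point at one shared file. Since the file-backed list is reloadable at runtime (the `main()` hunk logs "Created a reloadable allow list" and `NewECDSAAllowListFromFile` installs a `reloader`), whoever can write that file controls which accounts receive ECDSA issuance, so in non-test deployments it should be owned by the deploying operator and read-only for the CA process. With `ECDSAAllowedAccounts` now gone from the config struct, a staging or production config that still carries the old key will presumably decode without error and simply yield no allow list, which fails closed but silently; a release note or a loader check that rejects the stale key would make that migration error visible.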
@ -88,7 +88,7 @@
|
|||
"features": {
|
||||
"NonCFSSLSigner": true
|
||||
},
|
||||
"ECDSAAllowedAccounts": [1337]
|
||||
"ECDSAAllowListFilename": "test/config/ecdsaAllowList.yml"
|
||||
},
|
||||
|
||||
"pa": {
|
||||
|
|
|
@ -0,0 +1,2 @@
|
|||
---
|
||||
- 1337
|