boulder

Commit Graph

Author	SHA1	Message	Date
Phil Porada	ebb52990ca	test: Remove loop variable rebinding (#7587 ) [Gopls](https://github.com/golang/go/issues/66876) had a recent update which fixed my text editor from complaining about the "loop variable being captured by func literal". Fixes https://github.com/letsencrypt/boulder/issues/7454	2024-07-12 10:43:25 -04:00
Phil Porada	5c98bf6724	ceremony: Add support for CRL onlyContainsCACerts (#7064 ) * Allows the ceremony tool to add the `onlyContainsCACerts` flag to the `IssuingDistributionPoint` extension[1] for CRLs. * Add a lint to detect basic usage of this new flag. * Add a helper function which doesn't (yet) exist in golang x/crypto/cryptobyte named `ReadOptionalASN1BooleanWithTag` which searches for an optional DER-encoded ASN.1 element tagged with a given tag e.g. onlyContainsUserCerts and reports values back to the caller. * Each revoked certificate in the CRL config is checked for is `IsCA` to maintain conformance with RFC 5280 Section 6.3.3 b.2.iii [2]. > (iii) If the onlyContainsCACerts boolean is asserted in the > IDP CRL extension, verify that the certificate > includes the basic constraints extension with the cA > boolean asserted. Fixes https://github.com/letsencrypt/boulder/issues/7047 1. https://datatracker.ietf.org/doc/html/rfc5280#section-5.2.5 2. https://datatracker.ietf.org/doc/html/rfc5280#section-6.3.3	2023-10-02 17:03:36 -07:00

Author

SHA1

Message

Date

Phil Porada

ebb52990ca

test: Remove loop variable rebinding (#7587 )

[Gopls](https://github.com/golang/go/issues/66876) had a recent update
which fixed my text editor from complaining about the "loop variable
being captured by func literal".

Fixes https://github.com/letsencrypt/boulder/issues/7454

2024-07-12 10:43:25 -04:00

Phil Porada

5c98bf6724

ceremony: Add support for CRL onlyContainsCACerts (#7064 )

* Allows the ceremony tool to add the `onlyContainsCACerts` flag to the
`IssuingDistributionPoint` extension[1] for CRLs.
* Add a lint to detect basic usage of this new flag.
* Add a helper function which doesn't (yet) exist in golang
x/crypto/cryptobyte named `ReadOptionalASN1BooleanWithTag` which
searches for an optional DER-encoded ASN.1 element tagged with a given
tag e.g. onlyContainsUserCerts and reports values back to the caller.
* Each revoked certificate in the CRL config is checked for is `IsCA` to
maintain conformance with RFC 5280 Section 6.3.3 b.2.iii [2].
    >  (iii) If the onlyContainsCACerts boolean is asserted in the
    >        IDP CRL extension, verify that the certificate
    >        includes the basic constraints extension with the cA
    >        boolean asserted.

Fixes https://github.com/letsencrypt/boulder/issues/7047

1. https://datatracker.ietf.org/doc/html/rfc5280#section-5.2.5
2. https://datatracker.ietf.org/doc/html/rfc5280#section-6.3.3

2023-10-02 17:03:36 -07:00

2 Commits