boulder

Commit Graph

Author	SHA1	Message	Date
Phil Porada	5c98bf6724	ceremony: Add support for CRL onlyContainsCACerts (#7064 ) * Allows the ceremony tool to add the `onlyContainsCACerts` flag to the `IssuingDistributionPoint` extension[1] for CRLs. * Add a lint to detect basic usage of this new flag. * Add a helper function which doesn't (yet) exist in golang x/crypto/cryptobyte named `ReadOptionalASN1BooleanWithTag` which searches for an optional DER-encoded ASN.1 element tagged with a given tag e.g. onlyContainsUserCerts and reports values back to the caller. * Each revoked certificate in the CRL config is checked for is `IsCA` to maintain conformance with RFC 5280 Section 6.3.3 b.2.iii [2]. > (iii) If the onlyContainsCACerts boolean is asserted in the > IDP CRL extension, verify that the certificate > includes the basic constraints extension with the cA > boolean asserted. Fixes https://github.com/letsencrypt/boulder/issues/7047 1. https://datatracker.ietf.org/doc/html/rfc5280#section-5.2.5 2. https://datatracker.ietf.org/doc/html/rfc5280#section-6.3.3	2023-10-02 17:03:36 -07:00
Aaron Gable	b090ffbd2e	Use zlint to check our CRLs (#6972 ) Update zlint to v3.5.0, which introduces scaffolding for running lints over CRLs. Convert all of our existing CRL checks to structs which match the zlint interface, and add them to the registry. Then change our linter's CheckCRL function, and crl-checker's Validate function, to run all lints in the zlint registry. Finally, update the ceremony tool to run these lints as well. This change touches a lot of files, but involves almost no logic changes. It's all just infrastructure, changing the way our lints and their tests are shaped, and moving test files into new homes. Fixes https://github.com/letsencrypt/boulder/issues/6934 Fixes https://github.com/letsencrypt/boulder/issues/6979	2023-07-11 15:39:05 -07:00

Author

SHA1

Message

Date

Phil Porada

5c98bf6724

ceremony: Add support for CRL onlyContainsCACerts (#7064 )

* Allows the ceremony tool to add the `onlyContainsCACerts` flag to the
`IssuingDistributionPoint` extension[1] for CRLs.
* Add a lint to detect basic usage of this new flag.
* Add a helper function which doesn't (yet) exist in golang
x/crypto/cryptobyte named `ReadOptionalASN1BooleanWithTag` which
searches for an optional DER-encoded ASN.1 element tagged with a given
tag e.g. onlyContainsUserCerts and reports values back to the caller.
* Each revoked certificate in the CRL config is checked for is `IsCA` to
maintain conformance with RFC 5280 Section 6.3.3 b.2.iii [2].
    >  (iii) If the onlyContainsCACerts boolean is asserted in the
    >        IDP CRL extension, verify that the certificate
    >        includes the basic constraints extension with the cA
    >        boolean asserted.

Fixes https://github.com/letsencrypt/boulder/issues/7047

1. https://datatracker.ietf.org/doc/html/rfc5280#section-5.2.5
2. https://datatracker.ietf.org/doc/html/rfc5280#section-6.3.3

2023-10-02 17:03:36 -07:00

Aaron Gable

b090ffbd2e

Use zlint to check our CRLs (#6972 )

Update zlint to v3.5.0, which introduces scaffolding for running lints
over CRLs.

Convert all of our existing CRL checks to structs which match the zlint
interface, and add them to the registry. Then change our linter's
CheckCRL function, and crl-checker's Validate function, to run all lints
in the zlint registry.

Finally, update the ceremony tool to run these lints as well.

This change touches a lot of files, but involves almost no logic
changes. It's all just infrastructure, changing the way our lints and
their tests are shaped, and moving test files into new homes.

Fixes https://github.com/letsencrypt/boulder/issues/6934
Fixes https://github.com/letsencrypt/boulder/issues/6979

2023-07-11 15:39:05 -07:00

2 Commits