boulder

Commit Graph

Author	SHA1	Message	Date
Jacob Hoffman-Andrews	d2d9078213	privatekey: emit clearer error on parse (#6620 ) If the input key asserts that it is a PKCS#1 key ("BEGIN RSA PRIVATE KEY"), we can safely return the error from parsing as PKCS1, rather than trying all key types and returning a generic error.	2023-01-30 00:12:12 -08:00
Aaron Gable	9c197e1f43	Use io and os instead of deprecated ioutil (#6286 ) The iotuil package has been deprecated since go1.16; the various functions it provided now exist in the os and io packages. Replace all instances of ioutil with either io or os, as appropriate.	2022-08-10 13:30:17 -07:00
Samantha	83a7220f4e	admin-revoker: Block and revoke by private key (#5878 ) Incidents of key compromise where proof is supplied in the form of a private key have historically been labor intensive for SRE. This PR seeks to automate the process of embedded public key validation , query for issuance, revocation, and blocking by SPKI hash. For an example of private keys embedding a mismatched public key, see: https://blog.hboeck.de/archives/888-How-I-tricked-Symantec-with-a-Fake-Private-Key.html. Adds two new sub-commands (private-key-block and private-key-revoke) and one new flag (-dry-run) to admin-revoker. Both new sub-commands validate that the provided private key and provide the operator with an issuance count. Any blocking and revocation actions are gated by the new '-dry-run' flag, which is 'true' by default. private-key-block: if -dry-run=false, will immediately block issuance for the provided key. The operator is informed that bad-key-revoker will eventually revoke any certificates using the provided key. private-key-revoke: if -dry-run=false, will revoke all certificates using the provided key and then blocks future issuance. This avoids a race with the bad-key-revoker. This command will execute successfully even if issuance for the provided key is already blocked. - Add support for blocking issuance by private key to admin-revoker - Add support for revoking certificates by private key to admin-revoker - Create new package called 'privatekey' - Move private key loading logic from 'issuance' to 'privatekey' - Add embedded public key verification to 'privatekey' - Add new field `skipBlockKey` to `AdministrativelyRevokeCertificate` protobuf - Add check in RA to ensure that only KeyCompromise revocations use `skipBlockKey` Fixes #5785	2022-01-21 10:29:12 -08:00

Author

SHA1

Message

Date

Jacob Hoffman-Andrews

d2d9078213

privatekey: emit clearer error on parse (#6620 )

If the input key asserts that it is a PKCS#1 key ("BEGIN RSA PRIVATE
KEY"), we can safely return the error from parsing as PKCS1, rather than
trying all key types and returning a generic error.

2023-01-30 00:12:12 -08:00

Aaron Gable

9c197e1f43

Use io and os instead of deprecated ioutil (#6286 )

The iotuil package has been deprecated since go1.16; the various
functions it provided now exist in the os and io packages. Replace all
instances of ioutil with either io or os, as appropriate.

2022-08-10 13:30:17 -07:00

Samantha

83a7220f4e

admin-revoker: Block and revoke by private key (#5878 )

Incidents of key compromise where proof is supplied in the form of a private key
have historically been labor intensive for SRE. This PR seeks to automate the
process of embedded public key validation , query for issuance, revocation, and
blocking by SPKI hash.

For an example of private keys embedding a mismatched public key, see:
https://blog.hboeck.de/archives/888-How-I-tricked-Symantec-with-a-Fake-Private-Key.html.

Adds two new sub-commands (private-key-block and private-key-revoke) and one new
flag (-dry-run) to admin-revoker. Both new sub-commands validate that the
provided private key and provide the operator with an issuance count. Any
blocking and revocation actions are gated by the new '-dry-run' flag, which is
'true' by default.

private-key-block: if -dry-run=false, will immediately block issuance for the
provided key. The operator is informed that bad-key-revoker will eventually
revoke any certificates using the provided key.

private-key-revoke: if -dry-run=false, will revoke all certificates using the
provided key and then blocks future issuance. This avoids a race with the
bad-key-revoker. This command will execute successfully even if issuance for the
provided key is already blocked.

- Add support for blocking issuance by private key to admin-revoker
- Add support for revoking certificates by private key to admin-revoker
- Create new package called 'privatekey'
- Move private key loading logic from 'issuance' to 'privatekey'
- Add embedded public key verification to 'privatekey'
- Add new field `skipBlockKey` to `AdministrativelyRevokeCertificate` protobuf
- Add check in RA to ensure that only KeyCompromise revocations use
  `skipBlockKey`

Fixes #5785

2022-01-21 10:29:12 -08:00

3 Commits