boulder

Commit Graph

Author	SHA1	Message	Date
Patrick Figel	6ba8aadfd7	Use X.509 AIA Issuer URL in rel="up" link header (#2545 ) In order to provide the correct issuer certificate for older certificates after an issuer certificate rollover or when using multiple issuer certificates (e.g. RSA and ECDSA), use the AIA CA Issuer URL embedded in the certificate for the rel="up" link served by WFE. This behaviour is gated behind the UseAIAIssuerURL feature, which defaults to false. To prevent MitM vulnerabilities in cases where the AIA URL is HTTP-only, it is upgraded to HTTPS. This also adds a test for the issuer URL returned by the /acme/cert endpoint. wfe/test/178.{crt,key} were regenerated to add the AIA extension required to pass the test. /acme/cert was changed to return an absolute URL to the issuer endpoint (making it consistent with /acme/new-cert). Fixes #1663 Based on #1780	2017-02-07 11:19:22 -08:00
Jacob Hoffman-Andrews	80d5e50e42	Enable revocation by account key. In addition to cert private key. This required modifying the GetCertificate* functions to return core.Certificate instead of certificate bytes.	2015-06-15 12:33:50 -07:00

Author

SHA1

Message

Date

Patrick Figel

6ba8aadfd7

Use X.509 AIA Issuer URL in rel="up" link header (#2545 )

In order to provide the correct issuer certificate for older certificates after an issuer certificate rollover or when using multiple issuer certificates (e.g. RSA and ECDSA), use the AIA CA Issuer URL embedded in the certificate for the rel="up" link served by WFE. This behaviour is gated behind the UseAIAIssuerURL feature, which defaults to false.

To prevent MitM vulnerabilities in cases where the AIA URL is HTTP-only, it is upgraded to HTTPS.

This also adds a test for the issuer URL returned by the /acme/cert endpoint. wfe/test/178.{crt,key} were regenerated to add the AIA extension required to pass the test.

/acme/cert was changed to return an absolute URL to the issuer endpoint (making it consistent with /acme/new-cert).

Fixes #1663
Based on #1780

2017-02-07 11:19:22 -08:00

Jacob Hoffman-Andrews

80d5e50e42

Enable revocation by account key.

In addition to cert private key. This required modifying the GetCertificate*
functions to return core.Certificate instead of certificate bytes.

2015-06-15 12:33:50 -07:00

2 Commits