When the CA loads new issuers (both their certificates and their
private keys), it performs a variety of sanity checks, such as
ensuring that the profile's signature algorithm matches the key
type.
With this change, we also check that the issuer's certificate has
the appropriate key usage bits set:
`certSign`, if it is going to be issuing end-entity certs; and
`digitalSignature`, because it will be signing OCSP responses for
previously-issued certificates.
Fixes #5068
The CA is the only service which still defines its json config format
in the package itself, rather than in its corresponding boulder-ca cmd
package. This has allowed the CA's constructor interface to hide
arbitrary complexity inside its first argument, the whole config blob.
This change moves the CA's config to boulder-ca/main.go, to match
the other Boulder components. In the process, it makes a host of
other improvements:
- It refactors the issuance package to have a cleaner configuration
  interface. It also separates the config into a high-level profile (which
  applies equally to all issuers), and issuer-level profiles (which apply
  only to a single issuer). This does involve some code duplication,
  but that will be removed when CFSSL goes away.
- It adds helper functions to the issuance package to make it easier
  to construct a new issuer, and takes advantage of these in the
  boulder-ca package. As a result, the CA now receives fully-formed
  Issuers at construction time, rather than constructing them from
  nearly-complete configs during its own initialization.
- It adds a Linter struct to the lint package, so that an issuer can
  simply carry around a Linter, rather than a separate lint signing
  key and registry of lints to run.
- It makes CFSSL-specific code more clearly marked as such,
  making future removal easier and cleaner.
Fixes #5070
Fixes #5076
We define a "signer" to be a private key, or something that satisfies the
crypto.Signer interface. We define an "issuer" to be an object which has
both a signer (so it can sign things) and a certificate (so that the things
it signs can have appropriate issuer fields set).
As a result, this change:
- moves the new "signer" library to be called "issuance" instead
- renames several "signers" to instead be "issuers", as defined above
- renames several "issuers" to instead be "certs", to reduce confusion more
There are some further cleanups which could be made, but most of them
will be made irrelevant by the removal of the CFSSL code, so I'm leaving
them be for now.
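The two ideas above, an issuer being a signer paired with its certificate, and the load-time sanity check that the certificate carries `digitalSignature` (for OCSP responses) and `keyCertSign` (if it will issue end-entity certificates), are shown together in the following added example. This is illustrative code written for this page, not Boulder's own `issuance` package: the `Issuer` type, `NewIssuer`, and the helpers are hypothetical, and the self-signed certificate it builds is constructed in-process so the check can be exercised offline.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Issuer pairs a signer (a private key satisfying crypto.Signer) with the
// certificate whose subject will appear in the issuer field of whatever it
// signs. Hypothetical type for this example, not Boulder's issuance.Issuer.
type Issuer struct {
	Cert   *x509.Certificate
	Signer crypto.Signer
}

// NewIssuer applies the load-time key usage checks: every issuer needs
// digitalSignature (it signs OCSP responses), and an issuer that will sign
// end-entity certificates also needs keyCertSign. It additionally confirms
// that the signer really corresponds to the certificate's public key, so a
// mismatched key/cert pair from a config mistake is rejected up front.
func NewIssuer(cert *x509.Certificate, signer crypto.Signer, issuesCerts bool) (*Issuer, error) {
	if cert == nil || signer == nil {
		return nil, errors.New("issuer needs both a certificate and a signer")
	}
	if cert.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
		return nil, errors.New("issuer certificate lacks digitalSignature key usage")
	}
	if issuesCerts && cert.KeyUsage&x509.KeyUsageCertSign == 0 {
		return nil, errors.New("issuer certificate lacks keyCertSign key usage")
	}
	pub, ok := signer.Public().(interface{ Equal(crypto.PublicKey) bool })
	if !ok || !pub.Equal(cert.PublicKey) {
		return nil, errors.New("signer does not match the issuer certificate's public key")
	}
	return &Issuer{Cert: cert, Signer: signer}, nil
}

// newSelfSignedCA builds a constructed, throwaway self-signed CA certificate
// with exactly the given key usage bits, so the checks can be driven offline.
func newSelfSignedCA(usage x509.KeyUsage) (*x509.Certificate, crypto.Signer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Issuer (constructed)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              usage,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// IssuerCheckResult returns the error NewIssuer produces for a certificate
// carrying the given key usage bits in the given role (nil means accepted).
func IssuerCheckResult(usage x509.KeyUsage, issuesCerts bool) error {
	cert, key, err := newSelfSignedCA(usage)
	if err != nil {
		return err
	}
	_, err = NewIssuer(cert, key, issuesCerts)
	return err
}

// MismatchedSignerResult pairs a valid certificate with an unrelated fresh
// key, which NewIssuer must reject even though the usage bits are right.
func MismatchedSignerResult() error {
	cert, _, err := newSelfSignedCA(x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature)
	if err != nil {
		return err
	}
	other, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	_, err = NewIssuer(cert, other, true)
	return err
}

func main() {
	both := x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
	fmt.Println("certSign+digitalSignature, issuing:", IssuerCheckResult(both, true))
	fmt.Println("digitalSignature only, issuing:   ", IssuerCheckResult(x509.KeyUsageDigitalSignature, true))
	fmt.Println("digitalSignature only, OCSP only: ", IssuerCheckResult(x509.KeyUsageDigitalSignature, false))
	fmt.Println("certSign only, issuing:           ", IssuerCheckResult(x509.KeyUsageCertSign, true))
	fmt.Println("wrong signer:                     ", MismatchedSignerResult())
}
```

Running it shows the first and third cases accepted and the rest rejected with a specific reason. Doing these checks in the constructor, rather than at first use, is what lets the CA refuse a misconfigured issuer at startup instead of discovering the problem when an OCSP response or certificate signature fails validation downstream.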