boulder/linter/lints/test
Phil Porada 5c98bf6724
ceremony: Add support for CRL onlyContainsCACerts (#7064)
* Allows the ceremony tool to add the `onlyContainsCACerts` flag to the
`IssuingDistributionPoint` extension[1] for CRLs.
* Add a lint to detect basic usage of this new flag.
* Add a helper function which doesn't (yet) exist in golang
x/crypto/cryptobyte named `ReadOptionalASN1BooleanWithTag` which
searches for an optional DER-encoded ASN.1 element tagged with a given
tag e.g. onlyContainsUserCerts and reports values back to the caller.
* Each revoked certificate in the CRL config is checked for `IsCA` to
maintain conformance with RFC 5280 Section 6.3.3 b.2.iii [2].
    >  (iii) If the onlyContainsCACerts boolean is asserted in the
    >        IDP CRL extension, verify that the certificate
    >        includes the basic constraints extension with the cA
    >        boolean asserted.

Fixes https://github.com/letsencrypt/boulder/issues/7047

1. https://datatracker.ietf.org/doc/html/rfc5280#section-5.2.5
2. https://datatracker.ietf.org/doc/html/rfc5280#section-6.3.3
2023-10-02 17:03:36 -07:00
README.md ceremony: Add support for CRL onlyContainsCACerts (#7064) 2023-10-02 17:03:36 -07:00
helpers.go Use zlint to check our CRLs (#6972) 2023-07-11 15:39:05 -07:00

README.md

Test Lint CRLs

The contents of this directory are a variety of PEM-encoded CRLs used to test the CRL linting functions in the parent directory.

To create a new test CRL to exercise a new lint:

  1. Install the der2text and text2der tools:

    $ go install github.com/syncsynchalt/der2text/cmds/text2der@latest
    $ go install github.com/syncsynchalt/der2text/cmds/der2text@latest
    
  2. Use der2text to create an editable version of the CRL you want to start with, usually crl_good.pem:

    $ der2text crl_good.pem > my_new_crl.txt
    
  3. Edit the text file. See the der2text readme for details about the file format.

  4. Write the new PEM file and run the tests to see if it works! Repeat steps 3 and 4 as necessary until you get the correct result.

    $ text2der my_new_crl.txt >| my_new_crl.pem
    $ go test ..
    
  5. Remove the text file and commit your new CRL.

    $ rm my_new_crl.txt
    $ git add .
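The commit above adds the `onlyContainsCACerts` IDP flag and a lint that looks for it. As an alternative to editing crl_good.pem by hand, the Go program below (an added example, not Boulder's own code) builds a test CRL with a throwaway in-memory issuer, sets the critical IssuingDistributionPoint extension, and reads the flags back the way a lint would. The names idpFlags, makeTestCRL, readIDP and the issuer name "test IDP CA" are this example's own assumptions; the [0] distributionPoint field is omitted because the generated CRL does not carry one.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/pem"
	"math/big"
	"os"
	"time"
)

type idpFlags struct { // IssuingDistributionPoint booleans (RFC 5280 5.2.5); [0] distributionPoint omitted, unused here
	OnlyContainsUserCerts bool `asn1:"optional,tag:1"`
	OnlyContainsCACerts   bool `asn1:"optional,tag:2"`
}
var oidIDP = asn1.ObjectIdentifier{2, 5, 29, 28}
func must[T any](v T, err error) T { // panicking on error is acceptable in a throwaway test-data generator
	if err != nil {
		panic(err)
	}
	return v
}

// makeTestCRL signs a CRL whose critical IDP extension asserts flags, using a constructed in-memory issuer.
func makeTestCRL(flags idpFlags) []byte {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	now := time.Now()
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "test IDP CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCRLSign, NotBefore: now, NotAfter: now.Add(24 * time.Hour)}
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)))) // has a SKID
	idpDER := must(asn1.Marshal(flags)) // false flags are omitted; true ones encode as [n] IMPLICIT BOOLEAN TRUE
	return must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1),
		ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour), // RFC 5280 5.2.5: the IDP extension MUST be critical
		ExtraExtensions: []pkix.Extension{{Id: oidIDP, Critical: true, Value: idpDER}}}, ca, key))
}
// readIDP parses a DER CRL and returns its IDP flags; ok is false when the extension is absent.
func readIDP(crlDER []byte) (flags idpFlags, ok bool) {
	for _, ext := range must(x509.ParseRevocationList(crlDER)).Extensions {
		if ext.Id.Equal(oidIDP) {
			must(asn1.Unmarshal(ext.Value, &flags))
			return flags, true
		}
	}
	return flags, false
}
func main() { pem.Encode(os.Stdout, &pem.Block{Type: "X509 CRL", Bytes: makeTestCRL(idpFlags{OnlyContainsCACerts: true})}) }
```

Redirect the program's stdout to my_new_crl.pem and continue with `go test ..` as in step 4.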