4a85abf25a
The `KeyPolicy.GoodKey` method is used to validate both public keys used to sign JWK messages, and public keys contained inside CSR messages. According to RFC8555 section 6.7, validation failure in the former case should result in `badPublicKey`, while validation failure in the latter case should result in `badCSR`. In either case, a failure due to reasons other than the key itself should result in `serverInternal`. However, the GoodKey method returns a variety of different errors which are not all applicable depending on the context in which it is called. In addition, the `csr.VerifyCSR` method passes these errors through verbatim, resulting in ACME clients receiving confusing and incorrect error message types. This change causes the GoodKey method to always return either a generic error or a KeyError. Calling methods should treat a `KeyError` as either a `badPublicKey` or a `badCSR` depending on their context, and may treat a generic error however they choose (though likely as a serverInternal error). Fixes #4930 |
||
|---|---|---|
| .. | ||
| config | ||
| proto | ||
| testdata | ||
| ca.go | ||
| ca_test.go | ||