In `//cmd/ceremony`:

* Added `CertificateToCrossSignPath` to the `cross-certificate` ceremony type. This new input field takes an existing certificate that will be cross-signed and performs checks against the manually configured data in each ceremony file.
* Added byte-for-byte subject/issuer comparison checks to root, intermediate, and cross-certificate ceremonies to detect that signing is happening as expected.
* Added Fermat factorization check from the `//goodkey` package to all functions that generate new key material.

In `//linter`:

* The Check function now exports linting certificate bytes. The idea is that a linting certificate's `tbsCertificate` bytes can be compared against the final certificate's `tbsCertificate` bytes as a verification that `x509.CreateCertificate` was deterministic and produced identical DER bytes after each signing operation.

Other notable changes:

* Re-orders the issuers list in each CA config to match staging and production. There is an ordering issue mentioned by @aarongable two years ago on IN-5913 that didn't make its way back to this repository.

  > Order here matters – the default chain we serve for each intermediate should be the first listed chain containing that intermediate.

* Enables `ECDSAForAll` in `config-next` CA configs to match Staging.
* Generates 2x new ECDSA subordinate CAs cross-signed by an RSA root and adds these chains to the WFE for clients to download.
* Increased the test.sh startup timeout to account for the extra ceremony run time.

Fixes https://github.com/letsencrypt/boulder/issues/7003

---------

Co-authored-by: Aaron Gable <aaron@letsencrypt.org>