f02e9da38f
We occasionally have reason to block public keys from being used in CSRs or for JWKs. This work adds support for loading a YAML blocked keys list to the WFE, the RA and the CA (all the components already using the `goodekey` package). The list is loaded in-memory and is intended to be used sparingly and not for more complicated mass blocking scenarios. This augments the existing debian weak key checking which is specific to RSA keys and operates on a truncated hash of the key modulus. In comparison the admin. blocked keys are identified by the Base64 encoding of a SHA256 hash over the DER encoding of the public key expressed as a PKIX subject public key. For ECDSA keys in particular we believe a more thorough solution would have to consider inverted curve points but to start we're calling this approach "Good Enough". A utility program (`block-a-key`) is provided that can read a PEM formatted x509 certificate or a JSON formatted JWK and emit lines to be added to the blocked keys YAML to block the related public key. A test blocked keys YAML file is included (`test/example-blocked-keys.yml`), initially populated with a few of the keys from the `test/` directory. We may want to do a more through pass through Boulder's source code and add a block entry for every test private key. Resolves https://github.com/letsencrypt/boulder/issues/4404 |
||
|---|---|---|
| .. | ||
| test | ||
| main.go | ||
| main_test.go | ||