boulder/probs
Daniel McCarney 3c8742ffaa Implement ACMEv2 style request validation for WFEv2 (#2935)
This PR reworks the original WFE2 JWS post validation code (primarily
from `verifyPOST()` in WFE1) to use the new "ACME v2" style of JWS verification.
For most endpoints this means switching to a style where the JWS does
*not* contain an embedded JWK and instead contains a Key ID that is used
to look up the JWK to verify the JWS from the database. For some special
endpoints (e.g. new-reg) there is a self-authenticated JWS style that
uses the old method of embedding a JWK instead of using a Key ID
(because no account to reference by ID exists yet).

The JWS validation now lives in `wfe2/verify.go` to keep the main WFEv2
code cleaner. Compared to `verifyPOST` there has been substantial work
done to create smaller, easier-to-test functions instead of one big
validation function. The existing WFE unit tests that were copied to the
WFE2 are largely left as they were (e.g. cruddy) and updated as
minimally as possible to support the new request validation. All tests
for new code were written in a cleaner subtest style. Cleaning up the
existing tests will be follow-up work (See https://github.com/letsencrypt/boulder/issues/2928).

Since the POST validation for the key-change and revocation endpoints
requires special care, they were left out of the WFE2 implementation for now
and will return a "not implemented" error if called.

_Note to reviewers_: this is a large diff to `wfe2/wfe.go` and `wfe2/verify.go`
that GitHub will hide by default. You will need to click to view the diffs.

Resolves https://github.com/letsencrypt/boulder/issues/2858
2017-08-08 17:27:35 -07:00
..
probs.go Implement ACMEv2 style request validation for WFEv2 (#2935) 2017-08-08 17:27:35 -07:00
probs_test.go Implement ACMEv2 style request validation for WFEv2 (#2935) 2017-08-08 17:27:35 -07:00