-
-
Notifications
You must be signed in to change notification settings - Fork 610
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Profiles: allow for omission of KU, EKU, and SKID #7622
Conversation
504ed08
to
0ef7a60
Compare
I have used a locally-modified version of the eggsampler/acme client (capable of specifying a profile name in newOrder requests) to implement an integration test covering this new behavior: // TestIssuanceProfiles verifies that profile selection works, and results in
// measurable differences between certificates issued under different profiles.
// It does not test the omission of the keyEncipherment KU, because all of our
// integration test framework assumes ECDSA pubkeys for the sake of speed,
// and ECDSA certs don't get the keyEncipherment KU in either profile.
func TestIssuanceProfiles(t *testing.T) {
t.Parallel()
// Create an account.
client, err := makeClient("mailto:example@letsencrypt.org")
test.AssertNotError(t, err, "creating acme client")
profiles := client.Directory().Meta.Profiles
if len(profiles) < 2 {
t.Fatal("ACME server not advertising multiple profiles")
}
// Create a private key.
key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
test.AssertNotError(t, err, "creating random cert key")
// Create a set of identifiers to request.
names := []string{random_domain()}
// Get one cert for each profile that we know the test server advertises.
res, err := authAndIssue(client, key, names, true, "legacy")
test.AssertNotError(t, err, "failed to issue under legacy profile")
test.AssertEquals(t, res.Order.Profile, "legacy")
legacy := res.certs[0]
res, err = authAndIssue(client, key, names, true, "modern")
test.AssertNotError(t, err, "failed to issue under modern profile")
test.AssertEquals(t, res.Order.Profile, "modern")
modern := res.certs[0]
// Check that each profile worked as expected.
test.AssertEquals(t, legacy.Subject.CommonName, names[0])
test.AssertEquals(t, modern.Subject.CommonName, "")
test.AssertDeepEquals(t, legacy.ExtKeyUsage, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth})
test.AssertDeepEquals(t, modern.ExtKeyUsage, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth})
test.AssertEquals(t, len(legacy.SubjectKeyId), 20)
test.AssertEquals(t, len(modern.SubjectKeyId), 0)
} This test passes with one additional modification: configuring the CA to also ignore the edit: I have now made per-profile lints. |
@aarongable, this PR appears to contain configuration and/or SQL schema changes. Please ensure that a corresponding deployment ticket has been filed with the new values. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Some small changes, otherwise good!
Add three new keys to the CA's ProfileConfig:
Make substantive changes to issuer.requestValid and issuer.Prepare to implement the desired behavior for each of these options. Make a very slight change to ra.matchesCSR to generally allow for serverAuth-only EKUs. Improve the unit tests of both the //ca and //issuance packages to cover the new behavior.
Part of #7610
No config changes at this time; they will be made as part of #7309