forked from letsencrypt/boulder
Implement unpredictable issuance from similar intermediates (letsencrypt#7418)

Replace the CA's "useForRSA" and "useForECDSA" config keys with a single "active" boolean. When the CA starts up, all active RSA issuers will be used to issue precerts with RSA pubkeys, and all ECDSA issuers will be used to issue precerts with ECDSA pubkeys (if the ECDSAForAll flag is true; otherwise just those that are on the allow-list). All "inactive" issuers can still issue OCSP responses, CRLs, and (notably) final certificates.

Instead of using the "useForRSA" and "useForECDSA" flags, plus implicit config ordering, to determine which issuer to use to handle a given issuance, simply use the issuer's public key algorithm to determine which issuances it should be handling. All implicit ordering considerations are removed, because the "active" certificates now just form a pool that is sampled from randomly.

To facilitate this, update some unit and integration tests to be more flexible and try multiple potential issuing intermediates, particularly when constructing OCSP requests.

For this change to be safe to deploy with no user-visible behavior changes, the CA configs must contain:

- Exactly one RSA-keyed intermediate with "useForRSALeaves" set to true; and
- Exactly one ECDSA-keyed intermediate with "useForECDSALeaves" set to true.

If the configs contain more than one intermediate meeting one of the bullets above, then randomized issuance will begin immediately.

Fixes letsencrypt#7291
Fixes letsencrypt#7290
1 parent 1c39101, commit 13d5573
Showing 11 changed files with 302 additions and 366 deletions.
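The selection rule the commit message describes, bucketing active intermediates by their own key algorithm and sampling uniformly, as an added illustration that is not Boulder's code: `Issuer`, `Pool`, `NewPool`, `Candidates` and `Pick` are hypothetical names, and routing ECDSA leaves to the RSA pool unless ECDSAForAll is set or the account is allow-listed is my reading of the message.

```go
package main

import (
	"crypto/x509"
	"fmt"
	"math/rand"
)

// Issuer is a hypothetical stand-in for a Boulder intermediate; inactive ones never join the precert pool.
type Issuer struct {
	Name   string
	Alg    x509.PublicKeyAlgorithm // algorithm of the intermediate's own key
	Active bool
}

// Pool buckets active issuers by their own key algorithm; config order plays no part.
type Pool struct{ rsa, ecdsa []*Issuer }

// NewPool builds the pool and rejects configs lacking an active issuer for either algorithm.
func NewPool(issuers []*Issuer) (*Pool, error) {
	p := &Pool{}
	for _, iss := range issuers {
		if !iss.Active {
			continue
		}
		switch iss.Alg {
		case x509.RSA:
			p.rsa = append(p.rsa, iss)
		case x509.ECDSA:
			p.ecdsa = append(p.ecdsa, iss)
		default:
			return nil, fmt.Errorf("issuer %q: unsupported key algorithm %v", iss.Name, iss.Alg)
		}
	}
	if len(p.rsa) == 0 || len(p.ecdsa) == 0 {
		return nil, fmt.Errorf("need at least one active RSA and one active ECDSA issuer")
	}
	return p, nil
}
// Candidates lists the issuers eligible for a precert whose subscriber key uses leafAlg.
// ECDSA leaves reach the ECDSA pool only under ECDSAForAll or an allow-listed account;
// otherwise they fall back to RSA issuers (my reading of the commit message).
func (p *Pool) Candidates(leafAlg x509.PublicKeyAlgorithm, ecdsaForAll, allowListed bool) []*Issuer {
	if leafAlg == x509.ECDSA && (ecdsaForAll || allowListed) {
		return p.ecdsa
	}
	return p.rsa
}
// Pick samples one candidate uniformly, so issuance is unpredictable once a bucket has >1 issuer.
func Pick(cands []*Issuer, rnd *rand.Rand) *Issuer {
	return cands[rnd.Intn(len(cands))]
}
```

With exactly one active issuer per algorithm the choice is deterministic, which is the "no user-visible behavior change" deployment condition the message spells out.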