letsencrypt
diff --git a/‎cmd/ceremony/README.md‎
Lines changed: 87 additions & 84 deletions b/‎cmd/ceremony/README.md‎
Lines changed: 87 additions & 84 deletions
diff --git a/‎cmd/ceremony/cert.go‎
Lines changed: 1 addition & 29 deletions b/‎cmd/ceremony/cert.go‎
Lines changed: 1 addition & 29 deletions
diff --git a/‎cmd/ceremony/cert_test.go‎
Lines changed: 0 additions & 176 deletions b/‎cmd/ceremony/cert_test.go‎
Lines changed: 0 additions & 176 deletions
diff --git a/‎cmd/ceremony/ecdsa.go‎
Lines changed: 3 additions & 2 deletions b/‎cmd/ceremony/ecdsa.go‎
Lines changed: 3 additions & 2 deletions
diff --git a/‎cmd/ceremony/key.go‎
Lines changed: 7 additions & 6 deletions b/‎cmd/ceremony/key.go‎
Lines changed: 7 additions & 6 deletions
@@ -76,8 +76,6 @@ type certType int
 const (
 	rootCert certType = iota
 	intermediateCert
-	ocspCert
-	crlCert
 	crossCert
 	requestCert
 )
@@ -153,23 +151,12 @@ func (profile *certProfile) verifyProfile(ct certType) error {
 		}
 
 		// BR 7.1.2.10.5 CA Certificate Certificate Policies
-		// OID 2.23.140.1.2.1 is an anyPolicy
+		// OID 2.23.140.1.2.1 is CABF BRs Domain Validated
 		if len(profile.Policies) != 1 || profile.Policies[0].OID != "2.23.140.1.2.1" {
 			return errors.New("policy should be exactly BRs domain-validated for subordinate CAs")
 		}
 	}
 
-	if ct == ocspCert || ct == crlCert {
-		if len(profile.KeyUsages) != 0 {
-			return errors.New("key-usages cannot be set for a delegated signer")
-		}
-		if profile.CRLURL != "" {
-			return errors.New("crl-url cannot be set for a delegated signer")
-		}
-		if profile.OCSPURL != "" {
-			return errors.New("ocsp-url cannot be set for a delegated signer")
-		}
-	}
 	return nil
 }
 
@@ -194,8 +181,6 @@ var stringToKeyUsage = map[string]x509.KeyUsage{
 	"Cert Sign":         x509.KeyUsageCertSign,
 }
 
-var oidOCSPNoCheck = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 48, 1, 5}
-
 func generateSKID(pk []byte) ([]byte, error) {
 	var pkixPublicKey struct {
 		Algo      pkix.AlgorithmIdentifier
@@ -252,11 +237,6 @@ func makeTemplate(randReader io.Reader, profile *certProfile, pubKey []byte, tbc
 		}
 		ku |= kuBit
 	}
-	if ct == ocspCert {
-		ku = x509.KeyUsageDigitalSignature
-	} else if ct == crlCert {
-		ku = x509.KeyUsageCRLSign
-	}
 	if ku == 0 {
 		return nil, errors.New("at least one key usage must be set")
 	}
@@ -296,14 +276,6 @@ func makeTemplate(randReader io.Reader, profile *certProfile, pubKey []byte, tbc
 	// 		BR 7.1.2.1.2 Root CA Extensions
 	// 		Extension 	Presence 	Critical 	Description
 	// 		extKeyUsage 	MUST NOT 	N 	-
-	case ocspCert:
-		cert.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageOCSPSigning}
-		// ASN.1 NULL is 0x05, 0x00
-		ocspNoCheckExt := pkix.Extension{Id: oidOCSPNoCheck, Value: []byte{5, 0}}
-		cert.ExtraExtensions = append(cert.ExtraExtensions, ocspNoCheckExt)
-		cert.IsCA = false
-	case crlCert:
-		cert.IsCA = false
 	case requestCert, intermediateCert:
 		// id-kp-serverAuth is included in intermediate certificates, as required by
 		// Section 7.1.2.10.6 of the CA/BF Baseline Requirements.
 
@@ -1,7 +1,6 @@
 package main
 
 import (
-	"bytes"
 	"crypto/ecdsa"
 	"crypto/elliptic"
 	"crypto/rand"
@@ -174,73 +173,6 @@ func TestMakeTemplateRestrictedCrossCertificate(t *testing.T) {
 	test.AssertEquals(t, cert.ExtKeyUsage[0], x509.ExtKeyUsageServerAuth)
 }
 
-func TestMakeTemplateOCSP(t *testing.T) {
-	s, ctx := pkcs11helpers.NewSessionWithMock()
-	ctx.GenerateRandomFunc = realRand
-	randReader := newRandReader(s)
-	profile := &certProfile{
-		SignatureAlgorithm: "SHA256WithRSA",
-		CommonName:         "common name",
-		Organization:       "organization",
-		Country:            "country",
-		OCSPURL:            "ocsp",
-		CRLURL:             "crl",
-		IssuerURL:          "issuer",
-		NotAfter:           "2018-05-18 11:31:00",
-		NotBefore:          "2018-05-18 11:31:00",
-	}
-	pubKey := samplePubkey()
-
-	cert, err := makeTemplate(randReader, profile, pubKey, nil, ocspCert)
-	test.AssertNotError(t, err, "makeTemplate failed")
-
-	test.Assert(t, !cert.IsCA, "IsCA is set")
-	// Check KU is only KeyUsageDigitalSignature
-	test.AssertEquals(t, cert.KeyUsage, x509.KeyUsageDigitalSignature)
-	// Check there is a single EKU with id-kp-OCSPSigning
-	test.AssertEquals(t, len(cert.ExtKeyUsage), 1)
-	test.AssertEquals(t, cert.ExtKeyUsage[0], x509.ExtKeyUsageOCSPSigning)
-	// Check ExtraExtensions contains a single id-pkix-ocsp-nocheck
-	hasExt := false
-	asnNULL := []byte{5, 0}
-	for _, ext := range cert.ExtraExtensions {
-		if ext.Id.Equal(oidOCSPNoCheck) {
-			if hasExt {
-				t.Error("template contains multiple id-pkix-ocsp-nocheck extensions")
-			}
-			hasExt = true
-			if !bytes.Equal(ext.Value, asnNULL) {
-				t.Errorf("id-pkix-ocsp-nocheck has unexpected content: want %x, got %x", asnNULL, ext.Value)
-			}
-		}
-	}
-	test.Assert(t, hasExt, "template doesn't contain id-pkix-ocsp-nocheck extensions")
-}
-
-func TestMakeTemplateCRL(t *testing.T) {
-	s, ctx := pkcs11helpers.NewSessionWithMock()
-	ctx.GenerateRandomFunc = realRand
-	randReader := newRandReader(s)
-	profile := &certProfile{
-		SignatureAlgorithm: "SHA256WithRSA",
-		CommonName:         "common name",
-		Organization:       "organization",
-		Country:            "country",
-		OCSPURL:            "ocsp",
-		CRLURL:             "crl",
-		IssuerURL:          "issuer",
-		NotAfter:           "2018-05-18 11:31:00",
-		NotBefore:          "2018-05-18 11:31:00",
-	}
-	pubKey := samplePubkey()
-
-	cert, err := makeTemplate(randReader, profile, pubKey, nil, crlCert)
-	test.AssertNotError(t, err, "makeTemplate failed")
-
-	test.Assert(t, !cert.IsCA, "IsCA is set")
-	test.AssertEquals(t, cert.KeyUsage, x509.KeyUsageCRLSign)
-}
-
 func TestVerifyProfile(t *testing.T) {
 	for _, tc := range []struct {
 		profile     certProfile
@@ -366,114 +298,6 @@ func TestVerifyProfile(t *testing.T) {
 			},
 			certType: []certType{rootCert},
 		},
-		{
-			profile: certProfile{
-				NotBefore:          "a",
-				NotAfter:           "b",
-				SignatureAlgorithm: "c",
-				CommonName:         "d",
-				Organization:       "e",
-				Country:            "f",
-				IssuerURL:          "g",
-				KeyUsages:          []string{"j"},
-			},
-			certType:    []certType{ocspCert},
-			expectedErr: "key-usages cannot be set for a delegated signer",
-		},
-		{
-			profile: certProfile{
-				NotBefore:          "a",
-				NotAfter:           "b",
-				SignatureAlgorithm: "c",
-				CommonName:         "d",
-				Organization:       "e",
-				Country:            "f",
-				IssuerURL:          "g",
-				CRLURL:             "i",
-			},
-			certType:    []certType{ocspCert},
-			expectedErr: "crl-url cannot be set for a delegated signer",
-		},
-		{
-			profile: certProfile{
-				NotBefore:          "a",
-				NotAfter:           "b",
-				SignatureAlgorithm: "c",
-				CommonName:         "d",
-				Organization:       "e",
-				Country:            "f",
-				IssuerURL:          "g",
-				OCSPURL:            "h",
-			},
-			certType:    []certType{ocspCert},
-			expectedErr: "ocsp-url cannot be set for a delegated signer",
-		},
-		{
-			profile: certProfile{
-				NotBefore:          "a",
-				NotAfter:           "b",
-				SignatureAlgorithm: "c",
-				CommonName:         "d",
-				Organization:       "e",
-				Country:            "f",
-				IssuerURL:          "g",
-			},
-			certType: []certType{ocspCert},
-		},
-		{
-			profile: certProfile{
-				NotBefore:          "a",
-				NotAfter:           "b",
-				SignatureAlgorithm: "c",
-				CommonName:         "d",
-				Organization:       "e",
-				Country:            "f",
-				IssuerURL:          "g",
-				KeyUsages:          []string{"j"},
-			},
-			certType:    []certType{crlCert},
-			expectedErr: "key-usages cannot be set for a delegated signer",
-		},
-		{
-			profile: certProfile{
-				NotBefore:          "a",
-				NotAfter:           "b",
-				SignatureAlgorithm: "c",
-				CommonName:         "d",
-				Organization:       "e",
-				Country:            "f",
-				IssuerURL:          "g",
-				CRLURL:             "i",
-			},
-			certType:    []certType{crlCert},
-			expectedErr: "crl-url cannot be set for a delegated signer",
-		},
-		{
-			profile: certProfile{
-				NotBefore:          "a",
-				NotAfter:           "b",
-				SignatureAlgorithm: "c",
-				CommonName:         "d",
-				Organization:       "e",
-				Country:            "f",
-				IssuerURL:          "g",
-				OCSPURL:            "h",
-			},
-			certType:    []certType{crlCert},
-			expectedErr: "ocsp-url cannot be set for a delegated signer",
-		},
-		{
-			profile: certProfile{
-				NotBefore:          "a",
-				NotAfter:           "b",
-				SignatureAlgorithm: "c",
-				CommonName:         "d",
-				Organization:       "e",
-				Country:            "f",
-				IssuerURL:          "g",
-			},
-			certType: []certType{crlCert},
-		},
 		{
 			profile: certProfile{
 				NotBefore: "a",
 
@@ -7,8 +7,9 @@ import (
 	"fmt"
 	"log"
 
-	"github.com/letsencrypt/boulder/pkcs11helpers"
 	"github.com/miekg/pkcs11"
+
+	"github.com/letsencrypt/boulder/pkcs11helpers"
 )
 
 var stringToCurve = map[string]elliptic.Curve{
@@ -70,7 +71,7 @@ func ecPub(
 		return nil, err
 	}
 	if pubKey.Curve != expectedCurve {
-		return nil, errors.New("Returned EC parameters doesn't match expected curve")
+		return nil, errors.New("returned EC parameters doesn't match expected curve")
 	}
 	log.Printf("\tX: %X\n", pubKey.X.Bytes())
 	log.Printf("\tY: %X\n", pubKey.Y.Bytes())
 
@@ -7,8 +7,9 @@ import (
 	"fmt"
 	"log"
 
-	"github.com/letsencrypt/boulder/pkcs11helpers"
 	"github.com/miekg/pkcs11"
+
+	"github.com/letsencrypt/boulder/pkcs11helpers"
 )
 
 type hsmRandReader struct {
@@ -49,7 +50,7 @@ func generateKey(session *pkcs11helpers.Session, label string, outputPath string
 		{Type: pkcs11.CKA_LABEL, Value: []byte(label)},
 	})
 	if err != pkcs11helpers.ErrNoObject {
-		return nil, fmt.Errorf("expected no preexisting objects with label %q in slot for key storage. got error: %s", label, err)
+		return nil, fmt.Errorf("expected no preexisting objects with label %q in slot for key storage. got error: %w", label, err)
 	}
 
 	var pubKey crypto.PublicKey
@@ -58,25 +59,25 @@ func generateKey(session *pkcs11helpers.Session, label string, outputPath string
 	case "rsa":
 		pubKey, keyID, err = rsaGenerate(session, label, config.RSAModLength)
 		if err != nil {
-			return nil, fmt.Errorf("failed to generate RSA key pair: %s", err)
+			return nil, fmt.Errorf("failed to generate RSA key pair: %w", err)
 		}
 	case "ecdsa":
 		pubKey, keyID, err = ecGenerate(session, label, config.ECDSACurve)
 		if err != nil {
-			return nil, fmt.Errorf("failed to generate ECDSA key pair: %s", err)
+			return nil, fmt.Errorf("failed to generate ECDSA key pair: %w", err)
 		}
 	}
 
 	der, err := x509.MarshalPKIXPublicKey(pubKey)
 	if err != nil {
-		return nil, fmt.Errorf("Failed to marshal public key: %s", err)
+		return nil, fmt.Errorf("failed to marshal public key: %w", err)
 	}
 
 	pemBytes := pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})
 	log.Printf("Public key PEM:\n%s\n", pemBytes)
 	err = writeFile(outputPath, pemBytes)
 	if err != nil {
-		return nil, fmt.Errorf("Failed to write public key to %q: %s", outputPath, err)
+		return nil, fmt.Errorf("failed to write public key to %q: %w", outputPath, err)
 	}
 	log.Printf("Public key written to %q\n", outputPath)
Original file line number	Diff line number	Diff line change
`@@ -7,8 +7,9 @@ import (`
`7`	`7`	`"fmt"`
`8`	`8`	`"log"`
`9`	`9`
`10`		`- "github.com/letsencrypt/boulder/pkcs11helpers"`
`11`	`10`	`"github.com/miekg/pkcs11"`
	`11`	`+`
	`12`	`+ "github.com/letsencrypt/boulder/pkcs11helpers"`
`12`	`13`	`)`
`13`	`14`
`14`	`15`	`var stringToCurve = map[string]elliptic.Curve{`
`@@ -70,7 +71,7 @@ func ecPub(`
`70`	`71`	`return nil, err`
`71`	`72`	`}`
`72`	`73`	`if pubKey.Curve != expectedCurve {`
`73`		`- return nil, errors.New("Returned EC parameters doesn't match expected curve")`
	`74`	`+ return nil, errors.New("returned EC parameters doesn't match expected curve")`
`74`	`75`	`}`
`75`	`76`	`log.Printf("\tX: %X\n", pubKey.X.Bytes())`
`76`	`77`	`log.Printf("\tY: %X\n", pubKey.Y.Bytes())`