Remove "ocsp-response" Ceremony type (#8396)

Remove the configuration, validation, logic, and tests which support the
"ocsp-response" ceremony type. We have not used this ceremony type to
produce OCSP responses in many years, and do not anticipate doing so at
any time in the foreseeable future. None of our CA certificates contain
AIA OCSP URIs, so we could not serve such responses even if we did
generate them.

Author: aarongable

cmd/ceremony/README.md

@@ -13,7 +13,6 @@ ceremony --config path/to/config.yml
 - `cross-csr`: creates a CSR for signing by a third party, outputting a PEM CSR.
 - `cross-certificate`: issues a certificate for one root, signed by another root. This is distinct from an intermediate because there is no path length constraint and there are no EKUs.
 - `key`: generates a signing key on HSM, outputting a PEM public key
-- `ocsp-response`: creates a OCSP response for the provided certificate and signs it using a signing key already on a HSM, outputting a base64 encoded response
 - `crl`: creates a CRL with the IDP extension and `onlyContainsCACerts = true` from the provided profile and signs it using a signing key already on a HSM, outputting a PEM CRL
 
 These modes are set in the `ceremony-type` field of the configuration file.
@@ -296,61 +295,6 @@ outputs:
 
 This config generates an ECDSA P-384 key in the HSM with the object label `intermediate signing key`. The public key is written to `/home/user/intermediate-signing-pub.pem`.
 
-### OCSP Response ceremony
-
-- `ceremony-type`: string describing the ceremony type, `ocsp-response`.
-- `pkcs11`: object containing PKCS#11 related fields.
-
-    | Field | Description |
-    | --- | --- |
-    | `module` | Path to the PKCS#11 module to use to communicate with a HSM. |
-    | `pin` | Specifies the login PIN, should only be provided if the HSM device requires one to interact with the slot. |
-    | `signing-key-slot` | Specifies which HSM object slot the signing key is in. |
-    | `signing-key-label` | Specifies the HSM object label for the signing keypair's public key. |
-
-- `inputs`: object containing paths for inputs
-
-    | Field | Description |
-    | --- | --- |
-    | `certificate-path` | Path to PEM certificate to create a response for. |
-    | `issuer-certificate-path` | Path to PEM issuer certificate. |
-    | `delegated-issuer-certificate-path` | Path to PEM delegated issuer certificate, if one is being used. |
-
-- `outputs`: object containing paths to write outputs.
-
-    | Field | Description |
-    | --- | --- |
-    | `response-path` | Path to store signed base64 encoded response. |
-
-- `ocsp-profile`: object containing profile for the OCSP response.
-
-    | Field | Description |
-    | --- | --- |
-    | `this-update` | Specifies the OCSP response thisUpdate date, in the format `2006-01-02 15:04:05`. The time will be interpreted as UTC. |
-    | `next-update` | Specifies the OCSP response nextUpdate date, in the format `2006-01-02 15:04:05`. The time will be interpreted as UTC. |
-    | `status` | Specifies the OCSP response status, either `good` or `revoked`. |
-
-Example:
-
-```yaml
-ceremony-type: ocsp-response
-pkcs11:
-    module: /usr/lib/opensc-pkcs11.so
-    signing-key-slot: 0
-    signing-key-label: root signing key
-inputs:
-    certificate-path: /home/user/certificate.pem
-    issuer-certificate-path: /home/user/root-cert.pem
-outputs:
-    response-path: /home/user/ocsp-resp.b64
-ocsp-profile:
-    this-update: 2020-01-01 12:00:00
-    next-update: 2021-01-01 12:00:00
-    status: good
-```
-
-This config generates a OCSP response signed by a key in the HSM, identified by the object label `root signing key` and object ID `ffff`. The response will be for the certificate in `/home/user/certificate.pem`, and will be written to `/home/user/ocsp-resp.b64`.
-
 ### CRL ceremony
 
 - `ceremony-type`: string describing the ceremony type, `crl`.

cmd/ceremony/main.go

@@ -18,7 +18,6 @@ import (
 	"slices"
 	"time"
 
-	"golang.org/x/crypto/ocsp"
 	"gopkg.in/yaml.v3"
 
 	zlintx509 "github.com/zmap/zcrypto/x509"
@@ -379,59 +378,6 @@ func (kc keyConfig) validate() error {
 	return nil
 }
 
-type ocspRespConfig struct {
-	CeremonyType string              `yaml:"ceremony-type"`
-	PKCS11       PKCS11SigningConfig `yaml:"pkcs11"`
-	Inputs       struct {
-		CertificatePath                string `yaml:"certificate-path"`
-		IssuerCertificatePath          string `yaml:"issuer-certificate-path"`
-		DelegatedIssuerCertificatePath string `yaml:"delegated-issuer-certificate-path"`
-	} `yaml:"inputs"`
-	Outputs struct {
-		ResponsePath string `yaml:"response-path"`
-	} `yaml:"outputs"`
-	OCSPProfile struct {
-		ThisUpdate string `yaml:"this-update"`
-		NextUpdate string `yaml:"next-update"`
-		Status     string `yaml:"status"`
-	} `yaml:"ocsp-profile"`
-}
-
-func (orc ocspRespConfig) validate() error {
-	err := orc.PKCS11.validate()
-	if err != nil {
-		return err
-	}
-
-	// Input fields
-	if orc.Inputs.CertificatePath == "" {
-		return errors.New("inputs.certificate-path is required")
-	}
-	if orc.Inputs.IssuerCertificatePath == "" {
-		return errors.New("inputs.issuer-certificate-path is required")
-	}
-	// DelegatedIssuerCertificatePath may be omitted
-
-	// Output fields
-	err = checkOutputFile(orc.Outputs.ResponsePath, "response-path")
-	if err != nil {
-		return err
-	}
-
-	// OCSP fields
-	if orc.OCSPProfile.ThisUpdate == "" {
-		return errors.New("ocsp-profile.this-update is required")
-	}
-	if orc.OCSPProfile.NextUpdate == "" {
-		return errors.New("ocsp-profile.next-update is required")
-	}
-	if orc.OCSPProfile.Status != "good" && orc.OCSPProfile.Status != "revoked" {
-		return errors.New("ocsp-profile.status must be either \"good\" or \"revoked\"")
-	}
-
-	return nil
-}
-
 type crlConfig struct {
 	CeremonyType string              `yaml:"ceremony-type"`
 	PKCS11       PKCS11SigningConfig `yaml:"pkcs11"`
@@ -879,76 +825,6 @@ func keyCeremony(configBytes []byte) error {
 	return nil
 }
 
-func ocspRespCeremony(configBytes []byte) error {
-	var config ocspRespConfig
-	err := strictyaml.Unmarshal(configBytes, &config)
-	if err != nil {
-		return fmt.Errorf("failed to parse config: %s", err)
-	}
-	err = config.validate()
-	if err != nil {
-		return fmt.Errorf("failed to validate config: %s", err)
-	}
-
-	cert, err := loadCert(config.Inputs.CertificatePath)
-	if err != nil {
-		return fmt.Errorf("failed to load certificate %q: %s", config.Inputs.CertificatePath, err)
-	}
-	issuer, err := loadCert(config.Inputs.IssuerCertificatePath)
-	if err != nil {
-		return fmt.Errorf("failed to load issuer certificate %q: %s", config.Inputs.IssuerCertificatePath, err)
-	}
-	var signer crypto.Signer
-	var delegatedIssuer *x509.Certificate
-	if config.Inputs.DelegatedIssuerCertificatePath != "" {
-		delegatedIssuer, err = loadCert(config.Inputs.DelegatedIssuerCertificatePath)
-		if err != nil {
-			return fmt.Errorf("failed to load delegated issuer certificate %q: %s", config.Inputs.DelegatedIssuerCertificatePath, err)
-		}
-
-		signer, _, err = openSigner(config.PKCS11, delegatedIssuer.PublicKey)
-		if err != nil {
-			return err
-		}
-	} else {
-		signer, _, err = openSigner(config.PKCS11, issuer.PublicKey)
-		if err != nil {
-			return err
-		}
-	}
-
-	thisUpdate, err := time.Parse(time.DateTime, config.OCSPProfile.ThisUpdate)
-	if err != nil {
-		return fmt.Errorf("unable to parse ocsp-profile.this-update: %s", err)
-	}
-	nextUpdate, err := time.Parse(time.DateTime, config.OCSPProfile.NextUpdate)
-	if err != nil {
-		return fmt.Errorf("unable to parse ocsp-profile.next-update: %s", err)
-	}
-	var status int
-	switch config.OCSPProfile.Status {
-	case "good":
-		status = int(ocsp.Good)
-	case "revoked":
-		status = int(ocsp.Revoked)
-	default:
-		// this shouldn't happen if the config is validated
-		return fmt.Errorf("unexpected ocsp-profile.stats: %s", config.OCSPProfile.Status)
-	}
-
-	resp, err := generateOCSPResponse(signer, issuer, delegatedIssuer, cert, thisUpdate, nextUpdate, status)
-	if err != nil {
-		return err
-	}
-
-	err = writeFile(config.Outputs.ResponsePath, resp)
-	if err != nil {
-		return fmt.Errorf("failed to write OCSP response to %q: %s", config.Outputs.ResponsePath, err)
-	}
-
-	return nil
-}
-
 func crlCeremony(configBytes []byte) error {
 	var config crlConfig
 	err := strictyaml.Unmarshal(configBytes, &config)
@@ -1075,17 +951,12 @@ func main() {
 		if err != nil {
 			log.Fatalf("key ceremony failed: %s", err)
 		}
-	case "ocsp-response":
-		err = ocspRespCeremony(configBytes)
-		if err != nil {
-			log.Fatalf("ocsp response ceremony failed: %s", err)
-		}
 	case "crl":
 		err = crlCeremony(configBytes)
 		if err != nil {
 			log.Fatalf("crl ceremony failed: %s", err)
 		}
 	default:
-		log.Fatalf("unknown ceremony-type, must be one of: root, cross-certificate, intermediate, cross-csr, key, ocsp-response, crl")
+		log.Fatalf("unknown ceremony-type, must be one of: root, cross-certificate, intermediate, cross-csr, key, crl")
 	}
 }