Bind issuers to only issue for specified profiles (#8409)

Change how the CA determines which issuer to use (the `pickIssuer`
helper), to take into account the requested profile alongside the CSR's
key algorithm. This simple loop allows us to greatly simplify how the CA
has to track its set of issuers, resulting in some wider-reaching
changes to the NewCertificateAuthorityImpl constructor, the unit tests,
and boulder-ca/main.go.

Make the recently-added Issuer.Profiles config field required, and add
checks to ensure that all profiles are listed by at least one issuer,
and that all profiles listed by an issuer are actually configured.

Fixes #8390

Author: aarongable

ca/ca.go

@@ -14,6 +14,7 @@ import (
 	"fmt"
 	"math/big"
 	mrand "math/rand/v2"
+	"slices"
 
 	ct "github.com/google/certificate-transparency-go"
 	cttls "github.com/google/certificate-transparency-go/tls"
@@ -69,15 +70,6 @@ type issuanceEventResult struct {
 	Certificate    string `json:",omitempty"`
 }
 
-// Two maps of keys to Issuers. Lookup by PublicKeyAlgorithm is useful for
-// determining the set of issuers which can sign a given (pre)cert, based on its
-// PublicKeyAlgorithm. Lookup by NameID is useful for looking up a specific
-// issuer based on the issuer of a given (pre)certificate.
-type issuerMaps struct {
-	byAlg    map[x509.PublicKeyAlgorithm][]*issuance.Issuer
-	byNameID map[issuance.NameID]*issuance.Issuer
-}
-
 // caMetrics holds various metrics which are shared between caImpl and crlImpl.
 type caMetrics struct {
 	signatureCount *prometheus.CounterVec
@@ -129,11 +121,11 @@ func (m *caMetrics) noteSignError(err error) {
 // certificateAuthorityImpl represents a CA that signs certificates.
 type certificateAuthorityImpl struct {
 	capb.UnsafeCertificateAuthorityServer
-	sa           sapb.StorageAuthorityCertificateClient
-	sctClient    rapb.SCTProviderClient
-	pa           core.PolicyAuthority
-	issuers      issuerMaps
-	certProfiles map[string]*issuance.Profile
+	sa        sapb.StorageAuthorityCertificateClient
+	sctClient rapb.SCTProviderClient
+	pa        core.PolicyAuthority
+	issuers   []*issuance.Issuer
+	profiles  map[string]*issuance.Profile
 
 	// The prefix is prepended to the serial number.
 	prefix    byte
@@ -147,60 +139,14 @@ type certificateAuthorityImpl struct {
 
 var _ capb.CertificateAuthorityServer = (*certificateAuthorityImpl)(nil)
 
-// makeIssuerMaps processes a list of issuers into a set of maps for easy
-// lookup either by key algorithm (useful for picking an issuer for a precert)
-// or by unique ID (useful for final certs and CRLs). If two issuers with
-// the same unique ID are encountered, an error is returned.
-func makeIssuerMaps(issuers []*issuance.Issuer) (issuerMaps, error) {
-	issuersByAlg := make(map[x509.PublicKeyAlgorithm][]*issuance.Issuer, 2)
-	issuersByNameID := make(map[issuance.NameID]*issuance.Issuer, len(issuers))
-	for _, issuer := range issuers {
-		if _, found := issuersByNameID[issuer.NameID()]; found {
-			return issuerMaps{}, fmt.Errorf("two issuers with same NameID %d (%s) configured", issuer.NameID(), issuer.Name())
-		}
-		issuersByNameID[issuer.NameID()] = issuer
-		if issuer.IsActive() {
-			issuersByAlg[issuer.KeyType()] = append(issuersByAlg[issuer.KeyType()], issuer)
-		}
-	}
-	if i, ok := issuersByAlg[x509.ECDSA]; !ok || len(i) == 0 {
-		return issuerMaps{}, errors.New("no ECDSA issuers configured")
-	}
-	if i, ok := issuersByAlg[x509.RSA]; !ok || len(i) == 0 {
-		return issuerMaps{}, errors.New("no RSA issuers configured")
-	}
-	return issuerMaps{issuersByAlg, issuersByNameID}, nil
-}
-
-// makeCertificateProfilesMap processes a set of named certificate issuance
-// profile configs into a map from name to profile.
-func makeCertificateProfilesMap(profiles map[string]*issuance.ProfileConfig) (map[string]*issuance.Profile, error) {
-	if len(profiles) <= 0 {
-		return nil, fmt.Errorf("must pass at least one certificate profile")
-	}
-
-	profilesByName := make(map[string]*issuance.Profile, len(profiles))
-
-	for name, profileConfig := range profiles {
-		profile, err := issuance.NewProfile(profileConfig)
-		if err != nil {
-			return nil, err
-		}
-
-		profilesByName[name] = profile
-	}
-
-	return profilesByName, nil
-}
-
 // NewCertificateAuthorityImpl creates a CA instance that can sign certificates
 // from any number of issuance.Issuers and for any number of profiles.
 func NewCertificateAuthorityImpl(
 	sa sapb.StorageAuthorityCertificateClient,
 	sctService rapb.SCTProviderClient,
 	pa core.PolicyAuthority,
-	boulderIssuers []*issuance.Issuer,
-	certificateProfiles map[string]*issuance.ProfileConfig,
+	issuers []*issuance.Issuer,
+	profiles map[string]*issuance.Profile,
 	serialPrefix byte,
 	maxNames int,
 	keyPolicy goodkey.KeyPolicy,
@@ -212,33 +158,57 @@ func NewCertificateAuthorityImpl(
 		return nil, errors.New("serial prefix must be between 0x01 (1) and 0x7f (127)")
 	}
 
-	if len(boulderIssuers) == 0 {
+	if len(issuers) == 0 {
 		return nil, errors.New("must have at least one issuer")
 	}
 
-	certProfiles, err := makeCertificateProfilesMap(certificateProfiles)
-	if err != nil {
-		return nil, err
+	if len(profiles) == 0 {
+		return nil, errors.New("must have at least one certificate profile")
 	}
 
-	issuers, err := makeIssuerMaps(boulderIssuers)
-	if err != nil {
-		return nil, err
+	issuableKeys := make(map[x509.PublicKeyAlgorithm]bool)
+	issuableProfiles := make(map[string]bool)
+	for _, issuer := range issuers {
+		if issuer.IsActive() && len(issuer.Profiles()) == 0 {
+			return nil, fmt.Errorf("issuer %q is active but has no profiles", issuer.Name())
+		}
+
+		for _, profile := range issuer.Profiles() {
+			_, ok := profiles[profile]
+			if !ok {
+				return nil, fmt.Errorf("issuer %q lists profile %q, which is not configured", issuer.Name(), profile)
+			}
+			issuableProfiles[profile] = true
+		}
+
+		issuableKeys[issuer.KeyType()] = true
+	}
+
+	for profile := range profiles {
+		if !issuableProfiles[profile] {
+			return nil, fmt.Errorf("profile %q configured, but no issuer lists it", profile)
+		}
+	}
+
+	for _, keyAlg := range []x509.PublicKeyAlgorithm{x509.ECDSA, x509.RSA} {
+		if !issuableKeys[keyAlg] {
+			return nil, fmt.Errorf("no %s issuers configured", keyAlg)
+		}
 	}
 
 	return &certificateAuthorityImpl{
-		sa:           sa,
-		sctClient:    sctService,
-		pa:           pa,
-		issuers:      issuers,
-		certProfiles: certProfiles,
-		prefix:       serialPrefix,
-		maxNames:     maxNames,
-		keyPolicy:    keyPolicy,
-		log:          logger,
-		metrics:      metrics,
-		tracer:       otel.GetTracerProvider().Tracer("github.com/letsencrypt/boulder/ca"),
-		clk:          clk,
+		sa:        sa,
+		sctClient: sctService,
+		pa:        pa,
+		issuers:   issuers,
+		profiles:  profiles,
+		prefix:    serialPrefix,
+		maxNames:  maxNames,
+		keyPolicy: keyPolicy,
+		log:       logger,
+		metrics:   metrics,
+		tracer:    otel.GetTracerProvider().Tracer("github.com/letsencrypt/boulder/ca"),
+		clk:       clk,
 	}, nil
 }
 
@@ -265,7 +235,7 @@ func (ca *certificateAuthorityImpl) IssueCertificate(ctx context.Context, req *c
 		return nil, errors.New("IssueCertificate called with a nil SCT service")
 	}
 
-	profile, ok := ca.certProfiles[req.CertProfileName]
+	profile, ok := ca.profiles[req.CertProfileName]
 	if !ok {
 		return nil, fmt.Errorf("incapable of using a profile named %q", req.CertProfileName)
 	}
@@ -282,7 +252,7 @@ func (ca *certificateAuthorityImpl) IssueCertificate(ctx context.Context, req *c
 		return nil, err
 	}
 
-	issuer, err := ca.pickIssuer(csr.PublicKeyAlgorithm)
+	issuer, err := ca.pickIssuer(req.CertProfileName, csr.PublicKeyAlgorithm)
 	if err != nil {
 		return nil, err
 	}
@@ -496,13 +466,25 @@ func (ca *certificateAuthorityImpl) IssueCertificate(ctx context.Context, req *c
 }
 
 // pickIssuer returns an issuer which is willing to issue certificates for the
-// given public key algorithm. If no such issuer exists, it returns
+// given profile and public key algorithm. If no such issuer exists, it returns
 // an error. If multiple such issuers exist, it selects one at random.
-func (ca *certificateAuthorityImpl) pickIssuer(keyAlg x509.PublicKeyAlgorithm) (*issuance.Issuer, error) {
-	pool, ok := ca.issuers.byAlg[keyAlg]
+func (ca *certificateAuthorityImpl) pickIssuer(profileName string, keyAlg x509.PublicKeyAlgorithm) (*issuance.Issuer, error) {
+	var pool []*issuance.Issuer
+	for _, issuer := range ca.issuers {
+		if !issuer.IsActive() {
+			continue
+		}
+		if issuer.KeyType() != keyAlg {
+			continue
+		}
+		if !slices.Contains(issuer.Profiles(), profileName) {
+			continue
+		}
+		pool = append(pool, issuer)
+	}
 
-	if !ok || len(pool) == 0 {
-		return nil, fmt.Errorf("no issuer found for key algorithm %s", keyAlg)
+	if len(pool) == 0 {
+		return nil, fmt.Errorf("no issuer found for profile %q and key algorithm %s", profileName, keyAlg)
 	}
 
 	return pool[mrand.IntN(len(pool))], nil