goodkey

package
v0.44.2 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Apr 7, 2023 License: Apache-2.0, MPL-2.0, Apache-2.0 Imports: 22 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

View Source
var ErrBadKey = errors.New("")

ErrBadKey represents an error with a key. It is distinct from the various ways in which an ACME request can have an erroneous key (BadPublicKeyError, BadCSRError) because this library is used to check both JWS signing keys and keys in CSRs.

View Source
var ErrWrongDecodedSize = errors.New("not enough bytes decoded for sha256 hash")

Functions

This section is empty.

Types

type BlockedKeyCheckFunc

type BlockedKeyCheckFunc func(context.Context, *sapb.KeyBlockedRequest, ...grpc.CallOption) (*sapb.Exists, error)

BlockedKeyCheckFunc is used to pass in the sa.BlockedKey method to KeyPolicy, rather than storing a full sa.SQLStorageAuthority. This makes testing significantly simpler.

type Config

type Config struct {
	// WeakKeyFile is the path to a JSON file containing truncated modulus hashes
	// of known weak RSA keys. If this config value is empty, then RSA modulus
	// hash checking will be disabled.
	WeakKeyFile string
	// BlockedKeyFile is the path to a YAML file containing base64-encoded SHA256
	// hashes of PKIX Subject Public Keys that should be blocked. If this config
	// value is empty, then blocked key checking will be disabled.
	BlockedKeyFile string
	// FermatRounds is an integer number of rounds of Fermat's factorization
	// method that should be performed to attempt to detect keys whose modulus can
	// be trivially factored because the two factors are very close to each other.
	// If this config value is empty (0), no factorization will be attempted.
	FermatRounds int
}

type KeyPolicy

type KeyPolicy struct {
	AllowRSA           bool // Whether RSA keys should be allowed.
	AllowECDSANISTP256 bool // Whether ECDSA NISTP256 keys should be allowed.
	AllowECDSANISTP384 bool // Whether ECDSA NISTP384 keys should be allowed.
	// contains filtered or unexported fields
}

KeyPolicy determines which types of key may be used with various boulder operations.

func NewKeyPolicy

func NewKeyPolicy(config *Config, bkc BlockedKeyCheckFunc) (KeyPolicy, error)

NewKeyPolicy returns a KeyPolicy that allows RSA, ECDSA256 and ECDSA384. weakKeyFile contains the path to a JSON file containing truncated modulus hashes of known weak RSA keys. If this argument is empty RSA modulus hash checking will be disabled. blockedKeyFile contains the path to a YAML file containing Base64 encoded SHA256 hashes of pkix subject public keys that should be blocked. If this argument is empty then no blocked key checking is performed.

func (*KeyPolicy) GoodKey

func (policy *KeyPolicy) GoodKey(ctx context.Context, key crypto.PublicKey) error

GoodKey returns true if the key is acceptable for both TLS use and account key use (our requirements are the same for either one), according to basic strength and algorithm checking. GoodKey only supports pointers: *rsa.PublicKey and *ecdsa.PublicKey. It will reject non-pointer types. TODO: Support JSONWebKeys once go-jose migration is done.

type WeakRSAKeys

type WeakRSAKeys struct {
	// contains filtered or unexported fields
}

func LoadWeakRSASuffixes

func LoadWeakRSASuffixes(path string) (*WeakRSAKeys, error)

func (*WeakRSAKeys) Known

func (wk *WeakRSAKeys) Known(key *rsa.PublicKey) bool

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL