Commit
CA: Create ECDSA issuance allowlist (#5258)
Currently, the CA is configured with a set of `internalIssuer`s, and a mapping of public key algorithms (e.g. `x509.RSA`) to which internalIssuer to use. In operation today, we use the same issuer for all kinds of public key algorithms. In the future, we will use different issuers for different algorithms (in particular, we will use R3 to issue for RSA keys, and E1 to issue for ECDSA keys). But we want to roll that out slowly, continuing to use our RSA issuer to issue for all types of public keys, except for ECDSA keys which are presented by a specific set of allowed accounts.

This change adds a new config field to the CA, which lets us specify a small list of registration IDs which are allowed to have issuance from our ECDSA issuer. If the config list is empty, then all accounts are allowed. The CA checks to see if the key being issued for is ECDSA: if it is, it then checks to make sure that the associated registration ID is in the allowlist. If the account is not allowed, it then overrides the issuance algorithm to use RSA instead, mimicking our old behavior.

It also adds a new feature flag, which can be enabled to skip the allowlist entirely (effectively allowing all registered accounts). This feature flag will be enabled when we're done with our testing and confident in our ECDSA issuance.

Fixes #5259
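The decision procedure the commit message describes (ECDSA key plus allowlisted account goes to the ECDSA issuer; empty list or feature flag means everyone is allowed; anything else falls back to the RSA issuer) is small enough to show end to end. The following is an added example, not Boulder's code from this commit: the JSON field names `ecdsaAllowedAccounts` and `features.ECDSAForAll`, the type `ECDSAIssuancePolicy`, and the functions `NewPolicy`, `LoadPolicy` and `IssuerAlgorithm` are all this example's own assumptions, and the config document is constructed input. It goes slightly beyond the message by rejecting unknown key types instead of mapping them to an issuer.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/json"
	"fmt"
	"log"
)

// caConfig is a constructed, minimal stand-in for the part of a CA JSON config
// this example needs. The field names are assumptions, not Boulder's schema.
type caConfig struct {
	// Registration IDs allowed to get certificates from the ECDSA issuer.
	// An empty list means every account is allowed.
	ECDSAAllowedAccounts []int64 `json:"ecdsaAllowedAccounts"`
	Features             struct {
		// Stand-in for the feature flag that skips the allowlist entirely.
		ECDSAForAll bool `json:"ECDSAForAll"`
	} `json:"features"`
}

// SampleConfig is constructed input: two allowlisted accounts, flag off.
const SampleConfig = `{"ecdsaAllowedAccounts": [42, 1001], "features": {"ECDSAForAll": false}}`

// ECDSAIssuancePolicy decides which issuer (by key algorithm) signs a request.
type ECDSAIssuancePolicy struct {
	allowed       map[int64]struct{}
	skipAllowlist bool
}

// NewPolicy builds a policy from an explicit allowlist and flag value.
func NewPolicy(regIDs []int64, skipAllowlist bool) ECDSAIssuancePolicy {
	p := ECDSAIssuancePolicy{allowed: make(map[int64]struct{}, len(regIDs)), skipAllowlist: skipAllowlist}
	for _, id := range regIDs {
		p.allowed[id] = struct{}{}
	}
	return p
}

// LoadPolicy parses the JSON config and builds the policy from it.
func LoadPolicy(raw []byte) (ECDSAIssuancePolicy, error) {
	var cfg caConfig
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return ECDSAIssuancePolicy{}, fmt.Errorf("parsing CA config: %w", err)
	}
	return NewPolicy(cfg.ECDSAAllowedAccounts, cfg.Features.ECDSAForAll), nil
}

// IssuerAlgorithm returns the key algorithm of the issuer that should sign a
// certificate for key, requested by account regID. ECDSA keys from accounts
// outside the allowlist are routed to the RSA issuer (the pre-allowlist
// behaviour). Unknown key types are rejected rather than silently mapped.
func (p ECDSAIssuancePolicy) IssuerAlgorithm(key crypto.PublicKey, regID int64) (x509.PublicKeyAlgorithm, error) {
	switch key.(type) {
	case *rsa.PublicKey:
		return x509.RSA, nil
	case *ecdsa.PublicKey:
		if p.skipAllowlist || len(p.allowed) == 0 {
			return x509.ECDSA, nil
		}
		if _, ok := p.allowed[regID]; ok {
			return x509.ECDSA, nil
		}
		return x509.RSA, nil
	default:
		return x509.UnknownPublicKeyAlgorithm, fmt.Errorf("unsupported public key type %T", key)
	}
}

func main() {
	policy, err := LoadPolicy([]byte(SampleConfig))
	if err != nil {
		log.Fatal(err)
	}
	ecKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		log.Fatal(err)
	}
	rsaKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		log.Fatal(err)
	}
	for _, c := range []struct {
		name  string
		key   crypto.PublicKey
		regID int64
	}{
		{"ECDSA key, allowlisted account", &ecKey.PublicKey, 42},
		{"ECDSA key, other account", &ecKey.PublicKey, 7},
		{"RSA key, allowlisted account", &rsaKey.PublicKey, 42},
	} {
		alg, err := policy.IssuerAlgorithm(c.key, c.regID)
		fmt.Printf("%-32s -> issuer %v (err=%v)\n", c.name, alg, err)
	}
}
```

The check is deliberately keyed on the presented public key type first and the account second, so an allowlisted account that submits an RSA key still gets the RSA issuer; only the ECDSA path is gated. Turning the flag on or shipping an empty list both open ECDSA issuance to every account, which is the rollout knob the commit message describes.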
Parent: 2a8f0fe. Commit: 68c393b.
Showing 5 changed files with 121 additions and 26 deletions.