goodkey: early rejection of unsupported key types (#4809)

This prevents a confusing error being emitted by blockedKeys.blocked. Fixes #4728
letsencrypt · May 19, 2020 · 97147d8 · 97147d8
1 parent 63aa8ac
commit 97147d8
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 5 deletions.
diff --git a/goodkey/good_key.go b/goodkey/good_key.go
@@ -91,6 +91,13 @@ func NewKeyPolicy(weakKeyFile, blockedKeyFile string, bkc BlockedKeyCheckFunc) (
 // and *ecdsa.PublicKey. It will reject non-pointer types.
 // TODO: Support JSONWebKeys once go-jose migration is done.
 func (policy *KeyPolicy) GoodKey(ctx context.Context, key crypto.PublicKey) error {
+	// Early rejection of unacceptable key types to guard subsequent checks.
+	switch t := key.(type) {
+	case *rsa.PublicKey, *ecdsa.PublicKey:
+		break
+	default:
+		return berrors.MalformedError("unsupported key type %T", t)
+	}
 	// If there is a blocked list configured then check if the public key is one
 	// that has been administratively blocked.
 	if policy.blockedList != nil {
@@ -118,10 +125,8 @@ func (policy *KeyPolicy) GoodKey(ctx context.Context, key crypto.PublicKey) erro
 		return policy.goodKeyRSA(t)
 	case *ecdsa.PublicKey:
 		return policy.goodKeyECDSA(t)
-	case ecdsa.PublicKey, rsa.PublicKey:
-		return berrors.MalformedError("non-reference keys not supported")
 	default:
-		return berrors.MalformedError("unknown key type %T", key)
+		return berrors.MalformedError("unsupported key type %T", key)
 	}
 }
 

diff --git a/goodkey/good_key_test.go b/goodkey/good_key_test.go
@@ -25,13 +25,20 @@ func TestUnknownKeyType(t *testing.T) {
 	notAKey := struct{}{}
 	err := testingPolicy.GoodKey(context.Background(), notAKey)
 	test.AssertError(t, err, "Should have rejected a key of unknown type")
-	test.AssertEquals(t, err.Error(), "unknown key type struct {}")
+	test.AssertEquals(t, err.Error(), "unsupported key type struct {}")
+
+	// Check for early rejection and that no error is seen from blockedKeys.blocked.
+	testingPolicyWithBlockedKeys := *testingPolicy
+	testingPolicyWithBlockedKeys.blockedList = &blockedKeys{}
+	err = testingPolicyWithBlockedKeys.GoodKey(context.Background(), notAKey)
+	test.AssertError(t, err, "Should have rejected a key of unknown type")
+	test.AssertEquals(t, err.Error(), "unsupported key type struct {}")
 }
 
 func TestNilKey(t *testing.T) {
 	err := testingPolicy.GoodKey(context.Background(), nil)
 	test.AssertError(t, err, "Should have rejected a nil key")
-	test.AssertEquals(t, err.Error(), "unknown key type <nil>")
+	test.AssertEquals(t, err.Error(), "unsupported key type <nil>")
 }
 
 func TestSmallModulus(t *testing.T) {