From: Reinhard Tartler <siretart@tauware.de>
Date: Thu, 6 Apr 2023 20:24:46 -0400
Subject: avoid-boulder
Forwarded: not-needed

    Drop dependency on boulder, disable RSA checks
---
 pkg/cryptoutils/publickey.go      | 41 +--------------------------------------
 pkg/cryptoutils/publickey_test.go | 13 ++++---------
 2 files changed, 5 insertions(+), 49 deletions(-)

diff --git a/pkg/cryptoutils/publickey.go b/pkg/cryptoutils/publickey.go
index 5296036..64c3539 100644
--- a/pkg/cryptoutils/publickey.go
+++ b/pkg/cryptoutils/publickey.go
@@ -16,7 +16,6 @@
 package cryptoutils
 
 import (
-	"context"
 	"crypto"
 	"crypto/ecdsa"
 	"crypto/ed25519"
@@ -29,8 +28,6 @@ import (
 	"encoding/pem"
 	"errors"
 	"fmt"
-
-	"github.com/letsencrypt/boulder/goodkey"
 )
 
 const (
@@ -136,44 +133,8 @@ func genErrMsg(first, second crypto.PublicKey, keyType string) string {
 
 // ValidatePubKey validates the parameters of an RSA, ECDSA, or ED25519 public key.
 func ValidatePubKey(pub crypto.PublicKey) error {
-	// goodkey policy enforces:
-	// * RSA
-	//   * Size of key: 2048 <= size <= 4096, size % 8 = 0
-	//   * Exponent E = 65537 (Default exponent for OpenSSL and Golang)
-	//   * Small primes check for modulus
-	//   * Weak keys generated by Infineon hardware (see https://crocs.fi.muni.cz/public/papers/rsa_ccs17)
-	//   * Key is easily factored with Fermat's factorization method
-	// * EC
-	//   * Public key Q is not the identity element (Ø)
-	//   * Public key Q's x and y are within [0, p-1]
-	//   * Public key Q is on the curve
-	//   * Public key Q's order matches the subgroups (nQ = Ø)
-	allowedKeys := &goodkey.AllowedKeys{
-		RSA2048:   true,
-		RSA3072:   true,
-		RSA4096:   true,
-		ECDSAP256: true,
-		ECDSAP384: true,
-		ECDSAP521: true,
-	}
-	cfg := &goodkey.Config{
-		FermatRounds: 100,
-		AllowedKeys:  allowedKeys,
-	}
-	p, err := goodkey.NewPolicy(cfg, nil)
-	if err != nil {
-		// Should not occur, only chances to return errors are if fermat rounds
-		// are <0 or when loading blocked/weak keys from disk (not used here)
-		return errors.New("unable to initialize key policy")
-	}
-
+	// Avoid dependency on Goodkey for Debian
 	switch pk := pub.(type) {
-	case *rsa.PublicKey:
-		// ctx is unused
-		return p.GoodKey(context.Background(), pub)
-	case *ecdsa.PublicKey:
-		// ctx is unused
-		return p.GoodKey(context.Background(), pub)
 	case ed25519.PublicKey:
 		return validateEd25519Key(pk)
 	}
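Review bot: With the `*rsa.PublicKey` and `*ecdsa.PublicKey` cases removed, ValidatePubKey no longer checks RSA modulus size/exponent or the ECDSA curve and point, and what such keys now get depends on the code after the switch, which lies outside this hunk (as does the function's end): they are either rejected as unsupported or accepted with no parameter validation at all. The replacement comment `// Avoid dependency on Goodkey for Debian` should say which, e.g. `// NOTE: RSA and ECDSA keys are not policy-checked in this build; only Ed25519 keys are validated here`. If RSA and ECDSA keys are meant to remain accepted, a stdlib-only subset of the dropped policy can stand in for the goodkey call — modulus bit length and exponent for RSA, a named-curve allowlist plus an on-curve check for ECDSA — which keeps weak or off-curve keys out without the external dependency; `crypto/elliptic` would need to be imported if it is not already, and the small-prime, ROCA and Fermat checks of the original policy are not reproduced.
```go
	switch pk := pub.(type) {
	case *rsa.PublicKey:
		// Stdlib subset of the former goodkey policy: size window and the
		// standard exponent only.
		bits := pk.N.BitLen()
		if bits < 2048 || bits > 4096 || bits%8 != 0 {
			return fmt.Errorf("rsa key size %d bits is outside 2048..4096", bits)
		}
		if pk.E != 65537 {
			return fmt.Errorf("rsa public exponent %d is not 65537", pk.E)
		}
		return nil
	case *ecdsa.PublicKey:
		switch pk.Curve {
		case elliptic.P256(), elliptic.P384(), elliptic.P521():
		default:
			return errors.New("unsupported elliptic curve")
		}
		if pk.X == nil || pk.Y == nil || !pk.Curve.IsOnCurve(pk.X, pk.Y) {
			return errors.New("ecdsa public key is not on the curve")
		}
		return nil
	case ed25519.PublicKey:
		return validateEd25519Key(pk)
	}
	// … unchanged: fallthrough after the switch …
```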
diff --git a/pkg/cryptoutils/publickey_test.go b/pkg/cryptoutils/publickey_test.go
index ea44dc7..4dcd27a 100644
--- a/pkg/cryptoutils/publickey_test.go
+++ b/pkg/cryptoutils/publickey_test.go
@@ -23,12 +23,10 @@ import (
 	"crypto/rsa"
 	"crypto/x509"
 	"encoding/pem"
-	"errors"
 	"strings"
 	"testing"
 
 	"github.com/google/go-cmp/cmp"
-	"github.com/letsencrypt/boulder/goodkey"
 )
 
 func verifyPublicKeyPEMRoundtrip(t *testing.T, pub crypto.PublicKey) {
@@ -185,6 +183,8 @@ func TestValidatePubKeyUnsupported(t *testing.T) {
 }
 
 func TestValidatePubKeyRsa(t *testing.T) {
+	t.Skip("Validations disabled for Debian")
+
 	// Validate common RSA key sizes
 	for _, bits := range []int{2048, 3072, 4096} {
 		priv, err := rsa.GenerateKey(rand.Reader, bits)
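Review bot: `t.Skip("Validations disabled for Debian")` at the top of TestValidatePubKeyRsa leaves the RSA path of ValidatePubKey with no test at all, so whatever the function now does with an RSA key — reject it as unsupported or accept it unchecked — is unpinned; the same applies to the skip added to TestValidatePubKeyEcdsa in the next hunk. Keeping the loop running and asserting the new outcome (`if err := ValidatePubKey(priv.Public()); err != nil { t.Errorf(...) }`, or the inverse if such keys are now rejected) would document the changed contract instead of hiding it. In the last hunk of this file, the P224 and testCurve negative cases still generate a key and call ValidatePubKey but no longer assert anything, and since the function is skipped anyway those lines are dead; either restore an assertion such as `if err == nil { t.Errorf("expected unsupported curve, got nil") }` or drop them. Both test functions continue past the end of their hunks.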
@@ -230,6 +230,7 @@ func (t testCurve) Params() *elliptic.CurveParams {
 }
 
 func TestValidatePubKeyEcdsa(t *testing.T) {
+	t.Skip("Validations disabled for Debian")
 	for _, curve := range []elliptic.Curve{elliptic.P256(), elliptic.P384(), elliptic.P521()} {
 		priv, err := ecdsa.GenerateKey(curve, rand.Reader)
 		if err != nil {
@@ -245,20 +246,14 @@ func TestValidatePubKeyEcdsa(t *testing.T) {
 		}
 	}
 	// Fails with smalller curve
-	priv, err := ecdsa.GenerateKey(elliptic.P224(), rand.Reader)
+	_, err := ecdsa.GenerateKey(elliptic.P224(), rand.Reader)
 	if err != nil {
 		t.Fatalf("ecdsa.GenerateKey failed: %v", err)
 	}
-	if err := ValidatePubKey(priv.Public()); err == nil || !errors.Is(err, goodkey.ErrBadKey) {
-		t.Errorf("expected unsupported curve, got %v", err)
-	}
 	// Fails with unknown curve
 	err = ValidatePubKey(&ecdsa.PublicKey{
 		Curve: testCurve{},
 	})
-	if err == nil || !errors.Is(err, goodkey.ErrBadKey) {
-		t.Errorf("expected unexpected curve, got %v", err)
-	}
 }
 
 func TestValidatePubKeyEd25519(t *testing.T) {
