authorDebian Go Packaging Team <team+pkg-go@tracker.debian.org>2023-11-21 15:03:25 +0000
committerReinhard Tartler <siretart@tauware.de>2023-11-21 15:03:25 +0000
commit760dc442d7aebc757a799e75777fe511d0935a7c (patch)
tree605dd0bcebba37b228b2a08af4da34a3ad2905a4
parent09d1933f7c1b730c1b2db34084b379363c264794 (diff)
avoid-boulder
commit 548f37171bb96d28553f37dc2e03c4975db697f3 (HEAD -> release-1.6) Author: Reinhard Tartler <siretart@tauware.de> Date: Thu Apr 6 20:24:46 2023 -0400 Drop dependency on boulder, disable RSA checks Gbp-Pq: Name avoid-boulder.patch
-rw-r--r--pkg/cryptoutils/publickey.go19
-rw-r--r--pkg/cryptoutils/publickey_test.go2
2 files changed, 4 insertions, 17 deletions
diff --git a/pkg/cryptoutils/publickey.go b/pkg/cryptoutils/publickey.go
index a8b2805..b0a884e 100644
--- a/pkg/cryptoutils/publickey.go
+++ b/pkg/cryptoutils/publickey.go
@@ -16,7 +16,6 @@
package cryptoutils
import (
- "context"
"crypto"
"crypto/ecdsa"
"crypto/ed25519"
@@ -30,8 +29,6 @@ import (
"encoding/pem"
"errors"
"fmt"
-
- "github.com/letsencrypt/boulder/goodkey"
)
const (
@@ -139,20 +136,8 @@ func genErrMsg(first, second crypto.PublicKey, keyType string) string {
func ValidatePubKey(pub crypto.PublicKey) error {
switch pk := pub.(type) {
case *rsa.PublicKey:
- // goodkey policy enforces:
- // * Size of key: 2048 <= size <= 4096, size % 8 = 0
- // * Exponent E = 65537 (Default exponent for OpenSSL and Golang)
- // * Small primes check for modulus
- // * Weak keys generated by Infineon hardware (see https://crocs.fi.muni.cz/public/papers/rsa_ccs17)
- // * Key is easily factored with Fermat's factorization method
- p, err := goodkey.NewKeyPolicy(&goodkey.Config{FermatRounds: 100}, nil)
- if err != nil {
- // Should not occur, only chances to return errors are if fermat rounds
- // are <0 or when loading blocked/weak keys from disk (not used here)
- return errors.New("unable to initialize key policy")
- }
- // ctx is unused
- return p.GoodKey(context.Background(), pub)
+ // Avoid dependency on Goodkey for debian
+ return nil;
case *ecdsa.PublicKey:
// Unable to use goodkey policy because P-521 curve is not supported
return validateEcdsaKey(pk)
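Review bot: The new RSA arm at `return nil;` accepts every RSA public key unconditionally, whereas the removed goodkey policy rejected moduli outside 2048–4096 bits, non-65537 exponents and known-weak keys, so any caller relying on ValidatePubKey to refuse short or malformed RSA keys now silently passes them. The size and exponent bounds can be kept without boulder using only `pk.N.BitLen()` and `pk.E` from the standard library, which preserves most of the original contract; the comment should state explicitly that the small-prime, Infineon and Fermat screening is no longer performed. The stray semicolon in `return nil;` is not gofmt-clean and the companion test is skipped rather than adapted, so the arm has no coverage. The enclosing switch and ValidatePubKey continue past the hunk.
```go
	case *rsa.PublicKey:
		// Debian build: goodkey is unavailable, so only the size and exponent
		// bounds it enforced are kept; small-prime, Infineon and Fermat
		// weak-key screening is NOT performed here.
		bits := pk.N.BitLen()
		if bits < 2048 || bits > 4096 || bits%8 != 0 {
			return fmt.Errorf("rsa key size %d bits is outside [2048, 4096] or not a multiple of 8", bits)
		}
		if pk.E != 65537 {
			return fmt.Errorf("unsupported rsa public exponent %d", pk.E)
		}
		return nil
	// … unchanged: ecdsa and remaining cases …
```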
diff --git a/pkg/cryptoutils/publickey_test.go b/pkg/cryptoutils/publickey_test.go
index e9b6cb2..ac07c8f 100644
--- a/pkg/cryptoutils/publickey_test.go
+++ b/pkg/cryptoutils/publickey_test.go
@@ -183,6 +183,8 @@ func TestValidatePubKeyUnsupported(t *testing.T) {
}
func TestValidatePubKeyRsa(t *testing.T) {
+ t.Skip("Validations disabled for Debian")
+
// Validate common RSA key sizes
for _, bits := range []int{2048, 3072, 4096} {
priv, err := rsa.GenerateKey(rand.Reader, bits)