Allow admin command to block key from a CSR file #7770
Conversation
mcpherrinm
changed the title
aarongable
requested review from
a team and
jprenken
and removed request for
a team
|
I worry a bit that it could be a foot gun. A CSR isn't always proof of control of a private key and this could trigger bad-key-revoker to revoke certificates without proof of key compromise. Perhaps we should check the subject for a particular set of phrases and require the CSR to have a subject that matches. Even better would be if the requestor used acme to revoke the certificate with proof of key compromise which already supports blocking of the key. EDIT: In a side discussion I was reminded that an operator has to use |
This case is tested already, I could add a "Signature is good" test too, and I can see value in that. |
It's important to have this sort of manual override, but I think it's also important to support human operators with as much automation as possible. I think this mode should have a second flag, Basically I agree with @andygabby's original take: this should have an additional guardrail on by default. Also, what do you think of audit-logging the CSR we relied on? And perhaps its parsed Subject for convenience? |
|
(I believe we're waiting for this PR to grow a "check the subject is an expected value" flag, which @jsha indicated he would contribute.) |
|
Also audit logging of the CSR too. I have other things to do today but could get to this tomorrow. |
One format we receive key compromise reports is as a CSR file. For example, from https://pwnedkeys.com/revokinator
This allows the admin command to block a key from a CSR directly, instead of needing to validate it manually and get the SPKI or key from it.
I've added a flag (default true) to check the signature on the CSR, in case we ever decide we want to block a key from a CSR with a bad signature for whatever reason.