Skip to content

Add support for revoking ecdsa keys without --key-path#8725

Merged
bmw merged 9 commits intocertbot:masterfrom
atombrella:revoke_ec_cert_8569
Feb 4, 2022
Merged

Add support for revoking ecdsa keys without --key-path#8725
bmw merged 9 commits intocertbot:masterfrom
atombrella:revoke_ec_cert_8569

Conversation

@atombrella
Copy link
Contributor

@atombrella atombrella commented Mar 22, 2021

See GitHub issue #8569 for details.

Co-Authored-By: commonism commonism@users.noreply.github.com

In my local setup, it's using josepy 1.6.0, and not 1.7.0 (or 1.8). I think some more tests could be written.

Pull Request Checklist

  • If the change being made is to a distributed component, edit the master section of certbot/CHANGELOG.md to include a description of the change being made.
  • Add or update any documentation as needed to support the changes in this PR.
  • Include your name in AUTHORS.md if you like.

atombrella
atombrella commented Mar 22, 2021
View reviewed changes
@bmw
Copy link
Member

bmw commented Apr 9, 2021

Thanks for the PR @atombrella. Let me know when this is ready for review.

@bmw bmw self-assigned this Apr 9, 2021
@atombrella atombrella force-pushed the revoke_ec_cert_8569 branch from 39a4dfe to 539e640 Compare April 12, 2021 08:53
@atombrella
Copy link
Contributor Author

atombrella commented Apr 12, 2021

Thanks for the PR @atombrella. Let me know when this is ready for review.

I'm trying to add more tests. Integration test is there with a template, and probably a few more should be added, e.g., cli test?

@atombrella atombrella force-pushed the revoke_ec_cert_8569 branch from 46e6f5c to 2ba77f3 Compare April 23, 2021 22:04
@atombrella
Copy link
Contributor Author

atombrella commented Apr 24, 2021

@bmw I believe this is ready for review. I'm not sure about what other tests could be needed, though.

I'm tempted to squash commits, so Co-Authored-By will be recognized by GitHub.

@atombrella atombrella changed the title WIP: Add support for revoking ecdsa keys without --cert-name. Add support for revoking ecdsa keys without --cert-name. Apr 24, 2021
bmw
bmw reviewed Apr 26, 2021
View reviewed changes
Copy link
Member

@bmw bmw left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the ping @atombrella. This dropped off my radar somehow.

I'm personally satisfied with testing here since the modified code has 100% test coverage and you added an integration test for the problem. If there's something else you'd like to test for but you're not sure the best way to do it, let me know and I can try to help.

I think we should probably structure the fix differently though. acme.client.ClientNetwork takes an alg parameter specifying the algorithm that should be used in signing JWS. The patch from #8569 ignores this attribute and instead determines the algorithm from the key type in this specific method.

I personally think we should instead do something like one of:

  1. Fix where acme.client.ClientNetwork is created in Certbot so the right alg parameter is provided in this case.
  2. Keeping in mind that acme.client.ClientNetwork is part of our public API, we could maybe deprecate the alg parameter and always determine the algorithm based on the key type.

What do you think? Do you have any other ideas?

If you make this change, I think you can drop commonism's commit from this PR since we'd be taking a different approach and not using that commit at all.

@bmw
Copy link
Member

bmw commented May 19, 2021

@atombrella, do you have the time and interest to respond to my review comments here or would you like someone else to take over this work?

@atombrella
Copy link
Contributor Author

atombrella commented May 20, 2021

@atombrella, do you have the time and interest to respond to my review comments here or would you like someone else to take over this work?

Yes. Sorry, I got caught up with other stuff :)

@atombrella
Copy link
Contributor Author

atombrella commented May 20, 2021

Thanks for the ping @atombrella. This dropped off my radar somehow.

I'm personally satisfied with testing here since the modified code has 100% test coverage and you added an integration test for the problem. If there's something else you'd like to test for but you're not sure the best way to do it, let me know and I can try to help.

I think we should probably structure the fix differently though. acme.client.ClientNetwork takes an alg parameter specifying the algorithm that should be used in signing JWS. The patch from #8569 ignores this attribute and instead determines the algorithm from the key type in this specific method.

I personally think we should instead do something like one of:

  1. Fix where acme.client.ClientNetwork is created in Certbot so the right alg parameter is provided in this case.
  2. Keeping in mind that acme.client.ClientNetwork is part of our public API, we could maybe deprecate the alg parameter and always determine the algorithm based on the key type.

I found this comment: # TODO: Allow for other alg types besides RS256 in acme_from_config_key so would make sense to work around this. I'll try to work around this.

If you make this change, I think you can drop commonism's commit from this PR since we'd be taking a different approach and not using that commit at all.

Yeah, makes sense.

@bmw
Copy link
Member

bmw commented May 20, 2021

No worries! Thanks for the update and your continued interest here.

@atombrella atombrella force-pushed the revoke_ec_cert_8569 branch from d6a172c to 3ae4419 Compare May 22, 2021 20:17
@atombrella
Copy link
Contributor Author

atombrella commented Jan 14, 2022
edited
Loading

@bmw I think the feedback has been addressed to add the parameter into where acme_from_config_key which also had a TODO about this. This PR has been opened for a while :) The explicit alg parameter is probably a good idea, since I don't really see a way to extract the information of the signing algorithm from the key. Maybe in the future, if josepy could include this. The patch here is quite small.

bmw
bmw requested changes Feb 2, 2022
View reviewed changes
Copy link
Member

@bmw bmw left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I didn't quite do a full review here, but I wrote up some suggestions inline.

bmw
bmw reviewed Feb 3, 2022
View reviewed changes
bmw
bmw approved these changes Feb 4, 2022
View reviewed changes
Copy link
Member

@bmw bmw left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@bmw bmw merged commit fe0c0dc into certbot:master Feb 4, 2022
@bmw bmw added this to the 1.23.0 milestone Feb 4, 2022
@bmw bmw mentioned this pull request Feb 4, 2022
Closed
@atombrella atombrella deleted the revoke_ec_cert_8569 branch February 4, 2022 10:31
@atombrella atombrella changed the title Add support for revoking ecdsa keys without --cert-name. Add support for revoking ecdsa keys without --key-path Feb 4, 2022
commonism added a commit to commonism/acmetk that referenced this pull request Aug 31, 2023
@commonism
tests - certbot ec skey revocation working
b2d3eda 
certbot/certbot#8725
commonism added a commit to commonism/acmetk that referenced this pull request Sep 5, 2023
@commonism
tests - certbot ec skey revocation working
fac1ef9 
certbot/certbot#8725
commonism added a commit to noahkw/acmetk that referenced this pull request Sep 19, 2023
@commonism
tests - certbot ec skey revocation working
fee912f 
certbot/certbot#8725
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bmw bmw bmw approved these changes

Assignees

@bmw bmw

Labels

None yet

Projects

None yet

Milestone

1.23.0

Development

Successfully merging this pull request may close these issues.

2 participants

@atombrella @bmw