Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support for revoking ecdsa keys without --key-path #8725

Merged
merged 9 commits into from
Feb 4, 2022
Merged

Add support for revoking ecdsa keys without --key-path #8725

merged 9 commits into from
Feb 4, 2022

Conversation

atombrella
Copy link
Contributor

See GitHub issue #8569 for details.

Co-Authored-By: commonism commonism@users.noreply.github.com

In my local setup, it's using josepy 1.6.0, and not 1.7.0 (or 1.8). I think some more tests could be written.

Pull Request Checklist

  • If the change being made is to a distributed component, edit the master section of certbot/CHANGELOG.md to include a description of the change being made.
  • Add or update any documentation as needed to support the changes in this PR.
  • Include your name in AUTHORS.md if you like.

atombrella
atombrella commented Mar 22, 2021
View reviewed changes
certbot/CHANGELOG.md Outdated Show resolved Hide resolved
@bmw
Copy link
Member

bmw commented Apr 9, 2021

Thanks for the PR @atombrella. Let me know when this is ready for review.

@bmw bmw self-assigned this Apr 9, 2021
@atombrella
Copy link
Contributor Author

Thanks for the PR @atombrella. Let me know when this is ready for review.

I'm trying to add more tests. Integration test is there with a template, and probably a few more should be added, e.g., cli test?

@atombrella
Copy link
Contributor Author

@bmw I believe this is ready for review. I'm not sure about what other tests could be needed, though.

I'm tempted to squash commits, so Co-Authored-By will be recognized by GitHub.

@atombrella atombrella changed the title WIP: Add support for revoking ecdsa keys without --cert-name. Add support for revoking ecdsa keys without --cert-name. Apr 24, 2021
bmw
bmw reviewed Apr 26, 2021
View reviewed changes
Copy link
Member

@bmw bmw left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the ping @atombrella. This dropped off my radar somehow.

I'm personally satisfied with testing here since the modified code has 100% test coverage and you added an integration test for the problem. If there's something else you'd like to test for but you're not sure the best way to do it, let me know and I can try to help.

I think we should probably structure the fix differently though. acme.client.ClientNetwork takes an alg parameter specifying the algorithm that should be used in signing JWS. The patch from #8569 ignores this attribute and instead determines the algorithm from the key type in this specific method.

I personally think we should instead do something like one of:

  1. Fix where acme.client.ClientNetwork is created in Certbot so the right alg parameter is provided in this case.
  2. Keeping in mind that acme.client.ClientNetwork is part of our public API, we could maybe deprecate the alg parameter and always determine the algorithm based on the key type.

What do you think? Do you have any other ideas?

If you make this change, I think you can drop commonism's commit from this PR since we'd be taking a different approach and not using that commit at all.

acme/setup.py Outdated Show resolved Hide resolved
@bmw
Copy link
Member

bmw commented May 19, 2021

@atombrella, do you have the time and interest to respond to my review comments here or would you like someone else to take over this work?

@atombrella
Copy link
Contributor Author

@atombrella, do you have the time and interest to respond to my review comments here or would you like someone else to take over this work?

Yes. Sorry, I got caught up with other stuff :)

@atombrella
Copy link
Contributor Author

Thanks for the ping @atombrella. This dropped off my radar somehow.

I'm personally satisfied with testing here since the modified code has 100% test coverage and you added an integration test for the problem. If there's something else you'd like to test for but you're not sure the best way to do it, let me know and I can try to help.

I think we should probably structure the fix differently though. acme.client.ClientNetwork takes an alg parameter specifying the algorithm that should be used in signing JWS. The patch from #8569 ignores this attribute and instead determines the algorithm from the key type in this specific method.

I personally think we should instead do something like one of:

  1. Fix where acme.client.ClientNetwork is created in Certbot so the right alg parameter is provided in this case.
  2. Keeping in mind that acme.client.ClientNetwork is part of our public API, we could maybe deprecate the alg parameter and always determine the algorithm based on the key type.

I found this comment: # TODO: Allow for other alg types besides RS256 in acme_from_config_key so would make sense to work around this. I'll try to work around this.

If you make this change, I think you can drop commonism's commit from this PR since we'd be taking a different approach and not using that commit at all.

Yeah, makes sense.

@bmw
Copy link
Member

bmw commented May 20, 2021

No worries! Thanks for the update and your continued interest here.

@atombrella
Copy link
Contributor Author

atombrella commented Jan 14, 2022
edited

@bmw I think the feedback has been addressed to add the parameter into where acme_from_config_key which also had a TODO about this. This PR has been opened for a while :) The explicit alg parameter is probably a good idea, since I don't really see a way to extract the information of the signing algorithm from the key. Maybe in the future, if josepy could include this. The patch here is quite small.

bmw
bmw requested changes Feb 2, 2022
View reviewed changes
Copy link
Member

@bmw bmw left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I didn't quite do a full review here, but I wrote up some suggestions inline.

certbot/CHANGELOG.md Outdated Show resolved Hide resolved
certbot/certbot/_internal/client.py Outdated Show resolved Hide resolved
certbot/certbot/_internal/client.py Outdated Show resolved Hide resolved
bmw
bmw reviewed Feb 3, 2022
View reviewed changes
certbot/CHANGELOG.md Outdated Show resolved Hide resolved
bmw
bmw approved these changes Feb 4, 2022
View reviewed changes
Copy link
Member

@bmw bmw left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@bmw bmw merged commit fe0c0dc into certbot:master Feb 4, 2022
@bmw bmw added this to the 1.23.0 milestone Feb 4, 2022
@bmw bmw mentioned this pull request Feb 4, 2022
Closed
@atombrella atombrella deleted the revoke_ec_cert_8569 branch February 4, 2022 10:31
@atombrella atombrella changed the title Add support for revoking ecdsa keys without --cert-name. Add support for revoking ecdsa keys without --key-path Feb 4, 2022
commonism added a commit to commonism/acmetk that referenced this pull request Aug 31, 2023
@commonism
tests - certbot ec skey revocation working
b2d3eda 
certbot/certbot#8725
commonism added a commit to commonism/acmetk that referenced this pull request Sep 5, 2023
@commonism
tests - certbot ec skey revocation working
fac1ef9 
certbot/certbot#8725
commonism added a commit to noahkw/acmetk that referenced this pull request Sep 19, 2023
@commonism
tests - certbot ec skey revocation working
fee912f 
certbot/certbot#8725
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bmw bmw bmw approved these changes

Assignees

@bmw bmw

Labels
None yet
Projects
None yet
Milestone
1.23.0
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@atombrella @bmw