WFE/nonce: Remove deprecated NoncePrefixKey field #7825

wants to merge 2 commits into
base: main
24 changes: 2 additions & 22 deletions cmd/boulder-wfe2/main.go
Expand Up @@ -79,17 +79,6 @@ type Config struct {
// boulder-wfe and nonce-service instances.
NonceHMACKey cmd.HMACKeyConfig `validate:"-"`

// NoncePrefixKey is a secret used for deriving the prefix of each nonce
// instance. It should contain 256 bits of random data to be suitable as
// an HMAC-SHA256 key (e.g. the output of `openssl rand -hex 32`). In a
// multi-DC deployment this value should be the same across all
// boulder-wfe and nonce-service instances.
//
// TODO(#7632): Remove this.
//
// Deprecated: Use NonceHMACKey instead.
NoncePrefixKey cmd.PasswordConfig `validate:"-"`

// Chains is a list of lists of certificate filenames. Each inner list is
// a chain (starting with the issuing intermediate, followed by one or
// more additional certificates, up to and including a root) which we are
Expand Down Expand Up @@ -304,17 +293,8 @@ func main() {
cmd.Fail("'getNonceService' must be configured")
}

var noncePrefixKey []byte
if c.WFE.NonceHMACKey.KeyFile != "" {
noncePrefixKey, err = c.WFE.NonceHMACKey.Load()
cmd.FailOnError(err, "Failed to load nonceHMACKey file")
} else if c.WFE.NoncePrefixKey.PasswordFile != "" {
keyString, err := c.WFE.NoncePrefixKey.Pass()
cmd.FailOnError(err, "Failed to load noncePrefixKey file")
noncePrefixKey = []byte(keyString)
} else {
cmd.Fail("NonceHMACKey KeyFile or NoncePrefixKey PasswordFile must be set")
}
noncePrefixKey, err := c.WFE.NonceHMACKey.Load()
cmd.FailOnError(err, "Failed to load nonceHMACKey file")

getNonceConn, err := bgrpc.ClientSetup(c.WFE.GetNonceService, tlsConfig, stats, clk)
cmd.FailOnError(err, "Failed to load credentials and create gRPC connection to get nonce service")
Expand Down
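Review bot: With the explicit `cmd.Fail("NonceHMACKey KeyFile or NoncePrefixKey PasswordFile must be set")` branch gone from main(), a WFE config that omits nonceHMACKey is no longer rejected with a clear message; it only surfaces as whatever `Load()` returns for an empty KeyFile, reported as "Failed to load nonceHMACKey file". The field in the first hunk is still tagged `validate:"-"`, whereas the nonce-service Config in this same PR switches its NonceHMACKey to `validate:"required"`. Unless the WFE validates this field elsewhere, changing the wfe2 tag to `NonceHMACKey cmd.HMACKeyConfig \`validate:"required"\`` would keep the two services consistent and fail fast at config load rather than at key read. Both the Config struct and main() extend beyond the visible hunks.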
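--- a/cmd/nonce-service/main.go
+++ b/cmd/nonce-service/main.go
@@ -25,19 +25,7 @@ type Config struct {
 // HMAC-SHA256 key (e.g. the output of `openssl rand -hex 32`). In a
 // multi-DC deployment this value should be the same across all
 // boulder-wfe and nonce-service instances.
-NonceHMACKey cmd.HMACKeyConfig `validate:"required_without_all=NoncePrefixKey,structonly"`
-
-// NoncePrefixKey is a secret used for deriving the prefix of each nonce
-// instance. It should contain 256 bits (32 bytes) of random data to be
-// suitable as an HMAC-SHA256 key (e.g. the output of `openssl rand -hex
-// 32`). In a multi-DC deployment this value should be the same across
-// all boulder-wfe and nonce-service instances.
-//
-// TODO(#7632): Remove this and change `NonceHMACKey`'s validation to
-// just `required.`
-//
-// Deprecated: Use NonceHMACKey instead.
-NoncePrefixKey cmd.PasswordConfig `validate:"required_without_all=NonceHMACKey,structonly"`
+NonceHMACKey cmd.HMACKeyConfig `validate:"required"`
 
 Syslog cmd.SyslogConfig
 OpenTelemetry cmd.OpenTelemetryConfig
@@ -86,17 +74,8 @@ func main() {
 c.NonceService.DebugAddr = *debugAddr
 }
 
-var key []byte
-if c.NonceService.NonceHMACKey.KeyFile != "" {
-key, err = c.NonceService.NonceHMACKey.Load()
-cmd.FailOnError(err, "Failed to load 'nonceHMACKey' file.")
-} else if c.NonceService.NoncePrefixKey.PasswordFile != "" {
-keyString, err := c.NonceService.NoncePrefixKey.Pass()
-cmd.FailOnError(err, "Failed to load 'noncePrefixKey' file.")
-key = []byte(keyString)
-} else {
-cmd.Fail("NonceHMACKey KeyFile or NoncePrefixKey PasswordFile must be set")
-}
+key, err := c.NonceService.NonceHMACKey.Load()
+cmd.FailOnError(err, "Failed to load nonceHMACKey file.")
 
 noncePrefix, err := derivePrefix(key, c.NonceService.GRPC.Address)
 cmd.FailOnError(err, "Failed to derive nonce prefix")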
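Review bot: The error message on the new `cmd.FailOnError` line keeps a trailing period (`"Failed to load nonceHMACKey file."`) while the matching wfe2 line in this PR has none; the string is emitted as-is, so the two services should agree, e.g. `cmd.FailOnError(err, "Failed to load nonceHMACKey file")`. The removed `"NonceHMACKey KeyFile or NoncePrefixKey PasswordFile must be set"` guard is now backed only by the `validate:"required"` tag on the struct field, so an absent keyFile is presumably caught at config validation before main() reaches Load(); a short comment on the field such as `// Required: without this key the service cannot derive its nonce prefix.` would make that dependency visible to readers of main(). The field's doc comment also recommends the output of `openssl rand -hex 32`, which is 64 hex characters; whether Load() decodes that hex or uses the file bytes verbatim is not visible here and is worth stating in the same comment, since derivePrefix consumes the result directly. main() continues outside the hunk.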
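--- a/test/config/nonce-a.json
+++ b/test/config/nonce-a.json
@@ -1,8 +1,8 @@
 {
 "NonceService": {
 "maxUsed": 131072,
-"noncePrefixKey": {
-"passwordFile": "test/secrets/nonce_prefix_key"
+"nonceHMACKey": {
+"keyFile": "test/secrets/nonce_prefix_key"
 },
 "syslog": {
 "stdoutLevel": 6,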
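--- a/test/config/nonce-b.json
+++ b/test/config/nonce-b.json
@@ -1,8 +1,8 @@
 {
 "NonceService": {
 "maxUsed": 131072,
-"noncePrefixKey": {
-"passwordFile": "test/secrets/nonce_prefix_key"
+"nonceHMACKey": {
+"keyFile": "test/secrets/nonce_prefix_key"
 },
 "syslog": {
 "stdoutLevel": 6,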
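--- a/test/config/wfe2.json
+++ b/test/config/wfe2.json
@@ -70,8 +70,8 @@
 "noWaitForReady": true,
 "hostOverride": "nonce.boulder"
 },
-"noncePrefixKey": {
-"passwordFile": "test/secrets/nonce_prefix_key"
+"nonceHMACKey": {
+"keyFile": "test/secrets/nonce_prefix_key"
 },
 "chains": [
 [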