Deprecate AllowCTPoison and AllowSCTList profile settings

letsencrypt · Jul 18, 2024 · 7a7f970 · 7a7f970
1 parent a3e9943
commit 7a7f970
Show file tree

Hide file tree

Showing 3 changed files with 34 additions and 47 deletions.
diff --git a/issuance/cert.go b/issuance/cert.go
@@ -27,9 +27,21 @@ import (
 
 // ProfileConfig describes the certificate issuance constraints for all issuers.
 type ProfileConfig struct {
+	// AllowMustStaple, when false, causes all IssuanceRequests which specify the
+	// OCSP Must Staple extension to be rejected.
 	AllowMustStaple bool
-	AllowCTPoison   bool
-	AllowSCTList    bool
+	// AllowCTPoison, when false, causes all IssuanceRequests which want the
+	// CT Poison extension to be rejected.
+	// Deprecated: We will always allow the CT Poison extension because it is
+	// mandated for Precertificates. This boolean has no effect.
+	AllowCTPoison bool
+	// AllowSCTList, when false, causes all IssuanceRequests which include SCTs
+	// to be rejected.
+	// Deprecated: We intend to include SCTs in all final Certificates for the
+	// foreseeable future. This boolean has no effect.
+	AllowSCTList bool
+	// AllowCommonName, when false, causes all IssuanceRequests which specify a CN
+	// to be rejected.
 	AllowCommonName bool
 
 	MaxValidityPeriod   config.Duration
@@ -47,8 +59,6 @@ type PolicyConfig struct {
 // Profile is the validated structure created by reading in ProfileConfigs and IssuerConfigs
 type Profile struct {
 	allowMustStaple bool
-	allowCTPoison   bool
-	allowSCTList    bool
 	allowCommonName bool
 
 	maxBackdate time.Duration
@@ -61,8 +71,6 @@ type Profile struct {
 func NewProfile(profileConfig ProfileConfig, lints lint.Registry) (*Profile, error) {
 	sp := &Profile{
 		allowMustStaple: profileConfig.AllowMustStaple,
-		allowCTPoison:   profileConfig.AllowCTPoison,
-		allowSCTList:    profileConfig.AllowSCTList,
 		allowCommonName: profileConfig.AllowCommonName,
 		maxBackdate:     profileConfig.MaxValidityBackdate.Duration,
 		maxValidity:     profileConfig.MaxValidityPeriod.Duration,
@@ -93,14 +101,6 @@ func (i *Issuer) requestValid(clk clock.Clock, prof *Profile, req *IssuanceReque
 		return errors.New("must-staple extension cannot be included")
 	}
 
-	if !prof.allowCTPoison && req.IncludeCTPoison {
-		return errors.New("ct poison extension cannot be included")
-	}
-
-	if !prof.allowSCTList && req.sctList != nil {
-		return errors.New("sct list extension cannot be included")
-	}
-
 	if req.IncludeCTPoison && req.sctList != nil {
 		return errors.New("cannot include both ct poison and sct list extensions")
 	}

diff --git a/issuance/cert_test.go b/issuance/cert_test.go
@@ -93,40 +93,11 @@ func TestRequestValid(t *testing.T) {
 			expectedError: "must-staple extension cannot be included",
 		},
 		{
-			name: "ct poison not allowed",
+			name: "both sct list and ct poison provided",
 			issuer: &Issuer{
 				active: true,
 			},
 			profile: &Profile{},
-			request: &IssuanceRequest{
-				PublicKey:       &ecdsa.PublicKey{},
-				SubjectKeyId:    goodSKID,
-				IncludeCTPoison: true,
-			},
-			expectedError: "ct poison extension cannot be included",
-		},
-		{
-			name: "sct list not allowed",
-			issuer: &Issuer{
-				active: true,
-			},
-			profile: &Profile{},
-			request: &IssuanceRequest{
-				PublicKey:    &ecdsa.PublicKey{},
-				SubjectKeyId: goodSKID,
-				sctList:      []ct.SignedCertificateTimestamp{},
-			},
-			expectedError: "sct list extension cannot be included",
-		},
-		{
-			name: "sct list and ct poison not allowed",
-			issuer: &Issuer{
-				active: true,
-			},
-			profile: &Profile{
-				allowCTPoison: true,
-				allowSCTList:  true,
-			},
 			request: &IssuanceRequest{
 				PublicKey:       &ecdsa.PublicKey{},
 				SubjectKeyId:    goodSKID,
@@ -263,7 +234,24 @@ func TestRequestValid(t *testing.T) {
 			expectedError: "serial must be between 9 and 19 bytes",
 		},
 		{
-			name: "good",
+			name: "good with poison",
+			issuer: &Issuer{
+				active: true,
+			},
+			profile: &Profile{
+				maxValidity: time.Hour * 2,
+			},
+			request: &IssuanceRequest{
+				PublicKey:       &ecdsa.PublicKey{},
+				SubjectKeyId:    goodSKID,
+				NotBefore:       fc.Now(),
+				NotAfter:        fc.Now().Add(time.Hour),
+				Serial:          []byte{1, 2, 3, 4, 5, 6, 7, 8, 9},
+				IncludeCTPoison: true,
+			},
+		},
+		{
+			name: "good with scts",
 			issuer: &Issuer{
 				active: true,
 			},
@@ -276,6 +264,7 @@ func TestRequestValid(t *testing.T) {
 				NotBefore:    fc.Now(),
 				NotAfter:     fc.Now().Add(time.Hour),
 				Serial:       []byte{1, 2, 3, 4, 5, 6, 7, 8, 9},
+				sctList:      []ct.SignedCertificateTimestamp{},
 			},
 		},
 	}

diff --git a/test/config-next/ca.json b/test/config-next/ca.json
@@ -46,8 +46,6 @@
 			"certProfiles": {
 				"defaultBoulderCertificateProfile": {
 					"allowMustStaple": true,
-					"allowCTPoison": true,
-					"allowSCTList": true,
 					"allowCommonName": true,
 					"policies": [
 						{