From d9046ae495e2dde80de122917c6b6245b3fd647a Mon Sep 17 00:00:00 2001
From: Samantha Frank
Date: Thu, 25 Jul 2024 16:16:58 -0400
Subject: [PATCH] config: Improve comment for HMACKeyConfig and add TODOs (#7633)

---
 cmd/boulder-wfe2/main.go | 2 ++
 cmd/config.go | 4 +++-
 cmd/nonce-service/main.go | 2 ++
 3 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/cmd/boulder-wfe2/main.go b/cmd/boulder-wfe2/main.go
index d269f4cb5f7..61698d16cfe 100644
--- a/cmd/boulder-wfe2/main.go
+++ b/cmd/boulder-wfe2/main.go
@@ -76,6 +76,8 @@ type Config struct {
 	// an HMAC-SHA256 key (e.g. the output of `openssl rand -hex 32`). In a
 	// multi-DC deployment this value should be the same across all
 	// boulder-wfe and nonce-service instances.
+	//
+	// TODO(#7632) Update this to use the new HMACKeyConfig.
 	NoncePrefixKey cmd.PasswordConfig `validate:"-"`
 
 	// Chains is a list of lists of certificate filenames. Each inner list is
diff --git a/cmd/config.go b/cmd/config.go
index 08fa36b69df..3264ea1cce2 100644
--- a/cmd/config.go
+++ b/cmd/config.go
@@ -554,7 +554,9 @@ type DNSProvider struct {
 	SRVLookup ServiceDomain `validate:"required"`
 }
 
-// HMACKeyConfig contains a path to a file containing an HMAC key.
+// HMACKeyConfig specifies a path to a file containing an HMAC key. The key must
+// consist of 256 bits of random data to be suitable for use as a 256-bit
+// hashing key (e.g., the output of `openssl rand -hex 32`).
 type HMACKeyConfig struct {
 	KeyFile string `validate:"required"`
 }
diff --git a/cmd/nonce-service/main.go b/cmd/nonce-service/main.go
index cdc634db77e..af90de5ac33 100644
--- a/cmd/nonce-service/main.go
+++ b/cmd/nonce-service/main.go
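Review bot: The rewritten HMACKeyConfig comment in the cmd/config.go hunk states that the key must be 256 bits of random data but does not say how the contents of KeyFile are interpreted, and the example it gives does not settle it: `openssl rand -hex 32` emits 64 hex characters (plus a trailing newline when redirected into a file), which is 32 bytes only after hex-decoding and trimming. Whatever reads KeyFile is outside this hunk, so the comment should state that loader's expectation explicitly, e.g. `// The file must contain the key as a hex-encoded string; surrounding whitespace is ignored.` if that is what the loader does, or say "raw bytes" if it does not decode, so an operator cannot produce a key that is silently the wrong length or the wrong encoding. A length check at load time, if one does not already exist, would be the natural companion to this wording. For consistency with the NoncePrefixKey comments in the other two hunks, "suitable for use as a 256-bit hashing key" reads better as `suitable for use as an HMAC-SHA256 key`.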
@@ -33,6 +33,8 @@ type Config struct {
 	// suitable as an HMAC-SHA256 key (e.g. the output of `openssl rand -hex
 	// 32`). In a multi-DC deployment this value should be the same across
 	// all boulder-wfe and nonce-service instances.
+	//
+	// TODO(#7632) Update this to use the new HMACKeyConfig.
 	NoncePrefixKey cmd.PasswordConfig `validate:"required"`
 
 	Syslog cmd.SyslogConfig