letsencrypt · pgporada · Jun 26, 2024 · Jun 11, 2024 · Jun 24, 2024 · Jun 24, 2024
@@ -34,7 +34,6 @@ import (
 	corepb "github.com/letsencrypt/boulder/core/proto"
 	csrlib "github.com/letsencrypt/boulder/csr"
 	berrors "github.com/letsencrypt/boulder/errors"
-	"github.com/letsencrypt/boulder/features"
 	"github.com/letsencrypt/boulder/goodkey"
 	"github.com/letsencrypt/boulder/issuance"
 	"github.com/letsencrypt/boulder/linter"
@@ -128,9 +127,6 @@ type certificateAuthorityImpl struct {
 	issuers      issuerMaps
 	certProfiles certProfilesMaps
 
-	// This is temporary, and will be used for testing and slow roll-out
-	// of ECDSA issuance, but will then be removed.
-	ecdsaAllowList *ECDSAAllowList
 	prefix         int // Prepended to the serial number
 	validityPeriod time.Duration
 	backdate       time.Duration
@@ -250,7 +246,6 @@ func NewCertificateAuthorityImpl(
 	defaultCertProfileName string,
 	certificateProfiles map[string]issuance.ProfileConfig,
 	lints lint.Registry,
-	ecdsaAllowList *ECDSAAllowList,
 	certExpiry time.Duration,
 	certBackdate time.Duration,
 	serialPrefix int,
@@ -302,7 +297,6 @@ func NewCertificateAuthorityImpl(
 		log:            logger,
 		metrics:        metrics,
 		clk:            clk,
-		ecdsaAllowList: ecdsaAllowList,
 	}
 
 	return ca, nil
@@ -566,11 +560,8 @@ func (ca *certificateAuthorityImpl) issuePrecertificateInner(ctx context.Context
 	}
 
 	// Select which pool of issuers to use, based on the to-be-issued cert's key
-	// type and whether we're using the ECDSA Allow List.
+	// type.
 	alg := csr.PublicKeyAlgorithm
-	if alg == x509.ECDSA && !features.Get().ECDSAForAll && ca.ecdsaAllowList != nil && !ca.ecdsaAllowList.permitted(issueReq.RegistrationID) {
-		alg = x509.RSA
-	}
 
 	// Select a random issuer from among the active issuers of this key type.
 	issuerPool, ok := ca.issuers.byAlg[alg]

@@ -275,7 +275,6 @@ func TestSerialPrefix(t *testing.T) {
 		"",
 		nil,
 		nil,
-		nil,
 		testCtx.certExpiry,
 		testCtx.certBackdate,
 		0,
@@ -293,7 +292,6 @@ func TestSerialPrefix(t *testing.T) {
 		"",
 		nil,
 		nil,
-		nil,
 		testCtx.certExpiry,
 		testCtx.certBackdate,
 		128,
@@ -352,7 +350,7 @@ func TestIssuePrecertificate(t *testing.T) {
 		// the precertificates previously generated from the preceding
 		// "precertificate" test.
 		for _, mode := range []string{"precertificate", "certificate-for-precertificate"} {
-			ca, sa := issueCertificateSubTestSetup(t, nil)
+			ca, sa := issueCertificateSubTestSetup(t)
 			t.Run(fmt.Sprintf("%s - %s", mode, testCase.name), func(t *testing.T) {
 				t.Parallel()
 				req, err := x509.ParseCertificateRequest(testCase.csr)
@@ -388,12 +386,8 @@ func TestIssuePrecertificate(t *testing.T) {
 	}
 }
 
-func issueCertificateSubTestSetup(t *testing.T, e *ECDSAAllowList) (*certificateAuthorityImpl, *mockSA) {
+func issueCertificateSubTestSetup(t *testing.T) (*certificateAuthorityImpl, *mockSA) {
 	testCtx := setup(t)
-	ecdsaAllowList := &ECDSAAllowList{}
-	if e == nil {
-		e = ecdsaAllowList
-	}
 	sa := &mockSA{}
 	ca, err := NewCertificateAuthorityImpl(
 		sa,
@@ -402,7 +396,6 @@ func issueCertificateSubTestSetup(t *testing.T, e *ECDSAAllowList) (*certificate
 		testCtx.defaultCertProfileName,
 		testCtx.certProfiles,
 		testCtx.lints,
-		e,
 		testCtx.certExpiry,
 		testCtx.certBackdate,
 		testCtx.serialPrefix,
@@ -450,7 +443,6 @@ func TestNoIssuers(t *testing.T) {
 		testCtx.defaultCertProfileName,
 		testCtx.certProfiles,
 		testCtx.lints,
-		nil,
 		testCtx.certExpiry,
 		testCtx.certBackdate,
 		testCtx.serialPrefix,
@@ -475,7 +467,6 @@ func TestMultipleIssuers(t *testing.T) {
 		testCtx.defaultCertProfileName,
 		testCtx.certProfiles,
 		testCtx.lints,
-		nil,
 		testCtx.certExpiry,
 		testCtx.certBackdate,
 		testCtx.serialPrefix,
@@ -553,7 +544,6 @@ func TestUnpredictableIssuance(t *testing.T) {
 		testCtx.defaultCertProfileName,
 		testCtx.certProfiles,
 		testCtx.lints,
-		nil,
 		testCtx.certExpiry,
 		testCtx.certBackdate,
 		testCtx.serialPrefix,
@@ -722,7 +712,6 @@ func TestProfiles(t *testing.T) {
 				tc.defaultName,
 				tc.profileConfigs,
 				testCtx.lints,
-				nil,
 				testCtx.certExpiry,
 				testCtx.certBackdate,
 				testCtx.serialPrefix,
@@ -766,39 +755,6 @@ func TestProfiles(t *testing.T) {
 	}
 }
 
-func TestECDSAAllowList(t *testing.T) {
-	t.Parallel()
-	req := &capb.IssueCertificateRequest{Csr: ECDSACSR, RegistrationID: arbitraryRegID}
-
-	// With allowlist containing arbitraryRegID, issuance should come from ECDSA issuer.
-	regIDMap := makeRegIDsMap([]int64{arbitraryRegID})
-	ca, _ := issueCertificateSubTestSetup(t, &ECDSAAllowList{regIDMap})
-	result, err := ca.IssuePrecertificate(ctx, req)
-	test.AssertNotError(t, err, "Failed to issue certificate")
-	cert, err := x509.ParseCertificate(result.DER)
-	test.AssertNotError(t, err, "Certificate failed to parse")
-	test.AssertEquals(t, cert.SignatureAlgorithm, x509.ECDSAWithSHA384)
-
-	// With allowlist not containing arbitraryRegID, issuance should fall back to RSA issuer.
-	regIDMap = makeRegIDsMap([]int64{2002})
-	ca, _ = issueCertificateSubTestSetup(t, &ECDSAAllowList{regIDMap})
-	result, err = ca.IssuePrecertificate(ctx, req)
-	test.AssertNotError(t, err, "Failed to issue certificate")
-	cert, err = x509.ParseCertificate(result.DER)
-	test.AssertNotError(t, err, "Certificate failed to parse")
-	test.AssertEquals(t, cert.SignatureAlgorithm, x509.SHA256WithRSA)
-
-	// With empty allowlist but ECDSAForAll enabled, issuance should come from ECDSA issuer.
-	ca, _ = issueCertificateSubTestSetup(t, nil)
-	features.Set(features.Config{ECDSAForAll: true})
-	defer features.Reset()
-	result, err = ca.IssuePrecertificate(ctx, req)
-	test.AssertNotError(t, err, "Failed to issue certificate")
-	cert, err = x509.ParseCertificate(result.DER)
-	test.AssertNotError(t, err, "Certificate failed to parse")
-	test.AssertEquals(t, cert.SignatureAlgorithm, x509.ECDSAWithSHA384)
-}
-
 func TestInvalidCSRs(t *testing.T) {
 	t.Parallel()
 	testCases := []struct {
@@ -864,7 +820,6 @@ func TestInvalidCSRs(t *testing.T) {
 			testCtx.defaultCertProfileName,
 			testCtx.certProfiles,
 			testCtx.lints,
-			nil,
 			testCtx.certExpiry,
 			testCtx.certBackdate,
 			testCtx.serialPrefix,
@@ -903,7 +858,6 @@ func TestRejectValidityTooLong(t *testing.T) {
 		testCtx.defaultCertProfileName,
 		testCtx.certProfiles,
 		testCtx.lints,
-		nil,
 		testCtx.certExpiry,
 		testCtx.certBackdate,
 		testCtx.serialPrefix,
@@ -1004,7 +958,6 @@ func TestIssueCertificateForPrecertificate(t *testing.T) {
 		testCtx.defaultCertProfileName,
 		testCtx.certProfiles,
 		testCtx.lints,
-		nil,
 		testCtx.certExpiry,
 		testCtx.certBackdate,
 		testCtx.serialPrefix,
@@ -1073,7 +1026,6 @@ func TestIssueCertificateForPrecertificateWithSpecificCertificateProfile(t *test
 		testCtx.defaultCertProfileName,
 		testCtx.certProfiles,
 		testCtx.lints,
-		nil,
 		testCtx.certExpiry,
 		testCtx.certBackdate,
 		testCtx.serialPrefix,
@@ -1193,7 +1145,6 @@ func TestIssueCertificateForPrecertificateDuplicateSerial(t *testing.T) {
 		testCtx.defaultCertProfileName,
 		testCtx.certProfiles,
 		testCtx.lints,
-		nil,
 		testCtx.certExpiry,
 		testCtx.certBackdate,
 		testCtx.serialPrefix,
@@ -1244,7 +1195,6 @@ func TestIssueCertificateForPrecertificateDuplicateSerial(t *testing.T) {
 		testCtx.defaultCertProfileName,
 		testCtx.certProfiles,
 		testCtx.lints,
-		nil,
 		testCtx.certExpiry,
 		testCtx.certBackdate,
 		testCtx.serialPrefix,

@@ -36,7 +36,6 @@ func TestOCSP(t *testing.T) {
 		testCtx.defaultCertProfileName,
 		testCtx.certProfiles,
 		testCtx.lints,
-		nil,
 		testCtx.certExpiry,
 		testCtx.certBackdate,
 		testCtx.serialPrefix,

@@ -100,10 +100,6 @@ type Config struct {
 		// Recommended to be around 500ms.
 		OCSPLogPeriod config.Duration
 
-		// Path of a YAML file containing the list of int64 RegIDs
-		// allowed to request ECDSA issuance
-		ECDSAAllowListFilename string
-
 		// CTLogListFile is the path to a JSON file on disk containing the set of
 		// all logs trusted by Chrome. The file must match the v3 log list schema:
 		// https://www.gstatic.com/ct/log_list/v3/log_list_schema.json
@@ -236,15 +232,6 @@ func main() {
 	kp, err := sagoodkey.NewPolicy(&c.CA.GoodKey, sa.KeyBlocked)
 	cmd.FailOnError(err, "Unable to create key policy")
 
-	var ecdsaAllowList *ca.ECDSAAllowList
-	var entries int
-	if c.CA.ECDSAAllowListFilename != "" {
-		// Create an allow list object.
-		ecdsaAllowList, entries, err = ca.NewECDSAAllowListFromFile(c.CA.ECDSAAllowListFilename)
-		cmd.FailOnError(err, "Unable to load ECDSA allow list from YAML file")
-		logger.Infof("Loaded an ECDSA allow list with %d entries", entries)
-	}
-
 	srv := bgrpc.NewServer(c.CA.GRPCCA, logger)
 
 	if !c.CA.DisableOCSPService {
@@ -286,7 +273,6 @@ func main() {
 			c.CA.Issuance.DefaultCertificateProfileName,
 			c.CA.Issuance.CertProfiles,
 			lints,
-			ecdsaAllowList,
 			c.CA.Expiry.Duration,
 			c.CA.Backdate.Duration,
 			c.CA.SerialPrefix,

@@ -27,10 +27,7 @@ type Config struct {
 	EnforceMultiVA                    bool
 	MultiVAFullResults                bool
 	CertCheckerRequiresCorrespondence bool
-
-	// ECDSAForAll enables all accounts, regardless of their presence in the CA's
-	// ecdsaAllowedAccounts config value, to get issuance from ECDSA issuers.
-	ECDSAForAll bool
+	ECDSAForAll                       bool
 
 	// ServeRenewalInfo exposes the renewalInfo endpoint in the directory and for
 	// GET requests. WARNING: This feature is a draft and highly unstable.