https-github-com-bit
diff --git a/‎cmd/ceremony/README.md‎
Lines changed: 51 additions & 0 deletions b/‎cmd/ceremony/README.md‎
Lines changed: 51 additions & 0 deletions
diff --git a/‎cmd/ceremony/cert.go‎
Lines changed: 48 additions & 12 deletions b/‎cmd/ceremony/cert.go‎
Lines changed: 48 additions & 12 deletions
@@ -9,6 +9,7 @@ ceremony --config path/to/config.yml
 `ceremony` operates in one of three modes
 * `root` - generates a signing key on HSM and creates a self-signed root certificate that uses the generated key, outputting a PEM public key, and a PEM certificate
 * `intermediate` - creates a intermediate certificate and signs it using a signing key already on a HSM, outputting a PEM certificate
+* `ocsp-signer` - creates a delegated OCSP signing certificate and signs it using a signing key already on a HSM, outputting a PEM certificate
 * `key` - generates a signing key on HSM, outputting a PEM public key
 
 These modes are set in the `ceremony-type` field of the configuration file.
@@ -126,6 +127,56 @@ certificate-profile:
 
 This config generates an intermediate certificate signed by a key in the HSM, identified by the object label `root signing key` and the object ID `ffff`. The subject key used is taken from `/home/user/intermediate-signing-pub.pem` and the issuer is `/home/user/root-cert.pem`, the resulting certificate is written to `/home/user/intermediate-cert.pem`.
 
+### OCSP Signing Certificate ceremony
+
+- `ceremony-type`: string describing the ceremony type, `ocsp-signer`.
+- `pkcs11`: object containing PKCS#11 related fields.
+    | Field | Description |
+    | --- | --- |
+    | `module` | Path to the PKCS#11 module to use to communicate with a HSM. |
+    | `pin` | Specifies the login PIN, should only be provided if the HSM device requires one to interact with the slot. |
+    | `signing-key-slot` | Specifies which HSM object slot the signing key is in. |
+    | `signing-key-label` | Specifies the HSM object label for the signing key. |
+    | `signing-key-id` | Specifies the HSM object ID for the signing key. |
+- `inputs`: object containing paths for inputs
+    | Field | Description |
+    | --- | --- |
+    | `public-key-path` | Path to PEM subject public key for certificate. |
+    | `issuer-path` | Path to PEM issuer certificate. |
+- `outputs`: object containing paths to write outputs.
+    | Field | Description |
+    | --- | --- |
+    | `certificate-path` | Path to store signed PEM certificate. |
+- `certificate-profile`: object containing profile for certificate to generate. Fields are documented [below](#Certificate-profile-format). The key-usages, ocsp-url, and crl-url fields must not be set.
+
+When generating an OCSP signing certificate the key usages field will be set to just Digital Signature and an EKU extension will be included with the id-kp-OCSPSigning usage. Additionally an id-pkix-ocsp-nocheck extension will be included in the certificate.
+
+Example:
+
+```yaml
+ceremony-type: ocsp-signer
+pkcs11:
+    module: /usr/lib/opensc-pkcs11.so
+    signing-key-slot: 0
+    signing-key-label: intermediate signing key
+    signing-key-id: ffff
+inputs:
+    public-key-path: /home/user/ocsp-signer-signing-pub.pem
+    issuer-path: /home/user/intermediate-cert.pem
+outputs:
+    certificate-path: /home/user/ocsp-signer-cert.pem
+certificate-profile:
+    signature-algorithm: ECDSAWithSHA384
+    common-name: CA OCSP signer
+    organization: good guys
+    country: US
+    not-before: 2020-01-01 12:00:00
+    not-after: 2040-01-01 12:00:00
+    issuer-url:  http://good-guys.com/root
+```
+
+This config generates a delegated OCSP signing certificate signed by a key in the HSM, identified by the object label `intermediate signing key` and the object ID `ffff`. The subject key used is taken from `/home/user/ocsp-signer-signing-pub.pem` and the issuer is `/home/user/intermdiate-cert.pem`, the resulting certificate is written to `/home/user/ocsp-signer-cert.pem`.
+
 ### Key ceremony
 
 - `ceremony-type`: string describing the ceremony type, `key`.
 
@@ -77,7 +77,15 @@ var AllowedSigAlgs = map[string]x509.SignatureAlgorithm{
 	"ECDSAWithSHA512": x509.ECDSAWithSHA512,
 }
 
-func (profile *certProfile) verifyProfile(root bool) error {
+type certType int
+
+const (
+	rootCert certType = iota
+	intermediateCert
+	ocspCert
+)
+
+func (profile *certProfile) verifyProfile(ct certType) error {
 	if profile.NotBefore == "" {
 		return errors.New("not-before is required")
 	}
@@ -96,14 +104,29 @@ func (profile *certProfile) verifyProfile(root bool) error {
 	if profile.Country == "" {
 		return errors.New("country is required")
 	}
-	if !root && profile.OCSPURL == "" {
-		return errors.New("ocsp-url is required for intermediates")
-	}
-	if !root && profile.CRLURL == "" {
-		return errors.New("crl-url is required for intermediates")
+
+	if ct == intermediateCert {
+		if profile.OCSPURL == "" {
+			return errors.New("ocsp-url is required for intermediates")
+		}
+		if profile.CRLURL == "" {
+			return errors.New("crl-url is required for intermediates")
+		}
+		if profile.IssuerURL == "" {
+			return errors.New("issuer-url is required for intermediates")
+		}
 	}
-	if !root && profile.IssuerURL == "" {
-		return errors.New("issuer-url is required for intermediates")
+
+	if ct == ocspCert {
+		if len(profile.KeyUsages) != 0 {
+			return errors.New("key-usages cannot be set for a OCSP signer")
+		}
+		if profile.CRLURL != "" {
+			return errors.New("crl-url cannot be set for a OCSP signer")
+		}
+		if profile.OCSPURL != "" {
+			return errors.New("ocsp-url cannot be set for a OCSP signer")
+		}
 	}
 	return nil
 }
@@ -139,6 +162,8 @@ type policyInformation struct {
 var (
 	oidExtensionCertificatePolicies = asn1.ObjectIdentifier{2, 5, 29, 32}
 	oidCPSQualifier                 = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 2, 1}
+
+	oidOCSPNoCheck = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 48, 1, 5}
 )
 
 func buildPolicies(policies []policyInfoConfig) (pkix.Extension, error) {
@@ -164,7 +189,7 @@ func buildPolicies(policies []policyInfoConfig) (pkix.Extension, error) {
 }
 
 // makeTemplate generates the certificate template for use in x509.CreateCertificate
-func makeTemplate(randReader io.Reader, profile *certProfile, pubKey []byte) (*x509.Certificate, error) {
+func makeTemplate(randReader io.Reader, profile *certProfile, pubKey []byte, ct certType) (*x509.Certificate, error) {
 	dateLayout := "2006-01-02 15:04:05"
 	notBefore, err := time.Parse(dateLayout, profile.NotBefore)
 	if err != nil {
@@ -202,16 +227,19 @@ func makeTemplate(randReader io.Reader, profile *certProfile, pubKey []byte) (*x
 	}
 
 	var ku x509.KeyUsage
-	if len(profile.KeyUsages) == 0 {
-		return nil, errors.New("key usages must be set")
-	}
 	for _, kuStr := range profile.KeyUsages {
 		kuBit, ok := stringToKeyUsage[kuStr]
 		if !ok {
 			return nil, fmt.Errorf("unknown key usage %q", kuStr)
 		}
 		ku |= kuBit
 	}
+	if ct == ocspCert {
+		ku = x509.KeyUsageDigitalSignature
+	}
+	if ku == 0 {
+		return nil, errors.New("at least one key usage must be set")
+	}
 
 	cert := &x509.Certificate{
 		SignatureAlgorithm:    sigAlg,
@@ -232,6 +260,14 @@ func makeTemplate(randReader io.Reader, profile *certProfile, pubKey []byte) (*x
 		SubjectKeyId:          subjectKeyID[:],
 	}
 
+	if ct == ocspCert {
+		cert.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageOCSPSigning}
+		// ASN.1 NULL is 0x05, 0x00
+		ocspNoCheckExt := pkix.Extension{Id: oidOCSPNoCheck, Value: []byte{5, 0}}
+		cert.ExtraExtensions = append(cert.ExtraExtensions, ocspNoCheckExt)
+		cert.IsCA = false
+	}
+
 	if len(profile.Policies) > 0 {
 		policyExt, err := buildPolicies(profile.Policies)
 		if err != nil {