Clean up goodkey configs (letsencrypt#5993)

aarongable · web-flow · commit 910dde95f64a · 2022-03-15T15:26:19.000-07:00
Fixes letsencrypt#5851
diff --git a/cmd/boulder-ca/main.go b/cmd/boulder-ca/main.go
@@ -62,14 +62,6 @@ type Config struct {
 		// GoodKey is an embedded config stanza for the goodkey library.
 		GoodKey goodkey.Config
 
-		// WeakKeyFile is DEPRECATED. Populate GoodKey.WeakKeyFile instead.
-		// TODO(#5851): Remove this.
-		WeakKeyFile string
-
-		// WeakKeyFile is DEPRECATED. Populate GoodKey.BlockedKeyFile instead.
-		// TODO(#5851): Remove this.
-		BlockedKeyFile string
-
 		// Path to directory holding orphan queue files, if not provided an orphan queue
 		// is not used.
 		OrphanQueueDir string
@@ -211,13 +203,6 @@ func main() {
 	cmd.FailOnError(err, "Failed to load credentials and create gRPC connection to SA")
 	sa := sapb.NewStorageAuthorityClient(conn)
 
-	// TODO(#5851): Remove these fallbacks when the old config keys are gone.
-	if c.CA.GoodKey.WeakKeyFile == "" && c.CA.WeakKeyFile != "" {
-		c.CA.GoodKey.WeakKeyFile = c.CA.WeakKeyFile
-	}
-	if c.CA.GoodKey.BlockedKeyFile == "" && c.CA.BlockedKeyFile != "" {
-		c.CA.GoodKey.BlockedKeyFile = c.CA.BlockedKeyFile
-	}
 	kp, err := goodkey.NewKeyPolicy(&c.CA.GoodKey, sa.KeyBlocked)
 	cmd.FailOnError(err, "Unable to create key policy")
 
diff --git a/cmd/boulder-ra/main.go b/cmd/boulder-ra/main.go
@@ -65,14 +65,6 @@ type Config struct {
 		// GoodKey is an embedded config stanza for the goodkey library.
 		GoodKey goodkey.Config
 
-		// WeakKeyFile is DEPRECATED. Populate GoodKey.WeakKeyFile instead.
-		// TODO(#5851): Remove this.
-		WeakKeyFile string
-
-		// WeakKeyFile is DEPRECATED. Populate GoodKey.BlockedKeyFile instead.
-		// TODO(#5851): Remove this.
-		BlockedKeyFile string
-
 		OrderLifetime cmd.ConfigDuration
 
 		// CTLogGroups contains groupings of CT logs which we want SCTs from.
@@ -229,13 +221,6 @@ func main() {
 	}
 	pendingAuthorizationLifetime := time.Duration(c.RA.PendingAuthorizationLifetimeDays) * 24 * time.Hour
 
-	// TODO(#5851): Remove these fallbacks when the old config keys are gone.
-	if c.RA.GoodKey.WeakKeyFile == "" && c.RA.WeakKeyFile != "" {
-		c.RA.GoodKey.WeakKeyFile = c.RA.WeakKeyFile
-	}
-	if c.RA.GoodKey.BlockedKeyFile == "" && c.RA.BlockedKeyFile != "" {
-		c.RA.GoodKey.BlockedKeyFile = c.RA.BlockedKeyFile
-	}
 	kp, err := goodkey.NewKeyPolicy(&c.RA.GoodKey, sac.KeyBlocked)
 	cmd.FailOnError(err, "Unable to create key policy")
 
diff --git a/cmd/boulder-wfe2/main.go b/cmd/boulder-wfe2/main.go
@@ -105,10 +105,6 @@ type Config struct {
 		// GoodKey is an embedded config stanza for the goodkey library.
 		GoodKey goodkey.Config
 
-		// WeakKeyFile is DEPRECATED. Populate GoodKey.BlockedKeyFile instead.
-		// TODO(#5851): Remove this.
-		BlockedKeyFile string
-
 		// StaleTimeout determines how old should data be to be accessed via Boulder-specific GET-able APIs
 		StaleTimeout cmd.ConfigDuration
 
@@ -394,11 +390,6 @@ func main() {
 
 	rac, sac, rns, npm := setupWFE(c, logger, stats, clk)
 
-	// TODO(#5851): Remove these fallbacks when the old config keys are gone.
-	// The WFE does not do weak key checking, just blocked key checking.
-	if c.WFE.GoodKey.BlockedKeyFile == "" && c.WFE.BlockedKeyFile != "" {
-		c.WFE.GoodKey.BlockedKeyFile = c.WFE.BlockedKeyFile
-	}
 	kp, err := goodkey.NewKeyPolicy(&c.WFE.GoodKey, sac.KeyBlocked)
 	cmd.FailOnError(err, "Unable to create key policy")
 
diff --git a/cmd/cert-checker/main.go b/cmd/cert-checker/main.go
@@ -389,7 +389,6 @@ func main() {
 	// Validate PA config and set defaults if needed.
 	cmd.FailOnError(config.PA.CheckChallenges(), "Invalid PA configuration")
 
-	// TODO(#5851): Remove these fallbacks when the old config keys are gone.
 	if config.CertChecker.GoodKey.WeakKeyFile != "" {
 		cmd.Fail("cert-checker does not support checking against weak key files")
 	}
diff --git a/test/config/ca-a.json b/test/config/ca-a.json
@@ -84,8 +84,11 @@
     "serialPrefix": 255,
     "maxNames": 100,
     "lifespanOCSP": "96h",
-    "weakKeyFile": "test/example-weak-keys.json",
-    "blockedKeyFile": "test/example-blocked-keys.yaml",
+    "goodkey": {
+      "weakKeyFile": "test/example-weak-keys.json",
+      "blockedKeyFile": "test/example-blocked-keys.yaml",
+      "fermatRounds": 100
+    },
     "orphanQueueDir": "/tmp/orphaned-certificates-a",
     "ocspLogMaxLength": 4000,
     "ocspLogPeriod": "500ms",
diff --git a/test/config/ca-b.json b/test/config/ca-b.json
@@ -84,8 +84,11 @@
     "serialPrefix": 255,
     "maxNames": 100,
     "lifespanOCSP": "96h",
-    "weakKeyFile": "test/example-weak-keys.json",
-    "blockedKeyFile": "test/example-blocked-keys.yaml",
+    "goodkey": {
+      "weakKeyFile": "test/example-weak-keys.json",
+      "blockedKeyFile": "test/example-blocked-keys.yaml",
+      "fermatRounds": 100
+    },
     "orphanQueueDir": "/tmp/orphaned-certificates-b",
     "ocspLogMaxLength": 4000,
     "ocspLogPeriod": "500ms",
diff --git a/test/config/ra.json b/test/config/ra.json
@@ -8,8 +8,11 @@
     "reuseValidAuthz": true,
     "authorizationLifetimeDays": 30,
     "pendingAuthorizationLifetimeDays": 7,
-    "weakKeyFile": "test/example-weak-keys.json",
-    "blockedKeyFile": "test/example-blocked-keys.yaml",
+    "goodkey": {
+      "weakKeyFile": "test/example-weak-keys.json",
+      "blockedKeyFile": "test/example-blocked-keys.yaml",
+      "fermatRounds": 100
+    },
     "orderLifetime": "168h",
     "issuerCertPath":  "/hierarchy/intermediate-cert-rsa-a.pem",
     "tls": {
diff --git a/test/config/wfe2.json b/test/config/wfe2.json
@@ -11,7 +11,9 @@
     "directoryCAAIdentity": "happy-hacker-ca.invalid",
     "directoryWebsite": "https://github.com/letsencrypt/boulder",
     "legacyKeyIDPrefix": "http://boulder:4000/reg/",
-    "blockedKeyFile": "test/example-blocked-keys.yaml",
+    "goodkey": {
+      "blockedKeyFile": "test/example-blocked-keys.yaml"
+    },
     "tls": {
       "caCertFile": "test/grpc-creds/minica.pem",
       "certFile": "test/grpc-creds/wfe.boulder/cert.pem",

Original file line number	Diff line number	Diff line change
`@@ -389,7 +389,6 @@ func main() {`
`389`	`389`	`// Validate PA config and set defaults if needed.`
`390`	`390`	`cmd.FailOnError(config.PA.CheckChallenges(), "Invalid PA configuration")`
`391`	`391`
`392`		`- // TODO(#5851): Remove these fallbacks when the old config keys are gone.`
`393`	`392`	`if config.CertChecker.GoodKey.WeakKeyFile != "" {`
`394`	`393`	`cmd.Fail("cert-checker does not support checking against weak key files")`
`395`	`394`	`}`