letsencrypt / boulder / 13347
66%
master: 66%

LAST BUILD BRANCH: ocsp-fail-stops-issuances
DEFAULT BRANCH: master
Ran
Jobs 1
Files 110
Run time 31s
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst
coverage: 65.283% (+0.02%) from 65.264%
13347

push

travis-pro

web-flow 
CA: Create ECDSA issuance allowlist (#5258)

Currently, the CA is configured with a set of `internalIssuer`s,
and a mapping of public key algorithms (e.g. `x509.RSA`) to which
internalIssuer to use. In operation today, we use the same issuer
for all kinds of public key algorithms. In the future, we will use
different issuers for different algorithms (in particular, we will
use R3 to issue for RSA keys, and E1 to issue for ECDSA keys). But
we want to roll that out slowly, continuing to use our RSA issuer
to issue for all types of public keys, except for ECDSA keys which
are presented by a specific set of allowed accounts.

This change adds a new config field to the CA, which lets us specify
a small list of registration IDs which are allowed to have issuance
from our ECDSA issuer. If the config list is empty, then all accounts
are allowed. The CA checks to see if the key being issued for is
ECDSA: if it is, it then checks to make sure that the associated
registration ID is in the allowlist. If the account is not allowed,
it then overrides the issuance algorithm to use RSA instead,
mimicking our old behavior. It also adds a new feature flag, which
can be enabled to skip the allowlist entirely (effectively allowing
all registered accounts). This feature flag will be enabled when
we're done with our testing and confident in our ECDSA issuance.

Fixes #5259

13364 of 20471 relevant lines covered (65.28%)

0.73 hits per line

Jobs
ID Job ID Ran Files Coverage
7 13347.7 (TESTFLAGS="--coverage" CONTAINER="netaccess") 0
65.28
 Travis Job 13347.7
Source Files on build 13347
Detailed source file information is not available for this build.