Implement 'replaces' field in newOrder and draft-ietf-acme-ari-03 CertID changes #2114
Conversation
4618bf5 to a22d17e
This is expected and has occurred in the two previous ARI PRs that touch renewForDomains.
The current failure of the CI is related to a Pebble bug; I fixed the problem in #2119.
e371021 to 79e475e
@ldez the changes necessary to support this contribution have been deployed at Let's Encrypt. Let me know if you need anything else.
Thank you!
I missed the conflict 😢
373bb82 to 0c6f225
der, err := asn1.Marshal(leaf.SerialNumber) | ||
if err != nil { | ||
return err | ||
return "", err | ||
} | ||
|
||
return nil | ||
} | ||
|
||
// makeARICertID constructs a certificate identifier as described in draft-ietf-acme-ari-02, section 4.1. | ||
func makeARICertID(leaf *x509.Certificate) (string, error) { | ||
if leaf == nil { | ||
return "", errors.New("leaf certificate is nil") | ||
// Check if the DER encoded bytes are sufficient (at least 3 bytes: tag, | ||
// length, and value). | ||
if len(der) < 3 { | ||
return "", errors.New("invalid DER encoding of serial number") | ||
} | ||
|
||
return fmt.Sprintf("%s.%s", | ||
strings.TrimRight(base64.URLEncoding.EncodeToString(leaf.AuthorityKeyId), "="), | ||
strings.TrimRight(base64.URLEncoding.EncodeToString(leaf.SerialNumber.Bytes()), "="), | ||
), nil | ||
// Extract only the integer bytes from the DER encoded Serial Number | ||
// Skipping the first 2 bytes (tag and length). | ||
serial := base64.RawURLEncoding.EncodeToString(der[2:]) |
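Review bot: the doc comment on makeARICertID still cites draft-ietf-acme-ari-02, section 4.1, while the PR title targets the draft-03 CertID changes; update the reference so readers check the right section of the draft. Also, `serial := base64.RawURLEncoding.EncodeToString(der[2:])` together with `if len(der) < 3` assumes a single short-form length octet; that holds because RFC 5280 caps serial numbers at 20 octets (21 with a leading 0x00 pad), but a comment stating it, or a check such as `der[0] == 0x02 && int(der[1]) == len(der)-2`, would make the assumption explicit rather than silently mis-slicing an unexpected encoding. Replacing `leaf.SerialNumber.Bytes()` with the marshaled content octets is the right call: `big.Int.Bytes()` returns the bare magnitude and omits the leading 0x00 that DER adds when the top bit of the serial is set, so the two forms differ for any serial whose first byte is 0x80 or above.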
@beautifulentropy Just curious, why the ASN.1 marshaling and byte stripping? In my testing, leaf.SerialNumber.Bytes() yields the same output as the more complex ASN.1 algorithm.
https://datatracker.ietf.org/doc/draft-ietf-acme-ari/
PLEASE NOTE: this MUST NOT be merged until letsencrypt/boulder#7298 is deployed to Production. I'll keep this issue up-to-date.
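The question raised in review about asn1.Marshal versus leaf.SerialNumber.Bytes() comes down to DER's sign rule for INTEGER. The following is an added Go example, not code from this PR or from lego: it builds the draft-03-style CertID (base64url of the AKI keyIdentifier, a dot, base64url of the serial's DER content octets, both unpadded) beside the naive Bytes() form and shows exactly where the two diverge. The certificate values, the AKI bytes and the serials are constructed inline for the demo rather than parsed from real certificates; demoCert, demoAKI and naiveCertID are names chosen here, not lego's.

```go
package main

import (
	"crypto/x509"
	"encoding/asn1"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
)

// demoAKI is a constructed Authority Key Identifier (the keyIdentifier
// octets), not any real CA's value.
var demoAKI = []byte{0xC0, 0xCC, 0xA0, 0x9F}

// demoCert builds a certificate value carrying only the two fields a CertID
// needs. Nothing is parsed from real DER; this is demo input only.
func demoCert(serialHex string) *x509.Certificate {
	serial, ok := new(big.Int).SetString(serialHex, 16)
	if !ok {
		panic("demoCert: bad serial hex " + serialHex)
	}
	return &x509.Certificate{SerialNumber: serial, AuthorityKeyId: demoAKI}
}

// makeARICertID returns base64url(AKI) "." base64url(serial content octets),
// both unpadded, where the serial part is the DER INTEGER encoding of the
// serial number with its tag and length octets stripped.
func makeARICertID(leaf *x509.Certificate) (string, error) {
	if leaf == nil {
		return "", errors.New("leaf certificate is nil")
	}
	if len(leaf.AuthorityKeyId) == 0 {
		return "", errors.New("leaf certificate has no Authority Key Identifier")
	}
	if leaf.SerialNumber == nil || leaf.SerialNumber.Sign() <= 0 {
		return "", errors.New("serial number must be a positive integer")
	}
	der, err := asn1.Marshal(leaf.SerialNumber)
	if err != nil {
		return "", err
	}
	// Expect tag 0x02 (INTEGER), one short-form length octet, then the value.
	// RFC 5280 caps serials at 20 octets, so a long-form length never occurs
	// for conforming certificates; anything else is rejected rather than sliced.
	if len(der) < 3 || der[0] != 0x02 || der[1] >= 0x80 || int(der[1]) != len(der)-2 {
		return "", errors.New("unexpected DER encoding of serial number")
	}
	return base64.RawURLEncoding.EncodeToString(leaf.AuthorityKeyId) + "." +
		base64.RawURLEncoding.EncodeToString(der[2:]), nil
}

// naiveCertID uses big.Int.Bytes() for the serial part. Bytes() returns the
// bare magnitude, so it equals the DER content octets only when the serial's
// most significant bit is clear; DER prepends 0x00 when that bit is set.
func naiveCertID(leaf *x509.Certificate) string {
	return base64.RawURLEncoding.EncodeToString(leaf.AuthorityKeyId) + "." +
		base64.RawURLEncoding.EncodeToString(leaf.SerialNumber.Bytes())
}

func main() {
	// 0x7F01 has its top bit clear, 0x8001 has it set.
	for _, serialHex := range []string{"7F01", "8001"} {
		leaf := demoCert(serialHex)
		id, err := makeARICertID(leaf)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		naive := naiveCertID(leaf)
		fmt.Printf("serial 0x%s: ari=%s naive=%s agree=%v\n", serialHex, id, naive, id == naive)
	}
}
```

For the 0x7F01 serial both forms agree; for 0x8001 the DER content octets are 00 80 01 while Bytes() yields 80 01, so the serial halves of the two identifiers differ and the server would look up the wrong certificate. That is why the PR marshals the serial and strips only the tag and length rather than calling Bytes().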