
tests: fix update_valid_ee_certs.rs script, update vendored test data #111

Merged (4 commits), Jul 13, 2024

Conversation

cpu
Member

@cpu cpu commented Jul 13, 2024

The syntax for the Cargo script unstable cargo feature changed out from under us, producing syntax errors running update_valid_ee_certs.rs with recent nightly tooling. This branch updates the syntax to match the documented example script. Along the way I also updated the reqwest version used by the script to the latest. Notably this synchronizes on rustls versions and saves some build time.

With the tooling fixed we can update the stale vendored end-entity cert. test data & static verification timestamp. The LE issuance chain has changed and so the intermediate & root also need updating. It would be nice if the tooling supported this too, but for now I've done it manually using the .der provided in Let's Encrypt docs.

cpu added 4 commits July 13, 2024 15:21
The syntax for this unstable cargo feature changed out from under us,
producing syntax errors with recent nightly tooling. This commit updates
the syntax to match the documented[0] example script.

[0]: https://github.com/rust-lang/cargo/blob/master/src/doc/src/reference/unstable.md#script

This is an in-place update and avoids a separate older version of
Rustls.

* Runs `update_valid_ee_certs.rs`, committing the two updated `.crt`
  files that result.
* Updates the `verification_time()` to the current time to avoid
  not-before errors.
@cpu cpu self-assigned this Jul 13, 2024
Collaborator

@complexspaces complexspaces left a comment


Nice! This looks good to me. We've switched the LE chains from RSA to EC IIUC?

@cpu
Member Author

cpu commented Jul 13, 2024

We've switched the LE chains from RSA to EC IIUC?

The old end entity cert was also P-256 ECDSA, but it was issued ee -> R3 (retired) -> ISRG Root X1 (cross-signed by DST Root X3).

This branch has ee -> E6 -> ISRG Root X2 (cross-signed by ISRG Root X1).

All of the above is a long way of saying, yes 😆

Notably LE plans to switch between using E6 and E5 per-issuance for ECDSA subjects, so that's why it would be nice to have our tooling update the intermediate in addition to the leaf; we can expect to need to refresh the intermediate ~50% of the time we refresh the end entity cert going forward.
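One way tooling could flag that the vendored intermediate needs refreshing along with the leaf, as wished for above: compare the leaf's DER issuer Name with the intermediate's DER subject Name. This is an added example in standard-library Python, not the project's `update_valid_ee_certs.rs` Cargo script; the certificates it walks are constructed, unsigned stand-ins with hypothetical names (`leaf.example`), not the vendored Let's Encrypt data.

```python
# Stdlib-only DER walk: does a vendored intermediate still match the issuer of a
# vendored end-entity cert? DER Names compare byte-for-byte, so no Name parsing.
def der_len(buf, i):
    """Decode length octets at buf[i] -> (length, index where content starts)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def der_children(elem):
    """Split a constructed DER element (tag at elem[0]) into its child TLVs."""
    _, i = der_len(elem, 1)
    out = []
    while i < len(elem):
        length, j = der_len(elem, i + 1)
        out.append(elem[i:j + length])
        i = j + length
    return out

def issuer_and_subject(cert):
    """Raw DER (issuer, subject) Names of an X.509 Certificate."""
    fields = der_children(der_children(cert)[0])  # tbsCertificate
    if fields[0][0] == 0xA0:  # EXPLICIT [0] version is optional (absent in v1)
        fields = fields[1:]
    return fields[2], fields[4]  # serial, sigAlg, issuer, validity, subject, ...

def intermediate_is_current(leaf, intermediate):  # True: no refresh needed
    return issuer_and_subject(leaf)[0] == issuer_and_subject(intermediate)[1]

# Constructed, unsigned stand-ins so this runs offline; real LE Names carry
# C/O/CN and real certs are signed. Only the fields the walker reads matter.
def tlv(tag, body):
    assert len(body) < 0x80  # short-form length suffices for these samples
    return bytes([tag, len(body)]) + body

def name(cn):  # Name ::= SEQUENCE OF RDN, one RDN with commonName (2.5.4.3)
    atv = tlv(0x30, tlv(0x06, bytes.fromhex("550403")) + tlv(0x13, cn.encode()))
    return tlv(0x30, tlv(0x31, atv))

def fake_cert(issuer_cn, subject_cn):
    tbs = (tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01")  # v3, serial 1
           + tlv(0x30, tlv(0x06, bytes.fromhex("2A8648CE3D040302")))  # ecdsa-with-SHA256
           + name(issuer_cn) + tlv(0x30, b"") + name(subject_cn))  # empty validity
    return tlv(0x30, tlv(0x30, tbs) + tlv(0x30, b"") + tlv(0x03, b"\x00"))

LEAF_E6 = fake_cert("E6", "leaf.example")          # what the script fetches today
LEAF_E5 = fake_cert("E5", "leaf.example")          # the other ECDSA issuer LE alternates with
INTERMEDIATE_E6 = fake_cert("ISRG Root X2", "E6")  # vendored intermediate after this PR
STALE_R3 = fake_cert("ISRG Root X1", "R3")         # vendored intermediate before this PR
```

Run against the real vendored `.der`/`.crt` bytes, a `False` result means the intermediate must be refreshed with the leaf, which is the E5/E6 case above.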

@cpu cpu merged commit a1adf79 into rustls:main Jul 13, 2024
18 checks passed
@cpu cpu deleted the cpu-testdata-update_dev branch July 13, 2024 19:58