I think this patch should do it:
modified pkg/cryptoutils/publickey.go
@@ -16,7 +16,6 @@
package cryptoutils
import (
- "context"
"crypto"
"crypto/ecdsa"
"crypto/ed25519"
@@ -30,8 +29,6 @@ import (
"encoding/pem"
"errors"
"fmt"
-
- "
github.com/letsencrypt/boulder/goodkey"
)
const (
@@ -139,20 +136,8 @@ func genErrMsg(first, second crypto.PublicKey, keyType string) string {
func ValidatePubKey(pub crypto.PublicKey) error {
switch pk := pub.(type) {
case *rsa.PublicKey:
- // goodkey policy enforces:
- // * Size of key: 2048 <= size <= 4096, size % 8 = 0
- // * Exponent E = 65537 (Default exponent for OpenSSL and Golang)
- // * Small primes check for modulus
- // * Weak keys generated by Infineon hardware (see
https://crocs.fi.muni.cz/public/papers/rsa_ccs17)
- // * Key is easily factored with Fermat's factorization method
- p, err := goodkey.NewKeyPolicy(&goodkey.Config{FermatRounds: 100}, nil)
- if err != nil {
- // Should not occur, only chances to return errors are if fermat rounds
- // are <0 or when loading blocked/weak keys from disk (not used here)
- return errors.New("unable to initialize key policy")
- }
- // ctx is unused
- return p.GoodKey(context.Background(), pub)
+ // Avoid dependency on Goodkey for debian
+ return nil;
case *ecdsa.PublicKey:
// Unable to use goodkey policy because P-521 curve is not supported
return validateEcdsaKey(pk)
modified pkg/cryptoutils/publickey_test.go
@@ -183,6 +183,8 @@ func TestValidatePubKeyUnsupported(t *testing.T) {
}
func TestValidatePubKeyRsa(t *testing.T) {
+ t.Skip("Validations disabled for Debian")
+
// Validate common RSA key sizes
for _, bits := range []int{2048, 3072, 4096} {
priv, err := rsa.GenerateKey(rand.Reader, bits)