diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 5e4947687..ab7020859 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -5,12 +5,6 @@ updates: schedule: interval: "weekly" time: "10:00" # UTC - groups: - aws-sdk-go-v2: - applies-to: version-updates - patterns: - - "github.com/aws/aws-sdk-go-v2/*" - - "github.com/aws/aws-sdk-go-v2" - package-ecosystem: "docker" directories: - "/" diff --git a/Makefile b/Makefile index c6d6ccc64..20cc53e1a 100644 --- a/Makefile +++ b/Makefile @@ -59,14 +59,6 @@ showbenchmarkxpi: test: go test -v -race -coverprofile coverage.out -covermode=atomic -count=1 ./... -test-in-docker: - $(SHELL) -c " \ - docker compose up 2>&1 | tee test-in-docker.log \ - | (grep --silent 'autograph-unit-test exited with code' && docker compose down; \ - grep 'autograph-unit-test' test-in-docker.log >unit-test.log ; \ - tail -2 unit-test.log)" - - showcoverage: test go tool cover -html=coverage.out @@ -88,6 +80,13 @@ build: generate DOCKER_BUILDKIT=0 COMPOSE_DOCKER_CLI_BUILD=0 docker compose build --parallel app-hsm monitor DOCKER_BUILDKIT=0 COMPOSE_DOCKER_CLI_BUILD=0 docker compose build --parallel monitor monitor-hsm +test-in-docker: build + $(SHELL) -c " \ + docker compose up 2>&1 | tee test-in-docker.log \ + | (grep --silent 'autograph-unit-test exited with code' && docker compose down; \ + grep 'autograph-unit-test' test-in-docker.log >unit-test.log ; \ + tail -2 unit-test.log)" + # TODO(AUT-287): port this to the Docker compose integration tests integration-test: ./bin/run_integration_tests.sh diff --git a/autograph.yaml b/autograph.yaml index fb3878d25..3c5a46035 100644 --- a/autograph.yaml +++ b/autograph.yaml @@ -82,7 +82,7 @@ signers: type: contentsignaturepki validity: 708h clockskewtolerance: 1h - chainuploadlocation: file:///tmp/autograph/chains/normandydev/ + chainlocation: /tmp/autograph/chains/normandydev/ x5u: file:///tmp/autograph/chains/normandydev/ issuerprivkey: | -----BEGIN EC PRIVATE KEY----- 
@@ -134,7 +134,7 @@ signers: type: contentsignaturepki validity: 708h clockskewtolerance: 1h - chainuploadlocation: file:///tmp/autograph/chains/remotesettingsdev/ + chainlocation: /tmp/autograph/chains/remotesettingsdev/ x5u: file:///tmp/autograph/chains/remotesettingsdev/ issuerprivkey: | -----BEGIN EC PRIVATE KEY----- diff --git a/signer/contentsignaturepki/README.md b/signer/contentsignaturepki/README.md index eb9dfdf7d..6b056a5c1 100644 --- a/signer/contentsignaturepki/README.md +++ b/signer/contentsignaturepki/README.md @@ -115,10 +115,10 @@ are valid for 90 days (30d of clock skew in the past, 30 days of validity, 30 days of clock skew in the future). Once the end-entity created, it is concatenated to the public -certificate of the intermediate and root of the PKI, then uploaded to -*chainuploadlocation*, and retrieved from *x5u* (these two locations may -actually be different when we upload to an S3 bucket but download from a -CDN). +certificate of the intermediate and root of the PKI, then stored at +*chainlocation*, and retrieved from *x5u* (these two locations may +actually be different when we upload to a mounted volume but download +from a CDN or the volume's bucket address). If this entire procedure succeeds, the signer is initialized with the end-entity and starts processing requests. @@ -134,11 +134,8 @@ signers: # give +/- 30d of validity room for clients with bad clocks clockskewtolerance: 10m - # upload cert chains to this location (file:// is really just for local dev) - chainuploadlocation: file:///tmp/chains/ - # when using S3, make sure the relevant AWS credentials are set in the - # environment that autograph runs in - #chainuploadlocation: s3://net-mozaws-dev-content-signature/chains/ + # store cert chains to this location + chainlocation: /tmp/chains/ # x5u is the path to the public dir where chains are stored. This MUST end # with a trailing slash because filenames will be appended to it. 
diff --git a/signer/contentsignaturepki/contentsignature.go b/signer/contentsignaturepki/contentsignature.go
index e8bfbd546..ac08fe490 100644
--- a/signer/contentsignaturepki/contentsignature.go
+++ b/signer/contentsignaturepki/contentsignature.go
@@ -59,7 +59,7 @@ type ContentSigner struct {
 rand io.Reader
 validity time.Duration
 clockSkewTolerance time.Duration
- chainUploadLocation string
+ chainLocation string
 caCert string
 db *database.Handler
 subdomainOverride string
@@ -80,7 +80,7 @@ func New(conf signer.Configuration) (s *ContentSigner, err error) {
 s.X5U = conf.X5U
 s.validity = conf.Validity
 s.clockSkewTolerance = conf.ClockSkewTolerance
- s.chainUploadLocation = conf.ChainUploadLocation
+ s.chainLocation = conf.ChainLocation
 s.caCert = conf.CaCert
 s.db = conf.DB
 s.subdomainOverride = conf.SubdomainOverride
@@ -161,8 +161,8 @@ func (s *ContentSigner) initEE(conf signer.Configuration) error {
 if err != nil {
 return fmt.Errorf("contentsignaturepki %q: failed to generate end entity: %w", s.ID, err)
 }
- // make the certificate and upload the chain
- err = s.makeAndUploadChain()
+ // make the certificate and save the chain
+ err = s.makeAndSaveChain()
 if err != nil {
 return fmt.Errorf("contentsignaturepki %q: failed to make chain and x5u: %w", s.ID, err)
 }
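Review bot: New copies `conf.ChainLocation` into `s.chainLocation` without checking that it is set, and because signer.go renames the yaml key from `chainuploadlocation` to `chainlocation`, an unmigrated configuration now yields an empty chainLocation that only surfaces later, when makeAndSaveChain calls `os.MkdirAll` on an empty path, instead of as a configuration error. Unless New validates it further down (its body continues outside the hunk), add after the assignment `if s.chainLocation == "" { return nil, fmt.Errorf("contentsignaturepki %q: chainlocation must be set", conf.ID) }`. The json tag is renamed in the same way, so if any JSON-serialized configurations exist they need the same migration.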
@@ -185,28 +185,24 @@ func (s *ContentSigner) initEE(conf signer.Configuration) error {
 default:
 return fmt.Errorf("contentsignaturepki %q: failed to find suitable end-entity: %w", s.ID, err)
 }
- _, _, err = GetX5U(buildHTTPClient(), s.X5U)
- if err != nil {
- return fmt.Errorf("contentsignaturepki %q: failed to verify x5u: %w", s.ID, err)
- }
 return nil
 }
 
 // Config returns the configuration of the current signer
 func (s *ContentSigner) Config() signer.Configuration {
 return signer.Configuration{
- ID: s.ID,
- Type: s.Type,
- Mode: s.Mode,
- PrivateKey: s.PrivateKey,
- PublicKey: s.PublicKey,
- IssuerPrivKey: s.IssuerPrivKey,
- IssuerCert: s.IssuerCert,
- X5U: s.X5U,
- Validity: s.validity,
- ClockSkewTolerance: s.clockSkewTolerance,
- ChainUploadLocation: s.chainUploadLocation,
- CaCert: s.caCert,
+ ID: s.ID,
+ Type: s.Type,
+ Mode: s.Mode,
+ PrivateKey: s.PrivateKey,
+ PublicKey: s.PublicKey,
+ IssuerPrivKey: s.IssuerPrivKey,
+ IssuerCert: s.IssuerCert,
+ X5U: s.X5U,
+ Validity: s.validity,
+ ClockSkewTolerance: s.clockSkewTolerance,
+ ChainLocation: s.chainLocation,
+ CaCert: s.caCert,
 }
 }
 
diff --git a/signer/contentsignaturepki/contentsignature_test.go b/signer/contentsignaturepki/contentsignature_test.go
index b196b122f..988f92a9c 100644
--- a/signer/contentsignaturepki/contentsignature_test.go
+++ b/signer/contentsignaturepki/contentsignature_test.go
@@ -9,6 +9,7 @@ package contentsignaturepki
 import (
 "crypto/ecdsa"
 "errors"
+ "net/http"
 "strings"
 "testing"
 
@@ -73,7 +74,7 @@ func TestSign(t *testing.T) {
 }
 
 // verify the signature using the public key of the end entity
- _, certs, err := GetX5U(buildHTTPClient(), s.X5U)
+ _, certs, err := GetX5U(&http.Client{}, s.X5U)
 if err != nil {
 t.Fatalf("testcase %d failed to get X5U %q: %v", i, s.X5U, err)
 }
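Review bot: With the `GetX5U` call removed from the end of initEE, a signer that reuses an existing end-entity from the database no longer confirms at startup that the chain at `s.X5U` can be fetched and verifies, and the same probe was dropped from makeAndSaveChain in the x509.go hunk, so a chain written to ChainLocation but not actually served at the X5U URL (the mounted-volume-plus-CDN layout the README describes) is only noticed when clients fail to validate signatures. If the intent is that the X5U host may be unreachable from the signer, say so in a comment at this spot; otherwise keep a fail-fast check such as `if _, _, err := GetX5U(&http.Client{}, s.X5U); err != nil { return fmt.Errorf("contentsignaturepki %q: failed to verify x5u: %w", s.ID, err) }` (contentsignature.go would need `net/http` imported if it no longer is, since buildHTTPClient was deleted). initEE starts outside the hunk.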
@@ -94,11 +95,11 @@ var PASSINGTESTCASES = []struct { expectedCommonName string }{ {cfg: signer.Configuration{ - Type: Type, - ID: "testsigner0", - Mode: P384ECDSA, - X5U: "file:///tmp/autograph_unit_tests/chains/", - ChainUploadLocation: "file:///tmp/autograph_unit_tests/chains/", + Type: Type, + ID: "testsigner0", + Mode: P384ECDSA, + X5U: "file:///tmp/autograph_unit_tests/chains/", + ChainLocation: "/tmp/autograph_unit_tests/chains/", IssuerPrivKey: ` -----BEGIN EC PRIVATE KEY----- MIGkAgEBBDBcwxsHPTSHIVY1qLobCqBtnjRe0UZWOro1xtg2oV4rkypbkkgHHnSA @@ -141,11 +142,11 @@ nsbYLErV5grBhN+UxzmY9YwlOl6j6CoBiNkCMQCVBh9UBkWNkUfMUGImrCNDLvlw expectedCommonName: "testsigner0.content-signature.mozilla.org", }, {cfg: signer.Configuration{ - Type: Type, - ID: "testsigner1", - Mode: P256ECDSA, - X5U: "file:///tmp/autograph_unit_tests/chains/", - ChainUploadLocation: "file:///tmp/autograph_unit_tests/chains/", + Type: Type, + ID: "testsigner1", + Mode: P256ECDSA, + X5U: "file:///tmp/autograph_unit_tests/chains/", + ChainLocation: "/tmp/autograph_unit_tests/chains/", IssuerPrivKey: ` -----BEGIN EC PRIVATE KEY----- MHcCAQEEIEABir6WMfkbG2ZyKKDCij1PlSBldaaJqPQ/9ioWvCM5oAoGCCqGSM49 @@ -185,12 +186,12 @@ mpvOMOT3falDgXh0iOgdIA== expectedCommonName: "testsigner1.content-signature.mozilla.org", }, {cfg: signer.Configuration{ - Type: Type, - ID: "testsigner1", - SubdomainOverride: "anothersigner1", - Mode: P256ECDSA, - X5U: "file:///tmp/autograph_unit_tests/chains/dedup-path-anothersigner1", - ChainUploadLocation: "file:///tmp/autograph_unit_tests/chains/dedup-path-anothersigner1", + Type: Type, + ID: "testsigner1", + SubdomainOverride: "anothersigner1", + Mode: P256ECDSA, + X5U: "file:///tmp/autograph_unit_tests/chains/dedup-path-anothersigner1", + ChainLocation: "/tmp/autograph_unit_tests/chains/dedup-path-anothersigner1", IssuerPrivKey: ` -----BEGIN EC PRIVATE KEY----- MHcCAQEEIEABir6WMfkbG2ZyKKDCij1PlSBldaaJqPQ/9ioWvCM5oAoGCCqGSM49 
diff --git a/signer/contentsignaturepki/upload.go b/signer/contentsignaturepki/upload.go deleted file mode 100644 index 1e54a859e..000000000 --- a/signer/contentsignaturepki/upload.go +++ /dev/null 
@@ -1,139 +0,0 @@ -package contentsignaturepki - -import ( - "context" - "crypto/sha256" - "crypto/x509" - "fmt" - "io" - "net/http" - "net/url" - "os" - "path" - "strings" - "time" - - "github.com/aws/aws-sdk-go-v2/aws" - "github.com/aws/aws-sdk-go-v2/config" - "github.com/aws/aws-sdk-go-v2/feature/s3/manager" - "github.com/aws/aws-sdk-go-v2/service/s3" - "github.com/aws/aws-sdk-go-v2/service/s3/types" - csigverifier "github.com/mozilla-services/autograph/verifier/contentsignature" -) - -// S3UploadAPI is an interface to accommodate testing -// Adapted from https://aws.github.io/aws-sdk-go-v2/docs/unit-testing/ -type S3UploadAPI interface { - Upload(ctx context.Context, input *s3.PutObjectInput, opts ...func(*manager.Uploader)) (*manager.UploadOutput, error) -} - -// upload takes a string and a filename and puts it at the upload location -// defined in the signer, then returns its URL -func (s *ContentSigner) upload(data, name string) error { - parsedURL, err := url.Parse(s.chainUploadLocation) - if err != nil { - return fmt.Errorf("failed to parse chain upload location: %w", err) - } - switch parsedURL.Scheme { - case "s3": - // Context is a required argument, but in our uses, - // LoadDefaultConfig pulls the necessary configuration - // from the environment. - cfg, err := config.LoadDefaultConfig(context.Background()) - if err != nil { - return fmt.Errorf("failed to load AWS config: %w", err) - } - client := s3.NewFromConfig(cfg) - uploader := manager.NewUploader(client) - return uploadToS3(uploader, data, name, parsedURL) - case "file": - return writeLocalFile(data, name, parsedURL) - default: - return fmt.Errorf("unsupported upload scheme %#v", parsedURL.Scheme) - } -} - -func uploadToS3(client S3UploadAPI, data, name string, target *url.URL) error { - // aws-sdk-go-v2 now includes leading slashes in the key name, where v1 did - // not. So, to keep this code compatible, we have to trim it. 
- keyName := strings.TrimPrefix(path.Join(target.Path, name), "/") - _, err := client.Upload(context.Background(), &s3.PutObjectInput{ - Bucket: aws.String(target.Host), - Key: aws.String(keyName), - ACL: types.ObjectCannedACLPublicRead, - Body: strings.NewReader(data), - ContentType: aws.String("binary/octet-stream"), - ContentDisposition: aws.String("attachment"), - }) - return err -} - -func writeLocalFile(data, name string, target *url.URL) error { - // upload dir may not exist yet - _, err := os.Stat(target.Path) - if err != nil { - if strings.Contains(err.Error(), "no such file or directory") { - // create the target directory - err = os.MkdirAll(target.Path, 0755) - if err != nil { - return fmt.Errorf("failed to make directory: %w", err) - } - } else { - return err - } - } - // write the file into the target dir - return os.WriteFile(target.Path+name, []byte(data), 0755) -} - -// buildHTTPClient returns the default HTTP.Client for fetching X5Us -func buildHTTPClient() *http.Client { - return &http.Client{} -} - -// GetX5U retrieves a chain file of certs from upload location, parses -// and verifies it, then returns a byte slice of the response body and -// a slice of parsed certificates. 
-func GetX5U(client *http.Client, x5u string) (body []byte, certs []*x509.Certificate, err error) { - parsedURL, err := url.Parse(x5u) - if err != nil { - err = fmt.Errorf("failed to parse chain upload location: %w", err) - return - } - if parsedURL.Scheme == "file" { - t := &http.Transport{} - t.RegisterProtocol("file", http.NewFileTransport(http.Dir("/"))) - client.Transport = t - } - resp, err := client.Get(x5u) - if err != nil { - err = fmt.Errorf("failed to retrieve x5u: %w", err) - return - } - defer resp.Body.Close() - if resp.StatusCode != http.StatusOK { - err = fmt.Errorf("failed to retrieve x5u from %s: %s", x5u, resp.Status) - return - } - body, err = io.ReadAll(resp.Body) - if err != nil { - err = fmt.Errorf("failed to parse x5u body: %w", err) - return - } - certs, err = csigverifier.ParseChain(body) - if err != nil { - err = fmt.Errorf("failed to parse x5u : %w", err) - return - } - rootHash := sha2Fingerprint(certs[2]) - err = csigverifier.VerifyChain([]string{rootHash}, certs, time.Now()) - if err != nil { - err = fmt.Errorf("failed to verify certificate chain: %w", err) - return - } - return -} - -func sha2Fingerprint(cert *x509.Certificate) string { - return strings.ToUpper(fmt.Sprintf("%x", sha256.Sum256(cert.Raw))) -} diff --git a/signer/contentsignaturepki/upload_test.go b/signer/contentsignaturepki/upload_test.go deleted file mode 100644 index 7ef9982d4..000000000 --- a/signer/contentsignaturepki/upload_test.go +++ /dev/null 
@@ -1,111 +0,0 @@ -package contentsignaturepki - -import ( - "context" - "errors" - "net/url" - "testing" - - "github.com/aws/aws-sdk-go-v2/feature/s3/manager" - "github.com/aws/aws-sdk-go-v2/service/s3" -) - -// Mocks adapted from https://aws.github.io/aws-sdk-go-v2/docs/unit-testing/ -type mockUploadAPI func(ctx context.Context, input *s3.PutObjectInput, opts ...func(*manager.Uploader)) (*manager.UploadOutput, error) - -func (m mockUploadAPI) Upload(ctx context.Context, input *s3.PutObjectInput, opts ...func(*manager.Uploader)) (*manager.UploadOutput, error) { - return m(ctx, input, opts...) -} - -func TestUploadToS3(t *testing.T) { - cases := []struct { - testName string - client func(t *testing.T) S3UploadAPI - data string - name string - chainUploadLocation string - expectErr bool - }{ - { - testName: "successful_upload", - client: func(t *testing.T) S3UploadAPI { - return mockUploadAPI(func(ctx context.Context, input *s3.PutObjectInput, opts ...func(*manager.Uploader)) (*manager.UploadOutput, error) { - expectedBucket := "foo.bar" - if *input.Bucket != expectedBucket { - t.Errorf("bucket: want %#v, got %#v", expectedBucket, *input.Bucket) - } - if *input.Key != "somestuff/successful_chain" { - t.Errorf("key: want \"somestuff/successful_chain\", got %#v", *input.Key) - } - return &manager.UploadOutput{}, nil - }) - }, - data: "foo", - name: "successful_chain", - chainUploadLocation: "s3://foo.bar/somestuff/", - expectErr: false, - }, - { - testName: "successful_upload_with_missing_slash", - client: func(t *testing.T) S3UploadAPI { - return mockUploadAPI(func(ctx context.Context, input *s3.PutObjectInput, opts ...func(*manager.Uploader)) (*manager.UploadOutput, error) { - expectedBucket := "foo.bar" - if *input.Bucket != expectedBucket { - t.Errorf("bucket: want %#v, got %#v", expectedBucket, *input.Bucket) - } - expectedKey := "somestuff/successful_chain" - if *input.Key != expectedKey { - t.Errorf("key: want %#v, got %#v", expectedKey, *input.Key) - } - 
return &manager.UploadOutput{}, nil - }) - }, - data: "foo", - name: "successful_chain", - chainUploadLocation: "s3://foo.bar/somestuff", - expectErr: false, - }, - { - testName: "failed_upload", - client: func(t *testing.T) S3UploadAPI { - return mockUploadAPI(func(ctx context.Context, input *s3.PutObjectInput, opts ...func(*manager.Uploader)) (*manager.UploadOutput, error) { - expectedBucket := "foo.quux" - if *input.Bucket != expectedBucket { - t.Errorf("bucket: want %#v, got %#v", expectedBucket, *input.Bucket) - } - expectedKey := "something/will_fail_chain" - if *input.Key != expectedKey { - t.Errorf("key: want %#v, got %#v", expectedKey, *input.Key) - } - return nil, errors.New("upload failed") - }) - }, - data: "foo", - name: "will_fail_chain", - chainUploadLocation: "s3://foo.quux/something/", - expectErr: true, - }, - } - - for _, tt := range cases { - t.Run(tt.testName, func(t *testing.T) { - t.Parallel() - url, err := url.Parse(tt.chainUploadLocation) - if err != nil { - t.Fatalf("error parsing test url: %v", err) - } - - err = uploadToS3(tt.client(t), tt.data, tt.name, url) - - if tt.expectErr { - if err == nil { - t.Fatal("expected error from uploadToS3 but did not get one") - } - } else { - if err != nil { - t.Fatalf("got unexpected error: %v", err) - } - } - }) - } -} diff --git a/signer/contentsignaturepki/x509.go b/signer/contentsignaturepki/x509.go index 894d60f8d..cc6546f68 100644 --- a/signer/contentsignaturepki/x509.go +++ b/signer/contentsignaturepki/x509.go @@ -2,15 +2,23 @@ package contentsignaturepki import ( "bytes" + "crypto/sha256" "crypto/x509" "crypto/x509/pkix" "encoding/pem" "fmt" + "io" "math/big" + "net/http" + "net/url" + "os" + "path" + "strings" "time" "github.com/mozilla-services/autograph/database" "github.com/mozilla-services/autograph/signer" + verifier "github.com/mozilla-services/autograph/verifier/contentsignature" ) // findAndSetEE searches the database for an end-entity key that is currently 
@@ -39,27 +47,73 @@ func (s *ContentSigner) findAndSetEE(conf signer.Configuration) (err error) {
 return
 }
 
-// makeAndUploadChain makes a certificate using the end-entity public key,
-// uploads the chain to its destination and creates an X5U download URL
-func (s *ContentSigner) makeAndUploadChain() (err error) {
+// makeAndSaveChain makes a certificate using the end-entity public key,
+// save the chain to its destination and creates an X5U download URL
+func (s *ContentSigner) makeAndSaveChain() (err error) {
 var fullChain, chainName string
 fullChain, chainName, err = s.makeChain()
 if err != nil {
 return fmt.Errorf("failed to make chain: %w", err)
 }
- err = s.upload(fullChain, chainName)
+ err = os.MkdirAll(s.chainLocation, 0755)
 if err != nil {
- return fmt.Errorf("failed to upload chain: %w", err)
+ return fmt.Errorf("failed to create chain directory: %w", err)
 }
- newX5U := s.X5U + chainName
- _, _, err = GetX5U(buildHTTPClient(), newX5U)
+ err = os.WriteFile(path.Join(s.chainLocation, chainName), []byte(fullChain), 0644)
 if err != nil {
- return fmt.Errorf("failed to download new chain: %w", err)
+ return fmt.Errorf("failed to write chain: %w", err)
+ }
+ newX5U, err := url.JoinPath(s.X5U, chainName)
+ if err != nil {
+ return fmt.Errorf("Invalid x5u URI: %w", err)
 }
 s.X5U = newX5U
 return
 }
 
+// GetX5U retrieves a chain file of certs from an http location, mimicking how
+// a client would retrieve the chain. It then parses and verifies it, then
+// returns a byte slice of the response body and a slice of parsed certificates
+func GetX5U(client *http.Client, x5u string) (body []byte, certs []*x509.Certificate, err error) {
+ parsedURL, err := url.Parse(x5u)
+ if err != nil {
+ err = fmt.Errorf("failed to parse chain upload location: %w", err)
+ return
+ }
+ if parsedURL.Scheme == "file" {
+ t := &http.Transport{}
+ t.RegisterProtocol("file", http.NewFileTransport(http.Dir("/")))
+ client.Transport = t
+ }
+ resp, err := client.Get(x5u)
+ if err != nil {
+ err = fmt.Errorf("failed to retrieve x5u: %w", err)
+ return
+ }
+ defer resp.Body.Close()
+ if resp.StatusCode != http.StatusOK {
+ err = fmt.Errorf("failed to retrieve x5u from %s: %s", x5u, resp.Status)
+ return
+ }
+ body, err = io.ReadAll(resp.Body)
+ if err != nil {
+ err = fmt.Errorf("failed to parse x5u body: %w", err)
+ return
+ }
+ certs, err = verifier.ParseChain(body)
+ if err != nil {
+ err = fmt.Errorf("failed to parse x5u : %w", err)
+ return
+ }
+ rootHash := strings.ToUpper(fmt.Sprintf("%x", sha256.Sum256(certs[2].Raw)))
+ err = verifier.VerifyChain([]string{rootHash}, certs, time.Now())
+ if err != nil {
+ err = fmt.Errorf("failed to verify certificate chain: %w", err)
+ return
+ }
+ return
+}
+
 // makeChain issues an end-entity certificate using the ca private key and the first
 // cert of the chain (which is supposed to match the ca private key). it
 // returns the entire chain of certificate, its name (based on the ee cn &
diff --git a/signer/signer.go b/signer/signer.go
index 63453085b..22796b309 100644
--- a/signer/signer.go
+++ b/signer/signer.go
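Review bot: GetX5U overwrites `client.Transport` on the caller's `*http.Client` when the scheme is `file`, installing a file transport rooted at `http.Dir("/")` that persists for every later request made through that client, so a shared client silently loses its configured transport after one file:// fetch; work on a copy instead: `c := *client` before the scheme check, `c.Transport = t` inside it, and `resp, err := c.Get(x5u)`. `certs[2].Raw` assumes ParseChain returns at least three certificates; if ParseChain does not guarantee that, guard with `if len(certs) < 3 { err = fmt.Errorf("x5u chain has %d certificates, want 3", len(certs)); return }` before computing rootHash. Because rootHash is taken from the fetched chain itself, VerifyChain here checks only the chain's internal consistency rather than pinning an external root, which is worth stating in the doc comment so nobody later relies on it as a trust check. Minor: the error string `Invalid x5u URI: %w` is capitalised, unlike every other error in these two functions. makeChain's body continues outside the hunk.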
@@ -89,7 +89,7 @@ type Configuration struct {
 // created. This is mostly for contentsignaturepki. If this isn't set, the
 // `KeyID` is used as the subdomain, instead. When setting this value to
 // match another extant signer id, also be sure to set the X5U and
- // ChainUploadLocations of this signer configuration to avoid uploading
+ // ChainLocations of this signer configuration to avoid storing
 // chains that share the same file name.
 SubdomainOverride string `json:"subdomain_override,omitempty" yaml:"subdomainoverride,omitempty"`
 
@@ -107,9 +107,9 @@ type Configuration struct {
 // have a total validity of 10+30+10=50 days.
 ClockSkewTolerance time.Duration `json:"clock_skew_tolerance,omitempty" yaml:"clockskewtolerance,omitempty"`
 
- // ChainUploadLocation is the target a certificate chain should be
- // uploaded to in order for clients to find it at the x5u location.
- ChainUploadLocation string `json:"chain_upload_location,omitempty" yaml:"chainuploadlocation,omitempty"`
+ // ChainLocation is the target a certificate chain should be
+ // saved to in order for clients to find it at the x5u location.
+ ChainLocation string `json:"chain_location,omitempty" yaml:"chainlocation,omitempty"`
 
 // CaCert is the certificate of the root of the pki, when used
 CaCert string `json:"cacert,omitempty" yaml:"cacert,omitempty"`
diff --git a/tools/genpki/README.md b/tools/genpki/README.md
index f84f8b138..eeb0573b4 100644
--- a/tools/genpki/README.md
+++ b/tools/genpki/README.md
@@ -45,7 +45,7 @@ The corresponding autograph configuration would be
 type: contentsignaturepki
 validity: 708h
 clockskewtolerance: 720h
- chainuploadlocation: s3://net-mozaws-dev-content-signature/chains/
+ chainlocation: /mnt/chains/
 x5u: https://s3.amazonaws.com/net-mozaws-dev-content-signature/chains/
 privatekey: csinter1550855347
 publickey: CONTENT_OF_/tmp/csintercert802092792
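Review bot: The new ChainLocation comment still describes a "target" the chain is "saved to", but the value has changed from a scheme-prefixed URL to a bare directory path that makeAndSaveChain hands to `os.MkdirAll` and `path.Join`, and the comment should say so. Suggested wording: `// ChainLocation is the local directory the certificate chain file is written to. Clients never read it directly; the same directory must be published at the X5U URL (mounted volume, bucket or CDN) for the chain to be found there.` The genpki README example in this same line pairs `/mnt/chains/` with an S3 x5u, which only works if something outside autograph publishes that directory, so one sentence there pointing this out would help operators.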
@@ -70,7 +70,7 @@ The corresponding autograph configuration would be
 type: contentsignaturepki
 validity: 708h
 clockskewtolerance: 720h
- chainuploadlocation: s3://net-mozaws-dev-content-signature/chains/
+ chainlocation: /mnt/chains/
 x5u: https://s3.amazonaws.com/net-mozaws-dev-content-signature/chains/
 privatekey: CONTENT_OF_/tmp/csinterkey276780723
 publickey: CONTENT_OF_/tmp/csintercert802092792
diff --git a/tools/softhsm/autograph.softhsm.yaml b/tools/softhsm/autograph.softhsm.yaml
index 11faa944b..d7b0a7a52 100644
--- a/tools/softhsm/autograph.softhsm.yaml
+++ b/tools/softhsm/autograph.softhsm.yaml
@@ -158,8 +158,7 @@ signers:
 # give +/- 30d of validity room for clients with bad clocks
 clockskewtolerance: 10m
 # upload cert chains to this location
- #chainuploadlocation: s3://net-mozaws-dev-content-signature/chains/
- chainuploadlocation: file:///tmp/chains/
+ chainlocation: /tmp/chains/
 # x5u is the path to the public dir where chains are stored. This MUST end
 # with a trailing slash because filenames will be appended to it.
 # x5u: https://s3.amazonaws.com/net-mozaws-dev-content-signature/chains/
@@ -204,7 +203,7 @@ signers:
 type: contentsignaturepki
 validity: 708h
 clockskewtolerance: 10m
- chainuploadlocation: file:///tmp/chains/
+ chainlocation: /tmp/chains/
 x5u: file:///tmp/chains/
 issuerprivkey: csinter1550858489
 issuercert: |