Skip to content

proposal: x/crypto/acme: Support profiles for Let's Encrypt and new Internet Draft #73101

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
sigmavirus24 opened this issue Mar 29, 2025 · 5 comments
Open

proposal: x/crypto/acme: Support profiles for Let's Encrypt and new Internet Draft #73101

sigmavirus24 opened this issue Mar 29, 2025 · 5 comments
Labels
LibraryProposal Issues describing a requested change to the Go standard library or x/ libraries, but not to a tool Proposal Proposal-Crypto Proposal related to crypto packages or other security issues
Milestone
Proposal

Comments

@sigmavirus24
Copy link

Proposal Details

https://datatracker.ietf.org/doc/draft-aaron-acme-profiles/ is a relatively new Internet-Draft with the ACME working group. It's already implemented in Let's Encrypt (a.k.a., Boulder) and it's test server (a.k.a., Pebble) as documented in:

This might be a bit over-eager but as someone using x/crypto/acme to talk to Let's Encrypt, I'm hoping to be able to leverage this and am willing to implement the code sa well.
@gopherbot gopherbot added this to the Proposal milestone Mar 29, 2025
@seankhliao
Copy link
Member

What does support mean for x/crypto/acme?
Do you have a proposed set of api changes?

@gabyhelp gabyhelp added the LibraryProposal Issues describing a requested change to the Go standard library or x/ libraries, but not to a tool label Mar 29, 2025
@seankhliao seankhliao added WaitingForInfo Issue is not actionable because of missing required information, which needs to be provided. Proposal-Crypto Proposal related to crypto packages or other security issues labels Mar 29, 2025
@sigmavirus24
Copy link
Author

sigmavirus24 commented Mar 30, 2025
edited
Loading

What does support mean for x/crypto/acme?

I believe it means a few small non-intrusive and backwards compatible changes.

Do you have a proposed set of api changes?

I could do these in increments too to make it smaller/easier to review but the following is likely necessary:

  1. Update Directory to include a Profiles attribute with type map[string]string. Given this is not yet an RFC, it may be more forward-compatible with any potential alterations to the RFC to make this a distinct type like net/http.Header. That way there's more control over the API and how one might keep backwards compatibility with any post RFC-acceptance changes.
  2. Add a new OrderOption, e.g., WithProfileName(s string) OrderOption WithOrderProfile(name string) OrderOption to be used with AuthorizeOrder which implies updating the anonymous struct definition to include the profile attribute as something that's omitted if empty.

I'd want to add plenty of test coverage here as well just to make sure this doesn't interfere with existing behaviour.

I do believe this will be minimally invasive. This could also be "smarter" in that if someone provides WithProfileName WithOrderProfile but no Profiles exist from the directory endpoint or the profile name itself isn't in the map, then it returns an error without making a request to the server.

sigmavirus24 added a commit to sigmavirus24/golang-x-crypto that referenced this issue Mar 31, 2025
@sigmavirus24
WIP: acme: adds support for profiles draft

Verified

This commit was signed with the committer’s verified signature.
sigmavirus24 Ian Stapleton Cordasco
SSH Key Fingerprint: dc+BK0fzlqzC5Z6XpEQujm3aIlFH0LSSKbIdApb0DGY
Verified
Learn about vigilant mode
c622daa 
Let's Encrypt is already supporting Profiles in requests made to the
new-order endoint and returning them in the meta field of the directory.
This parses those and adds a new OrderOption to enable specifying this
when constructing the new order request via AuthorizeOrder.

When Profiles are not supported, this returns an error early. When the
specified profile name is not in the list of specified profiles, an
error is returned early.

Fixes golang/go#73101

Change-Id: I6a7cdba126d8a0bfb04c6ca6cd06fad9871239d5
@sigmavirus24
Copy link
Author

It wasn't much work to stub out what I was thinking of above, so I pushed it to a fork before submitting via Gerrit in case that helps https://github.com/sigmavirus24/golang-x-crypto/tree/proposal/73101

@seankhliao seankhliao removed the WaitingForInfo Issue is not actionable because of missing required information, which needs to be provided. label Mar 31, 2025
@sigmavirus24
Copy link
Author

@seankhliao how can I help drive this discussion further?

@seankhliao
Copy link
Member

Given it's still a draft, I don't really see it being added anytime soon.

cc @rolandshoemaker @golang/security

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
LibraryProposal Issues describing a requested change to the Go standard library or x/ libraries, but not to a tool Proposal Proposal-Crypto Proposal related to crypto packages or other security issues
Projects
None yet
Milestone
Proposal
Development

No branches or pull requests
4 participants
@sigmavirus24 @gopherbot @seankhliao @gabyhelp