Remove OCSP and CRL methods from CA gRPC service (#6474)
Remove the GenerateOCSP and GenerateCRL methods from the CertificateAuthority gRPC service. These methods are no longer called by any clients; all clients use their respective OCSPGenerator and CRLGenerator gRPC services instead. In addition, remove the CRLGeneratorServer field from the caImpl, as it no longer needs it to serve as a backing implementation for the GenerateCRL pass-through method. Unfortunately, we can't remove the OCSPGeneratorServer field until after ROCSPStage7 is complete, and the CA is no longer generating an OCSP response during initial certificate issuance. Part of #6448
This commit is contained in:
parent
79250756bf
commit
427bced0cd
21
ca/ca.go
21
ca/ca.go
|
|
@ -55,9 +55,8 @@ type certificateAuthorityImpl struct {
|
|||
sa sapb.StorageAuthorityCertificateClient
|
||||
pa core.PolicyAuthority
|
||||
issuers issuerMaps
|
||||
// TODO(#6448): Remove these.
|
||||
// TODO(#6448): Remove this.
|
||||
ocsp capb.OCSPGeneratorServer
|
||||
crl capb.CRLGeneratorServer
|
||||
|
||||
// This is temporary, and will be used for testing and slow roll-out
|
||||
// of ECDSA issuance, but will then be removed.
|
||||
|
|
@ -103,7 +102,6 @@ func NewCertificateAuthorityImpl(
|
|||
sa sapb.StorageAuthorityCertificateClient,
|
||||
pa core.PolicyAuthority,
|
||||
ocsp capb.OCSPGeneratorServer,
|
||||
crl capb.CRLGeneratorServer,
|
||||
boulderIssuers []*issuance.Issuer,
|
||||
ecdsaAllowList *ECDSAAllowList,
|
||||
certExpiry time.Duration,
|
||||
|
|
@ -155,7 +153,6 @@ func NewCertificateAuthorityImpl(
|
|||
sa: sa,
|
||||
pa: pa,
|
||||
ocsp: ocsp,
|
||||
crl: crl,
|
||||
issuers: issuers,
|
||||
validityPeriod: certExpiry,
|
||||
backdate: certBackdate,
|
||||
|
|
@ -581,19 +578,3 @@ func (ca *certificateAuthorityImpl) integrateOrphan() error {
|
|||
ca.adoptedOrphanCount.With(prometheus.Labels{"type": typ}).Inc()
|
||||
return nil
|
||||
}
|
||||
|
||||
// GenerateOCSP is simply a passthrough to ocspImpl.GenerateOCSP so that other
|
||||
// services which need to talk to the CA anyway can do so without configuring
|
||||
// two separate gRPC service backends.
|
||||
// TODO(#6448): Remove this passthrough to fully separate the services.
|
||||
func (ca *certificateAuthorityImpl) GenerateOCSP(ctx context.Context, req *capb.GenerateOCSPRequest) (*capb.OCSPResponse, error) {
|
||||
return ca.ocsp.GenerateOCSP(ctx, req)
|
||||
}
|
||||
|
||||
// GenerateCRL is simply a passthrough to crlImpl.GenerateCRL so that other
|
||||
// services which need to talk to the CA anyway can do so without configuring
|
||||
// two separate gRPC service backends.
|
||||
// TODO(#6448): Remove this passthrough to fully separate the services.
|
||||
func (ca *certificateAuthorityImpl) GenerateCRL(stream capb.CertificateAuthority_GenerateCRLServer) error {
|
||||
return ca.crl.GenerateCRL(stream)
|
||||
}
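Review bot: The surviving `// TODO(#6448): Remove this.` on the `ocsp` field does not say what it is waiting for, although the commit message does; since the `crl` field next to it is being removed under the same issue, the field comment should carry the blocker so the next maintainer does not remove `ocsp` prematurely: `// TODO(#6448): Remove this once ROCSPStage7 is complete and issuance no longer generates an OCSP response.` The `certificateAuthorityImpl` struct and the `NewCertificateAuthorityImpl` signature both start outside their hunks.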
|
||||
|
|
|
|||
|
|
@ -290,7 +290,6 @@ func TestFailNoSerialPrefix(t *testing.T) {
|
|||
nil,
|
||||
nil,
|
||||
nil,
|
||||
nil,
|
||||
testCtx.certExpiry,
|
||||
testCtx.certBackdate,
|
||||
0,
|
||||
|
|
@ -387,7 +386,6 @@ func issueCertificateSubTestSetup(t *testing.T) (*certificateAuthorityImpl, *moc
|
|||
sa,
|
||||
testCtx.pa,
|
||||
testCtx.ocsp,
|
||||
testCtx.crl,
|
||||
testCtx.boulderIssuers,
|
||||
&ECDSAAllowList{},
|
||||
testCtx.certExpiry,
|
||||
|
|
@ -435,7 +433,6 @@ func TestMultipleIssuers(t *testing.T) {
|
|||
sa,
|
||||
testCtx.pa,
|
||||
testCtx.ocsp,
|
||||
testCtx.crl,
|
||||
testCtx.boulderIssuers,
|
||||
nil,
|
||||
testCtx.certExpiry,
|
||||
|
|
@ -581,7 +578,6 @@ func TestInvalidCSRs(t *testing.T) {
|
|||
sa,
|
||||
testCtx.pa,
|
||||
testCtx.ocsp,
|
||||
testCtx.crl,
|
||||
testCtx.boulderIssuers,
|
||||
nil,
|
||||
testCtx.certExpiry,
|
||||
|
|
@ -620,7 +616,6 @@ func TestRejectValidityTooLong(t *testing.T) {
|
|||
sa,
|
||||
testCtx.pa,
|
||||
testCtx.ocsp,
|
||||
testCtx.crl,
|
||||
testCtx.boulderIssuers,
|
||||
nil,
|
||||
testCtx.certExpiry,
|
||||
|
|
@ -723,7 +718,6 @@ func TestIssueCertificateForPrecertificate(t *testing.T) {
|
|||
sa,
|
||||
testCtx.pa,
|
||||
testCtx.ocsp,
|
||||
testCtx.crl,
|
||||
testCtx.boulderIssuers,
|
||||
nil,
|
||||
testCtx.certExpiry,
|
||||
|
|
@ -831,7 +825,6 @@ func TestIssueCertificateForPrecertificateDuplicateSerial(t *testing.T) {
|
|||
sa,
|
||||
testCtx.pa,
|
||||
testCtx.ocsp,
|
||||
testCtx.crl,
|
||||
testCtx.boulderIssuers,
|
||||
nil,
|
||||
testCtx.certExpiry,
|
||||
|
|
@ -875,7 +868,6 @@ func TestIssueCertificateForPrecertificateDuplicateSerial(t *testing.T) {
|
|||
errorsa,
|
||||
testCtx.pa,
|
||||
testCtx.ocsp,
|
||||
testCtx.crl,
|
||||
testCtx.boulderIssuers,
|
||||
nil,
|
||||
testCtx.certExpiry,
|
||||
|
|
@ -953,7 +945,6 @@ func TestPrecertOrphanQueue(t *testing.T) {
|
|||
qsa,
|
||||
testCtx.pa,
|
||||
testCtx.ocsp,
|
||||
testCtx.crl,
|
||||
testCtx.boulderIssuers,
|
||||
nil,
|
||||
testCtx.certExpiry,
|
||||
|
|
@ -1021,7 +1012,6 @@ func TestOrphanQueue(t *testing.T) {
|
|||
qsa,
|
||||
testCtx.pa,
|
||||
testCtx.ocsp,
|
||||
testCtx.crl,
|
||||
testCtx.boulderIssuers,
|
||||
nil,
|
||||
testCtx.certExpiry,
|
||||
|
|
|
|||
19
ca/crl.go
19
ca/crl.go
|
|
@ -281,22 +281,3 @@ func makeIDPExt(base string, issuer issuance.IssuerNameID, shardIdx int64) (*pki
|
|||
Critical: true,
|
||||
}, nil
|
||||
}
|
||||
|
||||
// disabledCRLImpl implements the capb.CRLGeneratorServer interface, but returns
|
||||
// an error for all gRPC methods. This is only used to replace a real impl when
|
||||
// the CRLGenerator service is disabled.
|
||||
// TODO(#6448): Remove this.
|
||||
type disabledCRLImpl struct {
|
||||
capb.UnimplementedCRLGeneratorServer
|
||||
}
|
||||
|
||||
// NewDiabledCRLImpl returns an object which implements the
|
||||
// capb.CRLGeneratorServer interface but always returns errors.
|
||||
func NewDisabledCRLImpl() *disabledCRLImpl {
|
||||
return &disabledCRLImpl{}
|
||||
}
|
||||
|
||||
// GenerateCRL always returns an error because the service is disabled.
|
||||
func (ci *disabledCRLImpl) GenerateCRL(stream capb.CRLGenerator_GenerateCRLServer) error {
|
||||
return errors.New("the CRLGenerator gRPC service is disabled")
|
||||
}
|
||||
|
|
|
|||
|
|
@ -30,7 +30,6 @@ func TestOCSP(t *testing.T) {
|
|||
&mockSA{},
|
||||
testCtx.pa,
|
||||
testCtx.ocsp,
|
||||
testCtx.crl,
|
||||
testCtx.boulderIssuers,
|
||||
nil,
|
||||
testCtx.certExpiry,
|
||||
|
|
|
|||
|
|
@ -584,7 +584,7 @@ var file_ca_proto_rawDesc = []byte{
|
|||
0x28, 0x03, 0x52, 0x08, 0x73, 0x68, 0x61, 0x72, 0x64, 0x49, 0x64, 0x78, 0x22, 0x2b, 0x0a, 0x13,
|
||||
0x47, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x43, 0x52, 0x4c, 0x52, 0x65, 0x73, 0x70, 0x6f,
|
||||
0x6e, 0x73, 0x65, 0x12, 0x14, 0x0a, 0x05, 0x63, 0x68, 0x75, 0x6e, 0x6b, 0x18, 0x01, 0x20, 0x01,
|
||||
0x28, 0x0c, 0x52, 0x05, 0x63, 0x68, 0x75, 0x6e, 0x6b, 0x32, 0xd8, 0x02, 0x0a, 0x14, 0x43, 0x65,
|
||||
0x28, 0x0c, 0x52, 0x05, 0x63, 0x68, 0x75, 0x6e, 0x6b, 0x32, 0xd5, 0x01, 0x0a, 0x14, 0x43, 0x65,
|
||||
0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69,
|
||||
0x74, 0x79, 0x12, 0x55, 0x0a, 0x13, 0x49, 0x73, 0x73, 0x75, 0x65, 0x50, 0x72, 0x65, 0x63, 0x65,
|
||||
0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x12, 0x1b, 0x2e, 0x63, 0x61, 0x2e, 0x49,
|
||||
|
|
@ -598,28 +598,20 @@ var file_ca_proto_rawDesc = []byte{
|
|||
0x63, 0x61, 0x74, 0x65, 0x46, 0x6f, 0x72, 0x50, 0x72, 0x65, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66,
|
||||
0x69, 0x63, 0x61, 0x74, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x11, 0x2e, 0x63,
|
||||
0x6f, 0x72, 0x65, 0x2e, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x22,
|
||||
0x00, 0x12, 0x3b, 0x0a, 0x0c, 0x47, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x4f, 0x43, 0x53,
|
||||
0x50, 0x12, 0x17, 0x2e, 0x63, 0x61, 0x2e, 0x47, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x4f,
|
||||
0x43, 0x53, 0x50, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x10, 0x2e, 0x63, 0x61, 0x2e,
|
||||
0x4f, 0x43, 0x53, 0x50, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x44,
|
||||
0x0a, 0x0b, 0x47, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x43, 0x52, 0x4c, 0x12, 0x16, 0x2e,
|
||||
0x63, 0x61, 0x2e, 0x47, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x43, 0x52, 0x4c, 0x52, 0x65,
|
||||
0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x17, 0x2e, 0x63, 0x61, 0x2e, 0x47, 0x65, 0x6e, 0x65, 0x72,
|
||||
0x61, 0x74, 0x65, 0x43, 0x52, 0x4c, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00,
|
||||
0x28, 0x01, 0x30, 0x01, 0x32, 0x4c, 0x0a, 0x0d, 0x4f, 0x43, 0x53, 0x50, 0x47, 0x65, 0x6e, 0x65,
|
||||
0x72, 0x61, 0x74, 0x6f, 0x72, 0x12, 0x3b, 0x0a, 0x0c, 0x47, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74,
|
||||
0x65, 0x4f, 0x43, 0x53, 0x50, 0x12, 0x17, 0x2e, 0x63, 0x61, 0x2e, 0x47, 0x65, 0x6e, 0x65, 0x72,
|
||||
0x61, 0x74, 0x65, 0x4f, 0x43, 0x53, 0x50, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x10,
|
||||
0x2e, 0x63, 0x61, 0x2e, 0x4f, 0x43, 0x53, 0x50, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65,
|
||||
0x22, 0x00, 0x32, 0x54, 0x0a, 0x0c, 0x43, 0x52, 0x4c, 0x47, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74,
|
||||
0x6f, 0x72, 0x12, 0x44, 0x0a, 0x0b, 0x47, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x43, 0x52,
|
||||
0x4c, 0x12, 0x16, 0x2e, 0x63, 0x61, 0x2e, 0x47, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x43,
|
||||
0x52, 0x4c, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x17, 0x2e, 0x63, 0x61, 0x2e, 0x47,
|
||||
0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x43, 0x52, 0x4c, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e,
|
||||
0x73, 0x65, 0x22, 0x00, 0x28, 0x01, 0x30, 0x01, 0x42, 0x29, 0x5a, 0x27, 0x67, 0x69, 0x74, 0x68,
|
||||
0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6c, 0x65, 0x74, 0x73, 0x65, 0x6e, 0x63, 0x72, 0x79,
|
||||
0x70, 0x74, 0x2f, 0x62, 0x6f, 0x75, 0x6c, 0x64, 0x65, 0x72, 0x2f, 0x63, 0x61, 0x2f, 0x70, 0x72,
|
||||
0x6f, 0x74, 0x6f, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
|
||||
0x00, 0x32, 0x4c, 0x0a, 0x0d, 0x4f, 0x43, 0x53, 0x50, 0x47, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74,
|
||||
0x6f, 0x72, 0x12, 0x3b, 0x0a, 0x0c, 0x47, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x4f, 0x43,
|
||||
0x53, 0x50, 0x12, 0x17, 0x2e, 0x63, 0x61, 0x2e, 0x47, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65,
|
||||
0x4f, 0x43, 0x53, 0x50, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x10, 0x2e, 0x63, 0x61,
|
||||
0x2e, 0x4f, 0x43, 0x53, 0x50, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x32,
|
||||
0x54, 0x0a, 0x0c, 0x43, 0x52, 0x4c, 0x47, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x12,
|
||||
0x44, 0x0a, 0x0b, 0x47, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x43, 0x52, 0x4c, 0x12, 0x16,
|
||||
0x2e, 0x63, 0x61, 0x2e, 0x47, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x43, 0x52, 0x4c, 0x52,
|
||||
0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x17, 0x2e, 0x63, 0x61, 0x2e, 0x47, 0x65, 0x6e, 0x65,
|
||||
0x72, 0x61, 0x74, 0x65, 0x43, 0x52, 0x4c, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22,
|
||||
0x00, 0x28, 0x01, 0x30, 0x01, 0x42, 0x29, 0x5a, 0x27, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e,
|
||||
0x63, 0x6f, 0x6d, 0x2f, 0x6c, 0x65, 0x74, 0x73, 0x65, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x2f,
|
||||
0x62, 0x6f, 0x75, 0x6c, 0x64, 0x65, 0x72, 0x2f, 0x63, 0x61, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f,
|
||||
0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
|
||||
}
|
||||
|
||||
var (
|
||||
|
|
@ -652,18 +644,14 @@ var file_ca_proto_depIdxs = []int32{
|
|||
8, // 1: ca.GenerateCRLRequest.entry:type_name -> core.CRLEntry
|
||||
0, // 2: ca.CertificateAuthority.IssuePrecertificate:input_type -> ca.IssueCertificateRequest
|
||||
2, // 3: ca.CertificateAuthority.IssueCertificateForPrecertificate:input_type -> ca.IssueCertificateForPrecertificateRequest
|
||||
3, // 4: ca.CertificateAuthority.GenerateOCSP:input_type -> ca.GenerateOCSPRequest
|
||||
5, // 5: ca.CertificateAuthority.GenerateCRL:input_type -> ca.GenerateCRLRequest
|
||||
3, // 6: ca.OCSPGenerator.GenerateOCSP:input_type -> ca.GenerateOCSPRequest
|
||||
5, // 7: ca.CRLGenerator.GenerateCRL:input_type -> ca.GenerateCRLRequest
|
||||
1, // 8: ca.CertificateAuthority.IssuePrecertificate:output_type -> ca.IssuePrecertificateResponse
|
||||
9, // 9: ca.CertificateAuthority.IssueCertificateForPrecertificate:output_type -> core.Certificate
|
||||
4, // 10: ca.CertificateAuthority.GenerateOCSP:output_type -> ca.OCSPResponse
|
||||
7, // 11: ca.CertificateAuthority.GenerateCRL:output_type -> ca.GenerateCRLResponse
|
||||
4, // 12: ca.OCSPGenerator.GenerateOCSP:output_type -> ca.OCSPResponse
|
||||
7, // 13: ca.CRLGenerator.GenerateCRL:output_type -> ca.GenerateCRLResponse
|
||||
8, // [8:14] is the sub-list for method output_type
|
||||
2, // [2:8] is the sub-list for method input_type
|
||||
3, // 4: ca.OCSPGenerator.GenerateOCSP:input_type -> ca.GenerateOCSPRequest
|
||||
5, // 5: ca.CRLGenerator.GenerateCRL:input_type -> ca.GenerateCRLRequest
|
||||
1, // 6: ca.CertificateAuthority.IssuePrecertificate:output_type -> ca.IssuePrecertificateResponse
|
||||
9, // 7: ca.CertificateAuthority.IssueCertificateForPrecertificate:output_type -> core.Certificate
|
||||
4, // 8: ca.OCSPGenerator.GenerateOCSP:output_type -> ca.OCSPResponse
|
||||
7, // 9: ca.CRLGenerator.GenerateCRL:output_type -> ca.GenerateCRLResponse
|
||||
6, // [6:10] is the sub-list for method output_type
|
||||
2, // [2:6] is the sub-list for method input_type
|
||||
2, // [2:2] is the sub-list for extension type_name
|
||||
2, // [2:2] is the sub-list for extension extendee
|
||||
0, // [0:2] is the sub-list for field type_name
|
||||
|
|
|
|||
|
|
@ -9,8 +9,6 @@ import "core/proto/core.proto";
|
|||
service CertificateAuthority {
|
||||
rpc IssuePrecertificate(IssueCertificateRequest) returns (IssuePrecertificateResponse) {}
|
||||
rpc IssueCertificateForPrecertificate(IssueCertificateForPrecertificateRequest) returns (core.Certificate) {}
|
||||
rpc GenerateOCSP(GenerateOCSPRequest) returns (OCSPResponse) {}
|
||||
rpc GenerateCRL(stream GenerateCRLRequest) returns (stream GenerateCRLResponse) {}
|
||||
}
|
||||
|
||||
message IssueCertificateRequest {
|
||||
|
|
|
|||
|
|
@ -25,8 +25,6 @@ const _ = grpc.SupportPackageIsVersion7
|
|||
type CertificateAuthorityClient interface {
|
||||
IssuePrecertificate(ctx context.Context, in *IssueCertificateRequest, opts ...grpc.CallOption) (*IssuePrecertificateResponse, error)
|
||||
IssueCertificateForPrecertificate(ctx context.Context, in *IssueCertificateForPrecertificateRequest, opts ...grpc.CallOption) (*proto.Certificate, error)
|
||||
GenerateOCSP(ctx context.Context, in *GenerateOCSPRequest, opts ...grpc.CallOption) (*OCSPResponse, error)
|
||||
GenerateCRL(ctx context.Context, opts ...grpc.CallOption) (CertificateAuthority_GenerateCRLClient, error)
|
||||
}
|
||||
|
||||
type certificateAuthorityClient struct {
|
||||
|
|
@ -55,54 +53,12 @@ func (c *certificateAuthorityClient) IssueCertificateForPrecertificate(ctx conte
|
|||
return out, nil
|
||||
}
|
||||
|
||||
func (c *certificateAuthorityClient) GenerateOCSP(ctx context.Context, in *GenerateOCSPRequest, opts ...grpc.CallOption) (*OCSPResponse, error) {
|
||||
out := new(OCSPResponse)
|
||||
err := c.cc.Invoke(ctx, "/ca.CertificateAuthority/GenerateOCSP", in, out, opts...)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return out, nil
|
||||
}
|
||||
|
||||
func (c *certificateAuthorityClient) GenerateCRL(ctx context.Context, opts ...grpc.CallOption) (CertificateAuthority_GenerateCRLClient, error) {
|
||||
stream, err := c.cc.NewStream(ctx, &CertificateAuthority_ServiceDesc.Streams[0], "/ca.CertificateAuthority/GenerateCRL", opts...)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
x := &certificateAuthorityGenerateCRLClient{stream}
|
||||
return x, nil
|
||||
}
|
||||
|
||||
type CertificateAuthority_GenerateCRLClient interface {
|
||||
Send(*GenerateCRLRequest) error
|
||||
Recv() (*GenerateCRLResponse, error)
|
||||
grpc.ClientStream
|
||||
}
|
||||
|
||||
type certificateAuthorityGenerateCRLClient struct {
|
||||
grpc.ClientStream
|
||||
}
|
||||
|
||||
func (x *certificateAuthorityGenerateCRLClient) Send(m *GenerateCRLRequest) error {
|
||||
return x.ClientStream.SendMsg(m)
|
||||
}
|
||||
|
||||
func (x *certificateAuthorityGenerateCRLClient) Recv() (*GenerateCRLResponse, error) {
|
||||
m := new(GenerateCRLResponse)
|
||||
if err := x.ClientStream.RecvMsg(m); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return m, nil
|
||||
}
|
||||
|
||||
// CertificateAuthorityServer is the server API for CertificateAuthority service.
|
||||
// All implementations must embed UnimplementedCertificateAuthorityServer
|
||||
// for forward compatibility
|
||||
type CertificateAuthorityServer interface {
|
||||
IssuePrecertificate(context.Context, *IssueCertificateRequest) (*IssuePrecertificateResponse, error)
|
||||
IssueCertificateForPrecertificate(context.Context, *IssueCertificateForPrecertificateRequest) (*proto.Certificate, error)
|
||||
GenerateOCSP(context.Context, *GenerateOCSPRequest) (*OCSPResponse, error)
|
||||
GenerateCRL(CertificateAuthority_GenerateCRLServer) error
|
||||
mustEmbedUnimplementedCertificateAuthorityServer()
|
||||
}
|
||||
|
||||
|
|
@ -116,12 +72,6 @@ func (UnimplementedCertificateAuthorityServer) IssuePrecertificate(context.Conte
|
|||
func (UnimplementedCertificateAuthorityServer) IssueCertificateForPrecertificate(context.Context, *IssueCertificateForPrecertificateRequest) (*proto.Certificate, error) {
|
||||
return nil, status.Errorf(codes.Unimplemented, "method IssueCertificateForPrecertificate not implemented")
|
||||
}
|
||||
func (UnimplementedCertificateAuthorityServer) GenerateOCSP(context.Context, *GenerateOCSPRequest) (*OCSPResponse, error) {
|
||||
return nil, status.Errorf(codes.Unimplemented, "method GenerateOCSP not implemented")
|
||||
}
|
||||
func (UnimplementedCertificateAuthorityServer) GenerateCRL(CertificateAuthority_GenerateCRLServer) error {
|
||||
return status.Errorf(codes.Unimplemented, "method GenerateCRL not implemented")
|
||||
}
|
||||
func (UnimplementedCertificateAuthorityServer) mustEmbedUnimplementedCertificateAuthorityServer() {}
|
||||
|
||||
// UnsafeCertificateAuthorityServer may be embedded to opt out of forward compatibility for this service.
|
||||
|
|
@ -171,50 +121,6 @@ func _CertificateAuthority_IssueCertificateForPrecertificate_Handler(srv interfa
|
|||
return interceptor(ctx, in, info, handler)
|
||||
}
|
||||
|
||||
func _CertificateAuthority_GenerateOCSP_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
|
||||
in := new(GenerateOCSPRequest)
|
||||
if err := dec(in); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
if interceptor == nil {
|
||||
return srv.(CertificateAuthorityServer).GenerateOCSP(ctx, in)
|
||||
}
|
||||
info := &grpc.UnaryServerInfo{
|
||||
Server: srv,
|
||||
FullMethod: "/ca.CertificateAuthority/GenerateOCSP",
|
||||
}
|
||||
handler := func(ctx context.Context, req interface{}) (interface{}, error) {
|
||||
return srv.(CertificateAuthorityServer).GenerateOCSP(ctx, req.(*GenerateOCSPRequest))
|
||||
}
|
||||
return interceptor(ctx, in, info, handler)
|
||||
}
|
||||
|
||||
func _CertificateAuthority_GenerateCRL_Handler(srv interface{}, stream grpc.ServerStream) error {
|
||||
return srv.(CertificateAuthorityServer).GenerateCRL(&certificateAuthorityGenerateCRLServer{stream})
|
||||
}
|
||||
|
||||
type CertificateAuthority_GenerateCRLServer interface {
|
||||
Send(*GenerateCRLResponse) error
|
||||
Recv() (*GenerateCRLRequest, error)
|
||||
grpc.ServerStream
|
||||
}
|
||||
|
||||
type certificateAuthorityGenerateCRLServer struct {
|
||||
grpc.ServerStream
|
||||
}
|
||||
|
||||
func (x *certificateAuthorityGenerateCRLServer) Send(m *GenerateCRLResponse) error {
|
||||
return x.ServerStream.SendMsg(m)
|
||||
}
|
||||
|
||||
func (x *certificateAuthorityGenerateCRLServer) Recv() (*GenerateCRLRequest, error) {
|
||||
m := new(GenerateCRLRequest)
|
||||
if err := x.ServerStream.RecvMsg(m); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return m, nil
|
||||
}
|
||||
|
||||
// CertificateAuthority_ServiceDesc is the grpc.ServiceDesc for CertificateAuthority service.
|
||||
// It's only intended for direct use with grpc.RegisterService,
|
||||
// and not to be introspected or modified (even as a copy)
|
||||
|
|
@ -230,19 +136,8 @@ var CertificateAuthority_ServiceDesc = grpc.ServiceDesc{
|
|||
MethodName: "IssueCertificateForPrecertificate",
|
||||
Handler: _CertificateAuthority_IssueCertificateForPrecertificate_Handler,
|
||||
},
|
||||
{
|
||||
MethodName: "GenerateOCSP",
|
||||
Handler: _CertificateAuthority_GenerateOCSP_Handler,
|
||||
},
|
||||
},
|
||||
Streams: []grpc.StreamDesc{
|
||||
{
|
||||
StreamName: "GenerateCRL",
|
||||
Handler: _CertificateAuthority_GenerateCRL_Handler,
|
||||
ServerStreams: true,
|
||||
ClientStreams: true,
|
||||
},
|
||||
},
|
||||
Streams: []grpc.StreamDesc{},
|
||||
Metadata: "ca.proto",
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -303,8 +303,8 @@ func main() {
|
|||
ocspi = ca.NewDisabledOCSPImpl()
|
||||
}
|
||||
|
||||
// TODO(#6448): Remove this predeclaration when NewCertificateAuthorityImpl
|
||||
// no longer needs crli as an argument.
|
||||
// TODO(#6448): Remove this predeclaration when the separate CRL and OCSP
|
||||
// servers listening on separate ports have been remove.
|
||||
var crli capb.CRLGeneratorServer
|
||||
if !c.CA.DisableCRLService {
|
||||
crli, err = ca.NewCRLImpl(
|
||||
|
|
@ -326,8 +326,6 @@ func main() {
|
|||
wg.Done()
|
||||
}()
|
||||
stopFns = append(stopFns, crlStop)
|
||||
} else {
|
||||
crli = ca.NewDisabledCRLImpl()
|
||||
}
|
||||
|
||||
if !c.CA.DisableCertService {
|
||||
|
|
@ -335,7 +333,6 @@ func main() {
|
|||
sa,
|
||||
pa,
|
||||
ocspi,
|
||||
crli,
|
||||
boulderIssuers,
|
||||
ecdsaAllowList,
|
||||
c.CA.Expiry.Duration,
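Review bot: The reworded TODO at the top of the first hunk has a typo (`have been remove.` should read `have been removed.`), and with the `else` branch that set `crli = ca.NewDisabledCRLImpl()` gone from the second hunk, `crli` is now nil whenever `c.CA.DisableCRLService` is true. If, as the removal of the `crli` argument in the third hunk suggests, its only remaining reads are inside the `if !c.CA.DisableCRLService` block, the predeclaration can become `crli, err := ca.NewCRLImpl(` inside that block and the TODO dropped; if a reader outside the block still exists, the comment should name it rather than refer to listening ports. `main` starts and ends outside these hunks, so this is inferred from what is visible.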
|
||||
|
|
|
|||
|
|
@ -158,13 +158,9 @@ func main() {
|
|||
cmd.FailOnError(err, "Unable to create CA client")
|
||||
cac := capb.NewCertificateAuthorityClient(caConn)
|
||||
|
||||
var ocspc capb.OCSPGeneratorClient
|
||||
ocspc = cac
|
||||
if c.RA.OCSPService != nil {
|
||||
ocspConn, err := bgrpc.ClientSetup(c.RA.OCSPService, tlsConfig, scope, clk)
|
||||
cmd.FailOnError(err, "Unable to create CA client")
|
||||
ocspc = capb.NewOCSPGeneratorClient(ocspConn)
|
||||
}
|
||||
ocspConn, err := bgrpc.ClientSetup(c.RA.OCSPService, tlsConfig, scope, clk)
|
||||
cmd.FailOnError(err, "Unable to create CA OCSP client")
|
||||
ocspc := capb.NewOCSPGeneratorClient(ocspConn)
|
||||
|
||||
saConn, err := bgrpc.ClientSetup(c.RA.SAService, tlsConfig, scope, clk)
|
||||
cmd.FailOnError(err, "Failed to load credentials and create gRPC connection to SA")
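Review bot: `c.RA.OCSPService` was optional before this hunk (a nil value fell back to the CA client) and is now passed unconditionally to `bgrpc.ClientSetup`, so an RA config that predates the `ocspService` block added to the JSON config in this commit fails at client setup, or inside ClientSetup with a nil config, rather than with a config-validation message. Suggest guarding it explicitly before the call, e.g. `if c.RA.OCSPService == nil { cmd.FailOnError(errors.New("ocspService is required"), "Invalid RA config") }`, or marking the field required in the RA config struct (not in this diff) if that mechanism exists there. `main` starts and ends outside the hunk.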
|
||||
|
|
|
|||
|
|
@ -44,12 +44,16 @@ func (ca *MockCA) IssueCertificateForPrecertificate(ctx context.Context, req *ca
|
|||
}, nil
|
||||
}
|
||||
|
||||
type MockOCSPGenerator struct{}
|
||||
|
||||
// GenerateOCSP is a mock
|
||||
func (ca *MockCA) GenerateOCSP(ctx context.Context, req *capb.GenerateOCSPRequest, _ ...grpc.CallOption) (*capb.OCSPResponse, error) {
|
||||
func (ca *MockOCSPGenerator) GenerateOCSP(ctx context.Context, req *capb.GenerateOCSPRequest, _ ...grpc.CallOption) (*capb.OCSPResponse, error) {
|
||||
return nil, nil
|
||||
}
|
||||
|
||||
type MockCRLGenerator struct{}
|
||||
|
||||
// GenerateCRL is a mock
|
||||
func (ca *MockCA) GenerateCRL(ctx context.Context, opts ...grpc.CallOption) (capb.CertificateAuthority_GenerateCRLClient, error) {
|
||||
func (ca *MockCRLGenerator) GenerateCRL(ctx context.Context, opts ...grpc.CallOption) (capb.CRLGenerator_GenerateCRLClient, error) {
|
||||
return nil, nil
|
||||
}
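Review bot: `MockOCSPGenerator` and `MockCRLGenerator` are new exported types without doc comments, and both methods keep the receiver name `ca` inherited from `MockCA`, which is misleading on types that are not the CA. Suggest `// MockOCSPGenerator is a mock capb.OCSPGeneratorClient; GenerateOCSP returns a nil response and nil error.` with the matching comment on `MockCRLGenerator`, and a short receiver such as `m` on both methods. Returning `(nil, nil)` means a test that dereferences the response panics on a nil pointer instead of producing a readable failure; that is carried over from `MockCA.GenerateOCSP`, but is worth stating in the comment so callers know the stub is not usable for response inspection.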
|
||||
|
|
|
|||
|
|
@ -368,7 +368,7 @@ func initAuthorities(t *testing.T) (*DummyValidationAuthority, sapb.StorageAutho
|
|||
ra.SA = sa
|
||||
ra.VA = va
|
||||
ra.CA = ca
|
||||
ra.OCSP = ca
|
||||
ra.OCSP = &mocks.MockOCSPGenerator{}
|
||||
ra.PA = pa
|
||||
return va, sa, ra, fc, cleanUp
|
||||
}
|
||||
|
|
|
|||
|
|
@ -34,6 +34,11 @@
|
|||
"timeout": "15s",
|
||||
"hostOverride": "ca.boulder"
|
||||
},
|
||||
"ocspService": {
|
||||
"serverAddress": "ca.service.consul:9096",
|
||||
"timeout": "15s",
|
||||
"hostOverride": "ca.boulder"
|
||||
},
|
||||
"publisherService": {
|
||||
"serverAddress": "publisher.service.consul:9091",
|
||||
"timeout": "300s",
|
||||
|
|
|
|||