Replace integration test root ocsp with crls (#6905)

We no longer issue OCSP responses for our intermediate certificates, instead producing CRLs which cover those intermediates. Remove the OCSP response from our integration test ceremony, remove the configuration for the static ocsp-responder which serves that response, and remove the integration test which spins up and checks that responder. Replace all of the above with new CRLs generated as part of the integration test ceremony.
2023-05-24 14:22:43 -07:00 · 2023-05-24 14:22:43 -07:00 · 4305f64a28
parent 54b5294651
commit 4305f64a28
8 changed files with 40 additions and 60 deletions
--- a/test/cert-ceremonies/generate.go
+++ b/test/cert-ceremonies/generate.go
@ -153,13 +153,18 @@ func main() {
 	err = genCert(ecdsaTmpIntermediateB)
 	cmd.FailOnError(err, "failed to generate ECDSA intermediate cert")

-	// Rewrite OCSP configs and generate OCSP responses for the A intermediates
-	rsaTmpOCSPConfig, err := rewriteConfig("test/cert-ceremonies/intermediate-ocsp-rsa.yaml", map[string]string{
+	// Create CRLs stating that the intermediates are not revoked.
+	rsaTmpCRLConfig, err := rewriteConfig("test/cert-ceremonies/root-crl-rsa.yaml", map[string]string{
 		"SlotID": rsaRootKeySlot,
 	})
-	cmd.FailOnError(err, "failed to rewrite RSA intermediate OCSP config with key ID")
-	err = genCert(rsaTmpOCSPConfig)
-	cmd.FailOnError(err, "failed to generate RSA intermediate OCSP response")
-	// We do not generate OCSP for the ECDSA intermediates, as our new issuers
-	// only use CRLs, not OCSP.
+	cmd.FailOnError(err, "failed to rewrite RSA root CRL config with key ID")
+	err = genCert(rsaTmpCRLConfig)
+	cmd.FailOnError(err, "failed to generate RSA root CRL")
+
+	ecdsaTmpCRLConfig, err := rewriteConfig("test/cert-ceremonies/root-crl-ecdsa.yaml", map[string]string{
+		"SlotID": ecdsaRootKeySlot,
+	})
+	cmd.FailOnError(err, "failed to rewrite ECDSA root CRL config with key ID")
+	err = genCert(ecdsaTmpCRLConfig)
+	cmd.FailOnError(err, "failed to generate ECDSA root CRL")
 }
--- a/test/cert-ceremonies/intermediate-ceremony-ecdsa.yaml
+++ b/test/cert-ceremonies/intermediate-ceremony-ecdsa.yaml
@ -16,7 +16,6 @@ certificate-profile:
    country: US
    not-before: 2020-01-01 12:00:00
    not-after: 2040-01-01 12:00:00
-    ocsp-url: http://example.com/ocsp
    crl-url:  http://example.com/crl
    issuer-url:  http://example.com/root
    policies:
--- a/test/cert-ceremonies/intermediate-ceremony-rsa.yaml
+++ b/test/cert-ceremonies/intermediate-ceremony-rsa.yaml
@ -16,7 +16,6 @@ certificate-profile:
    country: US
    not-before: 2020-01-01 12:00:00
    not-after: 2040-01-01 12:00:00
-    ocsp-url: http://example.com/ocsp
    crl-url:  http://example.com/crl
    issuer-url:  http://example.com/root
    policies:
--- a/test/cert-ceremonies/intermediate-ocsp-rsa.yaml
+++ b/test/cert-ceremonies/intermediate-ocsp-rsa.yaml
@ -1,15 +0,0 @@
-ceremony-type: ocsp-response
-pkcs11:
-    module: /usr/lib/softhsm/libsofthsm2.so
-    pin: 1234
-    signing-key-slot: {{ .SlotID}}
-    signing-key-label: root signing key (rsa)
-inputs:
-    certificate-path: /hierarchy/intermediate-cert-rsa-a.pem
-    issuer-certificate-path: /hierarchy/root-cert-rsa.pem
-outputs:
-    response-path: /hierarchy/intermediate-ocsp-rsa.b64
-ocsp-profile:
-    this-update: 2020-01-01 12:00:00
-    next-update: 2039-01-01 12:00:00
-    status: good
--- a/test/cert-ceremonies/root-crl-ecdsa.yaml
+++ b/test/cert-ceremonies/root-crl-ecdsa.yaml
@ -0,0 +1,14 @@
+ceremony-type: crl
+pkcs11:
+    module: /usr/lib/softhsm/libsofthsm2.so
+    pin: 1234
+    signing-key-slot: {{ .SlotID}}
+    signing-key-label: root signing key (ecdsa)
+inputs:
+    issuer-certificate-path: /hierarchy/root-cert-ecdsa.pem
+outputs:
+    crl-path: /hierarchy/root-crl-ecdsa.pem
+crl-profile:
+    this-update: 2023-01-01 12:00:00
+    next-update: 2023-12-15 12:00:00
+    number: 100
--- a/test/cert-ceremonies/root-crl-rsa.yaml
+++ b/test/cert-ceremonies/root-crl-rsa.yaml
@ -0,0 +1,14 @@
+ceremony-type: crl
+pkcs11:
+    module: /usr/lib/softhsm/libsofthsm2.so
+    pin: 1234
+    signing-key-slot: {{ .SlotID}}
+    signing-key-label: root signing key (rsa)
+inputs:
+    issuer-certificate-path: /hierarchy/root-cert-rsa.pem
+outputs:
+    crl-path: /hierarchy/root-crl-rsa.pem
+crl-profile:
+    this-update: 2023-01-01 12:00:00
+    next-update: 2023-12-15 12:00:00
+    number: 100
--- a/test/integration-test.py
+++ b/test/integration-test.py
@ -46,24 +46,6 @@ def run_go_tests(filterPattern=None):
    cmdLine = cmdLine + ["-tags", "integration", "-count=1", "-race", "./test/integration"]
    subprocess.check_call(cmdLine, stderr=subprocess.STDOUT)

-def test_single_ocsp():
-    """Run ocsp-responder with the single OCSP response generated for the intermediate
-       certificate using the ceremony tool during setup and check that it successfully
-       answers OCSP requests, and shut the responder back down.
-
-       This is a non-API test.
-    """
-    p = subprocess.Popen(
-        ["./bin/boulder", "ocsp-responder", "--config", "test/issuer-ocsp-responder.json"])
-    waitport(4003, ' '.join(p.args))
-
-    # Verify that the static OCSP responder, which answers with a
-    # pre-signed, long-lived response for the CA cert, works.
-    verify_ocsp("/hierarchy/intermediate-cert-rsa-a.pem", "/hierarchy/root-cert-rsa.pem", "http://localhost:4003", "good")
-
-    p.send_signal(signal.SIGTERM)
-    p.wait()
-
 exit_status = 1

 def main():
--- a/test/issuer-ocsp-responder.json
+++ b/test/issuer-ocsp-responder.json
@ -1,18 +0,0 @@
-{
-  "ocspResponder": {
-    "source": "file:///hierarchy/intermediate-ocsp-rsa.b64",
-    "path": "/",
-    "listenAddress": "0.0.0.0:4003",
-    "issuerCerts": [
-      "/hierarchy/intermediate-cert-rsa-a.pem"
-    ],
-    "timeout": "4.9s",
-    "shutdownStopTimeout": "10s",
-    "debugAddr": "localhost:8010"
-  },
-
-  "syslog": {
-   "stdoutlevel": 6,
-   "sysloglevel": 6
- }
-}