Add error checking and default value for LifespanOCSP (#7222)

We do this in code, rather than with the config validation package, because our custom config.Duration type confuses the config validator. Fixes https://github.com/letsencrypt/boulder/issues/7219
2023-12-21 10:07:06 -08:00 · 2023-12-21 10:07:06 -08:00 · 5972d43924
parent 0fc9de63ee
commit 5972d43924
3 changed files with 11 additions and 2 deletions
--- a/ca/ca_test.go
+++ b/ca/ca_test.go
@ -238,7 +238,7 @@ func setup(t *testing.T) *testCtx {

 	ocsp, err := NewOCSPImpl(
 		boulderIssuers,
-		time.Hour,
+		24*time.Hour,
 		0,
 		time.Second,
 		blog.NewMock(),
--- a/ca/ocsp.go
+++ b/ca/ocsp.go
@ -68,6 +68,10 @@ func NewOCSPImpl(
 		issuersByID[issuer.ID()] = issuer
 	}

+	if ocspLifetime < 8*time.Hour || ocspLifetime > 7*24*time.Hour {
+		return nil, fmt.Errorf("invalid OCSP lifetime %q", ocspLifetime)
+	}
+
 	var ocspLogQueue *ocspLogQueue
 	if ocspLogMaxLength > 0 {
 		ocspLogQueue = newOCSPLogQueue(ocspLogMaxLength, ocspLogPeriod, stats, logger)
--- a/cmd/boulder-ca/main.go
+++ b/cmd/boulder-ca/main.go
@ -4,6 +4,7 @@ import (
 	"context"
 	"flag"
 	"os"
+	"time"

 	"github.com/prometheus/client_golang/prometheus"

@ -52,7 +53,7 @@ type Config struct {
 		MaxNames int `validate:"required,min=1,max=100"`

 		// LifespanOCSP is how long OCSP responses are valid for. Per the BRs,
-		// Section 4.9.10, it MUST NOT be more than 10 days.
+		// Section 4.9.10, it MUST NOT be more than 10 days. Default 96h.
 		LifespanOCSP config.Duration

 		// LifespanCRL is how long CRLs are valid for. It should be longer than the
@ -165,6 +166,10 @@ func main() {
 		cmd.Fail("Error in CA config: MaxNames must not be 0")
 	}

+	if c.CA.LifespanOCSP.Duration == 0 {
+		c.CA.LifespanOCSP.Duration = 96 * time.Hour
+	}
+
 	scope, logger, oTelShutdown := cmd.StatsAndLogging(c.Syslog, c.OpenTelemetry, c.CA.DebugAddr)
 	defer oTelShutdown(context.Background())
 	logger.Info(cmd.VersionString())