Add error checking and default value for LifespanOCSP (#7222)

We do this in code, rather than with the config validation package,
because our custom config.Duration type confuses the config validator.

Fixes https://github.com/letsencrypt/boulder/issues/7219

ca/ca_test.go

@@ -238,7 +238,7 @@ func setup(t *testing.T) *testCtx {
 
 	ocsp, err := NewOCSPImpl(
 		boulderIssuers,
-		time.Hour,
+		24*time.Hour,
 		0,
 		time.Second,
 		blog.NewMock(),

ca/ocsp.go

@@ -68,6 +68,10 @@ func NewOCSPImpl(
 		issuersByID[issuer.ID()] = issuer
 	}
 
+	if ocspLifetime < 8*time.Hour || ocspLifetime > 7*24*time.Hour {
+		return nil, fmt.Errorf("invalid OCSP lifetime %q", ocspLifetime)
+	}
+
 	var ocspLogQueue *ocspLogQueue
 	if ocspLogMaxLength > 0 {
 		ocspLogQueue = newOCSPLogQueue(ocspLogMaxLength, ocspLogPeriod, stats, logger)

cmd/boulder-ca/main.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"flag"
 	"os"
+	"time"
 
 	"github.com/prometheus/client_golang/prometheus"
 
@@ -52,7 +53,7 @@ type Config struct {
 		MaxNames int `validate:"required,min=1,max=100"`
 
 		// LifespanOCSP is how long OCSP responses are valid for. Per the BRs,
-		// Section 4.9.10, it MUST NOT be more than 10 days.
+		// Section 4.9.10, it MUST NOT be more than 10 days. Default 96h.
 		LifespanOCSP config.Duration
 
 		// LifespanCRL is how long CRLs are valid for. It should be longer than the
@@ -165,6 +166,10 @@ func main() {
 		cmd.Fail("Error in CA config: MaxNames must not be 0")
 	}
 
+	if c.CA.LifespanOCSP.Duration == 0 {
+		c.CA.LifespanOCSP.Duration = 96 * time.Hour
+	}
+
 	scope, logger, oTelShutdown := cmd.StatsAndLogging(c.Syslog, c.OpenTelemetry, c.CA.DebugAddr)
 	defer oTelShutdown(context.Background())
 	logger.Info(cmd.VersionString())