letsencrypt
/
boulder
mirror of https://github.com/letsencrypt/boulder.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Finish migration from int64 timestamps to timestamppb (#7142) 

This is a cleanup PR finishing the migration from int64 timestamps to
protobuf `*timestamppb.Timestamps` by removing all usage of the old
int64 fields. In the previous PR
https://github.com/letsencrypt/boulder/pull/7121 all fields were
switched to read from the protobuf timestamppb fields.

Adds a new case to `core.IsAnyNilOrZero` to check various properties of
a `*timestamppb.Timestamp` reducing the visual complexity for receivers.

Fixes https://github.com/letsencrypt/boulder/issues/7060
This commit is contained in:
Phil Porada 2023-11-27 16:37:31 -05:00 committed by GitHub
parent 32adaf1846
commit 6925fad324
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
37 changed files with 1470 additions and 2128 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
ca/ca.go
View File

@ -185,13 +185,10 @@ func (ca *certificateAuthorityImpl) IssuePrecertificate(ctx context.Context, iss
serialHex := core.SerialToString(serialBigInt)
regID := issueReq.RegistrationID
now := ca.clk.Now()
_, err = ca.sa.AddSerial(ctx, &sapb.AddSerialRequest{
Serial: serialHex,
RegID: regID,
CreatedNS: now.UnixNano(),
Created: timestamppb.New(now),
ExpiresNS: validity.NotAfter.UnixNano(),
Created: timestamppb.New(ca.clk.Now()),
Expires: timestamppb.New(validity.NotAfter),
})
if err != nil {
@ -298,12 +295,10 @@ func (ca *certificateAuthorityImpl) IssueCertificateForPrecertificate(ctx contex
ca.log.AuditInfof("Signing cert success: serial=[%s] regID=[%d] names=[%s] certificate=[%s]",
serialHex, req.RegistrationID, names, hex.EncodeToString(certDER))
now := ca.clk.Now()
_, err = ca.sa.AddCertificate(ctx, &sapb.AddCertificateRequest{
Der: certDER,
RegID: req.RegistrationID,
IssuedNS: now.UnixNano(),
Issued: timestamppb.New(now),
Issued: timestamppb.New(ca.clk.Now()),
})
if err != nil {
ca.log.AuditErrf("Failed RPC to store at SA: serial=[%s], cert=[%s], issuerID=[%d], regID=[%d], orderID=[%d], err=[%v]",
@ -316,9 +311,7 @@ func (ca *certificateAuthorityImpl) IssueCertificateForPrecertificate(ctx contex
Serial: core.SerialToString(precert.SerialNumber),
Der: certDER,
Digest: core.Fingerprint256(certDER),
IssuedNS: precert.NotBefore.UnixNano(),
Issued: timestamppb.New(precert.NotBefore),
ExpiresNS: precert.NotAfter.UnixNano(),
Expires: timestamppb.New(precert.NotAfter),
}, nil
}
@ -419,12 +412,10 @@ func (ca *certificateAuthorityImpl) issuePrecertificateInner(ctx context.Context
return nil, nil, berrors.InternalServerError("failed to prepare precertificate signing: %s", err)
}
now := ca.clk.Now()
_, err = ca.sa.AddPrecertificate(context.Background(), &sapb.AddCertificateRequest{
Der: lintCertBytes,
RegID: issueReq.RegistrationID,
IssuedNS: now.UnixNano(),
Issued: timestamppb.New(now),
Issued: timestamppb.New(ca.clk.Now()),
IssuerNameID: int64(issuer.Cert.NameID()),
OcspNotReady: true,
})

9
ca/crl.go
View File

@ -193,10 +193,11 @@ func (ci *crlImpl) GenerateCRL(stream capb.CRLGenerator_GenerateCRLServer) error
}
func (ci *crlImpl) metadataToTemplate(meta *capb.CRLMetadata) (*x509.RevocationList, error) {
if meta.IssuerNameID == 0 || meta.ThisUpdateNS == 0 {
// TODO(#7153): Check each value via core.IsAnyNilOrZero
if meta.IssuerNameID == 0 || core.IsAnyNilOrZero(meta.ThisUpdate) {
return nil, errors.New("got incomplete metadata message")
}
thisUpdate := time.Unix(0, meta.ThisUpdateNS)
thisUpdate := meta.ThisUpdate.AsTime()
number := bcrl.Number(thisUpdate)
return &x509.RevocationList{
@ -212,10 +213,10 @@ func (ci *crlImpl) entryToRevokedCertificate(entry *corepb.CRLEntry) (*x509.Revo
return nil, err
}
if entry.RevokedAtNS == 0 {
if core.IsAnyNilOrZero(entry.RevokedAt) {
return nil, errors.New("got empty or zero revocation timestamp")
}
revokedAt := time.Unix(0, entry.RevokedAtNS)
revokedAt := entry.RevokedAt.AsTime()
return &x509.RevocationListEntry{
SerialNumber: serial,

14
ca/crl_test.go
View File

@ -79,7 +79,6 @@ func TestGenerateCRL(t *testing.T) {
Payload: &capb.GenerateCRLRequest_Metadata{
Metadata: &capb.CRLMetadata{
IssuerNameID: 1,
ThisUpdateNS: now.UnixNano(),
ThisUpdate: timestamppb.New(now),
},
},
@ -98,7 +97,6 @@ func TestGenerateCRL(t *testing.T) {
Payload: &capb.GenerateCRLRequest_Metadata{
Metadata: &capb.CRLMetadata{
IssuerNameID: int64(testCtx.boulderIssuers[0].Cert.NameID()),
ThisUpdateNS: now.UnixNano(),
ThisUpdate: timestamppb.New(now),
},
},
@ -107,7 +105,6 @@ func TestGenerateCRL(t *testing.T) {
Payload: &capb.GenerateCRLRequest_Metadata{
Metadata: &capb.CRLMetadata{
IssuerNameID: int64(testCtx.boulderIssuers[0].Cert.NameID()),
ThisUpdateNS: now.UnixNano(),
ThisUpdate: timestamppb.New(now),
},
},
@ -127,7 +124,6 @@ func TestGenerateCRL(t *testing.T) {
Entry: &corepb.CRLEntry{
Serial: "123",
Reason: 1,
RevokedAtNS: now.UnixNano(),
RevokedAt: timestamppb.New(now),
},
},
@ -148,8 +144,7 @@ func TestGenerateCRL(t *testing.T) {
Entry: &corepb.CRLEntry{
Serial: "deadbeefdeadbeefdeadbeefdeadbeefdead",
Reason: 1,
RevokedAtNS: 0,
RevokedAt: timestamppb.New(time.Time{}),
RevokedAt: nil,
},
},
}
@ -180,7 +175,6 @@ func TestGenerateCRL(t *testing.T) {
Payload: &capb.GenerateCRLRequest_Metadata{
Metadata: &capb.CRLMetadata{
IssuerNameID: int64(testCtx.boulderIssuers[0].Cert.NameID()),
ThisUpdateNS: now.UnixNano(),
ThisUpdate: timestamppb.New(now),
},
},
@ -217,7 +211,6 @@ func TestGenerateCRL(t *testing.T) {
Payload: &capb.GenerateCRLRequest_Metadata{
Metadata: &capb.CRLMetadata{
IssuerNameID: int64(testCtx.boulderIssuers[0].Cert.NameID()),
ThisUpdateNS: now.UnixNano(),
ThisUpdate: timestamppb.New(now),
},
},
@ -226,7 +219,6 @@ func TestGenerateCRL(t *testing.T) {
Payload: &capb.GenerateCRLRequest_Entry{
Entry: &corepb.CRLEntry{
Serial: "000000000000000000000000000000000000",
RevokedAtNS: now.UnixNano(),
RevokedAt: timestamppb.New(now),
// Reason 0, Unspecified, is omitted.
},
@ -237,7 +229,6 @@ func TestGenerateCRL(t *testing.T) {
Entry: &corepb.CRLEntry{
Serial: "111111111111111111111111111111111111",
Reason: 1, // keyCompromise
RevokedAtNS: now.UnixNano(),
RevokedAt: timestamppb.New(now),
},
},
@ -247,7 +238,6 @@ func TestGenerateCRL(t *testing.T) {
Entry: &corepb.CRLEntry{
Serial: "444444444444444444444444444444444444",
Reason: 4, // superseded
RevokedAtNS: now.UnixNano(),
RevokedAt: timestamppb.New(now),
},
},
@ -257,7 +247,6 @@ func TestGenerateCRL(t *testing.T) {
Entry: &corepb.CRLEntry{
Serial: "555555555555555555555555555555555555",
Reason: 5, // cessationOfOperation
RevokedAtNS: now.UnixNano(),
RevokedAt: timestamppb.New(now),
},
},
@ -267,7 +256,6 @@ func TestGenerateCRL(t *testing.T) {
Entry: &corepb.CRLEntry{
Serial: "999999999999999999999999999999999999",
Reason: 9, // privilegeWithdrawn
RevokedAtNS: now.UnixNano(),
RevokedAt: timestamppb.New(now),
},
},

2
ca/ocsp.go
View File

@ -135,7 +135,7 @@ func (oi *ocspImpl) GenerateOCSP(ctx context.Context, req *capb.GenerateOCSPRequ
NextUpdate: now.Add(oi.ocspLifetime - time.Second),
}
if tbsResponse.Status == ocsp.Revoked {
tbsResponse.RevokedAt = time.Unix(0, req.RevokedAtNS)
tbsResponse.RevokedAt = req.RevokedAt.AsTime()
tbsResponse.RevocationReason = int(req.Reason)
}

128
ca/proto/ca.pb.go
View File

@ -220,7 +220,6 @@ type GenerateOCSPRequest struct {
// Next unused field number: 8
Status string `protobuf:"bytes,2,opt,name=status,proto3" json:"status,omitempty"`
Reason int32 `protobuf:"varint,3,opt,name=reason,proto3" json:"reason,omitempty"`
RevokedAtNS int64 `protobuf:"varint,4,opt,name=revokedAtNS,proto3" json:"revokedAtNS,omitempty"` // Unix timestamp (nanoseconds)
RevokedAt *timestamppb.Timestamp `protobuf:"bytes,7,opt,name=revokedAt,proto3" json:"revokedAt,omitempty"`
Serial string `protobuf:"bytes,5,opt,name=serial,proto3" json:"serial,omitempty"`
IssuerID int64 `protobuf:"varint,6,opt,name=issuerID,proto3" json:"issuerID,omitempty"`
@ -272,13 +271,6 @@ func (x *GenerateOCSPRequest) GetReason() int32 {
return 0
}
func (x *GenerateOCSPRequest) GetRevokedAtNS() int64 {
if x != nil {
return x.RevokedAtNS
}
return 0
}
func (x *GenerateOCSPRequest) GetRevokedAt() *timestamppb.Timestamp {
if x != nil {
return x.RevokedAt
@ -435,7 +427,6 @@ type CRLMetadata struct {
// Next unused field number: 5
IssuerNameID int64 `protobuf:"varint,1,opt,name=issuerNameID,proto3" json:"issuerNameID,omitempty"`
ThisUpdateNS int64 `protobuf:"varint,2,opt,name=thisUpdateNS,proto3" json:"thisUpdateNS,omitempty"` // Unix timestamp (nanoseconds), also used for CRLNumber.
ThisUpdate *timestamppb.Timestamp `protobuf:"bytes,4,opt,name=thisUpdate,proto3" json:"thisUpdate,omitempty"`
ShardIdx int64 `protobuf:"varint,3,opt,name=shardIdx,proto3" json:"shardIdx,omitempty"`
}
@ -479,13 +470,6 @@ func (x *CRLMetadata) GetIssuerNameID() int64 {
return 0
}
func (x *CRLMetadata) GetThisUpdateNS() int64 {
if x != nil {
return x.ThisUpdateNS
}
return 0
}
func (x *CRLMetadata) GetThisUpdate() *timestamppb.Timestamp {
if x != nil {
return x.ThisUpdate
@ -576,71 +560,67 @@ var file_ca_proto_rawDesc = []byte{
0x18, 0x03, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0e, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61,
0x74, 0x69, 0x6f, 0x6e, 0x49, 0x44, 0x12, 0x18, 0x0a, 0x07, 0x6f, 0x72, 0x64, 0x65, 0x72, 0x49,
0x44, 0x18, 0x04, 0x20, 0x01, 0x28, 0x03, 0x52, 0x07, 0x6f, 0x72, 0x64, 0x65, 0x72, 0x49, 0x44,
0x22, 0xd5, 0x01, 0x0a, 0x13, 0x47, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x4f, 0x43, 0x53,
0x22, 0xb9, 0x01, 0x0a, 0x13, 0x47, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x4f, 0x43, 0x53,
0x50, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x16, 0x0a, 0x06, 0x73, 0x74, 0x61, 0x74,
0x75, 0x73, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73,
0x12, 0x16, 0x0a, 0x06, 0x72, 0x65, 0x61, 0x73, 0x6f, 0x6e, 0x18, 0x03, 0x20, 0x01, 0x28, 0x05,
0x52, 0x06, 0x72, 0x65, 0x61, 0x73, 0x6f, 0x6e, 0x12, 0x20, 0x0a, 0x0b, 0x72, 0x65, 0x76, 0x6f,
0x6b, 0x65, 0x64, 0x41, 0x74, 0x4e, 0x53, 0x18, 0x04, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0b, 0x72,
0x65, 0x76, 0x6f, 0x6b, 0x65, 0x64, 0x41, 0x74, 0x4e, 0x53, 0x12, 0x38, 0x0a, 0x09, 0x72, 0x65,
0x76, 0x6f, 0x6b, 0x65, 0x64, 0x41, 0x74, 0x18, 0x07, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e,
0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e,
0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x09, 0x72, 0x65, 0x76, 0x6f, 0x6b,
0x65, 0x64, 0x41, 0x74, 0x12, 0x16, 0x0a, 0x06, 0x73, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x18, 0x05,
0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x73, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x12, 0x1a, 0x0a, 0x08,
0x69, 0x73, 0x73, 0x75, 0x65, 0x72, 0x49, 0x44, 0x18, 0x06, 0x20, 0x01, 0x28, 0x03, 0x52, 0x08,
0x69, 0x73, 0x73, 0x75, 0x65, 0x72, 0x49, 0x44, 0x22, 0x2a, 0x0a, 0x0c, 0x4f, 0x43, 0x53, 0x50,
0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x1a, 0x0a, 0x08, 0x72, 0x65, 0x73, 0x70,
0x6f, 0x6e, 0x73, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x08, 0x72, 0x65, 0x73, 0x70,
0x6f, 0x6e, 0x73, 0x65, 0x22, 0x76, 0x0a, 0x12, 0x47, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65,
0x43, 0x52, 0x4c, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x2d, 0x0a, 0x08, 0x6d, 0x65,
0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x0f, 0x2e, 0x63,
0x61, 0x2e, 0x43, 0x52, 0x4c, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x48, 0x00, 0x52,
0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x12, 0x26, 0x0a, 0x05, 0x65, 0x6e, 0x74,
0x72, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x0e, 0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e,
0x43, 0x52, 0x4c, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x48, 0x00, 0x52, 0x05, 0x65, 0x6e, 0x74, 0x72,
0x79, 0x42, 0x09, 0x0a, 0x07, 0x70, 0x61, 0x79, 0x6c, 0x6f, 0x61, 0x64, 0x22, 0xad, 0x01, 0x0a,
0x0b, 0x43, 0x52, 0x4c, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x12, 0x22, 0x0a, 0x0c,
0x69, 0x73, 0x73, 0x75, 0x65, 0x72, 0x4e, 0x61, 0x6d, 0x65, 0x49, 0x44, 0x18, 0x01, 0x20, 0x01,
0x28, 0x03, 0x52, 0x0c, 0x69, 0x73, 0x73, 0x75, 0x65, 0x72, 0x4e, 0x61, 0x6d, 0x65, 0x49, 0x44,
0x12, 0x22, 0x0a, 0x0c, 0x74, 0x68, 0x69, 0x73, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x4e, 0x53,
0x18, 0x02, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0c, 0x74, 0x68, 0x69, 0x73, 0x55, 0x70, 0x64, 0x61,
0x74, 0x65, 0x4e, 0x53, 0x12, 0x3a, 0x0a, 0x0a, 0x74, 0x68, 0x69, 0x73, 0x55, 0x70, 0x64, 0x61,
0x52, 0x06, 0x72, 0x65, 0x61, 0x73, 0x6f, 0x6e, 0x12, 0x38, 0x0a, 0x09, 0x72, 0x65, 0x76, 0x6f,
0x6b, 0x65, 0x64, 0x41, 0x74, 0x18, 0x07, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f,
0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69,
0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x09, 0x72, 0x65, 0x76, 0x6f, 0x6b, 0x65, 0x64,
0x41, 0x74, 0x12, 0x16, 0x0a, 0x06, 0x73, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x18, 0x05, 0x20, 0x01,
0x28, 0x09, 0x52, 0x06, 0x73, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x12, 0x1a, 0x0a, 0x08, 0x69, 0x73,
0x73, 0x75, 0x65, 0x72, 0x49, 0x44, 0x18, 0x06, 0x20, 0x01, 0x28, 0x03, 0x52, 0x08, 0x69, 0x73,
0x73, 0x75, 0x65, 0x72, 0x49, 0x44, 0x4a, 0x04, 0x08, 0x04, 0x10, 0x05, 0x22, 0x2a, 0x0a, 0x0c,
0x4f, 0x43, 0x53, 0x50, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x1a, 0x0a, 0x08,
0x72, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x08,
0x72, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x76, 0x0a, 0x12, 0x47, 0x65, 0x6e, 0x65,
0x72, 0x61, 0x74, 0x65, 0x43, 0x52, 0x4c, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x2d,
0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b,
0x32, 0x0f, 0x2e, 0x63, 0x61, 0x2e, 0x43, 0x52, 0x4c, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74,
0x61, 0x48, 0x00, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x12, 0x26, 0x0a,
0x05, 0x65, 0x6e, 0x74, 0x72, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x0e, 0x2e, 0x63,
0x6f, 0x72, 0x65, 0x2e, 0x43, 0x52, 0x4c, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x48, 0x00, 0x52, 0x05,
0x65, 0x6e, 0x74, 0x72, 0x79, 0x42, 0x09, 0x0a, 0x07, 0x70, 0x61, 0x79, 0x6c, 0x6f, 0x61, 0x64,
0x22, 0x8f, 0x01, 0x0a, 0x0b, 0x43, 0x52, 0x4c, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61,
0x12, 0x22, 0x0a, 0x0c, 0x69, 0x73, 0x73, 0x75, 0x65, 0x72, 0x4e, 0x61, 0x6d, 0x65, 0x49, 0x44,
0x18, 0x01, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0c, 0x69, 0x73, 0x73, 0x75, 0x65, 0x72, 0x4e, 0x61,
0x6d, 0x65, 0x49, 0x44, 0x12, 0x3a, 0x0a, 0x0a, 0x74, 0x68, 0x69, 0x73, 0x55, 0x70, 0x64, 0x61,
0x74, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c,
0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73,
0x74, 0x61, 0x6d, 0x70, 0x52, 0x0a, 0x74, 0x68, 0x69, 0x73, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65,
0x12, 0x1a, 0x0a, 0x08, 0x73, 0x68, 0x61, 0x72, 0x64, 0x49, 0x64, 0x78, 0x18, 0x03, 0x20, 0x01,
0x28, 0x03, 0x52, 0x08, 0x73, 0x68, 0x61, 0x72, 0x64, 0x49, 0x64, 0x78, 0x22, 0x2b, 0x0a, 0x13,
0x47, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x43, 0x52, 0x4c, 0x52, 0x65, 0x73, 0x70, 0x6f,
0x6e, 0x73, 0x65, 0x12, 0x14, 0x0a, 0x05, 0x63, 0x68, 0x75, 0x6e, 0x6b, 0x18, 0x01, 0x20, 0x01,
0x28, 0x0c, 0x52, 0x05, 0x63, 0x68, 0x75, 0x6e, 0x6b, 0x32, 0xd5, 0x01, 0x0a, 0x14, 0x43, 0x65,
0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69,
0x74, 0x79, 0x12, 0x55, 0x0a, 0x13, 0x49, 0x73, 0x73, 0x75, 0x65, 0x50, 0x72, 0x65, 0x63, 0x65,
0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x12, 0x1b, 0x2e, 0x63, 0x61, 0x2e, 0x49,
0x73, 0x73, 0x75, 0x65, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x52,
0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x1f, 0x2e, 0x63, 0x61, 0x2e, 0x49, 0x73, 0x73, 0x75,
0x65, 0x50, 0x72, 0x65, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x52,
0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x66, 0x0a, 0x21, 0x49, 0x73, 0x73,
0x75, 0x65, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x46, 0x6f, 0x72,
0x50, 0x72, 0x65, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x12, 0x2c,
0x2e, 0x63, 0x61, 0x2e, 0x49, 0x73, 0x73, 0x75, 0x65, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69,
0x63, 0x61, 0x74, 0x65, 0x46, 0x6f, 0x72, 0x50, 0x72, 0x65, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66,
0x69, 0x63, 0x61, 0x74, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x11, 0x2e, 0x63,
0x6f, 0x72, 0x65, 0x2e, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x22,
0x00, 0x32, 0x4c, 0x0a, 0x0d, 0x4f, 0x43, 0x53, 0x50, 0x47, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74,
0x6f, 0x72, 0x12, 0x3b, 0x0a, 0x0c, 0x47, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x4f, 0x43,
0x53, 0x50, 0x12, 0x17, 0x2e, 0x63, 0x61, 0x2e, 0x47, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65,
0x4f, 0x43, 0x53, 0x50, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x10, 0x2e, 0x63, 0x61,
0x2e, 0x4f, 0x43, 0x53, 0x50, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x32,
0x54, 0x0a, 0x0c, 0x43, 0x52, 0x4c, 0x47, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x12,
0x44, 0x0a, 0x0b, 0x47, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x43, 0x52, 0x4c, 0x12, 0x16,
0x2e, 0x63, 0x61, 0x2e, 0x47, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x43, 0x52, 0x4c, 0x52,
0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x17, 0x2e, 0x63, 0x61, 0x2e, 0x47, 0x65, 0x6e, 0x65,
0x72, 0x61, 0x74, 0x65, 0x43, 0x52, 0x4c, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22,
0x00, 0x28, 0x01, 0x30, 0x01, 0x42, 0x29, 0x5a, 0x27, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e,
0x63, 0x6f, 0x6d, 0x2f, 0x6c, 0x65, 0x74, 0x73, 0x65, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x2f,
0x62, 0x6f, 0x75, 0x6c, 0x64, 0x65, 0x72, 0x2f, 0x63, 0x61, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f,
0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
0x28, 0x03, 0x52, 0x08, 0x73, 0x68, 0x61, 0x72, 0x64, 0x49, 0x64, 0x78, 0x4a, 0x04, 0x08, 0x02,
0x10, 0x03, 0x22, 0x2b, 0x0a, 0x13, 0x47, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x43, 0x52,
0x4c, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x14, 0x0a, 0x05, 0x63, 0x68, 0x75,
0x6e, 0x6b, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x05, 0x63, 0x68, 0x75, 0x6e, 0x6b, 0x32,
0xd5, 0x01, 0x0a, 0x14, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x41,
0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x12, 0x55, 0x0a, 0x13, 0x49, 0x73, 0x73, 0x75,
0x65, 0x50, 0x72, 0x65, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x12,
0x1b, 0x2e, 0x63, 0x61, 0x2e, 0x49, 0x73, 0x73, 0x75, 0x65, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66,
0x69, 0x63, 0x61, 0x74, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x1f, 0x2e, 0x63,
0x61, 0x2e, 0x49, 0x73, 0x73, 0x75, 0x65, 0x50, 0x72, 0x65, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66,
0x69, 0x63, 0x61, 0x74, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12,
0x66, 0x0a, 0x21, 0x49, 0x73, 0x73, 0x75, 0x65, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63,
0x61, 0x74, 0x65, 0x46, 0x6f, 0x72, 0x50, 0x72, 0x65, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69,
0x63, 0x61, 0x74, 0x65, 0x12, 0x2c, 0x2e, 0x63, 0x61, 0x2e, 0x49, 0x73, 0x73, 0x75, 0x65, 0x43,
0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x46, 0x6f, 0x72, 0x50, 0x72, 0x65,
0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65,
0x73, 0x74, 0x1a, 0x11, 0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66,
0x69, 0x63, 0x61, 0x74, 0x65, 0x22, 0x00, 0x32, 0x4c, 0x0a, 0x0d, 0x4f, 0x43, 0x53, 0x50, 0x47,
0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x12, 0x3b, 0x0a, 0x0c, 0x47, 0x65, 0x6e, 0x65,
0x72, 0x61, 0x74, 0x65, 0x4f, 0x43, 0x53, 0x50, 0x12, 0x17, 0x2e, 0x63, 0x61, 0x2e, 0x47, 0x65,
0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x4f, 0x43, 0x53, 0x50, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73,
0x74, 0x1a, 0x10, 0x2e, 0x63, 0x61, 0x2e, 0x4f, 0x43, 0x53, 0x50, 0x52, 0x65, 0x73, 0x70, 0x6f,
0x6e, 0x73, 0x65, 0x22, 0x00, 0x32, 0x54, 0x0a, 0x0c, 0x43, 0x52, 0x4c, 0x47, 0x65, 0x6e, 0x65,
0x72, 0x61, 0x74, 0x6f, 0x72, 0x12, 0x44, 0x0a, 0x0b, 0x47, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74,
0x65, 0x43, 0x52, 0x4c, 0x12, 0x16, 0x2e, 0x63, 0x61, 0x2e, 0x47, 0x65, 0x6e, 0x65, 0x72, 0x61,
0x74, 0x65, 0x43, 0x52, 0x4c, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x17, 0x2e, 0x63,
0x61, 0x2e, 0x47, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x43, 0x52, 0x4c, 0x52, 0x65, 0x73,
0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x28, 0x01, 0x30, 0x01, 0x42, 0x29, 0x5a, 0x27, 0x67,
0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6c, 0x65, 0x74, 0x73, 0x65, 0x6e,
0x63, 0x72, 0x79, 0x70, 0x74, 0x2f, 0x62, 0x6f, 0x75, 0x6c, 0x64, 0x65, 0x72, 0x2f, 0x63, 0x61,
0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
}
var (

4
ca/proto/ca.proto
View File

@ -43,7 +43,7 @@ message GenerateOCSPRequest {
// Next unused field number: 8
string status = 2;
int32 reason = 3;
int64 revokedAtNS = 4; // Unix timestamp (nanoseconds)
reserved 4; // Previously revokedAtNS
google.protobuf.Timestamp revokedAt = 7;
string serial = 5;
int64 issuerID = 6;
@ -68,7 +68,7 @@ message GenerateCRLRequest {
message CRLMetadata {
// Next unused field number: 5
int64 issuerNameID = 1;
int64 thisUpdateNS = 2; // Unix timestamp (nanoseconds), also used for CRLNumber.
reserved 2; // Previously thisUpdateNS
google.protobuf.Timestamp thisUpdate = 4;
int64 shardIdx = 3;
}

4
cmd/admin-revoker/main.go
View File

@ -342,11 +342,9 @@ func (r *revoker) blockByPrivateKey(ctx context.Context, comment string, private
dbcomment := fmt.Sprintf("%s: %s", u.Username, comment)
now := r.clk.Now()
req := &sapb.AddBlockedKeyRequest{
KeyHash: spkiHash,
AddedNS: now.UnixNano(),
Added: timestamppb.New(now),
Added: timestamppb.New(r.clk.Now()),
Source: "admin-revoker",
Comment: dbcomment,
RevokedBy: 0,

4
cmd/admin-revoker/main_test.go
View File

@ -409,13 +409,11 @@ func (c testCtx) addCertificate(t *testing.T, serial *big.Int, names []string, p
rawCert, err := x509.CreateCertificate(rand.Reader, template, c.issuer.Certificate, &pubKey, c.signer)
test.AssertNotError(t, err, "Failed to generate test cert")
now := time.Now()
_, err = c.ssa.AddPrecertificate(
context.Background(), &sapb.AddCertificateRequest{
Der: rawCert,
RegID: regId,
IssuedNS: now.UnixNano(),
Issued: timestamppb.New(now),
Issued: timestamppb.New(time.Now()),
IssuerNameID: 1,
},
)

4
cmd/cert-checker/main_test.go
View File

@ -359,12 +359,10 @@ func TestGetAndProcessCerts(t *testing.T) {
rawCert.SerialNumber = big.NewInt(mrand.Int63())
certDER, err := x509.CreateCertificate(rand.Reader, &rawCert, &rawCert, &testKey.PublicKey, testKey)
test.AssertNotError(t, err, "Couldn't create certificate")
now := fc.Now()
_, err = sa.AddCertificate(context.Background(), &sapb.AddCertificateRequest{
Der: certDER,
RegID: reg.Id,
IssuedNS: now.UnixNano(),
Issued: timestamppb.New(now),
Issued: timestamppb.New(fc.Now()),
})
test.AssertNotError(t, err, "Couldn't add certificate")
}

1
cmd/rocsp-tool/client.go
View File

@ -214,7 +214,6 @@ func (cl *client) signAndStoreResponses(ctx context.Context, input <-chan *sa.Ce
IssuerID: status.IssuerID,
Status: string(status.Status),
Reason: int32(status.RevokedReason),
RevokedAtNS: status.RevokedDate.UnixNano(),
RevokedAt: timestamppb.New(status.RevokedDate),
}
result, err := cl.ocspGenerator.GenerateOCSP(ctx, ocspReq)

370
core/proto/core.pb.go
View File

@ -35,7 +35,6 @@ type Challenge struct {
KeyAuthorization string `protobuf:"bytes,5,opt,name=keyAuthorization,proto3" json:"keyAuthorization,omitempty"`
Validationrecords []*ValidationRecord `protobuf:"bytes,10,rep,name=validationrecords,proto3" json:"validationrecords,omitempty"`
Error *ProblemDetails `protobuf:"bytes,7,opt,name=error,proto3" json:"error,omitempty"`
ValidatedNS int64 `protobuf:"varint,11,opt,name=validatedNS,proto3" json:"validatedNS,omitempty"`
Validated *timestamppb.Timestamp `protobuf:"bytes,12,opt,name=validated,proto3" json:"validated,omitempty"`
}
@ -127,13 +126,6 @@ func (x *Challenge) GetError() *ProblemDetails {
return nil
}
func (x *Challenge) GetValidatedNS() int64 {
if x != nil {
return x.ValidatedNS
}
return 0
}
func (x *Challenge) GetValidated() *timestamppb.Timestamp {
if x != nil {
return x.Validated
@ -312,9 +304,7 @@ type Certificate struct {
Serial string `protobuf:"bytes,2,opt,name=serial,proto3" json:"serial,omitempty"`
Digest string `protobuf:"bytes,3,opt,name=digest,proto3" json:"digest,omitempty"`
Der []byte `protobuf:"bytes,4,opt,name=der,proto3" json:"der,omitempty"`
IssuedNS int64 `protobuf:"varint,5,opt,name=issuedNS,proto3" json:"issuedNS,omitempty"` // Unix timestamp (nanoseconds)
Issued *timestamppb.Timestamp `protobuf:"bytes,7,opt,name=issued,proto3" json:"issued,omitempty"`
ExpiresNS int64 `protobuf:"varint,6,opt,name=expiresNS,proto3" json:"expiresNS,omitempty"` // Unix timestamp (nanoseconds)
Expires *timestamppb.Timestamp `protobuf:"bytes,8,opt,name=expires,proto3" json:"expires,omitempty"`
}
@ -378,13 +368,6 @@ func (x *Certificate) GetDer() []byte {
return nil
}
func (x *Certificate) GetIssuedNS() int64 {
if x != nil {
return x.IssuedNS
}
return 0
}
func (x *Certificate) GetIssued() *timestamppb.Timestamp {
if x != nil {
return x.Issued
@ -392,13 +375,6 @@ func (x *Certificate) GetIssued() *timestamppb.Timestamp {
return nil
}
func (x *Certificate) GetExpiresNS() int64 {
if x != nil {
return x.ExpiresNS
}
return 0
}
func (x *Certificate) GetExpires() *timestamppb.Timestamp {
if x != nil {
return x.Expires
@ -414,14 +390,10 @@ type CertificateStatus struct {
// Next unused field number: 16
Serial string `protobuf:"bytes,1,opt,name=serial,proto3" json:"serial,omitempty"`
Status string `protobuf:"bytes,3,opt,name=status,proto3" json:"status,omitempty"`
OcspLastUpdatedNS int64 `protobuf:"varint,4,opt,name=ocspLastUpdatedNS,proto3" json:"ocspLastUpdatedNS,omitempty"` // Unix timestamp (nanoseconds)
OcspLastUpdated *timestamppb.Timestamp `protobuf:"bytes,15,opt,name=ocspLastUpdated,proto3" json:"ocspLastUpdated,omitempty"`
RevokedDateNS int64 `protobuf:"varint,5,opt,name=revokedDateNS,proto3" json:"revokedDateNS,omitempty"` // Unix timestamp (nanoseconds)
RevokedDate *timestamppb.Timestamp `protobuf:"bytes,12,opt,name=revokedDate,proto3" json:"revokedDate,omitempty"`
RevokedReason int64 `protobuf:"varint,6,opt,name=revokedReason,proto3" json:"revokedReason,omitempty"`
LastExpirationNagSentNS int64 `protobuf:"varint,7,opt,name=lastExpirationNagSentNS,proto3" json:"lastExpirationNagSentNS,omitempty"` // Unix timestamp (nanoseconds)
LastExpirationNagSent *timestamppb.Timestamp `protobuf:"bytes,13,opt,name=lastExpirationNagSent,proto3" json:"lastExpirationNagSent,omitempty"`
NotAfterNS int64 `protobuf:"varint,9,opt,name=notAfterNS,proto3" json:"notAfterNS,omitempty"` // Unix timestamp (nanoseconds)
NotAfter *timestamppb.Timestamp `protobuf:"bytes,14,opt,name=notAfter,proto3" json:"notAfter,omitempty"`
IsExpired bool `protobuf:"varint,10,opt,name=isExpired,proto3" json:"isExpired,omitempty"`
IssuerID int64 `protobuf:"varint,11,opt,name=issuerID,proto3" json:"issuerID,omitempty"`
@ -473,13 +445,6 @@ func (x *CertificateStatus) GetStatus() string {
return ""
}
func (x *CertificateStatus) GetOcspLastUpdatedNS() int64 {
if x != nil {
return x.OcspLastUpdatedNS
}
return 0
}
func (x *CertificateStatus) GetOcspLastUpdated() *timestamppb.Timestamp {
if x != nil {
return x.OcspLastUpdated
@ -487,13 +452,6 @@ func (x *CertificateStatus) GetOcspLastUpdated() *timestamppb.Timestamp {
return nil
}
func (x *CertificateStatus) GetRevokedDateNS() int64 {
if x != nil {
return x.RevokedDateNS
}
return 0
}
func (x *CertificateStatus) GetRevokedDate() *timestamppb.Timestamp {
if x != nil {
return x.RevokedDate
@ -508,13 +466,6 @@ func (x *CertificateStatus) GetRevokedReason() int64 {
return 0
}
func (x *CertificateStatus) GetLastExpirationNagSentNS() int64 {
if x != nil {
return x.LastExpirationNagSentNS
}
return 0
}
func (x *CertificateStatus) GetLastExpirationNagSent() *timestamppb.Timestamp {
if x != nil {
return x.LastExpirationNagSent
@ -522,13 +473,6 @@ func (x *CertificateStatus) GetLastExpirationNagSent() *timestamppb.Timestamp {
return nil
}
func (x *CertificateStatus) GetNotAfterNS() int64 {
if x != nil {
return x.NotAfterNS
}
return 0
}
func (x *CertificateStatus) GetNotAfter() *timestamppb.Timestamp {
if x != nil {
return x.NotAfter
@ -562,7 +506,6 @@ type Registration struct {
ContactsPresent bool `protobuf:"varint,4,opt,name=contactsPresent,proto3" json:"contactsPresent,omitempty"`
Agreement string `protobuf:"bytes,5,opt,name=agreement,proto3" json:"agreement,omitempty"`
InitialIP []byte `protobuf:"bytes,6,opt,name=initialIP,proto3" json:"initialIP,omitempty"`
CreatedAtNS int64 `protobuf:"varint,7,opt,name=createdAtNS,proto3" json:"createdAtNS,omitempty"` // Unix timestamp (nanoseconds)
CreatedAt *timestamppb.Timestamp `protobuf:"bytes,9,opt,name=createdAt,proto3" json:"createdAt,omitempty"`
Status string `protobuf:"bytes,8,opt,name=status,proto3" json:"status,omitempty"`
}
@ -641,13 +584,6 @@ func (x *Registration) GetInitialIP() []byte {
return nil
}
func (x *Registration) GetCreatedAtNS() int64 {
if x != nil {
return x.CreatedAtNS
}
return 0
}
func (x *Registration) GetCreatedAt() *timestamppb.Timestamp {
if x != nil {
return x.CreatedAt
@ -672,7 +608,6 @@ type Authorization struct {
Identifier string `protobuf:"bytes,2,opt,name=identifier,proto3" json:"identifier,omitempty"`
RegistrationID int64 `protobuf:"varint,3,opt,name=registrationID,proto3" json:"registrationID,omitempty"`
Status string `protobuf:"bytes,4,opt,name=status,proto3" json:"status,omitempty"`
ExpiresNS int64 `protobuf:"varint,5,opt,name=expiresNS,proto3" json:"expiresNS,omitempty"` // Unix timestamp (nanoseconds)
Expires *timestamppb.Timestamp `protobuf:"bytes,9,opt,name=expires,proto3" json:"expires,omitempty"`
Challenges []*Challenge `protobuf:"bytes,6,rep,name=challenges,proto3" json:"challenges,omitempty"`
}
@ -737,13 +672,6 @@ func (x *Authorization) GetStatus() string {
return ""
}
func (x *Authorization) GetExpiresNS() int64 {
if x != nil {
return x.ExpiresNS
}
return 0
}
func (x *Authorization) GetExpires() *timestamppb.Timestamp {
if x != nil {
return x.Expires
@ -766,14 +694,12 @@ type Order struct {
// Next unused field number: 14
Id int64 `protobuf:"varint,1,opt,name=id,proto3" json:"id,omitempty"`
RegistrationID int64 `protobuf:"varint,2,opt,name=registrationID,proto3" json:"registrationID,omitempty"`
ExpiresNS int64 `protobuf:"varint,3,opt,name=expiresNS,proto3" json:"expiresNS,omitempty"` // Unix timestamp (nanoseconds)
Expires *timestamppb.Timestamp `protobuf:"bytes,12,opt,name=expires,proto3" json:"expires,omitempty"`
Error *ProblemDetails `protobuf:"bytes,4,opt,name=error,proto3" json:"error,omitempty"`
CertificateSerial string `protobuf:"bytes,5,opt,name=certificateSerial,proto3" json:"certificateSerial,omitempty"`
Status string `protobuf:"bytes,7,opt,name=status,proto3" json:"status,omitempty"`
Names []string `protobuf:"bytes,8,rep,name=names,proto3" json:"names,omitempty"`
BeganProcessing bool `protobuf:"varint,9,opt,name=beganProcessing,proto3" json:"beganProcessing,omitempty"`
CreatedNS int64 `protobuf:"varint,10,opt,name=createdNS,proto3" json:"createdNS,omitempty"` // Unix timestamp (nanoseconds)
Created *timestamppb.Timestamp `protobuf:"bytes,13,opt,name=created,proto3" json:"created,omitempty"`
V2Authorizations []int64 `protobuf:"varint,11,rep,packed,name=v2Authorizations,proto3" json:"v2Authorizations,omitempty"`
}
@ -824,13 +750,6 @@ func (x *Order) GetRegistrationID() int64 {
return 0
}
func (x *Order) GetExpiresNS() int64 {
if x != nil {
return x.ExpiresNS
}
return 0
}
func (x *Order) GetExpires() *timestamppb.Timestamp {
if x != nil {
return x.Expires
@ -873,13 +792,6 @@ func (x *Order) GetBeganProcessing() bool {
return false
}
func (x *Order) GetCreatedNS() int64 {
if x != nil {
return x.CreatedNS
}
return 0
}
func (x *Order) GetCreated() *timestamppb.Timestamp {
if x != nil {
return x.Created
@ -902,7 +814,6 @@ type CRLEntry struct {
// Next unused field number: 5
Serial string `protobuf:"bytes,1,opt,name=serial,proto3" json:"serial,omitempty"`
Reason int32 `protobuf:"varint,2,opt,name=reason,proto3" json:"reason,omitempty"`
RevokedAtNS int64 `protobuf:"varint,3,opt,name=revokedAtNS,proto3" json:"revokedAtNS,omitempty"` // Unix timestamp (nanoseconds)
RevokedAt *timestamppb.Timestamp `protobuf:"bytes,4,opt,name=revokedAt,proto3" json:"revokedAt,omitempty"`
}
@ -952,13 +863,6 @@ func (x *CRLEntry) GetReason() int32 {
return 0
}
func (x *CRLEntry) GetRevokedAtNS() int64 {
if x != nil {
return x.RevokedAtNS
}
return 0
}
func (x *CRLEntry) GetRevokedAt() *timestamppb.Timestamp {
if x != nil {
return x.RevokedAt
@ -972,7 +876,7 @@ var file_core_proto_rawDesc = []byte{
0x0a, 0x0a, 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x04, 0x63, 0x6f,
0x72, 0x65, 0x1a, 0x1f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f,
0x62, 0x75, 0x66, 0x2f, 0x74, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x2e, 0x70, 0x72,
0x6f, 0x74, 0x6f, 0x22, 0xf5, 0x02, 0x0a, 0x09, 0x43, 0x68, 0x61, 0x6c, 0x6c, 0x65, 0x6e, 0x67,
0x6f, 0x74, 0x6f, 0x22, 0xd9, 0x02, 0x0a, 0x09, 0x43, 0x68, 0x61, 0x6c, 0x6c, 0x65, 0x6e, 0x67,
0x65, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x03, 0x52, 0x02, 0x69,
0x64, 0x12, 0x12, 0x0a, 0x04, 0x74, 0x79, 0x70, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52,
0x04, 0x74, 0x79, 0x70, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x18,
@ -989,92 +893,78 @@ var file_core_proto_rawDesc = []byte{
0x72, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x73, 0x12, 0x2a, 0x0a, 0x05, 0x65, 0x72, 0x72, 0x6f, 0x72,
0x18, 0x07, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x50, 0x72,
0x6f, 0x62, 0x6c, 0x65, 0x6d, 0x44, 0x65, 0x74, 0x61, 0x69, 0x6c, 0x73, 0x52, 0x05, 0x65, 0x72,
0x72, 0x6f, 0x72, 0x12, 0x20, 0x0a, 0x0b, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x65, 0x64,
0x4e, 0x53, 0x18, 0x0b, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0b, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x61,
0x74, 0x65, 0x64, 0x4e, 0x53, 0x12, 0x38, 0x0a, 0x09, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74,
0x65, 0x64, 0x18, 0x0c, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c,
0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73,
0x74, 0x61, 0x6d, 0x70, 0x52, 0x09, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x65, 0x64, 0x4a,
0x04, 0x08, 0x04, 0x10, 0x05, 0x4a, 0x04, 0x08, 0x08, 0x10, 0x09, 0x22, 0xee, 0x01, 0x0a, 0x10,
0x56, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x63, 0x6f, 0x72, 0x64,
0x12, 0x1a, 0x0a, 0x08, 0x68, 0x6f, 0x73, 0x74, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01,
0x28, 0x09, 0x52, 0x08, 0x68, 0x6f, 0x73, 0x74, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x12, 0x0a, 0x04,
0x70, 0x6f, 0x72, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x70, 0x6f, 0x72, 0x74,
0x12, 0x2c, 0x0a, 0x11, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x65, 0x73, 0x52, 0x65, 0x73,
0x6f, 0x6c, 0x76, 0x65, 0x64, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0c, 0x52, 0x11, 0x61, 0x64, 0x64,
0x72, 0x65, 0x73, 0x73, 0x65, 0x73, 0x52, 0x65, 0x73, 0x6f, 0x6c, 0x76, 0x65, 0x64, 0x12, 0x20,
0x0a, 0x0b, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x55, 0x73, 0x65, 0x64, 0x18, 0x04, 0x20,
0x01, 0x28, 0x0c, 0x52, 0x0b, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x55, 0x73, 0x65, 0x64,
0x12, 0x20, 0x0a, 0x0b, 0x61, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x69, 0x65, 0x73, 0x18,
0x05, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0b, 0x61, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x69,
0x65, 0x73, 0x12, 0x10, 0x0a, 0x03, 0x75, 0x72, 0x6c, 0x18, 0x06, 0x20, 0x01, 0x28, 0x09, 0x52,
0x03, 0x75, 0x72, 0x6c, 0x12, 0x26, 0x0a, 0x0e, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x65,
0x73, 0x54, 0x72, 0x69, 0x65, 0x64, 0x18, 0x07, 0x20, 0x03, 0x28, 0x0c, 0x52, 0x0e, 0x61, 0x64,
0x64, 0x72, 0x65, 0x73, 0x73, 0x65, 0x73, 0x54, 0x72, 0x69, 0x65, 0x64, 0x22, 0x6a, 0x0a, 0x0e,
0x50, 0x72, 0x6f, 0x62, 0x6c, 0x65, 0x6d, 0x44, 0x65, 0x74, 0x61, 0x69, 0x6c, 0x73, 0x12, 0x20,
0x0a, 0x0b, 0x70, 0x72, 0x6f, 0x62, 0x6c, 0x65, 0x6d, 0x54, 0x79, 0x70, 0x65, 0x18, 0x01, 0x20,
0x01, 0x28, 0x09, 0x52, 0x0b, 0x70, 0x72, 0x6f, 0x62, 0x6c, 0x65, 0x6d, 0x54, 0x79, 0x70, 0x65,
0x12, 0x16, 0x0a, 0x06, 0x64, 0x65, 0x74, 0x61, 0x69, 0x6c, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09,
0x52, 0x06, 0x64, 0x65, 0x74, 0x61, 0x69, 0x6c, 0x12, 0x1e, 0x0a, 0x0a, 0x68, 0x74, 0x74, 0x70,
0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x18, 0x03, 0x20, 0x01, 0x28, 0x05, 0x52, 0x0a, 0x68, 0x74,
0x74, 0x70, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x22, 0x9b, 0x02, 0x0a, 0x0b, 0x43, 0x65, 0x72,
0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x12, 0x26, 0x0a, 0x0e, 0x72, 0x65, 0x67, 0x69,
0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x44, 0x18, 0x01, 0x20, 0x01, 0x28, 0x03,
0x52, 0x0e, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x44,
0x12, 0x16, 0x0a, 0x06, 0x73, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09,
0x52, 0x06, 0x73, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x12, 0x16, 0x0a, 0x06, 0x64, 0x69, 0x67, 0x65,
0x73, 0x74, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x64, 0x69, 0x67, 0x65, 0x73, 0x74,
0x12, 0x10, 0x0a, 0x03, 0x64, 0x65, 0x72, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x03, 0x64,
0x65, 0x72, 0x12, 0x1a, 0x0a, 0x08, 0x69, 0x73, 0x73, 0x75, 0x65, 0x64, 0x4e, 0x53, 0x18, 0x05,
0x20, 0x01, 0x28, 0x03, 0x52, 0x08, 0x69, 0x73, 0x73, 0x75, 0x65, 0x64, 0x4e, 0x53, 0x12, 0x32,
0x0a, 0x06, 0x69, 0x73, 0x73, 0x75, 0x65, 0x64, 0x18, 0x07, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a,
0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66,
0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x06, 0x69, 0x73, 0x73, 0x75,
0x65, 0x64, 0x12, 0x1c, 0x0a, 0x09, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x73, 0x4e, 0x53, 0x18,
0x06, 0x20, 0x01, 0x28, 0x03, 0x52, 0x09, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x73, 0x4e, 0x53,
0x12, 0x34, 0x0a, 0x07, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x73, 0x18, 0x08, 0x20, 0x01, 0x28,
0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f,
0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x07, 0x65,
0x78, 0x70, 0x69, 0x72, 0x65, 0x73, 0x22, 0xeb, 0x04, 0x0a, 0x11, 0x43, 0x65, 0x72, 0x74, 0x69,
0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x16, 0x0a, 0x06,
0x73, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x73, 0x65,
0x72, 0x69, 0x61, 0x6c, 0x12, 0x16, 0x0a, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x18, 0x03,
0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x2c, 0x0a, 0x11,
0x6f, 0x63, 0x73, 0x70, 0x4c, 0x61, 0x73, 0x74, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x64, 0x4e,
0x53, 0x18, 0x04, 0x20, 0x01, 0x28, 0x03, 0x52, 0x11, 0x6f, 0x63, 0x73, 0x70, 0x4c, 0x61, 0x73,
0x74, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x64, 0x4e, 0x53, 0x12, 0x44, 0x0a, 0x0f, 0x6f, 0x63,
0x73, 0x70, 0x4c, 0x61, 0x73, 0x74, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x64, 0x18, 0x0f, 0x20,
0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f,
0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52,
0x0f, 0x6f, 0x63, 0x73, 0x70, 0x4c, 0x61, 0x73, 0x74, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x64,
0x12, 0x24, 0x0a, 0x0d, 0x72, 0x65, 0x76, 0x6f, 0x6b, 0x65, 0x64, 0x44, 0x61, 0x74, 0x65, 0x4e,
0x53, 0x18, 0x05, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0d, 0x72, 0x65, 0x76, 0x6f, 0x6b, 0x65, 0x64,
0x44, 0x61, 0x74, 0x65, 0x4e, 0x53, 0x12, 0x3c, 0x0a, 0x0b, 0x72, 0x65, 0x76, 0x6f, 0x6b, 0x65,
0x64, 0x44, 0x61, 0x74, 0x65, 0x18, 0x0c, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f,
0x72, 0x6f, 0x72, 0x12, 0x38, 0x0a, 0x09, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x65, 0x64,
0x18, 0x0c, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e,
0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61,
0x6d, 0x70, 0x52, 0x09, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x65, 0x64, 0x4a, 0x04, 0x08,
0x04, 0x10, 0x05, 0x4a, 0x04, 0x08, 0x08, 0x10, 0x09, 0x4a, 0x04, 0x08, 0x0b, 0x10, 0x0c, 0x22,
0xee, 0x01, 0x0a, 0x10, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x65,
0x63, 0x6f, 0x72, 0x64, 0x12, 0x1a, 0x0a, 0x08, 0x68, 0x6f, 0x73, 0x74, 0x6e, 0x61, 0x6d, 0x65,
0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x68, 0x6f, 0x73, 0x74, 0x6e, 0x61, 0x6d, 0x65,
0x12, 0x12, 0x0a, 0x04, 0x70, 0x6f, 0x72, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04,
0x70, 0x6f, 0x72, 0x74, 0x12, 0x2c, 0x0a, 0x11, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x65,
0x73, 0x52, 0x65, 0x73, 0x6f, 0x6c, 0x76, 0x65, 0x64, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0c, 0x52,
0x11, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x65, 0x73, 0x52, 0x65, 0x73, 0x6f, 0x6c, 0x76,
0x65, 0x64, 0x12, 0x20, 0x0a, 0x0b, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x55, 0x73, 0x65,
0x64, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0b, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73,
0x55, 0x73, 0x65, 0x64, 0x12, 0x20, 0x0a, 0x0b, 0x61, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74,
0x69, 0x65, 0x73, 0x18, 0x05, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0b, 0x61, 0x75, 0x74, 0x68, 0x6f,
0x72, 0x69, 0x74, 0x69, 0x65, 0x73, 0x12, 0x10, 0x0a, 0x03, 0x75, 0x72, 0x6c, 0x18, 0x06, 0x20,
0x01, 0x28, 0x09, 0x52, 0x03, 0x75, 0x72, 0x6c, 0x12, 0x26, 0x0a, 0x0e, 0x61, 0x64, 0x64, 0x72,
0x65, 0x73, 0x73, 0x65, 0x73, 0x54, 0x72, 0x69, 0x65, 0x64, 0x18, 0x07, 0x20, 0x03, 0x28, 0x0c,
0x52, 0x0e, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x65, 0x73, 0x54, 0x72, 0x69, 0x65, 0x64,
0x22, 0x6a, 0x0a, 0x0e, 0x50, 0x72, 0x6f, 0x62, 0x6c, 0x65, 0x6d, 0x44, 0x65, 0x74, 0x61, 0x69,
0x6c, 0x73, 0x12, 0x20, 0x0a, 0x0b, 0x70, 0x72, 0x6f, 0x62, 0x6c, 0x65, 0x6d, 0x54, 0x79, 0x70,
0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x70, 0x72, 0x6f, 0x62, 0x6c, 0x65, 0x6d,
0x54, 0x79, 0x70, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x64, 0x65, 0x74, 0x61, 0x69, 0x6c, 0x18, 0x02,
0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x64, 0x65, 0x74, 0x61, 0x69, 0x6c, 0x12, 0x1e, 0x0a, 0x0a,
0x68, 0x74, 0x74, 0x70, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x18, 0x03, 0x20, 0x01, 0x28, 0x05,
0x52, 0x0a, 0x68, 0x74, 0x74, 0x70, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x22, 0xed, 0x01, 0x0a,
0x0b, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x12, 0x26, 0x0a, 0x0e,
0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x44, 0x18, 0x01,
0x20, 0x01, 0x28, 0x03, 0x52, 0x0e, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69,
0x6f, 0x6e, 0x49, 0x44, 0x12, 0x16, 0x0a, 0x06, 0x73, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x18, 0x02,
0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x73, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x12, 0x16, 0x0a, 0x06,
0x64, 0x69, 0x67, 0x65, 0x73, 0x74, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x64, 0x69,
0x67, 0x65, 0x73, 0x74, 0x12, 0x10, 0x0a, 0x03, 0x64, 0x65, 0x72, 0x18, 0x04, 0x20, 0x01, 0x28,
0x0c, 0x52, 0x03, 0x64, 0x65, 0x72, 0x12, 0x32, 0x0a, 0x06, 0x69, 0x73, 0x73, 0x75, 0x65, 0x64,
0x18, 0x07, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e,
0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61,
0x6d, 0x70, 0x52, 0x06, 0x69, 0x73, 0x73, 0x75, 0x65, 0x64, 0x12, 0x34, 0x0a, 0x07, 0x65, 0x78,
0x70, 0x69, 0x72, 0x65, 0x73, 0x18, 0x08, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f,
0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69,
0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x0b, 0x72, 0x65, 0x76, 0x6f, 0x6b, 0x65, 0x64,
0x44, 0x61, 0x74, 0x65, 0x12, 0x24, 0x0a, 0x0d, 0x72, 0x65, 0x76, 0x6f, 0x6b, 0x65, 0x64, 0x52,
0x65, 0x61, 0x73, 0x6f, 0x6e, 0x18, 0x06, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0d, 0x72, 0x65, 0x76,
0x6f, 0x6b, 0x65, 0x64, 0x52, 0x65, 0x61, 0x73, 0x6f, 0x6e, 0x12, 0x38, 0x0a, 0x17, 0x6c, 0x61,
0x73, 0x74, 0x45, 0x78, 0x70, 0x69, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x4e, 0x61, 0x67, 0x53,
0x65, 0x6e, 0x74, 0x4e, 0x53, 0x18, 0x07, 0x20, 0x01, 0x28, 0x03, 0x52, 0x17, 0x6c, 0x61, 0x73,
0x74, 0x45, 0x78, 0x70, 0x69, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x4e, 0x61, 0x67, 0x53, 0x65,
0x6e, 0x74, 0x4e, 0x53, 0x12, 0x50, 0x0a, 0x15, 0x6c, 0x61, 0x73, 0x74, 0x45, 0x78, 0x70, 0x69,
0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x4e, 0x61, 0x67, 0x53, 0x65, 0x6e, 0x74, 0x18, 0x0d, 0x20,
0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f,
0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52,
0x15, 0x6c, 0x61, 0x73, 0x74, 0x45, 0x78, 0x70, 0x69, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x4e,
0x61, 0x67, 0x53, 0x65, 0x6e, 0x74, 0x12, 0x1e, 0x0a, 0x0a, 0x6e, 0x6f, 0x74, 0x41, 0x66, 0x74,
0x65, 0x72, 0x4e, 0x53, 0x18, 0x09, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0a, 0x6e, 0x6f, 0x74, 0x41,
0x66, 0x74, 0x65, 0x72, 0x4e, 0x53, 0x12, 0x36, 0x0a, 0x08, 0x6e, 0x6f, 0x74, 0x41, 0x66, 0x74,
0x65, 0x72, 0x18, 0x0e, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c,
0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73,
0x74, 0x61, 0x6d, 0x70, 0x52, 0x08, 0x6e, 0x6f, 0x74, 0x41, 0x66, 0x74, 0x65, 0x72, 0x12, 0x1c,
0x0a, 0x09, 0x69, 0x73, 0x45, 0x78, 0x70, 0x69, 0x72, 0x65, 0x64, 0x18, 0x0a, 0x20, 0x01, 0x28,
0x08, 0x52, 0x09, 0x69, 0x73, 0x45, 0x78, 0x70, 0x69, 0x72, 0x65, 0x64, 0x12, 0x1a, 0x0a, 0x08,
0x69, 0x73, 0x73, 0x75, 0x65, 0x72, 0x49, 0x44, 0x18, 0x0b, 0x20, 0x01, 0x28, 0x03, 0x52, 0x08,
0x69, 0x73, 0x73, 0x75, 0x65, 0x72, 0x49, 0x44, 0x4a, 0x04, 0x08, 0x02, 0x10, 0x03, 0x4a, 0x04,
0x08, 0x08, 0x10, 0x09, 0x22, 0xa4, 0x02, 0x0a, 0x0c, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72,
0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x07, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x73,
0x4a, 0x04, 0x08, 0x05, 0x10, 0x06, 0x4a, 0x04, 0x08, 0x06, 0x10, 0x07, 0x22, 0xd5, 0x03, 0x0a,
0x11, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x53, 0x74, 0x61, 0x74,
0x75, 0x73, 0x12, 0x16, 0x0a, 0x06, 0x73, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x18, 0x01, 0x20, 0x01,
0x28, 0x09, 0x52, 0x06, 0x73, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x12, 0x16, 0x0a, 0x06, 0x73, 0x74,
0x61, 0x74, 0x75, 0x73, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x73, 0x74, 0x61, 0x74,
0x75, 0x73, 0x12, 0x44, 0x0a, 0x0f, 0x6f, 0x63, 0x73, 0x70, 0x4c, 0x61, 0x73, 0x74, 0x55, 0x70,
0x64, 0x61, 0x74, 0x65, 0x64, 0x18, 0x0f, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f,
0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69,
0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x0f, 0x6f, 0x63, 0x73, 0x70, 0x4c, 0x61, 0x73,
0x74, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x64, 0x12, 0x3c, 0x0a, 0x0b, 0x72, 0x65, 0x76, 0x6f,
0x6b, 0x65, 0x64, 0x44, 0x61, 0x74, 0x65, 0x18, 0x0c, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e,
0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e,
0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x0b, 0x72, 0x65, 0x76, 0x6f, 0x6b,
0x65, 0x64, 0x44, 0x61, 0x74, 0x65, 0x12, 0x24, 0x0a, 0x0d, 0x72, 0x65, 0x76, 0x6f, 0x6b, 0x65,
0x64, 0x52, 0x65, 0x61, 0x73, 0x6f, 0x6e, 0x18, 0x06, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0d, 0x72,
0x65, 0x76, 0x6f, 0x6b, 0x65, 0x64, 0x52, 0x65, 0x61, 0x73, 0x6f, 0x6e, 0x12, 0x50, 0x0a, 0x15,
0x6c, 0x61, 0x73, 0x74, 0x45, 0x78, 0x70, 0x69, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x4e, 0x61,
0x67, 0x53, 0x65, 0x6e, 0x74, 0x18, 0x0d, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f,
0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69,
0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x15, 0x6c, 0x61, 0x73, 0x74, 0x45, 0x78, 0x70,
0x69, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x4e, 0x61, 0x67, 0x53, 0x65, 0x6e, 0x74, 0x12, 0x36,
0x0a, 0x08, 0x6e, 0x6f, 0x74, 0x41, 0x66, 0x74, 0x65, 0x72, 0x18, 0x0e, 0x20, 0x01, 0x28, 0x0b,
0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62,
0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x08, 0x6e, 0x6f,
0x74, 0x41, 0x66, 0x74, 0x65, 0x72, 0x12, 0x1c, 0x0a, 0x09, 0x69, 0x73, 0x45, 0x78, 0x70, 0x69,
0x72, 0x65, 0x64, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x08, 0x52, 0x09, 0x69, 0x73, 0x45, 0x78, 0x70,
0x69, 0x72, 0x65, 0x64, 0x12, 0x1a, 0x0a, 0x08, 0x69, 0x73, 0x73, 0x75, 0x65, 0x72, 0x49, 0x44,
0x18, 0x0b, 0x20, 0x01, 0x28, 0x03, 0x52, 0x08, 0x69, 0x73, 0x73, 0x75, 0x65, 0x72, 0x49, 0x44,
0x4a, 0x04, 0x08, 0x02, 0x10, 0x03, 0x4a, 0x04, 0x08, 0x04, 0x10, 0x05, 0x4a, 0x04, 0x08, 0x05,
0x10, 0x06, 0x4a, 0x04, 0x08, 0x07, 0x10, 0x08, 0x4a, 0x04, 0x08, 0x08, 0x10, 0x09, 0x4a, 0x04,
0x08, 0x09, 0x10, 0x0a, 0x22, 0x88, 0x02, 0x0a, 0x0c, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72,
0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28,
0x03, 0x52, 0x02, 0x69, 0x64, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x02, 0x20, 0x01,
0x28, 0x0c, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x18, 0x0a, 0x07, 0x63, 0x6f, 0x6e, 0x74, 0x61,
@ -1085,73 +975,65 @@ var file_core_proto_rawDesc = []byte{
0x67, 0x72, 0x65, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09,
0x61, 0x67, 0x72, 0x65, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x12, 0x1c, 0x0a, 0x09, 0x69, 0x6e, 0x69,
0x74, 0x69, 0x61, 0x6c, 0x49, 0x50, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x09, 0x69, 0x6e,
0x69, 0x74, 0x69, 0x61, 0x6c, 0x49, 0x50, 0x12, 0x20, 0x0a, 0x0b, 0x63, 0x72, 0x65, 0x61, 0x74,
0x65, 0x64, 0x41, 0x74, 0x4e, 0x53, 0x18, 0x07, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0b, 0x63, 0x72,
0x65, 0x61, 0x74, 0x65, 0x64, 0x41, 0x74, 0x4e, 0x53, 0x12, 0x38, 0x0a, 0x09, 0x63, 0x72, 0x65,
0x61, 0x74, 0x65, 0x64, 0x41, 0x74, 0x18, 0x09, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67,
0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54,
0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x09, 0x63, 0x72, 0x65, 0x61, 0x74, 0x65,
0x64, 0x41, 0x74, 0x12, 0x16, 0x0a, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x18, 0x08, 0x20,
0x01, 0x28, 0x09, 0x52, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x22, 0x90, 0x02, 0x0a, 0x0d,
0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x0e, 0x0a,
0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x1e, 0x0a,
0x0a, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x66, 0x69, 0x65, 0x72, 0x18, 0x02, 0x20, 0x01, 0x28,
0x09, 0x52, 0x0a, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x66, 0x69, 0x65, 0x72, 0x12, 0x26, 0x0a,
0x0e, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x44, 0x18,
0x03, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0e, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74,
0x69, 0x6f, 0x6e, 0x49, 0x44, 0x12, 0x16, 0x0a, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x18,
0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x1c, 0x0a,
0x09, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x73, 0x4e, 0x53, 0x18, 0x05, 0x20, 0x01, 0x28, 0x03,
0x52, 0x09, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x73, 0x4e, 0x53, 0x12, 0x34, 0x0a, 0x07, 0x65,
0x78, 0x70, 0x69, 0x72, 0x65, 0x73, 0x18, 0x09, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67,
0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54,
0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x07, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65,
0x73, 0x12, 0x2f, 0x0a, 0x0a, 0x63, 0x68, 0x61, 0x6c, 0x6c, 0x65, 0x6e, 0x67, 0x65, 0x73, 0x18,
0x06, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x0f, 0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x43, 0x68, 0x61,
0x6c, 0x6c, 0x65, 0x6e, 0x67, 0x65, 0x52, 0x0a, 0x63, 0x68, 0x61, 0x6c, 0x6c, 0x65, 0x6e, 0x67,
0x65, 0x73, 0x4a, 0x04, 0x08, 0x07, 0x10, 0x08, 0x4a, 0x04, 0x08, 0x08, 0x10, 0x09, 0x22, 0xcb,
0x03, 0x0a, 0x05, 0x4f, 0x72, 0x64, 0x65, 0x72, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01,
0x20, 0x01, 0x28, 0x03, 0x52, 0x02, 0x69, 0x64, 0x12, 0x26, 0x0a, 0x0e, 0x72, 0x65, 0x67, 0x69,
0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x44, 0x18, 0x02, 0x20, 0x01, 0x28, 0x03,
0x52, 0x0e, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x44,
0x12, 0x1c, 0x0a, 0x09, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x73, 0x4e, 0x53, 0x18, 0x03, 0x20,
0x01, 0x28, 0x03, 0x52, 0x09, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x73, 0x4e, 0x53, 0x12, 0x34,
0x0a, 0x07, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x73, 0x18, 0x0c, 0x20, 0x01, 0x28, 0x0b, 0x32,
0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75,
0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x07, 0x65, 0x78, 0x70,
0x69, 0x72, 0x65, 0x73, 0x12, 0x2a, 0x0a, 0x05, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x18, 0x04, 0x20,
0x01, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x50, 0x72, 0x6f, 0x62, 0x6c,
0x65, 0x6d, 0x44, 0x65, 0x74, 0x61, 0x69, 0x6c, 0x73, 0x52, 0x05, 0x65, 0x72, 0x72, 0x6f, 0x72,
0x12, 0x2c, 0x0a, 0x11, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x53,
0x65, 0x72, 0x69, 0x61, 0x6c, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x11, 0x63, 0x65, 0x72,
0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x53, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x12, 0x16,
0x0a, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x18, 0x07, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06,
0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x14, 0x0a, 0x05, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x18,
0x08, 0x20, 0x03, 0x28, 0x09, 0x52, 0x05, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x12, 0x28, 0x0a, 0x0f,
0x62, 0x65, 0x67, 0x61, 0x6e, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x69, 0x6e, 0x67, 0x18,
0x09, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0f, 0x62, 0x65, 0x67, 0x61, 0x6e, 0x50, 0x72, 0x6f, 0x63,
0x65, 0x73, 0x73, 0x69, 0x6e, 0x67, 0x12, 0x1c, 0x0a, 0x09, 0x63, 0x72, 0x65, 0x61, 0x74, 0x65,
0x64, 0x4e, 0x53, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x03, 0x52, 0x09, 0x63, 0x72, 0x65, 0x61, 0x74,
0x65, 0x64, 0x4e, 0x53, 0x12, 0x34, 0x0a, 0x07, 0x63, 0x72, 0x65, 0x61, 0x74, 0x65, 0x64, 0x18,
0x69, 0x74, 0x69, 0x61, 0x6c, 0x49, 0x50, 0x12, 0x38, 0x0a, 0x09, 0x63, 0x72, 0x65, 0x61, 0x74,
0x65, 0x64, 0x41, 0x74, 0x18, 0x09, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f,
0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d,
0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x09, 0x63, 0x72, 0x65, 0x61, 0x74, 0x65, 0x64, 0x41,
0x74, 0x12, 0x16, 0x0a, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x18, 0x08, 0x20, 0x01, 0x28,
0x09, 0x52, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x4a, 0x04, 0x08, 0x07, 0x10, 0x08, 0x22,
0xf8, 0x01, 0x0a, 0x0d, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f,
0x6e, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69,
0x64, 0x12, 0x1e, 0x0a, 0x0a, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x66, 0x69, 0x65, 0x72, 0x18,
0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x66, 0x69, 0x65,
0x72, 0x12, 0x26, 0x0a, 0x0e, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f,
0x6e, 0x49, 0x44, 0x18, 0x03, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0e, 0x72, 0x65, 0x67, 0x69, 0x73,
0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x44, 0x12, 0x16, 0x0a, 0x06, 0x73, 0x74, 0x61,
0x74, 0x75, 0x73, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75,
0x73, 0x12, 0x34, 0x0a, 0x07, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x73, 0x18, 0x09, 0x20, 0x01,
0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74,
0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x07,
0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x73, 0x12, 0x2f, 0x0a, 0x0a, 0x63, 0x68, 0x61, 0x6c, 0x6c,
0x65, 0x6e, 0x67, 0x65, 0x73, 0x18, 0x06, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x0f, 0x2e, 0x63, 0x6f,
0x72, 0x65, 0x2e, 0x43, 0x68, 0x61, 0x6c, 0x6c, 0x65, 0x6e, 0x67, 0x65, 0x52, 0x0a, 0x63, 0x68,
0x61, 0x6c, 0x6c, 0x65, 0x6e, 0x67, 0x65, 0x73, 0x4a, 0x04, 0x08, 0x05, 0x10, 0x06, 0x4a, 0x04,
0x08, 0x07, 0x10, 0x08, 0x4a, 0x04, 0x08, 0x08, 0x10, 0x09, 0x22, 0x9b, 0x03, 0x0a, 0x05, 0x4f,
0x72, 0x64, 0x65, 0x72, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x03,
0x52, 0x02, 0x69, 0x64, 0x12, 0x26, 0x0a, 0x0e, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61,
0x74, 0x69, 0x6f, 0x6e, 0x49, 0x44, 0x18, 0x02, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0e, 0x72, 0x65,
0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x44, 0x12, 0x34, 0x0a, 0x07,
0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x73, 0x18, 0x0c, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e,
0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e,
0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x07, 0x65, 0x78, 0x70, 0x69, 0x72,
0x65, 0x73, 0x12, 0x2a, 0x0a, 0x05, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x18, 0x04, 0x20, 0x01, 0x28,
0x0b, 0x32, 0x14, 0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x50, 0x72, 0x6f, 0x62, 0x6c, 0x65, 0x6d,
0x44, 0x65, 0x74, 0x61, 0x69, 0x6c, 0x73, 0x52, 0x05, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x12, 0x2c,
0x0a, 0x11, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x53, 0x65, 0x72,
0x69, 0x61, 0x6c, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x11, 0x63, 0x65, 0x72, 0x74, 0x69,
0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x53, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x12, 0x16, 0x0a, 0x06,
0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x18, 0x07, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x73, 0x74,
0x61, 0x74, 0x75, 0x73, 0x12, 0x14, 0x0a, 0x05, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x18, 0x08, 0x20,
0x03, 0x28, 0x09, 0x52, 0x05, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x12, 0x28, 0x0a, 0x0f, 0x62, 0x65,
0x67, 0x61, 0x6e, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x69, 0x6e, 0x67, 0x18, 0x09, 0x20,
0x01, 0x28, 0x08, 0x52, 0x0f, 0x62, 0x65, 0x67, 0x61, 0x6e, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73,
0x73, 0x69, 0x6e, 0x67, 0x12, 0x34, 0x0a, 0x07, 0x63, 0x72, 0x65, 0x61, 0x74, 0x65, 0x64, 0x18,
0x0d, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70,
0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d,
0x70, 0x52, 0x07, 0x63, 0x72, 0x65, 0x61, 0x74, 0x65, 0x64, 0x12, 0x2a, 0x0a, 0x10, 0x76, 0x32,
0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x0b,
0x20, 0x03, 0x28, 0x03, 0x52, 0x10, 0x76, 0x32, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a,
0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x4a, 0x04, 0x08, 0x06, 0x10, 0x07, 0x22, 0x96, 0x01, 0x0a,
0x08, 0x43, 0x52, 0x4c, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x16, 0x0a, 0x06, 0x73, 0x65, 0x72,
0x69, 0x61, 0x6c, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x73, 0x65, 0x72, 0x69, 0x61,
0x6c, 0x12, 0x16, 0x0a, 0x06, 0x72, 0x65, 0x61, 0x73, 0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28,
0x05, 0x52, 0x06, 0x72, 0x65, 0x61, 0x73, 0x6f, 0x6e, 0x12, 0x20, 0x0a, 0x0b, 0x72, 0x65, 0x76,
0x6f, 0x6b, 0x65, 0x64, 0x41, 0x74, 0x4e, 0x53, 0x18, 0x03, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0b,
0x72, 0x65, 0x76, 0x6f, 0x6b, 0x65, 0x64, 0x41, 0x74, 0x4e, 0x53, 0x12, 0x38, 0x0a, 0x09, 0x72,
0x65, 0x76, 0x6f, 0x6b, 0x65, 0x64, 0x41, 0x74, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a,
0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66,
0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x09, 0x72, 0x65, 0x76, 0x6f,
0x6b, 0x65, 0x64, 0x41, 0x74, 0x42, 0x2b, 0x5a, 0x29, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e,
0x63, 0x6f, 0x6d, 0x2f, 0x6c, 0x65, 0x74, 0x73, 0x65, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x2f,
0x62, 0x6f, 0x75, 0x6c, 0x64, 0x65, 0x72, 0x2f, 0x63, 0x6f, 0x72, 0x65, 0x2f, 0x70, 0x72, 0x6f,
0x74, 0x6f, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x4a, 0x04, 0x08, 0x03, 0x10, 0x04, 0x4a, 0x04, 0x08, 0x06,
0x10, 0x07, 0x4a, 0x04, 0x08, 0x0a, 0x10, 0x0b, 0x22, 0x7a, 0x0a, 0x08, 0x43, 0x52, 0x4c, 0x45,
0x6e, 0x74, 0x72, 0x79, 0x12, 0x16, 0x0a, 0x06, 0x73, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x18, 0x01,
0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x73, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x12, 0x16, 0x0a, 0x06,
0x72, 0x65, 0x61, 0x73, 0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x05, 0x52, 0x06, 0x72, 0x65,
0x61, 0x73, 0x6f, 0x6e, 0x12, 0x38, 0x0a, 0x09, 0x72, 0x65, 0x76, 0x6f, 0x6b, 0x65, 0x64, 0x41,
0x74, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65,
0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74,
0x61, 0x6d, 0x70, 0x52, 0x09, 0x72, 0x65, 0x76, 0x6f, 0x6b, 0x65, 0x64, 0x41, 0x74, 0x4a, 0x04,
0x08, 0x03, 0x10, 0x04, 0x42, 0x2b, 0x5a, 0x29, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63,
0x6f, 0x6d, 0x2f, 0x6c, 0x65, 0x74, 0x73, 0x65, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x2f, 0x62,
0x6f, 0x75, 0x6c, 0x64, 0x65, 0x72, 0x2f, 0x63, 0x6f, 0x72, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74,
0x6f, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
}
var (

24
core/proto/core.proto
View File

@ -17,7 +17,7 @@ message Challenge {
repeated ValidationRecord validationrecords = 10;
ProblemDetails error = 7;
reserved 8; // Unused and accidentally skipped during initial commit.
int64 validatedNS = 11;
reserved 11; // Previously validatedNS
google.protobuf.Timestamp validated = 12;
}
@ -47,9 +47,9 @@ message Certificate {
string serial = 2;
string digest = 3;
bytes der = 4;
int64 issuedNS = 5; // Unix timestamp (nanoseconds)
reserved 5; // Previously issuedNS
google.protobuf.Timestamp issued = 7;
int64 expiresNS = 6; // Unix timestamp (nanoseconds)
reserved 6; // Previously expiresNS
google.protobuf.Timestamp expires = 8;
}
@ -58,15 +58,15 @@ message CertificateStatus {
string serial = 1;
reserved 2; // previously subscriberApproved
string status = 3;
int64 ocspLastUpdatedNS = 4; // Unix timestamp (nanoseconds)
reserved 4; // Previously ocspLastUpdatedNS
google.protobuf.Timestamp ocspLastUpdated = 15;
int64 revokedDateNS = 5; // Unix timestamp (nanoseconds)
reserved 5; // Previously revokedDateNS
google.protobuf.Timestamp revokedDate = 12;
int64 revokedReason = 6;
int64 lastExpirationNagSentNS = 7; // Unix timestamp (nanoseconds)
reserved 7; // Previously lastExpirationNagSentNS
reserved 8; // previously ocspResponse
google.protobuf.Timestamp lastExpirationNagSent = 13;
int64 notAfterNS = 9; // Unix timestamp (nanoseconds)
reserved 9; // Previously notAfterNS
google.protobuf.Timestamp notAfter = 14;
bool isExpired = 10;
int64 issuerID = 11;
@ -80,7 +80,7 @@ message Registration {
bool contactsPresent = 4;
string agreement = 5;
bytes initialIP = 6;
int64 createdAtNS = 7; // Unix timestamp (nanoseconds)
reserved 7; // Previously createdAtNS
google.protobuf.Timestamp createdAt = 9;
string status = 8;
}
@ -91,7 +91,7 @@ message Authorization {
string identifier = 2;
int64 registrationID = 3;
string status = 4;
int64 expiresNS = 5; // Unix timestamp (nanoseconds)
reserved 5; // Previously expiresNS
google.protobuf.Timestamp expires = 9;
repeated core.Challenge challenges = 6;
reserved 7; // previously ACMEv1 combinations
@ -102,7 +102,7 @@ message Order {
// Next unused field number: 14
int64 id = 1;
int64 registrationID = 2;
int64 expiresNS = 3; // Unix timestamp (nanoseconds)
reserved 3; // Previously expiresNS
google.protobuf.Timestamp expires = 12;
ProblemDetails error = 4;
string certificateSerial = 5;
@ -110,7 +110,7 @@ message Order {
string status = 7;
repeated string names = 8;
bool beganProcessing = 9;
int64 createdNS = 10; // Unix timestamp (nanoseconds)
reserved 10; // Previously createdNS
google.protobuf.Timestamp created = 13;
repeated int64 v2Authorizations = 11;
}
@ -119,6 +119,6 @@ message CRLEntry {
// Next unused field number: 5
string serial = 1;
int32 reason = 2;
int64 revokedAtNS = 3; // Unix timestamp (nanoseconds)
reserved 3; // Previously revokedAtNS
google.protobuf.Timestamp revokedAt = 4;
}

9
core/util.go
View File

@ -26,6 +26,7 @@ import (
"unicode"
"google.golang.org/protobuf/types/known/durationpb"
"google.golang.org/protobuf/types/known/timestamppb"
"gopkg.in/go-jose/go-jose.v2"
)
@ -213,6 +214,10 @@ func IsAnyNilOrZero(vals ...interface{}) bool {
switch v := val.(type) {
case nil:
return true
case bool:
if !v {
return true
}
case string:
if v == "" {
return true
@ -278,6 +283,10 @@ func IsAnyNilOrZero(vals ...interface{}) bool {
if v.IsZero() {
return true
}
case *timestamppb.Timestamp:
if v == nil || v.AsTime().IsZero() {
return true
}
case *durationpb.Duration:
if v == nil || v.AsDuration() == time.Duration(0) {
return true

6
core/util_test.go
View File

@ -13,6 +13,7 @@ import (
"time"
"google.golang.org/protobuf/types/known/durationpb"
"google.golang.org/protobuf/types/known/timestamppb"
"gopkg.in/go-jose/go-jose.v2"
"github.com/letsencrypt/boulder/test"
@ -170,6 +171,11 @@ func TestIsAnyNilOrZero(t *testing.T) {
test.Assert(t, IsAnyNilOrZero(1, ""), "Mixed values seen as non-zero")
test.Assert(t, IsAnyNilOrZero("", 1), "Mixed values seen as non-zero")
var p *timestamppb.Timestamp
test.Assert(t, IsAnyNilOrZero(p), "Pointer to uninitialized timestamppb.Timestamp seen as non-zero")
test.Assert(t, IsAnyNilOrZero(timestamppb.New(time.Time{})), "*timestamppb.Timestamp containing an uninitialized inner time.Time{} is seen as non-zero")
test.Assert(t, !IsAnyNilOrZero(timestamppb.Now()), "A *timestamppb.Timestamp with valid inner time is seen as zero")
var d *durationpb.Duration
var zeroDuration time.Duration
test.Assert(t, IsAnyNilOrZero(d), "Pointer to uninitialized durationpb.Duration seen as non-zero")

4
crl/updater/updater.go
View File

@ -212,11 +212,8 @@ func (cu *crlUpdater) updateShard(ctx context.Context, atTime time.Time, issuerN
for _, chunk := range chunks {
saStream, err := cu.sa.GetRevokedCerts(ctx, &sapb.GetRevokedCertsRequest{
IssuerNameID: int64(issuerNameID),
ExpiresAfterNS: chunk.start.UnixNano(),
ExpiresAfter: timestamppb.New(chunk.start),
ExpiresBeforeNS: chunk.end.UnixNano(),
ExpiresBefore: timestamppb.New(chunk.end),
RevokedBeforeNS: atTime.UnixNano(),
RevokedBefore: timestamppb.New(atTime),
})
if err != nil {
@ -249,7 +246,6 @@ func (cu *crlUpdater) updateShard(ctx context.Context, atTime time.Time, issuerN
Payload: &capb.GenerateCRLRequest_Metadata{
Metadata: &capb.CRLMetadata{
IssuerNameID: int64(issuerNameID),
ThisUpdateNS: atTime.UnixNano(),
ThisUpdate: timestamppb.New(atTime),
ShardIdx: int64(shardIdx),
},

11
docs/CONTRIBUTING.md
View File

@ -307,6 +307,17 @@ ALTER TABLE people ADD isWizard BOOLEAN SET DEFAULT false;
ALTER TABLE people DROP isWizard BOOLEAN SET DEFAULT false;
```
# Expressing "optional" Timestamps
Timestamps in protocol buffers must always be expressed as
[timestamppb.Timestamp](https://pkg.go.dev/google.golang.org/protobuf/types/known/timestamppb).
Timestamps must never contain their zero value, in the sense of
`timestamp.AsTime().IsZero()`. When a timestamp field is optional, absence must
be expressed through the absence of the field, rather than present with a zero
value. The `core.IsAnyNilOrZero` function can check these cases.
Senders must check that timestamps are non-zero before sending them. Receivers
must check that timestamps are non-zero before accepting them.
# Release Process
The current Boulder release process is described in

56
grpc/pb-marshalling.go
View File

@ -71,16 +71,13 @@ func ChallengeToPB(challenge core.Challenge) (*corepb.Challenge, error) {
}
}
var validatedInt int64 = 0
validatedTS := timestamppb.New(time.Time{})
var validated *timestamppb.Timestamp
if challenge.Validated != nil {
validatedInt = challenge.Validated.UTC().UnixNano()
validatedTS = timestamppb.New(challenge.Validated.UTC())
}
if !validatedTS.IsValid() {
validated = timestamppb.New(challenge.Validated.UTC())
if !validated.IsValid() {
return nil, fmt.Errorf("error creating *timestamppb.Timestamp for *corepb.Challenge object")
}
}
return &corepb.Challenge{
Type: string(challenge.Type),
@ -89,8 +86,7 @@ func ChallengeToPB(challenge core.Challenge) (*corepb.Challenge, error) {
KeyAuthorization: challenge.ProvidedKeyAuthorization,
Error: prob,
Validationrecords: recordAry,
ValidatedNS: validatedInt,
Validated: validatedTS,
Validated: validated,
}, nil
}
@ -116,7 +112,7 @@ func PBToChallenge(in *corepb.Challenge) (challenge core.Challenge, err error) {
return core.Challenge{}, err
}
var validated *time.Time
if in.Validated != nil && !in.Validated.AsTime().IsZero() {
if !core.IsAnyNilOrZero(in.Validated) {
val := in.Validated.AsTime()
validated = &val
}
@ -240,15 +236,13 @@ func RegistrationToPB(reg core.Registration) (*corepb.Registration, error) {
if reg.Contact != nil {
contacts = *reg.Contact
}
var createdAtInt int64 = 0
createdAtTS := timestamppb.New(time.Time{})
var createdAt *timestamppb.Timestamp
if reg.CreatedAt != nil {
createdAtInt = reg.CreatedAt.UTC().UnixNano()
createdAtTS = timestamppb.New(reg.CreatedAt.UTC())
}
if !createdAtTS.IsValid() {
createdAt = timestamppb.New(reg.CreatedAt.UTC())
if !createdAt.IsValid() {
return nil, fmt.Errorf("error creating *timestamppb.Timestamp for *corepb.Authorization object")
}
}
return &corepb.Registration{
Id: reg.ID,
@ -257,8 +251,7 @@ func RegistrationToPB(reg core.Registration) (*corepb.Registration, error) {
ContactsPresent: contactsPresent,
Agreement: reg.Agreement,
InitialIP: ipBytes,
CreatedAtNS: createdAtInt,
CreatedAt: createdAtTS,
CreatedAt: createdAt,
Status: string(reg.Status),
}, nil
}
@ -275,7 +268,7 @@ func PbToRegistration(pb *corepb.Registration) (core.Registration, error) {
return core.Registration{}, err
}
var createdAt *time.Time
if pb.CreatedAt != nil && !pb.CreatedAt.AsTime().IsZero() {
if !core.IsAnyNilOrZero(pb.CreatedAt) {
c := pb.CreatedAt.AsTime()
createdAt = &c
}
@ -313,23 +306,20 @@ func AuthzToPB(authz core.Authorization) (*corepb.Authorization, error) {
}
challs[i] = pbChall
}
var expiresInt int64 = 0
expiresTS := timestamppb.New(time.Time{})
var expires *timestamppb.Timestamp
if authz.Expires != nil {
expiresInt = authz.Expires.UTC().UnixNano()
expiresTS = timestamppb.New(authz.Expires.UTC())
}
if !expiresTS.IsValid() {
expires = timestamppb.New(authz.Expires.UTC())
if !expires.IsValid() {
return nil, fmt.Errorf("error creating *timestamppb.Timestamp for *corepb.Authorization object")
}
}
return &corepb.Authorization{
Id: authz.ID,
Identifier: authz.Identifier.Value,
RegistrationID: authz.RegistrationID,
Status: string(authz.Status),
ExpiresNS: expiresInt,
Expires: expiresTS,
Expires: expires,
Challenges: challs,
}, nil
}
@ -344,7 +334,7 @@ func PBToAuthz(pb *corepb.Authorization) (core.Authorization, error) {
challs[i] = chall
}
var expires *time.Time
if pb.Expires != nil && !pb.Expires.AsTime().IsZero() {
if !core.IsAnyNilOrZero(pb.Expires) {
c := pb.Expires.AsTime()
expires = &c
}
@ -363,7 +353,7 @@ func PBToAuthz(pb *corepb.Authorization) (core.Authorization, error) {
// from `newOrderValid` it ensures the order ID and the Created fields are not
// the zero value.
func orderValid(order *corepb.Order) bool {
return order.Id != 0 && order.CreatedNS != 0 && newOrderValid(order)
return order.Id != 0 && order.Created != nil && newOrderValid(order)
}
// newOrderValid checks that a corepb.Order is valid. It allows for a nil
@ -374,7 +364,7 @@ func orderValid(order *corepb.Order) bool {
// `order.CertificateSerial` to be nil such that it can be used in places where
// the order has not been finalized yet.
func newOrderValid(order *corepb.Order) bool {
return !(order.RegistrationID == 0 || order.ExpiresNS == 0 || len(order.Names) == 0)
return !(order.RegistrationID == 0 || order.Expires == nil || len(order.Names) == 0)
}
func CertToPB(cert core.Certificate) *corepb.Certificate {
@ -383,9 +373,7 @@ func CertToPB(cert core.Certificate) *corepb.Certificate {
Serial: cert.Serial,
Digest: cert.Digest,
Der: cert.DER,
IssuedNS: cert.Issued.UnixNano(),
Issued: timestamppb.New(cert.Issued),
ExpiresNS: cert.Expires.UnixNano(),
Expires: timestamppb.New(cert.Expires),
}
}
@ -405,14 +393,10 @@ func CertStatusToPB(certStatus core.CertificateStatus) *corepb.CertificateStatus
return &corepb.CertificateStatus{
Serial: certStatus.Serial,
Status: string(certStatus.Status),
OcspLastUpdatedNS: certStatus.OCSPLastUpdated.UnixNano(),
OcspLastUpdated: timestamppb.New(certStatus.OCSPLastUpdated),
RevokedDateNS: certStatus.RevokedDate.UnixNano(),
RevokedDate: timestamppb.New(certStatus.RevokedDate),
RevokedReason: int64(certStatus.RevokedReason),
LastExpirationNagSentNS: certStatus.LastExpirationNagSent.UnixNano(),
LastExpirationNagSent: timestamppb.New(certStatus.LastExpirationNagSent),
NotAfterNS: certStatus.NotAfter.UnixNano(),
NotAfter: timestamppb.New(certStatus.NotAfter),
IsExpired: certStatus.IsExpired,
IssuerID: certStatus.IssuerNameID,

8
grpc/pb-marshalling_test.go
View File

@ -296,13 +296,11 @@ func TestOrderValid(t *testing.T) {
Order: &corepb.Order{
Id: 1,
RegistrationID: 1,
ExpiresNS: expires.UnixNano(),
Expires: timestamppb.New(expires),
CertificateSerial: "",
V2Authorizations: []int64{},
Names: []string{"example.com"},
BeganProcessing: false,
CreatedNS: created.UnixNano(),
Created: timestamppb.New(created),
},
ExpectedValid: true,
@ -312,12 +310,10 @@ func TestOrderValid(t *testing.T) {
Order: &corepb.Order{
Id: 1,
RegistrationID: 1,
ExpiresNS: expires.UnixNano(),
Expires: timestamppb.New(expires),
V2Authorizations: []int64{},
Names: []string{"example.com"},
BeganProcessing: false,
CreatedNS: created.UnixNano(),
Created: timestamppb.New(created),
},
ExpectedValid: true,
@ -331,7 +327,6 @@ func TestOrderValid(t *testing.T) {
Order: &corepb.Order{
Id: 0,
RegistrationID: 1,
ExpiresNS: expires.UnixNano(),
Expires: timestamppb.New(expires),
CertificateSerial: "",
V2Authorizations: []int64{},
@ -344,7 +339,6 @@ func TestOrderValid(t *testing.T) {
Order: &corepb.Order{
Id: 1,
RegistrationID: 0,
ExpiresNS: expires.UnixNano(),
Expires: timestamppb.New(expires),
CertificateSerial: "",
V2Authorizations: []int64{},
@ -357,7 +351,6 @@ func TestOrderValid(t *testing.T) {
Order: &corepb.Order{
Id: 1,
RegistrationID: 1,
ExpiresNS: 0,
Expires: nil,
CertificateSerial: "",
V2Authorizations: []int64{},
@ -370,7 +363,6 @@ func TestOrderValid(t *testing.T) {
Order: &corepb.Order{
Id: 1,
RegistrationID: 1,
ExpiresNS: expires.UnixNano(),
Expires: timestamppb.New(expires),
CertificateSerial: "",
V2Authorizations: []int64{},

2
mocks/ca.go
View File

@ -44,9 +44,7 @@ func (ca *MockCA) IssueCertificateForPrecertificate(ctx context.Context, req *ca
RegistrationID: 1,
Serial: "mock",
Digest: "mock",
IssuedNS: now.UnixNano(),
Issued: timestamppb.New(now),
ExpiresNS: expires.UnixNano(),
Expires: timestamppb.New(expires),
}, nil
}

25
mocks/mocks.go
View File

@ -119,8 +119,7 @@ func (sa *StorageAuthorityReadOnly) GetRegistration(_ context.Context, req *sapb
}
goodReg.InitialIP, _ = net.ParseIP("5.6.7.8").MarshalText()
createdAt := time.Date(2003, 9, 27, 0, 0, 0, 0, time.UTC)
goodReg.CreatedAtNS = createdAt.UnixNano()
goodReg.CreatedAt = timestamppb.New(time.Date(2003, 9, 27, 0, 0, 0, 0, time.UTC))
return goodReg, nil
}
@ -205,9 +204,7 @@ func (sa *StorageAuthorityReadOnly) GetSerialMetadata(ctx context.Context, req *
return &sapb.SerialMetadata{
Serial: req.Serial,
RegistrationID: 1,
CreatedNS: created.UnixNano(),
Created: timestamppb.New(created),
ExpiresNS: expires.UnixNano(),
Expires: timestamppb.New(expires),
}, nil
}
@ -223,7 +220,6 @@ func (sa *StorageAuthorityReadOnly) GetCertificate(_ context.Context, req *sapb.
return &corepb.Certificate{
RegistrationID: 1,
Der: certBlock.Bytes,
IssuedNS: issuedTime.UnixNano(),
Issued: timestamppb.New(issuedTime),
}, nil
} else if req.Serial == "0000000000000000000000000000000000b2" {
@ -232,7 +228,6 @@ func (sa *StorageAuthorityReadOnly) GetCertificate(_ context.Context, req *sapb.
return &corepb.Certificate{
RegistrationID: 1,
Der: certBlock.Bytes,
IssuedNS: issuedTime.UnixNano(),
Issued: timestamppb.New(issuedTime),
}, nil
} else if req.Serial == "000000000000000000000000000000626164" {
@ -364,18 +359,15 @@ func (sa *StorageAuthority) DeactivateRegistration(_ context.Context, _ *sapb.Re
// NewOrderAndAuthzs is a mock
func (sa *StorageAuthority) NewOrderAndAuthzs(_ context.Context, req *sapb.NewOrderAndAuthzsRequest, _ ...grpc.CallOption) (*corepb.Order, error) {
now := time.Now()
response := &corepb.Order{
// Fields from the input new order request.
RegistrationID: req.NewOrder.RegistrationID,
ExpiresNS: req.NewOrder.ExpiresNS,
Expires: req.NewOrder.Expires,
Names: req.NewOrder.Names,
V2Authorizations: req.NewOrder.V2Authorizations,
// Mock new fields generated by the database transaction.
Id: rand.Int63(),
CreatedNS: now.UnixNano(),
Created: timestamppb.New(now),
Created: timestamppb.Now(),
// A new order is never processing because it can't have been finalized yet.
BeganProcessing: false,
Status: string(core.StatusPending),
@ -406,14 +398,13 @@ func (sa *StorageAuthorityReadOnly) GetOrder(_ context.Context, req *sapb.OrderR
return nil, errors.New("very bad")
}
created := sa.clk.Now().AddDate(-30, 0, 0)
exp := sa.clk.Now().AddDate(30, 0, 0)
now := sa.clk.Now()
created := now.AddDate(-30, 0, 0)
exp := now.AddDate(30, 0, 0)
validOrder := &corepb.Order{
Id: req.Id,
RegistrationID: 1,
CreatedNS: created.UnixNano(),
Created: timestamppb.New(created),
ExpiresNS: exp.UnixNano(),
Expires: timestamppb.New(exp),
Names: []string{"example.com"},
Status: string(core.StatusValid),
@ -440,7 +431,7 @@ func (sa *StorageAuthorityReadOnly) GetOrder(_ context.Context, req *sapb.OrderR
// Order ID 7 is ready, but expired
if req.Id == 7 {
validOrder.Status = string(core.StatusReady)
validOrder.ExpiresNS = sa.clk.Now().AddDate(-30, 0, 0).Unix()
validOrder.Expires = timestamppb.New(now.AddDate(-30, 0, 0))
}
if req.Id == 8 {
@ -449,7 +440,7 @@ func (sa *StorageAuthorityReadOnly) GetOrder(_ context.Context, req *sapb.OrderR
// Order 9 is fresh
if req.Id == 9 {
validOrder.CreatedNS = sa.clk.Now().AddDate(0, 0, 1).Unix()
validOrder.Created = timestamppb.New(now.AddDate(0, 0, 1))
}
// Order 10 is processing
@ -488,7 +479,7 @@ func (sa *StorageAuthorityReadOnly) GetValidAuthorizations2(ctx context.Context,
if req.RegistrationID != 1 && req.RegistrationID != 5 && req.RegistrationID != 4 {
return &sapb.Authorizations{}, nil
}
now := time.Unix(0, req.NowNS)
now := req.Now.AsTime()
auths := &sapb.Authorizations{}
for _, name := range req.Domains {
exp := now.AddDate(100, 0, 0)

5
ra/mock_test.go
View File

@ -49,8 +49,6 @@ type mockInvalidPlusValidAuthzAuthority struct {
}
func (sa *mockInvalidPlusValidAuthzAuthority) GetAuthorizations2(ctx context.Context, req *sapb.GetAuthorizationsRequest, _ ...grpc.CallOption) (*sapb.Authorizations, error) {
date := time.Date(2101, 12, 3, 0, 0, 0, 0, time.UTC)
return &sapb.Authorizations{
Authz: []*sapb.Authorizations_MapElement{
{
@ -59,8 +57,7 @@ func (sa *mockInvalidPlusValidAuthzAuthority) GetAuthorizations2(ctx context.Con
Status: "valid",
Identifier: sa.domainWithFailures,
RegistrationID: 1234,
ExpiresNS: date.Unix(),
Expires: timestamppb.New(date),
Expires: timestamppb.New(time.Date(2101, 12, 3, 0, 0, 0, 0, time.UTC)),
},
},
},

87
ra/ra.go
View File

@ -383,9 +383,7 @@ func (ra *RegistrationAuthorityImpl) checkRegistrationIPLimit(ctx context.Contex
count, err := counter(ctx, &sapb.CountRegistrationsByIPRequest{
Ip: ip,
Range: &sapb.Range{
EarliestNS: limit.WindowBegin(now).UnixNano(),
Earliest: timestamppb.New(limit.WindowBegin(now)),
LatestNS: now.UnixNano(),
Latest: timestamppb.New(now),
},
})
@ -638,9 +636,7 @@ func (ra *RegistrationAuthorityImpl) checkInvalidAuthorizationLimit(ctx context.
RegistrationID: regID,
Hostname: hostname,
Range: &sapb.Range{
EarliestNS: earliest.UnixNano(),
Earliest: timestamppb.New(earliest),
LatestNS: latest.UnixNano(),
Latest: timestamppb.New(latest),
},
}
@ -671,9 +667,7 @@ func (ra *RegistrationAuthorityImpl) checkNewOrdersPerAccountLimit(ctx context.C
count, err := ra.SA.CountOrders(ctx, &sapb.CountOrdersRequest{
AccountID: acctID,
Range: &sapb.Range{
EarliestNS: now.Add(-limit.Window.Duration).UnixNano(),
Earliest: timestamppb.New(now.Add(-limit.Window.Duration)),
LatestNS: now.UnixNano(),
Latest: timestamppb.New(now),
},
})
@ -1048,7 +1042,7 @@ func (ra *RegistrationAuthorityImpl) FinalizeOrder(ctx context.Context, req *rap
// Observe the age of this order, so we know how quickly most clients complete
// issuance flows.
ra.orderAges.WithLabelValues("FinalizeOrder").Observe(ra.clk.Since(time.Unix(0, req.Order.CreatedNS)).Seconds())
ra.orderAges.WithLabelValues("FinalizeOrder").Observe(ra.clk.Since(req.Order.Created.AsTime()).Seconds())
// Step 2: Set the Order to Processing status
//
@ -1404,9 +1398,7 @@ func (ra *RegistrationAuthorityImpl) enforceNameCounts(ctx context.Context, name
req := &sapb.CountCertificatesByNamesRequest{
Names: names,
Range: &sapb.Range{
EarliestNS: limit.WindowBegin(now).UnixNano(),
Earliest: timestamppb.New(limit.WindowBegin(now)),
LatestNS: now.UnixNano(),
Latest: timestamppb.New(now),
},
}
@ -1512,7 +1504,12 @@ func (ra *RegistrationAuthorityImpl) checkCertificatesPerFQDNSetLimit(ctx contex
return fmt.Errorf("checking duplicate certificate limit for %q: %s", names, err)
}
issuanceCount := int64(len(prevIssuances.TimestampsNS))
if overrideKey != "" {
utilization := float64(len(prevIssuances.Timestamps)) / float64(threshold)
ra.rlOverrideUsageGauge.WithLabelValues(ratelimit.CertificatesPerFQDNSet, overrideKey).Set(utilization)
}
issuanceCount := int64(len(prevIssuances.Timestamps))
if issuanceCount < threshold {
// Issuance in window is below the threshold, no need to limit.
if overrideKey != "" {
@ -1527,9 +1524,9 @@ func (ra *RegistrationAuthorityImpl) checkCertificatesPerFQDNSetLimit(ctx contex
// timestamps start from the most recent issuance and go back in time.
now := ra.clk.Now()
nsPerToken := limit.Window.Nanoseconds() / threshold
for i, timestamp := range prevIssuances.TimestampsNS {
for i, timestamp := range prevIssuances.Timestamps {
tokensGeneratedSince := now.Add(-time.Duration(int64(i+1) * nsPerToken))
if time.Unix(0, timestamp).Before(tokensGeneratedSince) {
if timestamp.AsTime().Before(tokensGeneratedSince) {
// We know `i+1` tokens were generated since `tokenGeneratedSince`,
// and only `i` certificates were issued, so there's room to allow
// for an additional issuance.
@ -1540,7 +1537,7 @@ func (ra *RegistrationAuthorityImpl) checkCertificatesPerFQDNSetLimit(ctx contex
return nil
}
}
retryTime := time.Unix(0, prevIssuances.TimestampsNS[0]).Add(time.Duration(nsPerToken))
retryTime := prevIssuances.Timestamps[0].AsTime().Add(time.Duration(nsPerToken))
retryAfter := retryTime.Sub(now)
return berrors.DuplicateCertificateError(
retryAfter,
@ -1705,7 +1702,6 @@ func mergeUpdate(base *corepb.Registration, update *corepb.Registration) (*corep
ContactsPresent: base.ContactsPresent,
Agreement: base.Agreement,
InitialIP: base.InitialIP,
CreatedAtNS: base.CreatedAtNS,
CreatedAt: base.CreatedAt,
Status: base.Status,
}
@ -1760,20 +1756,16 @@ func (ra *RegistrationAuthorityImpl) recordValidation(ctx context.Context, authI
if err != nil {
return err
}
var validatedInt int64 = 0
validatedTS := timestamppb.New(time.Time{})
var validated *timestamppb.Timestamp
if challenge.Validated != nil {
validatedInt = challenge.Validated.UTC().UnixNano()
validatedTS = timestamppb.New(*challenge.Validated)
validated = timestamppb.New(*challenge.Validated)
}
_, err = ra.SA.FinalizeAuthorization2(ctx, &sapb.FinalizeAuthorizationRequest{
Id: authzID,
Status: string(challenge.Status),
ExpiresNS: expires.UnixNano(),
Expires: timestamppb.New(expires),
Attempted: string(challenge.Type),
AttemptedAtNS: validatedInt,
AttemptedAt: validatedTS,
AttemptedAt: validated,
ValidationRecords: vr.Records,
ValidationError: vr.Problems,
})
@ -1793,7 +1785,8 @@ func (ra *RegistrationAuthorityImpl) PerformValidation(
// Clock for start of PerformValidation.
vStart := ra.clk.Now()
if req.Authz == nil || req.Authz.Id == "" || req.Authz.Identifier == "" || req.Authz.Status == "" || req.Authz.ExpiresNS == 0 {
// TODO(#7153): Check each value via core.IsAnyNilOrZero
if req.Authz == nil || req.Authz.Id == "" || req.Authz.Identifier == "" || req.Authz.Status == "" || core.IsAnyNilOrZero(req.Authz.Expires) {
return nil, errIncompleteGRPCRequest
}
@ -1871,7 +1864,6 @@ func (ra *RegistrationAuthorityImpl) PerformValidation(
copy(challenges, authz.Challenges)
authz.Challenges = challenges
chall, _ := bgrpc.ChallengeToPB(authz.Challenges[challIndex])
req := vapb.PerformValidationRequest{
Domain: authz.Identifier.Value,
Challenge: chall,
@ -1881,10 +1873,8 @@ func (ra *RegistrationAuthorityImpl) PerformValidation(
},
}
res, err := ra.VA.PerformValidation(vaCtx, &req)
challenge := &authz.Challenges[challIndex]
var prob *probs.ProblemDetails
if err != nil {
prob = probs.ServerInternal("Could not communicate with VA")
ra.log.AuditErrf("Could not communicate with VA: %s", err)
@ -1896,7 +1886,6 @@ func (ra *RegistrationAuthorityImpl) PerformValidation(
ra.log.AuditErrf("Could not communicate with VA: %s", err)
}
}
// Save the updated records
records := make([]core.ValidationRecord, len(res.Records))
for i, r := range res.Records {
@ -1907,7 +1896,6 @@ func (ra *RegistrationAuthorityImpl) PerformValidation(
}
challenge.ValidationRecord = records
}
if !challenge.RecordsSane() && prob == nil {
prob = probs.ServerInternal("Records for validation failed sanity check")
}
@ -1935,13 +1923,11 @@ func (ra *RegistrationAuthorityImpl) PerformValidation(
// TODO(#5152) make the issuerID argument an issuance.IssuerNameID
func (ra *RegistrationAuthorityImpl) revokeCertificate(ctx context.Context, serial *big.Int, issuerID int64, reason revocation.Reason) error {
serialString := core.SerialToString(serial)
now := ra.clk.Now()
_, err := ra.SA.RevokeCertificate(ctx, &sapb.RevokeCertificateRequest{
Serial: serialString,
Reason: int64(reason),
DateNS: now.UnixNano(),
Date: timestamppb.New(now),
Date: timestamppb.New(ra.clk.Now()),
IssuerID: issuerID,
})
if err != nil {
@ -1959,7 +1945,6 @@ func (ra *RegistrationAuthorityImpl) revokeCertificate(ctx context.Context, seri
// TODO(#5152) make the issuerID argument an issuance.IssuerNameID
func (ra *RegistrationAuthorityImpl) updateRevocationForKeyCompromise(ctx context.Context, serial *big.Int, issuerID int64) error {
serialString := core.SerialToString(serial)
now := ra.clk.Now()
status, err := ra.SA.GetCertificateStatus(ctx, &sapb.Serial{Serial: serialString})
if err != nil {
@ -1978,10 +1963,8 @@ func (ra *RegistrationAuthorityImpl) updateRevocationForKeyCompromise(ctx contex
_, err = ra.SA.UpdateRevokedCertificate(ctx, &sapb.RevokeCertificateRequest{
Serial: serialString,
Reason: int64(ocsp.KeyCompromise),
DateNS: now.UnixNano(),
Date: timestamppb.New(now),
BackdateNS: status.RevokedDateNS,
Backdate: timestamppb.New(time.Unix(0, status.RevokedDateNS)),
Date: timestamppb.New(ra.clk.Now()),
Backdate: status.RevokedDate,
IssuerID: issuerID,
})
if err != nil {
@ -2078,13 +2061,11 @@ func (ra *RegistrationAuthorityImpl) RevokeCertByApplicant(ctx context.Context,
// authorizations for all names in the cert.
logEvent.Method = "control"
now := ra.clk.Now()
var authzMapPB *sapb.Authorizations
authzMapPB, err = ra.SA.GetValidAuthorizations2(ctx, &sapb.GetValidAuthorizationsRequest{
RegistrationID: req.RegID,
Domains: cert.DNSNames,
NowNS: now.UnixNano(),
Now: timestamppb.New(now),
Now: timestamppb.New(ra.clk.Now()),
})
if err != nil {
return nil, err
@ -2135,11 +2116,9 @@ func (ra *RegistrationAuthorityImpl) addToBlockedKeys(ctx context.Context, key c
}
// Add the public key to the blocked keys list.
now := ra.clk.Now()
_, err = ra.SA.AddBlockedKey(ctx, &sapb.AddBlockedKeyRequest{
KeyHash: digest[:],
AddedNS: now.UnixNano(),
Added: timestamppb.New(now),
Added: timestamppb.New(ra.clk.Now()),
Source: src,
Comment: comment,
})
@ -2420,8 +2399,7 @@ func (ra *RegistrationAuthorityImpl) GenerateOCSP(ctx context.Context, req *rapb
return nil, errors.New("serial belongs to a certificate that errored during issuance")
}
notAfter := time.Unix(0, status.NotAfterNS).UTC()
if ra.clk.Now().After(notAfter) {
if ra.clk.Now().After(status.NotAfter.AsTime()) {
return nil, berrors.NotFoundError("certificate is expired")
}
@ -2429,8 +2407,7 @@ func (ra *RegistrationAuthorityImpl) GenerateOCSP(ctx context.Context, req *rapb
Serial: req.Serial,
Status: status.Status,
Reason: int32(status.RevokedReason),
RevokedAtNS: status.RevokedDateNS,
RevokedAt: timestamppb.New(time.Unix(0, status.RevokedDateNS)),
RevokedAt: status.RevokedDate,
IssuerID: status.IssuerID,
})
}
@ -2478,11 +2455,12 @@ func (ra *RegistrationAuthorityImpl) NewOrder(ctx context.Context, req *rapb.New
// Error if an incomplete order is returned.
if existingOrder != nil {
// Check to see if the expected fields of the existing order are set.
if existingOrder.Id == 0 || existingOrder.CreatedNS == 0 || existingOrder.Status == "" || existingOrder.RegistrationID == 0 || existingOrder.ExpiresNS == 0 || len(existingOrder.Names) == 0 {
// TODO(#7153): Check each value via core.IsAnyNilOrZero
if existingOrder.Id == 0 || existingOrder.Status == "" || existingOrder.RegistrationID == 0 || len(existingOrder.Names) == 0 || core.IsAnyNilOrZero(existingOrder.Created, existingOrder.Expires) {
return nil, errIncompleteGRPCResponse
}
// Track how often we reuse an existing order and how old that order is.
ra.orderAges.WithLabelValues("NewOrder").Observe(ra.clk.Since(time.Unix(0, existingOrder.CreatedNS)).Seconds())
ra.orderAges.WithLabelValues("NewOrder").Observe(ra.clk.Since(existingOrder.Created.AsTime()).Seconds())
return existingOrder, nil
}
@ -2503,7 +2481,6 @@ func (ra *RegistrationAuthorityImpl) NewOrder(ctx context.Context, req *rapb.New
getAuthReq := &sapb.GetAuthorizationsRequest{
RegistrationID: newOrder.RegistrationID,
NowNS: authzExpiryCutoff.UnixNano(),
Now: timestamppb.New(authzExpiryCutoff),
Domains: newOrder.Names,
}
@ -2530,7 +2507,7 @@ func (ra *RegistrationAuthorityImpl) NewOrder(ctx context.Context, req *rapb.New
continue
}
authz := nameToExistingAuthz[name]
authzAge := (ra.authorizationLifetime - time.Unix(0, authz.ExpiresNS).Sub(ra.clk.Now())).Seconds()
authzAge := (ra.authorizationLifetime - authz.Expires.AsTime().Sub(ra.clk.Now())).Seconds()
// If the identifier is a wildcard and the existing authz only has one
// DNS-01 type challenge we can reuse it. In theory we will
// never get back an authorization for a domain with a wildcard prefix
@ -2604,14 +2581,14 @@ func (ra *RegistrationAuthorityImpl) NewOrder(ctx context.Context, req *rapb.New
// minExpiry (the order's lifetime)
for _, authz := range nameToExistingAuthz {
// An authz without an expiry is an unexpected internal server event
if authz.ExpiresNS == 0 {
if core.IsAnyNilOrZero(authz.Expires) {
return nil, berrors.InternalServerError(
"SA.GetAuthorizations returned an authz (%s) with zero expiry",
authz.Id)
}
// If the reused authorization expires before the minExpiry, it's expiry
// is the new minExpiry.
authzExpiry := time.Unix(0, authz.ExpiresNS)
authzExpiry := authz.Expires.AsTime()
if authzExpiry.Before(minExpiry) {
minExpiry = authzExpiry
}
@ -2626,7 +2603,6 @@ func (ra *RegistrationAuthorityImpl) NewOrder(ctx context.Context, req *rapb.New
}
// Set the order's expiry to the minimum expiry. The db doesn't store
// sub-second values, so truncate here.
newOrder.ExpiresNS = minExpiry.Truncate(time.Second).UnixNano()
newOrder.Expires = timestamppb.New(minExpiry.Truncate(time.Second))
newOrderAndAuthzsReq := &sapb.NewOrderAndAuthzsRequest{
@ -2637,7 +2613,8 @@ func (ra *RegistrationAuthorityImpl) NewOrder(ctx context.Context, req *rapb.New
if err != nil {
return nil, err
}
if storedOrder.Id == 0 || storedOrder.CreatedNS == 0 || storedOrder.Status == "" || storedOrder.RegistrationID == 0 || storedOrder.ExpiresNS == 0 || len(storedOrder.Names) == 0 {
// TODO(#7153): Check each value via core.IsAnyNilOrZero
if storedOrder.Id == 0 || storedOrder.Status == "" || storedOrder.RegistrationID == 0 || len(storedOrder.Names) == 0 || core.IsAnyNilOrZero(storedOrder.Created, storedOrder.Expires) {
return nil, errIncompleteGRPCResponse
}
ra.orderAges.WithLabelValues("NewOrder").Observe(0)
@ -2652,13 +2629,11 @@ func (ra *RegistrationAuthorityImpl) NewOrder(ctx context.Context, req *rapb.New
// necessary challenges for it and puts this and all of the relevant information
// into a corepb.Authorization for transmission to the SA to be stored
func (ra *RegistrationAuthorityImpl) createPendingAuthz(reg int64, identifier identifier.ACMEIdentifier) (*corepb.Authorization, error) {
expires := ra.clk.Now().Add(ra.pendingAuthorizationLifetime).Truncate(time.Second)
authz := &corepb.Authorization{
Identifier: identifier.Value,
RegistrationID: reg,
Status: string(core.StatusPending),
ExpiresNS: expires.UnixNano(),
Expires: timestamppb.New(expires),
Expires: timestamppb.New(ra.clk.Now().Add(ra.pendingAuthorizationLifetime).Truncate(time.Second)),
}
// Create challenges. The WFE will update them with URIs before sending them out.

61
ra/ra_test.go
View File

@ -100,7 +100,6 @@ func createPendingAuthorization(t *testing.T, sa sapb.StorageAuthorityClient, do
res, err := sa.NewOrderAndAuthzs(context.Background(), &sapb.NewOrderAndAuthzsRequest{
NewOrder: &sapb.NewOrderRequest{
RegistrationID: Registration.Id,
ExpiresNS: exp.UnixNano(),
Expires: timestamppb.New(exp),
Names: []string{domain},
},
@ -119,10 +118,8 @@ func createFinalizedAuthorization(t *testing.T, sa sapb.StorageAuthorityClient,
_, err = sa.FinalizeAuthorization2(context.Background(), &sapb.FinalizeAuthorizationRequest{
Id: pendingID,
Status: "valid",
ExpiresNS: exp.UnixNano(),
Expires: timestamppb.New(exp),
Attempted: string(chall),
AttemptedAtNS: attemptedAt.UnixNano(),
AttemptedAt: timestamppb.New(attemptedAt),
})
test.AssertNotError(t, err, "sa.FinalizeAuthorizations2 failed")
@ -898,7 +895,6 @@ func TestPerformValidationSuccess(t *testing.T) {
// The DB authz's expiry should be equal to the current time plus the
// configured authorization lifetime
test.AssertEquals(t, dbAuthzPB.ExpiresNS, now.Add(ra.authorizationLifetime).UnixNano())
test.AssertEquals(t, dbAuthzPB.Expires.AsTime(), now.Add(ra.authorizationLifetime))
// Check that validated timestamp was recorded, stored, and retrieved
@ -964,7 +960,6 @@ func TestCertificateKeyNotEqualAccountKey(t *testing.T) {
order, err := sa.NewOrderAndAuthzs(context.Background(), &sapb.NewOrderAndAuthzsRequest{
NewOrder: &sapb.NewOrderRequest{
RegistrationID: Registration.Id,
ExpiresNS: exp.UnixNano(),
Expires: timestamppb.New(exp),
Names: []string{"www.example.com"},
V2Authorizations: []int64{authzID},
@ -1143,16 +1138,10 @@ type mockSAWithNameCounts struct {
func (m mockSAWithNameCounts) CountCertificatesByNames(ctx context.Context, req *sapb.CountCertificatesByNamesRequest, _ ...grpc.CallOption) (*sapb.CountByNames, error) {
expectedLatest := m.clk.Now()
if req.Range.LatestNS != expectedLatest.UnixNano() {
m.t.Errorf("incorrect latestNS: got '%d', expected '%d'", req.Range.LatestNS, expectedLatest.UnixNano())
}
if req.Range.Latest.AsTime() != expectedLatest {
m.t.Errorf("incorrect latest: got '%v', expected '%v'", req.Range.Latest.AsTime(), expectedLatest)
}
expectedEarliest := m.clk.Now().Add(-23 * time.Hour)
if req.Range.EarliestNS != expectedEarliest.UnixNano() {
m.t.Errorf("incorrect earliestNS: got '%d', expected '%d'", req.Range.EarliestNS, expectedEarliest.UnixNano())
}
if req.Range.Earliest.AsTime() != expectedEarliest {
m.t.Errorf("incorrect earliest: got '%v', expected '%v'", req.Range.Earliest.AsTime(), expectedEarliest)
}
@ -1292,10 +1281,10 @@ func TestCheckExactCertificateLimit(t *testing.T) {
test.AssertEquals(t, expectRetryAfterNS, expectRetryAfter)
ra.SA = &mockSAWithFQDNSet{
issuanceTimestamps: map[string]*sapb.Timestamps{
"none.example.com": {TimestampsNS: []int64{}, Timestamps: []*timestamppb.Timestamp{}},
"under.example.com": {TimestampsNS: issuanceTimestampsNS[3:3], Timestamps: issuanceTimestamps[3:3]},
"equalbutvalid.example.com": {TimestampsNS: issuanceTimestampsNS[1:3], Timestamps: issuanceTimestamps[1:3]},
"over.example.com": {TimestampsNS: issuanceTimestampsNS[0:3], Timestamps: issuanceTimestamps[0:3]},
"none.example.com": {Timestamps: []*timestamppb.Timestamp{}},
"under.example.com": {Timestamps: issuanceTimestamps[3:3]},
"equalbutvalid.example.com": {Timestamps: issuanceTimestamps[1:3]},
"over.example.com": {Timestamps: issuanceTimestamps[0:3]},
},
t: t,
}
@ -1483,7 +1472,7 @@ func (m mockSAWithFQDNSet) CountCertificatesByNames(ctx context.Context, req *sa
for _, name := range req.Names {
entry, ok := m.issuanceTimestamps[name]
if ok {
counts[name] = int64(len(entry.TimestampsNS))
counts[name] = int64(len(entry.Timestamps))
}
}
return &sapb.CountByNames{Counts: counts}, nil
@ -1494,7 +1483,7 @@ func (m mockSAWithFQDNSet) CountFQDNSets(_ context.Context, req *sapb.CountFQDNS
for _, name := range req.Domains {
entry, ok := m.issuanceTimestamps[name]
if ok {
total += int64(len(entry.TimestampsNS))
total += int64(len(entry.Timestamps))
}
}
return &sapb.Count{Count: total}, nil
@ -1526,13 +1515,11 @@ func TestCheckFQDNSetRateLimitOverride(t *testing.T) {
}
// Create a mock SA that has both name counts and an FQDN set
now := ra.clk.Now()
tsNS := now.UnixNano()
ts := timestamppb.New(now)
ts := timestamppb.New(ra.clk.Now())
mockSA := &mockSAWithFQDNSet{
issuanceTimestamps: map[string]*sapb.Timestamps{
"example.com": {TimestampsNS: []int64{tsNS, tsNS}, Timestamps: []*timestamppb.Timestamp{ts, ts}},
"zombo.com": {TimestampsNS: []int64{tsNS, tsNS}, Timestamps: []*timestamppb.Timestamp{ts, ts}},
"example.com": {Timestamps: []*timestamppb.Timestamp{ts, ts}},
"zombo.com": {Timestamps: []*timestamppb.Timestamp{ts, ts}},
},
fqdnSet: map[string]bool{},
t: t,
@ -1976,7 +1963,6 @@ func TestNewOrder(t *testing.T) {
})
test.AssertNotError(t, err, "ra.NewOrder failed")
test.AssertEquals(t, orderA.RegistrationID, int64(1))
test.AssertEquals(t, orderA.ExpiresNS, now.Add(time.Hour).UnixNano())
test.AssertEquals(t, orderA.Expires.AsTime(), now.Add(time.Hour))
test.AssertEquals(t, len(orderA.Names), 3)
// We expect the order names to have been sorted, deduped, and lowercased
@ -1992,7 +1978,6 @@ func TestNewOrder(t *testing.T) {
})
test.AssertNotError(t, err, "ra.NewOrder failed")
test.AssertEquals(t, orderB.RegistrationID, int64(1))
test.AssertEquals(t, orderB.ExpiresNS, now.Add(time.Hour).UnixNano())
test.AssertEquals(t, orderB.Expires.AsTime(), now.Add(time.Hour))
// We expect orderB's ID to match orderA's because of pending order reuse
test.AssertEquals(t, orderB.Id, orderA.Id)
@ -2011,7 +1996,6 @@ func TestNewOrder(t *testing.T) {
})
test.AssertNotError(t, err, "ra.NewOrder failed")
test.AssertEquals(t, orderC.RegistrationID, int64(1))
test.AssertEquals(t, orderC.ExpiresNS, now.Add(time.Hour).UnixNano())
test.AssertEquals(t, orderC.Expires.AsTime(), now.Add(time.Hour))
test.AssertEquals(t, len(orderC.Names), 4)
test.AssertDeepEquals(t, orderC.Names, []string{"a.com", "b.com", "c.com", "d.com"})
@ -2155,15 +2139,12 @@ func TestNewOrderReuseInvalidAuthz(t *testing.T) {
// It should have one authorization
test.AssertEquals(t, numAuthorizations(order), 1)
now := ra.clk.Now()
_, err = ra.SA.FinalizeAuthorization2(ctx, &sapb.FinalizeAuthorizationRequest{
Id: order.V2Authorizations[0],
Status: string(core.StatusInvalid),
ExpiresNS: order.ExpiresNS,
Expires: order.Expires,
Attempted: string(core.ChallengeTypeDNS01),
AttemptedAtNS: now.UnixNano(),
AttemptedAt: timestamppb.New(now),
AttemptedAt: timestamppb.New(ra.clk.Now()),
})
test.AssertNotError(t, err, "FinalizeAuthorization2 failed")
@ -2593,11 +2574,11 @@ func TestNewOrderExpiry(t *testing.T) {
test.AssertEquals(t, order.V2Authorizations[0], int64(1))
// The order's expiry should be the fake authz's expiry since it is sooner
// than the order's own expiry.
test.AssertEquals(t, order.ExpiresNS, fakeAuthzExpires.UnixNano())
test.AssertEquals(t, order.Expires.AsTime(), fakeAuthzExpires)
// Set the order lifetime to be lower than the fakeAuthzLifetime
ra.orderLifetime = 12 * time.Hour
expectedOrderExpiry := clk.Now().Add(ra.orderLifetime).UnixNano()
expectedOrderExpiry := clk.Now().Add(ra.orderLifetime)
// Create the order again
order, err = ra.NewOrder(ctx, orderReq)
// It shouldn't fail
@ -2607,7 +2588,7 @@ func TestNewOrderExpiry(t *testing.T) {
test.AssertEquals(t, order.V2Authorizations[0], int64(1))
// The order's expiry should be the order's own expiry since it is sooner than
// the fake authz's expiry.
test.AssertEquals(t, order.ExpiresNS, expectedOrderExpiry)
test.AssertEquals(t, order.Expires.AsTime(), expectedOrderExpiry)
}
func TestFinalizeOrder(t *testing.T) {
@ -2689,7 +2670,6 @@ func TestFinalizeOrder(t *testing.T) {
validatedOrder, err := sa.NewOrderAndAuthzs(context.Background(), &sapb.NewOrderAndAuthzsRequest{
NewOrder: &sapb.NewOrderRequest{
RegistrationID: Registration.Id,
ExpiresNS: exp.UnixNano(),
Expires: timestamppb.New(exp),
Names: []string{"not-example.com", "www.not-example.com"},
V2Authorizations: []int64{authzIDA, authzIDB},
@ -2821,7 +2801,6 @@ func TestFinalizeOrder(t *testing.T) {
RegistrationID: 1,
Status: string(core.StatusReady),
Names: []string{"example.org"},
ExpiresNS: exp.UnixNano(),
Expires: timestamppb.New(exp),
CertificateSerial: "",
BeganProcessing: false,
@ -2838,11 +2817,9 @@ func TestFinalizeOrder(t *testing.T) {
Names: []string{"a.com"},
Id: fakeRegOrder.Id,
RegistrationID: fakeRegID,
ExpiresNS: exp.UnixNano(),
Expires: timestamppb.New(exp),
CertificateSerial: "",
BeganProcessing: false,
CreatedNS: now.UnixNano(),
Created: timestamppb.New(now),
},
Csr: oneDomainCSR,
@ -2857,11 +2834,9 @@ func TestFinalizeOrder(t *testing.T) {
Names: []string{"a.com", "b.com"},
Id: missingAuthzOrder.Id,
RegistrationID: Registration.Id,
ExpiresNS: exp.UnixNano(),
Expires: timestamppb.New(exp),
CertificateSerial: "",
BeganProcessing: false,
CreatedNS: now.UnixNano(),
Created: timestamppb.New(now),
},
Csr: twoDomainCSR,
@ -2896,7 +2871,6 @@ func TestFinalizeOrder(t *testing.T) {
test.AssertNotError(t, err, "Error getting order to check serial")
test.AssertNotEquals(t, updatedOrder.CertificateSerial, "")
test.AssertEquals(t, updatedOrder.Status, "valid")
test.AssertEquals(t, updatedOrder.ExpiresNS, exp.UnixNano())
test.AssertEquals(t, updatedOrder.Expires.AsTime(), exp)
}
})
@ -2921,7 +2895,6 @@ func TestFinalizeOrderWithMixedSANAndCN(t *testing.T) {
mixedOrder, err := sa.NewOrderAndAuthzs(context.Background(), &sapb.NewOrderAndAuthzsRequest{
NewOrder: &sapb.NewOrderRequest{
RegistrationID: Registration.Id,
ExpiresNS: exp.UnixNano(),
Expires: timestamppb.New(exp),
Names: []string{"not-example.com", "www.not-example.com"},
V2Authorizations: []int64{authzIDA, authzIDB},
@ -3046,10 +3019,8 @@ func TestFinalizeOrderWildcard(t *testing.T) {
_, err = sa.FinalizeAuthorization2(ctx, &sapb.FinalizeAuthorizationRequest{
Id: validOrder.V2Authorizations[0],
Status: string(core.StatusValid),
ExpiresNS: expires.UnixNano(),
Expires: timestamppb.New(expires),
Attempted: string(core.ChallengeTypeDNS01),
AttemptedAtNS: now.UnixNano(),
AttemptedAt: timestamppb.New(now),
})
test.AssertNotError(t, err, "sa.FinalizeAuthorization2 failed")
@ -3090,7 +3061,6 @@ func TestIssueCertificateAuditLog(t *testing.T) {
order, err := sa.NewOrderAndAuthzs(context.Background(), &sapb.NewOrderAndAuthzsRequest{
NewOrder: &sapb.NewOrderRequest{
RegistrationID: Registration.Id,
ExpiresNS: exp.UnixNano(),
Expires: timestamppb.New(exp),
Names: names,
V2Authorizations: authzIDs,
@ -3222,7 +3192,6 @@ func TestIssueCertificateCAACheckLog(t *testing.T) {
order, err := sa.NewOrderAndAuthzs(context.Background(), &sapb.NewOrderAndAuthzsRequest{
NewOrder: &sapb.NewOrderRequest{
RegistrationID: Registration.Id,
ExpiresNS: exp.UnixNano(),
Expires: timestamppb.New(exp),
Names: names,
V2Authorizations: authzIDs,
@ -3387,7 +3356,6 @@ func TestCTPolicyMeasurements(t *testing.T) {
order, err := ra.SA.NewOrderAndAuthzs(context.Background(), &sapb.NewOrderAndAuthzsRequest{
NewOrder: &sapb.NewOrderRequest{
RegistrationID: Registration.Id,
ExpiresNS: exp.UnixNano(),
Expires: timestamppb.New(exp),
Names: []string{"not-example.com", "www.not-example.com"},
V2Authorizations: []int64{authzIDA, authzIDB},
@ -3518,7 +3486,6 @@ func TestIssueCertificateInnerErrs(t *testing.T) {
order, err := sa.NewOrderAndAuthzs(context.Background(), &sapb.NewOrderAndAuthzsRequest{
NewOrder: &sapb.NewOrderRequest{
RegistrationID: Registration.Id,
ExpiresNS: exp.UnixNano(),
Expires: timestamppb.New(exp),
Names: names,
V2Authorizations: authzIDs,
@ -3755,7 +3722,6 @@ func (msgo *mockSAGenerateOCSP) GetCertificateStatus(_ context.Context, req *sap
return &corepb.CertificateStatus{
Serial: req.Serial,
Status: "good",
NotAfterNS: msgo.expiration.UTC().UnixNano(),
NotAfter: timestamppb.New(msgo.expiration.UTC()),
}, nil
}
@ -4100,7 +4066,6 @@ func TestAdministrativelyRevokeCertificate(t *testing.T) {
test.Assert(t, bytes.Equal(digest[:], mockSA.blocked[0].KeyHash), "key hash mismatch")
test.AssertEquals(t, mockSA.blocked[0].Source, "admin-revoker")
test.AssertEquals(t, mockSA.blocked[0].Comment, "revoked by root")
test.AssertEquals(t, mockSA.blocked[0].AddedNS, clk.Now().UnixNano())
test.AssertEquals(t, mockSA.blocked[0].Added.AsTime(), clk.Now())
test.AssertMetricWithLabelsEquals(
t, ra.revocationReasonCounter, prometheus.Labels{"reason": "keyCompromise"}, 1)

34
sa/model.go
View File

@ -301,12 +301,9 @@ func registrationPbToModel(reg *corepb.Registration) (*regModel, error) {
return nil, err
}
// Converting the int64 zero-value to a unix timestamp does not produce
// the time.Time zero-value (the former is 1970; the latter is year 0),
// so we have to do this check.
var createdAt time.Time
if reg.CreatedAtNS != 0 {
createdAt = time.Unix(0, reg.CreatedAtNS)
if !core.IsAnyNilOrZero(reg.CreatedAt) {
createdAt = reg.CreatedAt.AsTime()
}
return &regModel{
@ -353,7 +350,6 @@ func registrationModelToPb(reg *regModel) (*corepb.Registration, error) {
ContactsPresent: contactsPresent,
Agreement: reg.Agreement,
InitialIP: ipBytes,
CreatedAtNS: reg.CreatedAt.UTC().UnixNano(),
CreatedAt: timestamppb.New(reg.CreatedAt.UTC()),
Status: reg.Status,
}, nil
@ -401,8 +397,8 @@ func orderToModel(order *corepb.Order) (*orderModel, error) {
om := &orderModel{
ID: order.Id,
RegistrationID: order.RegistrationID,
Expires: time.Unix(0, order.ExpiresNS),
Created: time.Unix(0, order.CreatedNS),
Expires: order.Expires.AsTime(),
Created: order.Created.AsTime(),
BeganProcessing: order.BeganProcessing,
CertificateSerial: order.CertificateSerial,
}
@ -424,9 +420,7 @@ func modelToOrder(om *orderModel) (*corepb.Order, error) {
order := &corepb.Order{
Id: om.ID,
RegistrationID: om.RegistrationID,
ExpiresNS: om.Expires.UnixNano(),
Expires: timestamppb.New(om.Expires),
CreatedNS: om.Created.UnixNano(),
Created: timestamppb.New(om.Created),
CertificateSerial: om.CertificateSerial,
BeganProcessing: om.BeganProcessing,
@ -638,7 +632,7 @@ func authzPBToModel(authz *corepb.Authorization) (*authzModel, error) {
IdentifierValue: authz.Identifier,
RegistrationID: authz.RegistrationID,
Status: statusToUint[core.AcmeStatus(authz.Status)],
Expires: time.Unix(0, authz.ExpiresNS).UTC(),
Expires: authz.Expires.AsTime(),
}
if authz.Id != "" {
// The v1 internal authorization objects use a string for the ID, the v2
@ -676,8 +670,8 @@ func authzPBToModel(authz *corepb.Authorization) (*authzModel, error) {
// If validated Unix timestamp is zero then keep the core.Challenge Validated object nil.
var validated *time.Time
if chall.ValidatedNS != 0 {
val := time.Unix(0, chall.ValidatedNS).UTC()
if !core.IsAnyNilOrZero(chall.Validated) {
val := chall.Validated.AsTime()
validated = &val
}
am.AttemptedAt = validated
@ -781,7 +775,6 @@ func modelToAuthzPB(am authzModel) (*corepb.Authorization, error) {
Status: string(uintToStatus[am.Status]),
Identifier: am.IdentifierValue,
RegistrationID: am.RegistrationID,
ExpiresNS: am.Expires.UTC().UnixNano(),
Expires: timestamppb.New(am.Expires),
}
// Populate authorization challenge array. We do this by iterating through
@ -811,14 +804,11 @@ func modelToAuthzPB(am authzModel) (*corepb.Authorization, error) {
return nil, err
}
// Get the attemptedAt time and assign to the challenge validated time.
var validatedInt int64 = 0
validatedTS := timestamppb.New(time.Time{})
var validated *timestamppb.Timestamp
if am.AttemptedAt != nil {
validatedInt = am.AttemptedAt.UTC().UnixNano()
validatedTS = timestamppb.New(*am.AttemptedAt)
validated = timestamppb.New(*am.AttemptedAt)
}
challenge.ValidatedNS = validatedInt
challenge.Validated = validatedTS
challenge.Validated = validated
pb.Challenges = append(pb.Challenges, challenge)
}
} else {
@ -857,7 +847,6 @@ func incidentModelToPB(i incidentModel) sapb.Incident {
Id: i.ID,
SerialTable: i.SerialTable,
Url: i.URL,
RenewByNS: i.RenewBy.UnixNano(),
RenewBy: timestamppb.New(i.RenewBy),
Enabled: i.Enabled,
}
@ -1015,8 +1004,7 @@ func statusForOrder(ctx context.Context, s db.Selector, order *corepb.Order, now
// in ra.NewOrder), and expired authorizations may be purged from the DB.
// Because of this purging fetching the authz's for an expired order may
// return fewer authz objects than expected, triggering a 500 error response.
orderExpiry := time.Unix(0, order.ExpiresNS)
if orderExpiry.Before(now) {
if order.Expires.AsTime().Before(now) {
return string(core.StatusInvalid), nil
}

7
sa/model_test.go
View File

@ -71,14 +71,12 @@ func TestAuthzModel(t *testing.T) {
Identifier: "example.com",
RegistrationID: 1,
Status: string(core.StatusValid),
ExpiresNS: expires.UnixNano(),
Expires: timestamppb.New(expires),
Challenges: []*corepb.Challenge{
{
Type: string(core.ChallengeTypeHTTP01),
Status: string(core.StatusValid),
Token: "MTIz",
ValidatedNS: now.UnixNano(),
Validated: timestamppb.New(now),
Validationrecords: []*corepb.ValidationRecord{
{
@ -119,14 +117,12 @@ func TestAuthzModel(t *testing.T) {
Identifier: "example.com",
RegistrationID: 1,
Status: string(core.StatusValid),
ExpiresNS: expires.UnixNano(),
Expires: timestamppb.New(expires),
Challenges: []*corepb.Challenge{
{
Type: string(core.ChallengeTypeHTTP01),
Status: string(core.StatusValid),
Token: "MTIz",
ValidatedNS: now.UnixNano(),
Validated: timestamppb.New(now),
Validationrecords: []*corepb.ValidationRecord{
{
@ -172,7 +168,6 @@ func TestAuthzModel(t *testing.T) {
Identifier: "example.com",
RegistrationID: 1,
Status: string(core.StatusInvalid),
ExpiresNS: expires.UnixNano(),
Expires: timestamppb.New(expires),
Challenges: []*corepb.Challenge{
{
@ -214,14 +209,12 @@ func TestAuthzModel(t *testing.T) {
Identifier: "example.com",
RegistrationID: 1,
Status: string(core.StatusValid),
ExpiresNS: expires.UnixNano(),
Expires: timestamppb.New(expires),
Challenges: []*corepb.Challenge{
{
Type: string(core.ChallengeTypeHTTP01),
Status: string(core.StatusValid),
Token: "MTIz",
ValidatedNS: now.UnixNano(),
Validated: timestamppb.New(now),
Validationrecords: []*corepb.ValidationRecord{
{

1517
sa/proto/sa.pb.go
View File

File diff suppressed because it is too large Load Diff

44
sa/proto/sa.proto
View File

@ -110,7 +110,7 @@ message GetPendingAuthorizationRequest {
string identifierType = 2;
string identifierValue = 3;
// Result must be valid until at least this Unix timestamp (nanos)
int64 validUntilNS = 4;
reserved 4; // Previously validUntilNS
google.protobuf.Timestamp validUntil = 5; // Result must be valid until at least this timestamp
}
@ -118,7 +118,7 @@ message GetValidAuthorizationsRequest {
// Next unused field number: 5
int64 registrationID = 1;
repeated string domains = 2;
int64 nowNS = 3; // Unix timestamp (nanoseconds)
reserved 3; // Previously nowNS
google.protobuf.Timestamp now = 4;
}
@ -138,17 +138,17 @@ message SerialMetadata {
// Next unused field number: 7
string serial = 1;
int64 registrationID = 2;
int64 createdNS = 3; // Unix timestamp (nanoseconds)
reserved 3; // Previously createdNS
google.protobuf.Timestamp created = 5;
int64 expiresNS = 4; // Unix timestamp (nanoseconds)
reserved 4; // Previously expiresNS
google.protobuf.Timestamp expires = 6;
}
message Range {
// Next unused field number: 5
int64 earliestNS = 1; // Unix timestamp (nanoseconds)
reserved 1; // Previously earliestNS
google.protobuf.Timestamp earliest = 3;
int64 latestNS = 2; // Unix timestamp (nanoseconds)
reserved 2; // Previously latestNS
google.protobuf.Timestamp latest = 4;
}
@ -158,7 +158,7 @@ message Count {
message Timestamps {
// Next unused field number: 3
repeated int64 timestampsNS = 1; // Unix timestamp (nanoseconds)
reserved 1; // Previously repeated timestampsNS
repeated google.protobuf.Timestamp timestamps = 2;
}
@ -213,9 +213,9 @@ message AddSerialRequest {
// Next unused field number: 7
int64 regID = 1;
string serial = 2;
int64 createdNS = 3; // Unix timestamp (nanoseconds)
reserved 3; // Previously createdNS
google.protobuf.Timestamp created = 5;
int64 expiresNS = 4; // Unix timestamp (nanoseconds)
reserved 4; // Previously expiresNS
google.protobuf.Timestamp expires = 6;
}
@ -226,7 +226,7 @@ message AddCertificateRequest {
reserved 3; // previously ocsp
// An issued time. When not present the SA defaults to using
// the current time.
int64 issuedNS = 4; // Unix timestamp (nanoseconds)
reserved 4; // Previously issuedNS
google.protobuf.Timestamp issued = 7;
int64 issuerNameID = 5; // https://pkg.go.dev/github.com/letsencrypt/boulder/issuance#IssuerNameID
@ -253,7 +253,7 @@ message OrderRequest {
message NewOrderRequest {
// Next unused field number: 6
int64 registrationID = 1;
int64 expiresNS = 2; // Unix timestamp (nanoseconds)
reserved 2; // Previously expiresNS
google.protobuf.Timestamp expires = 5;
repeated string names = 3;
repeated int64 v2Authorizations = 4;
@ -288,7 +288,7 @@ message GetAuthorizationsRequest {
// Next unused field number: 5
int64 registrationID = 1;
repeated string domains = 2;
int64 nowNS = 3; // Unix timestamp (nanoseconds)
reserved 3; // Previously nowNS
google.protobuf.Timestamp now = 4;
}
@ -312,9 +312,9 @@ message RevokeCertificateRequest {
// Next unused field number: 10
string serial = 1;
int64 reason = 2;
int64 dateNS = 3; // Unix timestamp (nanoseconds)
reserved 3; // Previously dateNS
google.protobuf.Timestamp date = 8;
int64 backdateNS = 5; // Unix timestamp (nanoseconds)
reserved 5; // Previously backdateNS
google.protobuf.Timestamp backdate = 9;
bytes response = 4;
int64 issuerID = 6;
@ -325,19 +325,19 @@ message FinalizeAuthorizationRequest {
// Next unused field number: 10
int64 id = 1;
string status = 2;
int64 expiresNS = 3; // Unix timestamp (nanoseconds)
reserved 3; // Previously
google.protobuf.Timestamp expires = 8;
string attempted = 4;
repeated core.ValidationRecord validationRecords = 5;
core.ProblemDetails validationError = 6;
int64 attemptedAtNS = 7; // Unix timestamp (nanoseconds)
reserved 7; // Previously attemptedAtNS
google.protobuf.Timestamp attemptedAt = 9;
}
message AddBlockedKeyRequest {
// Next unused field number: 7
bytes keyHash = 1;
int64 addedNS = 2; // Unix timestamp (nanoseconds)
reserved 2; // Previously addedNS
google.protobuf.Timestamp added = 6;
string source = 3;
string comment = 4;
@ -353,7 +353,7 @@ message Incident {
int64 id = 1;
string serialTable = 2;
string url = 3;
int64 renewByNS = 4; // Unix timestamp (nanoseconds)
reserved 4; // Previously renewByNS
google.protobuf.Timestamp renewBy = 6;
bool enabled = 5;
}
@ -371,18 +371,18 @@ message IncidentSerial {
string serial = 1;
int64 registrationID = 2; // May be 0 (NULL)
int64 orderID = 3; // May be 0 (NULL)
int64 lastNoticeSentNS = 4; // Unix timestamp (nanoseconds), may be 0 (NULL)
reserved 4; // Previously lastNoticeSentNS
google.protobuf.Timestamp lastNoticeSent = 5;
}
message GetRevokedCertsRequest {
// Next unused field number: 9
int64 issuerNameID = 1;
int64 expiresAfterNS = 2; // Unix timestamp (nanoseconds), inclusive
reserved 2; // Previously expiresAfterNS
google.protobuf.Timestamp expiresAfter = 6; // inclusive
int64 expiresBeforeNS = 3; // Unix timestamp (nanoseconds), exclusive
reserved 3; // Previously expiresBeforeNS
google.protobuf.Timestamp expiresBefore = 7; // exclusive
int64 revokedBeforeNS = 4; // Unix timestamp (nanoseconds)
reserved 4; // Previously revokedBeforeNS
google.protobuf.Timestamp revokedBefore = 8;
int64 shardIdx = 5; // Must not be set until the revokedCertificates table has 90+ days of entries.
}

8
sa/rate_limits.go
View File

@ -58,7 +58,7 @@ func (ssa *SQLStorageAuthority) addCertificatesPerName(ctx context.Context, db d
// countCertificates returns the count of certificates issued for a domain's
// eTLD+1 (aka base domain), during a given time range.
func (ssa *SQLStorageAuthorityRO) countCertificates(ctx context.Context, dbMap db.Selector, domain string, timeRange *sapb.Range) (int64, time.Time, error) {
latest := time.Unix(0, timeRange.LatestNS)
latest := timeRange.Latest.AsTime()
var results []struct {
Count int64
Time time.Time
@ -72,7 +72,7 @@ func (ssa *SQLStorageAuthorityRO) countCertificates(ctx context.Context, dbMap d
time <= :latest`,
map[string]interface{}{
"baseDomain": baseDomain(domain),
"earliest": time.Unix(0, timeRange.EarliestNS),
"earliest": timeRange.Earliest.AsTime(),
"latest": latest,
})
if err != nil {
@ -128,8 +128,8 @@ func countNewOrders(ctx context.Context, dbMap db.Selector, req *sapb.CountOrder
time <= :latest`,
map[string]interface{}{
"regID": req.AccountID,
"earliest": time.Unix(0, req.Range.EarliestNS),
"latest": time.Unix(0, req.Range.LatestNS),
"earliest": req.Range.Earliest.AsTime(),
"latest": req.Range.Latest.AsTime(),
},
)
if err != nil {

8
sa/rate_limits_test.go
View File

@ -79,9 +79,7 @@ func TestCertsPerNameRateLimitTable(t *testing.T) {
for _, tc := range testCases {
t.Run(tc.caseName, func(t *testing.T) {
timeRange := &sapb.Range{
EarliestNS: aprilFirst.Add(-1 * time.Second).UnixNano(),
Earliest: timestamppb.New(aprilFirst.Add(-1 * time.Second)),
LatestNS: aprilFirst.Add(aWeek).UnixNano(),
Latest: timestamppb.New(aprilFirst.Add(aWeek)),
}
count, earliest, err := sa.countCertificatesByName(ctx, sa.dbMap, tc.domainName, timeRange)
@ -110,9 +108,7 @@ func TestNewOrdersRateLimitTable(t *testing.T) {
req := &sapb.CountOrdersRequest{
AccountID: 1,
Range: &sapb.Range{
EarliestNS: start.UnixNano(),
Earliest: timestamppb.New(start),
LatestNS: start.Add(time.Minute * 10).UnixNano(),
Latest: timestamppb.New(start.Add(time.Minute * 10)),
},
}
@ -136,8 +132,8 @@ func TestNewOrdersRateLimitTable(t *testing.T) {
test.AssertNotError(t, err, "countNewOrders failed")
test.AssertEquals(t, count.Count, int64(65))
req.Range.EarliestNS = start.Add(time.Minute * 5).UnixNano()
req.Range.LatestNS = start.Add(time.Minute * 10).UnixNano()
req.Range.Earliest = timestamppb.New(start.Add(time.Minute * 5))
req.Range.Latest = timestamppb.New(start.Add(time.Minute * 10))
count, err = countNewOrders(ctx, sa.dbMap, req)
test.AssertNotError(t, err, "countNewOrders failed")
test.AssertEquals(t, count.Count, int64(45))

53
sa/sa.go
View File

@ -158,14 +158,15 @@ func (ssa *SQLStorageAuthority) UpdateRegistration(ctx context.Context, req *cor
// AddSerial writes a record of a serial number generation to the DB.
func (ssa *SQLStorageAuthority) AddSerial(ctx context.Context, req *sapb.AddSerialRequest) (*emptypb.Empty, error) {
if req.Serial == "" || req.RegID == 0 || req.CreatedNS == 0 || req.ExpiresNS == 0 {
// TODO(#7153): Check each value via core.IsAnyNilOrZero
if req.Serial == "" || req.RegID == 0 || core.IsAnyNilOrZero(req.Created, req.Expires) {
return nil, errIncompleteRequest
}
err := ssa.dbMap.Insert(ctx, &recordedSerialModel{
Serial: req.Serial,
RegistrationID: req.RegID,
Created: time.Unix(0, req.CreatedNS),
Expires: time.Unix(0, req.ExpiresNS),
Created: req.Created.AsTime(),
Expires: req.Expires.AsTime(),
})
if err != nil {
return nil, err
@ -204,7 +205,8 @@ func (ssa *SQLStorageAuthority) SetCertificateStatusReady(ctx context.Context, r
// certificate multiple times. Calling code needs to first insert the cert's
// serial into the Serials table to ensure uniqueness.
func (ssa *SQLStorageAuthority) AddPrecertificate(ctx context.Context, req *sapb.AddCertificateRequest) (*emptypb.Empty, error) {
if len(req.Der) == 0 || req.RegID == 0 || req.IssuedNS == 0 || req.IssuerNameID == 0 {
// TODO(#7153): Check each value via core.IsAnyNilOrZero
if len(req.Der) == 0 || req.RegID == 0 || req.IssuerNameID == 0 || core.IsAnyNilOrZero(req.Issued) {
return nil, errIncompleteRequest
}
parsed, err := x509.ParseCertificate(req.Der)
@ -217,7 +219,7 @@ func (ssa *SQLStorageAuthority) AddPrecertificate(ctx context.Context, req *sapb
Serial: serialHex,
RegistrationID: req.RegID,
DER: req.Der,
Issued: time.Unix(0, req.IssuedNS),
Issued: req.Issued.AsTime(),
Expires: parsed.NotAfter,
}
@ -295,7 +297,8 @@ func (ssa *SQLStorageAuthority) AddPrecertificate(ctx context.Context, req *sapb
// AddCertificate stores an issued certificate, returning an error if it is a
// duplicate or if any other failure occurs.
func (ssa *SQLStorageAuthority) AddCertificate(ctx context.Context, req *sapb.AddCertificateRequest) (*emptypb.Empty, error) {
if len(req.Der) == 0 || req.RegID == 0 || req.IssuedNS == 0 {
// TODO(#7153): Check each value via core.IsAnyNilOrZero
if len(req.Der) == 0 || req.RegID == 0 || core.IsAnyNilOrZero(req.Issued) {
return nil, errIncompleteRequest
}
parsedCertificate, err := x509.ParseCertificate(req.Der)
@ -310,7 +313,7 @@ func (ssa *SQLStorageAuthority) AddCertificate(ctx context.Context, req *sapb.Ad
Serial: serial,
Digest: digest,
DER: req.Der,
Issued: time.Unix(0, req.IssuedNS),
Issued: req.Issued.AsTime(),
Expires: parsedCertificate.NotAfter,
}
@ -496,7 +499,7 @@ func (ssa *SQLStorageAuthority) NewOrderAndAuthzs(ctx context.Context, req *sapb
// Second, insert the new order.
order := &orderModel{
RegistrationID: req.NewOrder.RegistrationID,
Expires: time.Unix(0, req.NewOrder.ExpiresNS),
Expires: req.NewOrder.Expires.AsTime(),
Created: ssa.clk.Now(),
}
err := tx.Insert(ctx, order)
@ -552,12 +555,10 @@ func (ssa *SQLStorageAuthority) NewOrderAndAuthzs(ctx context.Context, req *sapb
res := &corepb.Order{
// ID and Created were auto-populated on the order model when it was inserted.
Id: order.ID,
CreatedNS: order.Created.UnixNano(),
Created: timestamppb.New(order.Created),
// These are carried over from the original request unchanged.
RegistrationID: req.NewOrder.RegistrationID,
ExpiresNS: req.NewOrder.ExpiresNS,
Expires: timestamppb.New(time.Unix(0, req.NewOrder.ExpiresNS)),
Expires: req.NewOrder.Expires,
Names: req.NewOrder.Names,
// Have to combine the already-associated and newly-reacted authzs.
V2Authorizations: append(req.NewOrder.V2Authorizations, newAuthzIDs...),
@ -707,7 +708,8 @@ func (ssa *SQLStorageAuthority) FinalizeOrder(ctx context.Context, req *sapb.Fin
// the authorization is being moved to invalid the validationError field must be set. If the
// authorization is being moved to valid the validationRecord and expires fields must be set.
func (ssa *SQLStorageAuthority) FinalizeAuthorization2(ctx context.Context, req *sapb.FinalizeAuthorizationRequest) (*emptypb.Empty, error) {
if req.Status == "" || req.Attempted == "" || req.ExpiresNS == 0 || req.Id == 0 {
// TODO(#7153): Check each value via core.IsAnyNilOrZero
if req.Status == "" || req.Attempted == "" || req.Id == 0 || core.IsAnyNilOrZero(req.Expires) {
return nil, errIncompleteRequest
}
@ -753,12 +755,11 @@ func (ssa *SQLStorageAuthority) FinalizeAuthorization2(ctx context.Context, req
veJSON = j
}
// Check to see if the AttemptedAt time is non zero and convert to
// *time.Time if so. If it is zero, leave nil and don't convert. Keep
// the the database attemptedAt field Null instead of
// 1970-01-01 00:00:00.
// *time.Time if so. If it is zero, leave nil and don't convert. Keep the
// database attemptedAt field Null instead of 1970-01-01 00:00:00.
var attemptedTime *time.Time
if req.AttemptedAtNS != 0 {
val := time.Unix(0, req.AttemptedAtNS).UTC()
if !core.IsAnyNilOrZero(req.AttemptedAt) {
val := req.AttemptedAt.AsTime()
attemptedTime = &val
}
params := map[string]interface{}{
@ -768,7 +769,7 @@ func (ssa *SQLStorageAuthority) FinalizeAuthorization2(ctx context.Context, req
"validationRecord": vrJSON,
"id": req.Id,
"pending": statusUint(core.StatusPending),
"expires": time.Unix(0, req.ExpiresNS).UTC(),
"expires": req.Expires.AsTime(),
// if req.ValidationError is nil veJSON should also be nil
// which should result in a NULL field
"validationError": veJSON,
@ -830,12 +831,13 @@ func addRevokedCertificate(ctx context.Context, tx db.Executor, req *sapb.Revoke
// RevokeCertificate stores revocation information about a certificate. It will only store this
// information if the certificate is not already marked as revoked.
func (ssa *SQLStorageAuthority) RevokeCertificate(ctx context.Context, req *sapb.RevokeCertificateRequest) (*emptypb.Empty, error) {
if req.Serial == "" || req.DateNS == 0 || req.IssuerID == 0 {
// TODO(#7153): Check each value via core.IsAnyNilOrZero
if req.Serial == "" || req.IssuerID == 0 || core.IsAnyNilOrZero(req.Date) {
return nil, errIncompleteRequest
}
_, overallError := db.WithTransaction(ctx, ssa.dbMap, func(tx db.Executor) (interface{}, error) {
revokedDate := time.Unix(0, req.DateNS)
revokedDate := req.Date.AsTime()
res, err := tx.ExecContext(ctx,
`UPDATE certificateStatus SET
@ -883,7 +885,8 @@ func (ssa *SQLStorageAuthority) RevokeCertificate(ctx context.Context, req *sapb
// cert is already revoked, if the new revocation reason is `KeyCompromise`,
// and if the revokedDate is identical to the current revokedDate.
func (ssa *SQLStorageAuthority) UpdateRevokedCertificate(ctx context.Context, req *sapb.RevokeCertificateRequest) (*emptypb.Empty, error) {
if req.Serial == "" || req.DateNS == 0 || req.BackdateNS == 0 || req.IssuerID == 0 {
// TODO(#7153): Check each value via core.IsAnyNilOrZero
if req.Serial == "" || req.IssuerID == 0 || core.IsAnyNilOrZero(req.Date, req.Backdate) {
return nil, errIncompleteRequest
}
if req.Reason != ocsp.KeyCompromise {
@ -891,8 +894,8 @@ func (ssa *SQLStorageAuthority) UpdateRevokedCertificate(ctx context.Context, re
}
_, overallError := db.WithTransaction(ctx, ssa.dbMap, func(tx db.Executor) (interface{}, error) {
thisUpdate := time.Unix(0, req.DateNS)
revokedDate := time.Unix(0, req.BackdateNS)
thisUpdate := req.Date.AsTime()
revokedDate := req.Backdate.AsTime()
res, err := tx.ExecContext(ctx,
`UPDATE certificateStatus SET
@ -964,7 +967,7 @@ func (ssa *SQLStorageAuthority) UpdateRevokedCertificate(ctx context.Context, re
// AddBlockedKey adds a key hash to the blockedKeys table
func (ssa *SQLStorageAuthority) AddBlockedKey(ctx context.Context, req *sapb.AddBlockedKeyRequest) (*emptypb.Empty, error) {
if core.IsAnyNilOrZero(req.KeyHash, req.AddedNS, req.Source) {
if core.IsAnyNilOrZero(req.KeyHash, req.Added, req.Source) {
return nil, errIncompleteRequest
}
sourceInt, ok := stringToSourceInt[req.Source]
@ -974,7 +977,7 @@ func (ssa *SQLStorageAuthority) AddBlockedKey(ctx context.Context, req *sapb.Add
cols, qs := blockedKeysColumns, "?, ?, ?, ?"
vals := []interface{}{
req.KeyHash,
time.Unix(0, req.AddedNS),
req.Added.AsTime(),
sourceInt,
req.Comment,
}

231
sa/sa_test.go
View File

File diff suppressed because it is too large Load Diff

66
sa/saro.go
View File

@ -218,7 +218,8 @@ func ipRange(ip net.IP) (net.IP, net.IP) {
// CountRegistrationsByIP returns the number of registrations created in the
// time range for a single IP address.
func (ssa *SQLStorageAuthorityRO) CountRegistrationsByIP(ctx context.Context, req *sapb.CountRegistrationsByIPRequest) (*sapb.Count, error) {
if len(req.Ip) == 0 || req.Range.EarliestNS == 0 || req.Range.LatestNS == 0 {
// TODO(#7153): Check each value via core.IsAnyNilOrZero
if len(req.Ip) == 0 || core.IsAnyNilOrZero(req.Range.Earliest, req.Range.Latest) {
return nil, errIncompleteRequest
}
@ -233,8 +234,8 @@ func (ssa *SQLStorageAuthorityRO) CountRegistrationsByIP(ctx context.Context, re
createdAt <= :latest`,
map[string]interface{}{
"ip": req.Ip,
"earliest": time.Unix(0, req.Range.EarliestNS),
"latest": time.Unix(0, req.Range.LatestNS),
"earliest": req.Range.Earliest.AsTime(),
"latest": req.Range.Latest.AsTime(),
})
if err != nil {
return nil, err
@ -251,7 +252,8 @@ func (ssa *SQLStorageAuthority) CountRegistrationsByIP(ctx context.Context, req
// the single IP. For IPv6 addresses, that range is a /48, since it's not
// uncommon for one person to have a /48 to themselves.
func (ssa *SQLStorageAuthorityRO) CountRegistrationsByIPRange(ctx context.Context, req *sapb.CountRegistrationsByIPRequest) (*sapb.Count, error) {
if len(req.Ip) == 0 || req.Range.EarliestNS == 0 || req.Range.LatestNS == 0 {
// TODO(#7153): Check each value via core.IsAnyNilOrZero
if len(req.Ip) == 0 || core.IsAnyNilOrZero(req.Range.Earliest, req.Range.Latest) {
return nil, errIncompleteRequest
}
@ -267,8 +269,8 @@ func (ssa *SQLStorageAuthorityRO) CountRegistrationsByIPRange(ctx context.Contex
:earliest < createdAt AND
createdAt <= :latest`,
map[string]interface{}{
"earliest": time.Unix(0, req.Range.EarliestNS),
"latest": time.Unix(0, req.Range.LatestNS),
"earliest": req.Range.Earliest.AsTime(),
"latest": req.Range.Latest.AsTime(),
"beginIP": beginIP,
"endIP": endIP,
})
@ -290,7 +292,8 @@ func (ssa *SQLStorageAuthority) CountRegistrationsByIPRange(ctx context.Context,
// issued for any of the domains during the provided range of time. Queries will
// be run in parallel. If any of them error, only one error will be returned.
func (ssa *SQLStorageAuthorityRO) CountCertificatesByNames(ctx context.Context, req *sapb.CountCertificatesByNamesRequest) (*sapb.CountByNames, error) {
if len(req.Names) == 0 || req.Range.EarliestNS == 0 || req.Range.LatestNS == 0 {
// TODO(#7153): Check each value via core.IsAnyNilOrZero
if len(req.Names) == 0 || core.IsAnyNilOrZero(req.Range.Earliest, req.Range.Latest) {
return nil, errIncompleteRequest
}
@ -343,7 +346,7 @@ func (ssa *SQLStorageAuthorityRO) CountCertificatesByNames(ctx context.Context,
// Set earliest to the latest possible time, so that we can find the
// earliest certificate in the results.
earliest := timestamppb.New(time.Unix(0, req.Range.LatestNS))
earliest := req.Range.Latest
counts := make(map[string]int64)
for r := range results {
if r.err != nil {
@ -404,9 +407,7 @@ func (ssa *SQLStorageAuthorityRO) GetSerialMetadata(ctx context.Context, req *sa
return &sapb.SerialMetadata{
Serial: recordedSerial.Serial,
RegistrationID: recordedSerial.RegistrationID,
CreatedNS: recordedSerial.Created.UnixNano(),
Created: timestamppb.New(recordedSerial.Created),
ExpiresNS: recordedSerial.Expires.UnixNano(),
Expires: timestamppb.New(recordedSerial.Expires),
}, nil
}
@ -493,7 +494,8 @@ func (ssa *SQLStorageAuthority) GetRevocationStatus(ctx context.Context, req *sa
}
func (ssa *SQLStorageAuthorityRO) CountOrders(ctx context.Context, req *sapb.CountOrdersRequest) (*sapb.Count, error) {
if req.AccountID == 0 || req.Range.EarliestNS == 0 || req.Range.LatestNS == 0 {
// TODO(#7153): Check each value via core.IsAnyNilOrZero
if req.AccountID == 0 || core.IsAnyNilOrZero(req.Range.Earliest, req.Range.Latest) {
return nil, errIncompleteRequest
}
@ -553,13 +555,11 @@ func (ssa *SQLStorageAuthorityRO) FQDNSetTimestampsForWindow(ctx context.Context
return nil, err
}
var resultsNS []int64
var results []*timestamppb.Timestamp
for _, i := range rows {
resultsNS = append(resultsNS, i.Issued.UnixNano())
results = append(results, timestamppb.New(i.Issued))
}
return &sapb.Timestamps{TimestampsNS: resultsNS, Timestamps: results}, nil
return &sapb.Timestamps{Timestamps: results}, nil
}
func (ssa *SQLStorageAuthority) FQDNSetTimestampsForWindow(ctx context.Context, req *sapb.CountFQDNSetsRequest) (*sapb.Timestamps, error) {
@ -687,7 +687,7 @@ func (ssa *SQLStorageAuthorityRO) GetOrder(ctx context.Context, req *sapb.OrderR
return nil, err
}
orderExp := time.Unix(0, order.ExpiresNS)
orderExp := order.Expires.AsTime()
if orderExp.Before(ssa.clk.Now()) {
return nil, berrors.NotFoundError("no order found for ID %d", req.Id)
}
@ -759,7 +759,6 @@ func (ssa *SQLStorageAuthority) GetOrder(ctx context.Context, req *sapb.OrderReq
// unexpired orders are considered. If no order meeting these requirements is
// found a nil corepb.Order pointer is returned.
func (ssa *SQLStorageAuthorityRO) GetOrderForNames(ctx context.Context, req *sapb.GetOrderForNamesRequest) (*corepb.Order, error) {
if req.AcctID == 0 || len(req.Names) == 0 {
return nil, errIncompleteRequest
}
@ -873,7 +872,8 @@ func authzModelMapToPB(m map[string]authzModel) (*sapb.Authorizations, error) {
// GetAuthorizations2 returns any valid or pending authorizations that exist for the list of domains
// provided. If both a valid and pending authorization exist only the valid one will be returned.
func (ssa *SQLStorageAuthorityRO) GetAuthorizations2(ctx context.Context, req *sapb.GetAuthorizationsRequest) (*sapb.Authorizations, error) {
if len(req.Domains) == 0 || req.RegistrationID == 0 || req.NowNS == 0 {
// TODO(#7153): Check each value via core.IsAnyNilOrZero
if len(req.Domains) == 0 || req.RegistrationID == 0 || core.IsAnyNilOrZero(req.Now) {
return nil, errIncompleteRequest
}
var authzModels []authzModel
@ -881,7 +881,7 @@ func (ssa *SQLStorageAuthorityRO) GetAuthorizations2(ctx context.Context, req *s
req.RegistrationID,
statusUint(core.StatusValid),
statusUint(core.StatusPending),
time.Unix(0, req.NowNS),
req.Now.AsTime(),
identifierTypeToUint[string(identifier.DNS)],
}
@ -934,7 +934,8 @@ func (ssa *SQLStorageAuthority) GetAuthorizations2(ctx context.Context, req *sap
// the given identifier, if available. This method only supports DNS identifier types.
// TODO(#5816): Consider removing this method, as it has no callers.
func (ssa *SQLStorageAuthorityRO) GetPendingAuthorization2(ctx context.Context, req *sapb.GetPendingAuthorizationRequest) (*corepb.Authorization, error) {
if req.RegistrationID == 0 || req.IdentifierValue == "" || req.ValidUntilNS == 0 {
// TODO(#7153): Check each value via core.IsAnyNilOrZero
if req.RegistrationID == 0 || req.IdentifierValue == "" || core.IsAnyNilOrZero(req.ValidUntil) {
return nil, errIncompleteRequest
}
var am authzModel
@ -952,7 +953,7 @@ func (ssa *SQLStorageAuthorityRO) GetPendingAuthorization2(ctx context.Context,
map[string]interface{}{
"regID": req.RegistrationID,
"status": statusUint(core.StatusPending),
"validUntil": time.Unix(0, req.ValidUntilNS),
"validUntil": req.ValidUntil.AsTime(),
"dnsType": identifierTypeToUint[string(identifier.DNS)],
"ident": req.IdentifierValue,
},
@ -1060,7 +1061,8 @@ func (ssa *SQLStorageAuthority) GetValidOrderAuthorizations2(ctx context.Context
// CountInvalidAuthorizations2 counts invalid authorizations for a user expiring
// in a given time range. This method only supports DNS identifier types.
func (ssa *SQLStorageAuthorityRO) CountInvalidAuthorizations2(ctx context.Context, req *sapb.CountInvalidAuthorizationsRequest) (*sapb.Count, error) {
if req.RegistrationID == 0 || req.Hostname == "" || req.Range.EarliestNS == 0 || req.Range.LatestNS == 0 {
// TODO(#7153): Check each value via core.IsAnyNilOrZero
if req.RegistrationID == 0 || req.Hostname == "" || core.IsAnyNilOrZero(req.Range.Earliest, req.Range.Latest) {
return nil, errIncompleteRequest
}
@ -1079,8 +1081,8 @@ func (ssa *SQLStorageAuthorityRO) CountInvalidAuthorizations2(ctx context.Contex
"regID": req.RegistrationID,
"dnsType": identifierTypeToUint[string(identifier.DNS)],
"ident": req.Hostname,
"expiresEarliest": time.Unix(0, req.Range.EarliestNS),
"expiresLatest": time.Unix(0, req.Range.LatestNS),
"expiresEarliest": req.Range.Earliest.AsTime(),
"expiresLatest": req.Range.Latest.AsTime(),
"status": statusUint(core.StatusInvalid),
},
)
@ -1098,7 +1100,8 @@ func (ssa *SQLStorageAuthority) CountInvalidAuthorizations2(ctx context.Context,
// domain names that the account has authorizations for. This method
// only supports DNS identifier types.
func (ssa *SQLStorageAuthorityRO) GetValidAuthorizations2(ctx context.Context, req *sapb.GetValidAuthorizationsRequest) (*sapb.Authorizations, error) {
if len(req.Domains) == 0 || req.RegistrationID == 0 || req.NowNS == 0 {
// TODO(#7153): Check each value via core.IsAnyNilOrZero
if len(req.Domains) == 0 || req.RegistrationID == 0 || core.IsAnyNilOrZero(req.Now) {
return nil, errIncompleteRequest
}
@ -1116,7 +1119,7 @@ func (ssa *SQLStorageAuthorityRO) GetValidAuthorizations2(ctx context.Context, r
params := []interface{}{
req.RegistrationID,
statusUint(core.StatusValid),
time.Unix(0, req.NowNS),
req.Now.AsTime(),
identifierTypeToUint[string(identifier.DNS)],
}
for _, domain := range req.Domains {
@ -1264,7 +1267,6 @@ func (ssa *SQLStorageAuthorityRO) SerialsForIncident(req *sapb.SerialsForInciden
ispb.OrderID = *ism.OrderID
}
if ism.LastNoticeSent != nil {
ispb.LastNoticeSentNS = ism.LastNoticeSent.UnixNano()
ispb.LastNoticeSent = timestamppb.New(*ism.LastNoticeSent)
}
@ -1311,7 +1313,7 @@ func (ssa *SQLStorageAuthorityRO) getRevokedCertsFromRevokedCertificatesTable(re
return errors.New("can't select shard 0 from revokedCertificates table")
}
atTime := time.Unix(0, req.RevokedBeforeNS)
atTime := req.RevokedBefore.AsTime()
clauses := `
WHERE issuerID = ?
@ -1322,7 +1324,7 @@ func (ssa *SQLStorageAuthorityRO) getRevokedCertsFromRevokedCertificatesTable(re
req.ShardIdx,
// Round the expiry down to the nearest hour, to take advantage of our
// smaller index while still capturing at least as many certs as intended.
time.Unix(0, req.ExpiresAfterNS).Truncate(time.Hour),
req.ExpiresAfter.AsTime().Truncate(time.Hour),
}
selector, err := db.NewMappedSelector[revokedCertModel](ssa.dbReadOnlyMap)
@ -1359,7 +1361,6 @@ func (ssa *SQLStorageAuthorityRO) getRevokedCertsFromRevokedCertificatesTable(re
err = stream.Send(&corepb.CRLEntry{
Serial: row.Serial,
Reason: int32(row.RevokedReason),
RevokedAtNS: row.RevokedDate.UnixNano(),
RevokedAt: timestamppb.New(row.RevokedDate),
})
if err != nil {
@ -1378,7 +1379,7 @@ func (ssa *SQLStorageAuthorityRO) getRevokedCertsFromRevokedCertificatesTable(re
// getRevokedCertsFromCertificateStatusTable uses the new old certificateStatus
// table to implement GetRevokedCerts.
func (ssa *SQLStorageAuthorityRO) getRevokedCertsFromCertificateStatusTable(req *sapb.GetRevokedCertsRequest, stream sapb.StorageAuthorityReadOnly_GetRevokedCertsServer) error {
atTime := time.Unix(0, req.RevokedBeforeNS)
atTime := req.RevokedBefore.AsTime()
clauses := `
WHERE notAfter >= ?
@ -1386,8 +1387,8 @@ func (ssa *SQLStorageAuthorityRO) getRevokedCertsFromCertificateStatusTable(req
AND issuerID = ?
AND status = ?`
params := []interface{}{
time.Unix(0, req.ExpiresAfterNS),
time.Unix(0, req.ExpiresBeforeNS),
req.ExpiresAfter.AsTime(),
req.ExpiresBefore.AsTime(),
req.IssuerNameID,
core.OCSPStatusRevoked,
}
@ -1426,7 +1427,6 @@ func (ssa *SQLStorageAuthorityRO) getRevokedCertsFromCertificateStatusTable(req
err = stream.Send(&corepb.CRLEntry{
Serial: row.Serial,
Reason: int32(row.RevokedReason),
RevokedAtNS: row.RevokedDate.UnixNano(),
RevokedAt: timestamppb.New(row.RevokedDate),
})
if err != nil {

4
sa/satest/satest.go
View File

@ -16,7 +16,6 @@ import (
// SA using GoodKey under the hood. This is used by various non-SA tests
// to initialize the a registration for the test to reference.
func CreateWorkingRegistration(t *testing.T, sa sapb.StorageAuthorityClient) *corepb.Registration {
created := time.Date(2003, 5, 10, 0, 0, 0, 0, time.UTC)
initialIP, _ := net.ParseIP("88.77.66.11").MarshalText()
reg, err := sa.NewRegistration(context.Background(), &corepb.Registration{
Key: []byte(`{
@ -26,8 +25,7 @@ func CreateWorkingRegistration(t *testing.T, sa sapb.StorageAuthorityClient) *co
}`),
Contact: []string{"mailto:foo@example.com"},
InitialIP: initialIP,
CreatedAtNS: created.UnixNano(),
CreatedAt: timestamppb.New(created),
CreatedAt: timestamppb.New(time.Date(2003, 5, 10, 0, 0, 0, 0, time.UTC)),
Status: string(core.StatusValid),
})
if err != nil {

8
wfe2/stale.go
View File

@ -24,13 +24,13 @@ func requiredStale(req *http.Request, logEvent *web.RequestEvent) bool {
// in the past to be acceptably stale for accessing via the Boulder specific GET
// API.
func (wfe *WebFrontEndImpl) staleEnoughToGETOrder(order *corepb.Order) *probs.ProblemDetails {
return wfe.staleEnoughToGET("Order", time.Unix(0, order.CreatedNS))
return wfe.staleEnoughToGET("Order", order.Created.AsTime())
}
// staleEnoughToGETCert checks if the given cert was issued long enough in the
// past to be acceptably stale for accessing via the Boulder specific GET API.
func (wfe *WebFrontEndImpl) staleEnoughToGETCert(cert *corepb.Certificate) *probs.ProblemDetails {
return wfe.staleEnoughToGET("Certificate", time.Unix(0, cert.IssuedNS))
return wfe.staleEnoughToGET("Certificate", cert.Issued.AsTime())
}
// staleEnoughToGETAuthz checks if the given authorization was created long
@ -50,11 +50,11 @@ func (wfe *WebFrontEndImpl) staleEnoughToGETAuthz(authzPB *corepb.Authorization)
// pendingAuthorization lifetime from the expiry. This will be inaccurate if
// we change the pendingAuthorizationLifetime but is sufficient for the weak
// staleness requirements of the GET API.
createdTime := time.Unix(0, authzPB.ExpiresNS).Add(-wfe.pendingAuthorizationLifetime)
createdTime := authzPB.Expires.AsTime().Add(-wfe.pendingAuthorizationLifetime)
// if the authz is valid then we need to subtract the authorizationLifetime
// instead of the pendingAuthorizationLifetime.
if core.AcmeStatus(authzPB.Status) == core.StatusValid {
createdTime = time.Unix(0, authzPB.ExpiresNS).Add(-wfe.authorizationLifetime)
createdTime = authzPB.Expires.AsTime().Add(-wfe.authorizationLifetime)
}
return wfe.staleEnoughToGET("Authorization", createdTime)
}

2
wfe2/stale_test.go
View File

@ -54,7 +54,6 @@ func TestSaleEnoughToGETOrder(t *testing.T) {
created := fc.Now()
fc.Add(time.Hour)
prob := wfe.staleEnoughToGETOrder(&corepb.Order{
CreatedNS: created.UnixNano(),
Created: timestamppb.New(created),
})
test.Assert(t, prob == nil, "wfe.staleEnoughToGETOrder returned a non-nil problem")
@ -73,7 +72,6 @@ func TestStaleEnoughToGETAuthzDeactivated(t *testing.T) {
fc.Add(time.Hour)
prob := wfe.staleEnoughToGETAuthz(&corepb.Authorization{
Status: string(core.StatusDeactivated),
ExpiresNS: expires.UnixNano(),
Expires: timestamppb.New(expires),
})
test.Assert(t, prob == nil, "wfe.staleEnoughToGETOrder returned a non-nil problem")

31
wfe2/wfe.go
View File

@ -1148,7 +1148,8 @@ func (wfe *WebFrontEndImpl) Challenge(
}
// Ensure gRPC response is complete.
if authzPB.Id == "" || authzPB.Identifier == "" || authzPB.Status == "" || authzPB.ExpiresNS == 0 {
// TODO(#7153): Check each value via core.IsAnyNilOrZero
if authzPB.Id == "" || authzPB.Identifier == "" || authzPB.Status == "" || core.IsAnyNilOrZero(authzPB.Expires) {
wfe.sendError(response, logEvent, probs.ServerInternal("Problem getting authorization"), errIncompleteGRPCResponse)
return
}
@ -1346,7 +1347,8 @@ func (wfe *WebFrontEndImpl) postChallenge(
Authz: authzPB,
ChallengeIndex: int64(challengeIndex),
})
if err != nil || authzPB == nil || authzPB.Id == "" || authzPB.Identifier == "" || authzPB.Status == "" || authzPB.ExpiresNS == 0 {
// TODO(#7153): Check each value via core.IsAnyNilOrZero
if err != nil || authzPB == nil || authzPB.Id == "" || authzPB.Identifier == "" || authzPB.Status == "" || core.IsAnyNilOrZero(authzPB.Expires) {
wfe.sendError(response, logEvent, web.ProblemDetailsForError(err, "Unable to update challenge"), err)
return
}
@ -1590,7 +1592,8 @@ func (wfe *WebFrontEndImpl) Authorization(
}
// Ensure gRPC response is complete.
if authzPB.Id == "" || authzPB.Identifier == "" || authzPB.Status == "" || authzPB.ExpiresNS == 0 {
// TODO(#7153): Check each value via core.IsAnyNilOrZero
if authzPB.Id == "" || authzPB.Identifier == "" || authzPB.Status == "" || core.IsAnyNilOrZero(authzPB.Expires) {
wfe.sendError(response, logEvent, probs.ServerInternal("Problem getting authorization"), errIncompleteGRPCResponse)
return
}
@ -1601,7 +1604,7 @@ func (wfe *WebFrontEndImpl) Authorization(
logEvent.Status = authzPB.Status
// After expiring, authorizations are inaccessible
if time.Unix(0, authzPB.ExpiresNS).Before(wfe.clk.Now()) {
if authzPB.Expires.AsTime().Before(wfe.clk.Now()) {
wfe.sendError(response, logEvent, probs.NotFound("Expired authorization"), nil)
return
}
@ -2024,7 +2027,7 @@ func (wfe *WebFrontEndImpl) orderToOrderJSON(request *http.Request, order *corep
fmt.Sprintf("%s%d/%d", finalizeOrderPath, order.RegistrationID, order.Id))
respObj := orderJSON{
Status: core.AcmeStatus(order.Status),
Expires: time.Unix(0, order.ExpiresNS).UTC(),
Expires: order.Expires.AsTime(),
Identifiers: idents,
Finalize: finalizeURL,
}
@ -2127,7 +2130,8 @@ func (wfe *WebFrontEndImpl) NewOrder(
RegistrationID: acct.ID,
Names: names,
})
if err != nil || order == nil || order.Id == 0 || order.CreatedNS == 0 || order.RegistrationID == 0 || order.ExpiresNS == 0 || len(order.Names) == 0 {
// TODO(#7153): Check each value via core.IsAnyNilOrZero
if err != nil || order == nil || order.Id == 0 || order.RegistrationID == 0 || len(order.Names) == 0 || core.IsAnyNilOrZero(order.Created, order.Expires) {
wfe.sendError(response, logEvent, web.ProblemDetailsForError(err, "Error creating new order"), err)
return
}
@ -2187,7 +2191,8 @@ func (wfe *WebFrontEndImpl) GetOrder(ctx context.Context, logEvent *web.RequestE
return
}
if order.Id == 0 || order.CreatedNS == 0 || order.Status == "" || order.RegistrationID == 0 || order.ExpiresNS == 0 || len(order.Names) == 0 {
// TODO(#7153): Check each value via core.IsAnyNilOrZero
if order.Id == 0 || order.Status == "" || order.RegistrationID == 0 || len(order.Names) == 0 || core.IsAnyNilOrZero(order.Created, order.Expires) {
wfe.sendError(response, logEvent, probs.ServerInternal(fmt.Sprintf("Failed to retrieve order for ID %d", orderID)), errIncompleteGRPCResponse)
return
}
@ -2267,7 +2272,8 @@ func (wfe *WebFrontEndImpl) FinalizeOrder(ctx context.Context, logEvent *web.Req
return
}
if order.Id == 0 || order.CreatedNS == 0 || order.Status == "" || order.RegistrationID == 0 || order.ExpiresNS == 0 || len(order.Names) == 0 {
// TODO(#7153): Check each value via core.IsAnyNilOrZero
if order.Id == 0 || order.Status == "" || order.RegistrationID == 0 || len(order.Names) == 0 || core.IsAnyNilOrZero(order.Created, order.Expires) {
wfe.sendError(response, logEvent, probs.ServerInternal(fmt.Sprintf("Failed to retrieve order for ID %d", orderID)), errIncompleteGRPCResponse)
return
}
@ -2295,7 +2301,7 @@ func (wfe *WebFrontEndImpl) FinalizeOrder(ctx context.Context, logEvent *web.Req
}
// If the order is expired we can not finalize it and must return an error
orderExpiry := time.Unix(order.ExpiresNS, 0)
orderExpiry := order.Expires.AsTime()
if orderExpiry.Before(wfe.clk.Now()) {
wfe.sendError(response, logEvent, probs.NotFound(fmt.Sprintf("Order %d is expired", order.Id)), nil)
return
@ -2328,7 +2334,8 @@ func (wfe *WebFrontEndImpl) FinalizeOrder(ctx context.Context, logEvent *web.Req
wfe.sendError(response, logEvent, web.ProblemDetailsForError(err, "Error finalizing order"), err)
return
}
if updatedOrder == nil || order.Id == 0 || order.CreatedNS == 0 || order.RegistrationID == 0 || order.ExpiresNS == 0 || len(order.Names) == 0 {
// TODO(#7153): Check each value via core.IsAnyNilOrZero
if updatedOrder == nil || order.Id == 0 || order.RegistrationID == 0 || len(order.Names) == 0 || core.IsAnyNilOrZero(order.Created, order.Expires) {
wfe.sendError(response, logEvent, web.ProblemDetailsForError(err, "Error validating order"), errIncompleteGRPCResponse)
return
}
@ -2460,9 +2467,7 @@ func (wfe *WebFrontEndImpl) RenewalInfo(ctx context.Context, logEvent *web.Reque
// using that to compute the actual issuerNameHash and issuerKeyHash, and
// comparing those to the ones in the request.
sendRI(core.RenewalInfoSimple(
time.Unix(0, cert.IssuedNS).UTC(),
time.Unix(0, cert.ExpiresNS).UTC()))
sendRI(core.RenewalInfoSimple(cert.Issued.AsTime(), cert.Expires.AsTime()))
}
// UpdateRenewal is used by the client to inform the server that they have

14
wfe2/wfe_test.go
View File

@ -191,7 +191,6 @@ type MockRegistrationAuthority struct {
func (ra *MockRegistrationAuthority) NewRegistration(ctx context.Context, in *corepb.Registration, _ ...grpc.CallOption) (*corepb.Registration, error) {
in.Id = 1
created := time.Date(2021, 1, 1, 0, 0, 0, 0, time.UTC)
in.CreatedAtNS = created.UnixNano()
in.CreatedAt = timestamppb.New(created)
return in, nil
}
@ -244,9 +243,7 @@ func (ra *MockRegistrationAuthority) NewOrder(ctx context.Context, in *rapb.NewO
return &corepb.Order{
Id: 1,
RegistrationID: in.RegistrationID,
CreatedNS: created.UnixNano(),
Created: timestamppb.New(created),
ExpiresNS: expires.UnixNano(),
Expires: timestamppb.New(expires),
Names: in.Names,
Status: string(core.StatusPending),
@ -1846,9 +1843,7 @@ func (sa *mockSAWithCert) GetCertificate(_ context.Context, req *sapb.Serial, _
return &corepb.Certificate{
RegistrationID: 1,
Serial: core.SerialToString(sa.cert.SerialNumber),
IssuedNS: sa.cert.NotBefore.UnixNano(),
Issued: timestamppb.New(sa.cert.NotBefore),
ExpiresNS: sa.cert.NotAfter.UnixNano(),
Expires: timestamppb.New(sa.cert.NotAfter),
Der: sa.cert.Raw,
}, nil
@ -1883,8 +1878,7 @@ func newMockSAWithIncident(sa sapb.StorageAuthorityReadOnlyClient, serial []stri
Id: 0,
SerialTable: "incident_foo",
Url: agreementURL,
RenewByNS: 0,
RenewBy: timestamppb.New(time.Time{}),
RenewBy: nil,
Enabled: true,
},
},
@ -2144,13 +2138,10 @@ func (sa *mockSAWithNewCert) GetCertificate(_ context.Context, req *sapb.Serial,
return nil, fmt.Errorf("failed to parse test cert: %w", err)
}
issued := sa.clk.Now().Add(-1 * time.Second)
return &corepb.Certificate{
RegistrationID: 1,
Serial: core.SerialToString(cert.SerialNumber),
IssuedNS: issued.UnixNano(),
Issued: timestamppb.New(issued),
Issued: timestamppb.New(sa.clk.Now().Add(-1 * time.Second)),
Der: cert.Raw,
}, nil
}
@ -3390,7 +3381,6 @@ func TestOrderToOrderJSONV2Authorizations(t *testing.T) {
RegistrationID: 1,
Names: []string{"a"},
Status: string(core.StatusPending),
ExpiresNS: expires.UnixNano(),
Expires: timestamppb.New(expires),
V2Authorizations: []int64{1, 2},
})