OCSP: Use FilterSource for static responders (#6901)

Move the creation of the FilterSource outside of the conditional block,
so that the underlying source gets wrapped no matter which kind (either
an inMemorySource or a checkedRedisSource) it is.

This has two advantages: first, it means that static OCSP responders are
safer and more accurate, because they now base their responses on
both the issuer and the serial, not just the serial; and second, it
makes the current config validation tag, which marks the "issuerCerts"
config field as required with `min=1`, accurate.
This commit is contained in:
Aaron Gable 2023-05-24 14:23:27 -07:00 committed by GitHub
parent 4305f64a28
commit 6ea74d5be9
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 18 additions and 18 deletions


@ -197,26 +197,26 @@ as generated by Boulder's ceremony command.
source, err = redis_responder.NewCheckedRedisSource(rocspSource, dbMap, sac, scope, logger)
cmd.FailOnError(err, "Could not create checkedRedis source")
// Load the certificate from the file path.
issuerCerts := make([]*issuance.Certificate, len(c.OCSPResponder.IssuerCerts))
for i, issuerFile := range c.OCSPResponder.IssuerCerts {
issuerCert, err := issuance.LoadCertificate(issuerFile)
cmd.FailOnError(err, "Could not load issuer cert")
issuerCerts[i] = issuerCert
}
source, err = responder.NewFilterSource(
issuerCerts,
c.OCSPResponder.RequiredSerialPrefixes,
source,
scope,
logger,
clk,
)
cmd.FailOnError(err, "Could not create filtered source")
}
// Load the certificate from the file path.
issuerCerts := make([]*issuance.Certificate, len(c.OCSPResponder.IssuerCerts))
for i, issuerFile := range c.OCSPResponder.IssuerCerts {
issuerCert, err := issuance.LoadCertificate(issuerFile)
cmd.FailOnError(err, "Could not load issuer cert")
issuerCerts[i] = issuerCert
}
source, err = responder.NewFilterSource(
issuerCerts,
c.OCSPResponder.RequiredSerialPrefixes,
source,
scope,
logger,
clk,
)
cmd.FailOnError(err, "Could not create filtered source")
m := mux(c.OCSPResponder.Path, source, c.OCSPResponder.Timeout.Duration, scope, c.OpenTelemetryHTTPConfig.Options(), logger, c.OCSPResponder.LogSampleRate)
srv := &http.Server{