From 6ea74d5be9a3f6aa4cd1c525ec5ccda69169b884 Mon Sep 17 00:00:00 2001
From: Aaron Gable
Date: Wed, 24 May 2023 14:23:27 -0700
Subject: [PATCH] OCSP: Use FilterSource for static responders (#6901)

Move the creation of the FilterSource outside of the conditional block, so that the underlying source gets wrapped no matter which kind (either a inMemorySource or a checkedRedisSource) it is. This has two advantages: first, it means that static ocsp responders are safer and more accurate, because they're not basing their responses on both the issuer and the serial, not just the serial; and second, it makes the current config validation tag which marks the "issuerCerts" config field as required with `min=1` accurate.
---
 cmd/ocsp-responder/main.go | 36 ++++++++++++++++++------------------
 1 file changed, 18 insertions(+), 18 deletions(-)

diff --git a/cmd/ocsp-responder/main.go b/cmd/ocsp-responder/main.go
index 39a0dac43..52027e8cd 100644
--- a/cmd/ocsp-responder/main.go
+++ b/cmd/ocsp-responder/main.go
@@ -197,26 +197,26 @@ as generated by Boulder's ceremony command.
 source, err = redis_responder.NewCheckedRedisSource(rocspSource, dbMap, sac, scope, logger)
 cmd.FailOnError(err, "Could not create checkedRedis source")
-
- // Load the certificate from the file path.
- issuerCerts := make([]*issuance.Certificate, len(c.OCSPResponder.IssuerCerts))
- for i, issuerFile := range c.OCSPResponder.IssuerCerts {
- issuerCert, err := issuance.LoadCertificate(issuerFile)
- cmd.FailOnError(err, "Could not load issuer cert")
- issuerCerts[i] = issuerCert
- }
-
- source, err = responder.NewFilterSource(
- issuerCerts,
- c.OCSPResponder.RequiredSerialPrefixes,
- source,
- scope,
- logger,
- clk,
- )
- cmd.FailOnError(err, "Could not create filtered source")
 }
+ // Load the certificate from the file path.
+ issuerCerts := make([]*issuance.Certificate, len(c.OCSPResponder.IssuerCerts))
+ for i, issuerFile := range c.OCSPResponder.IssuerCerts {
+ issuerCert, err := issuance.LoadCertificate(issuerFile)
+ cmd.FailOnError(err, "Could not load issuer cert")
+ issuerCerts[i] = issuerCert
+ }
+
+ source, err = responder.NewFilterSource(
+ issuerCerts,
+ c.OCSPResponder.RequiredSerialPrefixes,
+ source,
+ scope,
+ logger,
+ clk,
+ )
+ cmd.FailOnError(err, "Could not create filtered source")
+
 m := mux(c.OCSPResponder.Path, source, c.OCSPResponder.Timeout.Duration, scope, c.OpenTelemetryHTTPConfig.Options(), logger, c.OCSPResponder.LogSampleRate)
 srv := &http.Server{
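Review bot: The comment above the relocated `issuerCerts` loop still reads `// Load the certificate from the file path.` although the loop loads every entry of `c.OCSPResponder.IssuerCerts`, and it no longer explains why the loading and the `NewFilterSource` wrap now sit outside the Redis-only branch; suggest `// Load every configured issuer certificate; both the in-memory and the checked-Redis source are wrapped in a FilterSource below so responses are keyed on issuer as well as serial.` Because the wrap is now unconditional, an empty `IssuerCerts` list would hand `NewFilterSource` an empty issuer slice; the description says the `min=1` config validation tag rules this out, but that validation is not visible in the hunk, so a `len(issuerCerts) == 0` failure next to the loop would make that dependence explicit rather than implicit. The enclosing `main` function begins and ends outside the hunk.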