Temporarily revert CA and VA proto3 migrations (#4962)

Aaron Gable 2020-07-16 14:29:42 -07:00 committed by GitHub
parent 340d42760d
commit 7e626b63a6
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
16 changed files with 186 additions and 169 deletions


@ -437,16 +437,16 @@ func (ca *CertificateAuthorityImpl) GenerateOCSP(ctx context.Context, req *caPB.
// that didn't have an IssuerID set when they were created. Once this feature
// has been enabled for a full OCSP lifetime cycle we can remove this
// functionality.
if features.Enabled(features.StoreIssuerInfo) && req.IssuerID != 0 {
serialInt, err := core.StringToSerial(req.Serial)
if features.Enabled(features.StoreIssuerInfo) && req.IssuerID != nil {
serialInt, err := core.StringToSerial(*req.Serial)
if err != nil {
return nil, err
}
serial = serialInt
var ok bool
issuer, ok = ca.idToIssuer[req.IssuerID]
issuer, ok = ca.idToIssuer[*req.IssuerID]
if !ok {
return nil, fmt.Errorf("This CA doesn't have an issuer cert with ID %d", req.IssuerID)
return nil, fmt.Errorf("This CA doesn't have an issuer cert with ID %d", *req.IssuerID)
}
} else {
cert, err := x509.ParseCertificate(req.CertDER)
@ -471,14 +471,14 @@ func (ca *CertificateAuthorityImpl) GenerateOCSP(ctx context.Context, req *caPB.
now := ca.clk.Now().Truncate(time.Hour)
tbsResponse := ocsp.Response{
Status: ocspStatusToCode[req.Status],
Status: ocspStatusToCode[*req.Status],
SerialNumber: serial,
ThisUpdate: now,
NextUpdate: now.Add(ca.ocspLifetime),
}
if tbsResponse.Status == ocsp.Revoked {
tbsResponse.RevokedAt = time.Unix(0, req.RevokedAt)
tbsResponse.RevocationReason = int(req.Reason)
tbsResponse.RevokedAt = time.Unix(0, *req.RevokedAt)
tbsResponse.RevocationReason = int(*req.Reason)
}
ocspResponse, err := ocsp.CreateResponse(issuer.cert, issuer.cert, tbsResponse, issuer.ocspSigner)
@ -495,7 +495,7 @@ func (ca *CertificateAuthorityImpl) IssuePrecertificate(ctx context.Context, iss
return nil, err
}
regID := issueReq.RegistrationID
regID := *issueReq.RegistrationID
serialHex := core.SerialToString(serialBigInt)
nowNanos := ca.clk.Now().UnixNano()
@ -515,9 +515,10 @@ func (ca *CertificateAuthorityImpl) IssuePrecertificate(ctx context.Context, iss
return nil, err
}
status := string(core.OCSPStatusGood)
ocspResp, err := ca.GenerateOCSP(ctx, &caPB.GenerateOCSPRequest{
CertDER: precertDER,
Status: string(core.OCSPStatusGood),
Status: &status,
})
if err != nil {
err = berrors.InternalServerError(err.Error())
@ -544,7 +545,7 @@ func (ca *CertificateAuthorityImpl) IssuePrecertificate(ctx context.Context, iss
// Note: This log line is parsed by cmd/orphan-finder. If you make any
// changes here, you should make sure they are reflected in orphan-finder.
ca.log.AuditErrf("Failed RPC to store at SA, orphaning precertificate: serial=[%s] cert=[%s] err=[%v], regID=[%d], orderID=[%d]",
serialHex, hex.EncodeToString(precertDER), err, issueReq.RegistrationID, issueReq.OrderID)
serialHex, hex.EncodeToString(precertDER), err, *issueReq.RegistrationID, *issueReq.OrderID)
if ca.orphanQueue != nil {
ca.queueOrphan(&orphanedCert{
DER: precertDER,
@ -622,7 +623,7 @@ func (ca *CertificateAuthorityImpl) IssueCertificateForPrecertificate(ctx contex
ca.log.AuditInfof("Signing success: serial=[%s] names=[%s] certificate=[%s]",
serialHex, strings.Join(precert.DNSNames, ", "), hex.EncodeToString(req.DER),
hex.EncodeToString(certDER))
return ca.storeCertificate(ctx, req.RegistrationID, req.OrderID, precert.SerialNumber, certDER)
return ca.storeCertificate(ctx, *req.RegistrationID, *req.OrderID, precert.SerialNumber, certDER)
}
type validity struct {
@ -666,7 +667,7 @@ func (ca *CertificateAuthorityImpl) issuePrecertificateInner(ctx context.Context
&ca.keyPolicy,
ca.pa,
ca.forceCNFromSAN,
issueReq.RegistrationID,
*issueReq.RegistrationID,
); err != nil {
ca.log.AuditErr(err.Error())
// VerifyCSR returns berror instances that can be passed through as-is
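Review bot: The new branch `if features.Enabled(features.StoreIssuerInfo) && req.IssuerID != nil {` dereferences `*req.Serial` on the very next line without checking it, so a request carrying `IssuerID` but no `Serial` panics inside the CA instead of returning an error; under the proto3 code being reverted this was an empty string that `core.StringToSerial` rejected cleanly. The wrapper guard in the grpc wrappers file (`req.CertDER == nil && (req.Serial == nil || req.IssuerID == nil)`) still admits exactly that shape whenever `CertDER` is also set, so the check belongs here: `if req.Serial == nil { return nil, fmt.Errorf("IssuerID set without Serial") }` before the `core.StringToSerial(*req.Serial)` call, or alternatively tighten the wrapper to reject `(req.Serial == nil) != (req.IssuerID == nil)` per the "exactly one of" rule in ca.proto. GenerateOCSP's body starts before and continues after this hunk.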


@ -102,6 +102,9 @@ var (
// * DNSNames = example.com, example2.com
ECDSACSR = mustRead("./testdata/ecdsa.der.csr")
// This is never modified, but it must be a var instead of a const so we can make references to it.
arbitraryRegID int64 = 1001
// OIDExtensionCTPoison is defined in RFC 6962 s3.1.
OIDExtensionCTPoison = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 3}
@ -122,8 +125,6 @@ var (
}
)
const arbitraryRegID int64 = 1001
// CFSSL config
const rsaProfileName = "rsaEE"
const ecdsaProfileName = "ecdsaEE"
@ -347,7 +348,7 @@ func TestIssuePrecertificate(t *testing.T) {
req, err := x509.ParseCertificateRequest(testCase.csr)
test.AssertNotError(t, err, "Certificate request failed to parse")
issueReq := &caPB.IssueCertificateRequest{Csr: testCase.csr, RegistrationID: arbitraryRegID}
issueReq := &caPB.IssueCertificateRequest{Csr: testCase.csr, RegistrationID: &arbitraryRegID}
var certDER []byte
response, err := ca.IssuePrecertificate(ctx, issueReq)
@ -455,7 +456,7 @@ func TestMultipleIssuers(t *testing.T) {
nil)
test.AssertNotError(t, err, "Failed to remake CA")
issuedCert, err := ca.IssuePrecertificate(ctx, &caPB.IssueCertificateRequest{Csr: CNandSANCSR, RegistrationID: arbitraryRegID})
issuedCert, err := ca.IssuePrecertificate(ctx, &caPB.IssueCertificateRequest{Csr: CNandSANCSR, RegistrationID: &arbitraryRegID})
test.AssertNotError(t, err, "Failed to issue certificate")
cert, err := x509.ParseCertificate(issuedCert.DER)
@ -480,15 +481,16 @@ func TestOCSP(t *testing.T) {
nil)
test.AssertNotError(t, err, "Failed to create CA")
issueReq := caPB.IssueCertificateRequest{Csr: CNandSANCSR, RegistrationID: arbitraryRegID}
issueReq := caPB.IssueCertificateRequest{Csr: CNandSANCSR, RegistrationID: &arbitraryRegID}
cert, err := ca.IssuePrecertificate(ctx, &issueReq)
test.AssertNotError(t, err, "Failed to issue")
parsedCert, err := x509.ParseCertificate(cert.DER)
test.AssertNotError(t, err, "Failed to parse cert")
status := string(core.OCSPStatusGood)
ocspResp, err := ca.GenerateOCSP(ctx, &caPB.GenerateOCSPRequest{
CertDER: cert.DER,
Status: string(core.OCSPStatusGood),
Status: &status,
})
test.AssertNotError(t, err, "Failed to generate OCSP")
parsed, err := ocsp.ParseResponse(ocspResp.Response, caCert)
@ -500,7 +502,7 @@ func TestOCSP(t *testing.T) {
// Test that signatures are checked.
_, err = ca.GenerateOCSP(ctx, &caPB.GenerateOCSPRequest{
CertDER: append(cert.DER, byte(0)),
Status: string(core.OCSPStatusGood),
Status: &status,
})
test.AssertError(t, err, "Generated OCSP for cert with bad signature")
@ -543,7 +545,7 @@ func TestOCSP(t *testing.T) {
// should be signed by caCert.
ocspResp2, err := ca.GenerateOCSP(ctx, &caPB.GenerateOCSPRequest{
CertDER: append([]byte(nil), cert.DER...),
Status: string(core.OCSPStatusGood),
Status: &status,
})
test.AssertNotError(t, err, "Failed to sign second OCSP response")
_, err = ocsp.ParseResponse(ocspResp2.Response, caCert)
@ -553,7 +555,7 @@ func TestOCSP(t *testing.T) {
// and should be signed by newIssuer.
newCertOcspResp, err := ca.GenerateOCSP(ctx, &caPB.GenerateOCSPRequest{
CertDER: newCert.DER,
Status: string(core.OCSPStatusGood),
Status: &status,
})
test.AssertNotError(t, err, "Failed to generate OCSP")
parsedNewCertOcspResp, err := ocsp.ParseResponse(newCertOcspResp.Response, newIssuerCert)
@ -629,7 +631,7 @@ func TestInvalidCSRs(t *testing.T) {
t.Run(testCase.name, func(t *testing.T) {
serializedCSR := mustRead(testCase.csrPath)
issueReq := &caPB.IssueCertificateRequest{Csr: serializedCSR, RegistrationID: arbitraryRegID}
issueReq := &caPB.IssueCertificateRequest{Csr: serializedCSR, RegistrationID: &arbitraryRegID}
_, err = ca.IssuePrecertificate(ctx, issueReq)
test.Assert(t, berrors.Is(err, testCase.errorType), "Incorrect error type returned")
@ -664,7 +666,7 @@ func TestRejectValidityTooLong(t *testing.T) {
test.AssertNotError(t, err, "Failed to parse time")
testCtx.fc.Set(future)
// Test that the CA rejects CSRs that would expire after the intermediate cert
_, err = ca.IssuePrecertificate(ctx, &caPB.IssueCertificateRequest{Csr: NoCNCSR, RegistrationID: arbitraryRegID})
_, err = ca.IssuePrecertificate(ctx, &caPB.IssueCertificateRequest{Csr: NoCNCSR, RegistrationID: &arbitraryRegID})
test.AssertError(t, err, "Cannot issue a certificate that expires after the intermediate certificate")
test.Assert(t, berrors.Is(err, berrors.InternalServer), "Incorrect error type returned")
}
@ -840,7 +842,7 @@ func TestIssueCertificateForPrecertificate(t *testing.T) {
test.AssertNotError(t, err, "Failed to create CA")
orderID := int64(0)
issueReq := caPB.IssueCertificateRequest{Csr: CNandSANCSR, RegistrationID: arbitraryRegID, OrderID: orderID}
issueReq := caPB.IssueCertificateRequest{Csr: CNandSANCSR, RegistrationID: &arbitraryRegID, OrderID: &orderID}
precert, err := ca.IssuePrecertificate(ctx, &issueReq)
test.AssertNotError(t, err, "Failed to issue precert")
parsedPrecert, err := x509.ParseCertificate(precert.DER)
@ -864,8 +866,8 @@ func TestIssueCertificateForPrecertificate(t *testing.T) {
cert, err := ca.IssueCertificateForPrecertificate(ctx, &caPB.IssueCertificateForPrecertificateRequest{
DER: precert.DER,
SCTs: sctBytes,
RegistrationID: arbitraryRegID,
OrderID: 0,
RegistrationID: &arbitraryRegID,
OrderID: new(int64),
})
test.AssertNotError(t, err, "Failed to issue cert from precert")
parsedCert, err := x509.ParseCertificate(cert.DER)
@ -927,14 +929,14 @@ func TestIssueCertificateForPrecertificateDuplicateSerial(t *testing.T) {
}
orderID := int64(0)
issueReq := caPB.IssueCertificateRequest{Csr: CNandSANCSR, RegistrationID: arbitraryRegID, OrderID: orderID}
issueReq := caPB.IssueCertificateRequest{Csr: CNandSANCSR, RegistrationID: &arbitraryRegID, OrderID: &orderID}
precert, err := ca.IssuePrecertificate(ctx, &issueReq)
test.AssertNotError(t, err, "Failed to issue precert")
_, err = ca.IssueCertificateForPrecertificate(ctx, &caPB.IssueCertificateForPrecertificateRequest{
DER: precert.DER,
SCTs: sctBytes,
RegistrationID: arbitraryRegID,
OrderID: 0,
RegistrationID: &arbitraryRegID,
OrderID: new(int64),
})
if err == nil {
t.Error("Expected error issuing duplicate serial but got none.")
@ -961,8 +963,8 @@ func TestIssueCertificateForPrecertificateDuplicateSerial(t *testing.T) {
_, err = errorca.IssueCertificateForPrecertificate(ctx, &caPB.IssueCertificateForPrecertificateRequest{
DER: precert.DER,
SCTs: sctBytes,
RegistrationID: arbitraryRegID,
OrderID: 0,
RegistrationID: &arbitraryRegID,
OrderID: new(int64),
})
if err == nil {
t.Fatal("Expected error issuing duplicate serial but got none.")
@ -1036,9 +1038,10 @@ func TestPrecertOrphanQueue(t *testing.T) {
t.Fatalf("Unexpected error, wanted %q, got %q", goque.ErrEmpty, err)
}
var one int64 = 1
_, err = ca.IssuePrecertificate(context.Background(), &caPB.IssueCertificateRequest{
RegistrationID: int64(1),
OrderID: int64(1),
RegistrationID: &one,
OrderID: &one,
Csr: CNandSANCSR,
})
test.AssertError(t, err, "Expected IssuePrecertificate to fail with `failSA`")
@ -1226,7 +1229,7 @@ func TestIssuePrecertificateLinting(t *testing.T) {
// Attempt to issue a pre-certificate
_, err = ca.IssuePrecertificate(ctx, &caPB.IssueCertificateRequest{
Csr: CNandSANCSR,
RegistrationID: arbitraryRegID,
RegistrationID: &arbitraryRegID,
})
// It should error
test.AssertError(t, err, "expected err from IssuePrecertificate with linttrapSigner")
@ -1259,28 +1262,32 @@ func TestGenerateOCSPWithIssuerID(t *testing.T) {
test.AssertNotError(t, err, "Failed to create CA")
// GenerateOCSP with feature enabled + req contains bad IssuerID
issuerID := int64(666)
serial := "DEADDEADDEADDEADDEADDEADDEADDEADDEAD"
status := string(core.OCSPStatusGood)
_, err = ca.GenerateOCSP(context.Background(), &caPB.GenerateOCSPRequest{
IssuerID: int64(666),
Serial: "DEADDEADDEADDEADDEADDEADDEADDEADDEAD",
Status: string(core.OCSPStatusGood),
IssuerID: &issuerID,
Serial: &serial,
Status: &status,
})
test.AssertError(t, err, "GenerateOCSP didn't fail with invalid IssuerID")
// GenerateOCSP with feature enabled + req contains good IssuerID
issuerID = idForIssuer(ca.defaultIssuer.cert)
_, err = ca.GenerateOCSP(context.Background(), &caPB.GenerateOCSPRequest{
IssuerID: idForIssuer(ca.defaultIssuer.cert),
Serial: "DEADDEADDEADDEADDEADDEADDEADDEADDEAD",
Status: string(core.OCSPStatusGood),
IssuerID: &issuerID,
Serial: &serial,
Status: &status,
})
test.AssertNotError(t, err, "GenerateOCSP failed")
// GenerateOCSP with feature enabled + req doesn't contain IssuerID
issueReq := caPB.IssueCertificateRequest{Csr: CNandSANCSR, RegistrationID: arbitraryRegID}
issueReq := caPB.IssueCertificateRequest{Csr: CNandSANCSR, RegistrationID: &arbitraryRegID}
cert, err := ca.IssuePrecertificate(ctx, &issueReq)
test.AssertNotError(t, err, "Failed to issue")
_, err = ca.GenerateOCSP(context.Background(), &caPB.GenerateOCSPRequest{
CertDER: cert.DER,
Status: string(core.OCSPStatusGood),
Status: &status,
})
test.AssertNotError(t, err, "GenerateOCSP failed")
}
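Review bot: The pointer-valued fixtures introduced in this file are spelled three different ways — `orderID := int64(0)` then `&orderID`, `OrderID: new(int64)`, and `var one int64 = 1` — sometimes within the same test (TestIssueCertificateForPrecertificate uses both `&orderID` and `new(int64)`). Settling on the `x := int64(v)` / `&x` form throughout would make the zero-versus-one values readable at a glance and keep `gofmt`-style declarations consistent with the rest of the file.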


@ -35,9 +35,9 @@ type IssueCertificateRequest struct {
sizeCache protoimpl.SizeCache
unknownFields protoimpl.UnknownFields
Csr []byte `protobuf:"bytes,1,opt,name=csr,proto3" json:"csr,omitempty"`
RegistrationID int64 `protobuf:"varint,2,opt,name=registrationID,proto3" json:"registrationID,omitempty"`
OrderID int64 `protobuf:"varint,3,opt,name=orderID,proto3" json:"orderID,omitempty"`
Csr []byte `protobuf:"bytes,1,opt,name=csr" json:"csr,omitempty"`
RegistrationID *int64 `protobuf:"varint,2,opt,name=registrationID" json:"registrationID,omitempty"`
OrderID *int64 `protobuf:"varint,3,opt,name=orderID" json:"orderID,omitempty"`
}
func (x *IssueCertificateRequest) Reset() {
@ -80,15 +80,15 @@ func (x *IssueCertificateRequest) GetCsr() []byte {
}
func (x *IssueCertificateRequest) GetRegistrationID() int64 {
if x != nil {
return x.RegistrationID
if x != nil && x.RegistrationID != nil {
return *x.RegistrationID
}
return 0
}
func (x *IssueCertificateRequest) GetOrderID() int64 {
if x != nil {
return x.OrderID
if x != nil && x.OrderID != nil {
return *x.OrderID
}
return 0
}
@ -98,7 +98,7 @@ type IssuePrecertificateResponse struct {
sizeCache protoimpl.SizeCache
unknownFields protoimpl.UnknownFields
DER []byte `protobuf:"bytes,1,opt,name=DER,proto3" json:"DER,omitempty"`
DER []byte `protobuf:"bytes,1,opt,name=DER" json:"DER,omitempty"`
}
func (x *IssuePrecertificateResponse) Reset() {
@ -145,10 +145,10 @@ type IssueCertificateForPrecertificateRequest struct {
sizeCache protoimpl.SizeCache
unknownFields protoimpl.UnknownFields
DER []byte `protobuf:"bytes,1,opt,name=DER,proto3" json:"DER,omitempty"`
SCTs [][]byte `protobuf:"bytes,2,rep,name=SCTs,proto3" json:"SCTs,omitempty"`
RegistrationID int64 `protobuf:"varint,3,opt,name=registrationID,proto3" json:"registrationID,omitempty"`
OrderID int64 `protobuf:"varint,4,opt,name=orderID,proto3" json:"orderID,omitempty"`
DER []byte `protobuf:"bytes,1,opt,name=DER" json:"DER,omitempty"`
SCTs [][]byte `protobuf:"bytes,2,rep,name=SCTs" json:"SCTs,omitempty"`
RegistrationID *int64 `protobuf:"varint,3,opt,name=registrationID" json:"registrationID,omitempty"`
OrderID *int64 `protobuf:"varint,4,opt,name=orderID" json:"orderID,omitempty"`
}
func (x *IssueCertificateForPrecertificateRequest) Reset() {
@ -198,15 +198,15 @@ func (x *IssueCertificateForPrecertificateRequest) GetSCTs() [][]byte {
}
func (x *IssueCertificateForPrecertificateRequest) GetRegistrationID() int64 {
if x != nil {
return x.RegistrationID
if x != nil && x.RegistrationID != nil {
return *x.RegistrationID
}
return 0
}
func (x *IssueCertificateForPrecertificateRequest) GetOrderID() int64 {
if x != nil {
return x.OrderID
if x != nil && x.OrderID != nil {
return *x.OrderID
}
return 0
}
@ -217,12 +217,12 @@ type GenerateOCSPRequest struct {
sizeCache protoimpl.SizeCache
unknownFields protoimpl.UnknownFields
CertDER []byte `protobuf:"bytes,1,opt,name=certDER,proto3" json:"certDER,omitempty"`
Status string `protobuf:"bytes,2,opt,name=status,proto3" json:"status,omitempty"`
Reason int32 `protobuf:"varint,3,opt,name=reason,proto3" json:"reason,omitempty"`
RevokedAt int64 `protobuf:"varint,4,opt,name=revokedAt,proto3" json:"revokedAt,omitempty"`
Serial string `protobuf:"bytes,5,opt,name=serial,proto3" json:"serial,omitempty"`
IssuerID int64 `protobuf:"varint,6,opt,name=issuerID,proto3" json:"issuerID,omitempty"`
CertDER []byte `protobuf:"bytes,1,opt,name=certDER" json:"certDER,omitempty"`
Status *string `protobuf:"bytes,2,opt,name=status" json:"status,omitempty"`
Reason *int32 `protobuf:"varint,3,opt,name=reason" json:"reason,omitempty"`
RevokedAt *int64 `protobuf:"varint,4,opt,name=revokedAt" json:"revokedAt,omitempty"`
Serial *string `protobuf:"bytes,5,opt,name=serial" json:"serial,omitempty"`
IssuerID *int64 `protobuf:"varint,6,opt,name=issuerID" json:"issuerID,omitempty"`
}
func (x *GenerateOCSPRequest) Reset() {
@ -265,36 +265,36 @@ func (x *GenerateOCSPRequest) GetCertDER() []byte {
}
func (x *GenerateOCSPRequest) GetStatus() string {
if x != nil {
return x.Status
if x != nil && x.Status != nil {
return *x.Status
}
return ""
}
func (x *GenerateOCSPRequest) GetReason() int32 {
if x != nil {
return x.Reason
if x != nil && x.Reason != nil {
return *x.Reason
}
return 0
}
func (x *GenerateOCSPRequest) GetRevokedAt() int64 {
if x != nil {
return x.RevokedAt
if x != nil && x.RevokedAt != nil {
return *x.RevokedAt
}
return 0
}
func (x *GenerateOCSPRequest) GetSerial() string {
if x != nil {
return x.Serial
if x != nil && x.Serial != nil {
return *x.Serial
}
return ""
}
func (x *GenerateOCSPRequest) GetIssuerID() int64 {
if x != nil {
return x.IssuerID
if x != nil && x.IssuerID != nil {
return *x.IssuerID
}
return 0
}
@ -304,7 +304,7 @@ type OCSPResponse struct {
sizeCache protoimpl.SizeCache
unknownFields protoimpl.UnknownFields
Response []byte `protobuf:"bytes,1,opt,name=response,proto3" json:"response,omitempty"`
Response []byte `protobuf:"bytes,1,opt,name=response" json:"response,omitempty"`
}
func (x *OCSPResponse) Reset() {
@ -410,7 +410,7 @@ var file_ca_proto_ca_proto_rawDesc = []byte{
0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x42, 0x29, 0x5a, 0x27, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62,
0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6c, 0x65, 0x74, 0x73, 0x65, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74,
0x2f, 0x62, 0x6f, 0x75, 0x6c, 0x64, 0x65, 0x72, 0x2f, 0x63, 0x61, 0x2f, 0x70, 0x72, 0x6f, 0x74,
0x6f, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
0x6f,
}
var (


@ -1,4 +1,4 @@
syntax = "proto3";
syntax = "proto2";
package ca;
option go_package = "github.com/letsencrypt/boulder/ca/proto";
@ -21,32 +21,32 @@ service OCSPGenerator {
}
message IssueCertificateRequest {
bytes csr = 1;
int64 registrationID = 2;
int64 orderID = 3;
optional bytes csr = 1;
optional int64 registrationID = 2;
optional int64 orderID = 3;
}
message IssuePrecertificateResponse {
bytes DER = 1;
optional bytes DER = 1;
}
message IssueCertificateForPrecertificateRequest {
bytes DER = 1;
optional bytes DER = 1;
repeated bytes SCTs = 2;
int64 registrationID = 3;
int64 orderID = 4;
optional int64 registrationID = 3;
optional int64 orderID = 4;
}
// Exactly one of certDER or [serial and issuerID] must be set.
message GenerateOCSPRequest {
bytes certDER = 1;
string status = 2;
int32 reason = 3;
int64 revokedAt = 4;
string serial = 5;
int64 issuerID = 6;
optional bytes certDER = 1;
optional string status = 2;
optional int32 reason = 3;
optional int64 revokedAt = 4;
optional string serial = 5;
optional int64 issuerID = 6;
}
message OCSPResponse {
bytes response = 1;
optional bytes response = 1;
}


@ -178,14 +178,17 @@ func getCertDER(selector ocspDB, serial string) ([]byte, error) {
}
func (updater *OCSPUpdater) generateResponse(ctx context.Context, status core.CertificateStatus) (*core.CertificateStatus, error) {
reason := int32(status.RevokedReason)
statusStr := string(status.Status)
revokedAt := status.RevokedDate.UnixNano()
ocspReq := capb.GenerateOCSPRequest{
Reason: int32(status.RevokedReason),
Status: string(status.Status),
RevokedAt: status.RevokedDate.UnixNano(),
Reason: &reason,
Status: &statusStr,
RevokedAt: &revokedAt,
}
if status.IssuerID != nil {
ocspReq.Serial = status.Serial
ocspReq.IssuerID = *status.IssuerID
ocspReq.Serial = &status.Serial
ocspReq.IssuerID = status.IssuerID
} else {
certDER, err := getCertDER(updater.dbMap, status.Serial)
if err != nil {


@ -416,7 +416,7 @@ type mockOCSPRecordIssuer struct {
}
func (ca *mockOCSPRecordIssuer) GenerateOCSP(_ context.Context, req *caPB.GenerateOCSPRequest, _ ...grpc.CallOption) (*caPB.OCSPResponse, error) {
ca.gotIssuer = req.IssuerID != 0 && req.Serial != ""
ca.gotIssuer = req.IssuerID != nil && req.Serial != nil
return &caPB.OCSPResponse{Response: []byte{1, 2, 3}}, nil
}


@ -234,11 +234,14 @@ func storeParsedLogLine(sa certificateStorage, ca ocspGenerator, logger blog.Log
func generateOCSP(ctx context.Context, ca ocspGenerator, certDER []byte) ([]byte, error) {
// generate a fresh OCSP response
statusGood := string(core.OCSPStatusGood)
zeroInt32 := int32(0)
zeroInt64 := int64(0)
ocspResponse, err := ca.GenerateOCSP(ctx, &capb.GenerateOCSPRequest{
CertDER: certDER,
Status: string(core.OCSPStatusGood),
Reason: int32(0),
RevokedAt: int64(0),
Status: &statusGood,
Reason: &zeroInt32,
RevokedAt: &zeroInt64,
})
if err != nil {
return nil, err


@ -82,14 +82,14 @@ func NewCertificateAuthorityServer(inner core.CertificateAuthority) *Certificate
}
func (cas *CertificateAuthorityServerWrapper) IssuePrecertificate(ctx context.Context, request *capb.IssueCertificateRequest) (*capb.IssuePrecertificateResponse, error) {
if request == nil || request.Csr == nil {
if request == nil || request.Csr == nil || request.OrderID == nil || request.RegistrationID == nil {
return nil, errIncompleteRequest
}
return cas.inner.IssuePrecertificate(ctx, request)
}
func (cas *CertificateAuthorityServerWrapper) IssueCertificateForPrecertificate(ctx context.Context, req *capb.IssueCertificateForPrecertificateRequest) (*corepb.Certificate, error) {
if req == nil || req.DER == nil || req.SCTs == nil {
if req == nil || req.DER == nil || req.OrderID == nil || req.RegistrationID == nil || req.SCTs == nil {
return nil, errIncompleteRequest
}
cert, err := cas.inner.IssueCertificateForPrecertificate(ctx, req)
@ -100,7 +100,7 @@ func (cas *CertificateAuthorityServerWrapper) IssueCertificateForPrecertificate(
}
func (cas *CertificateAuthorityServerWrapper) GenerateOCSP(ctx context.Context, req *capb.GenerateOCSPRequest) (*capb.OCSPResponse, error) {
if req.CertDER == nil && (req.Serial == "" || req.IssuerID == 0) {
if (req.CertDER == nil && (req.Serial == nil || req.IssuerID == nil)) || req.Status == nil || req.Reason == nil || req.RevokedAt == nil {
return nil, errIncompleteRequest
}
return cas.inner.GenerateOCSP(ctx, req)
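Review bot: The new `GenerateOCSP` guard `if (req.CertDER == nil && (req.Serial == nil || req.IssuerID == nil)) || req.Status == nil || req.Reason == nil || req.RevokedAt == nil {` reads fields of `req` without first testing `req == nil`, unlike the `IssuePrecertificate` and `IssueCertificateForPrecertificate` guards in the same hunk, so a nil request panics in the wrapper rather than returning `errIncompleteRequest`; prefix the condition with `req == nil ||`. One rollout caveat that this page cannot confirm: a proto3 peer that sends a zero `orderID`, `reason` or `revokedAt` omits the field on the wire, and these proto2 presence checks will treat that as missing, so a mixed-version CA/RA deployment may see `errIncompleteRequest` until both sides carry the revert — worth a sentence in the commit description or a comment above the check.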


@ -27,18 +27,18 @@ var ErrMissingParameters = CodedError(codes.FailedPrecondition, "required RPC pa
func authzMetaToPB(authz core.Authorization) (*vapb.AuthzMeta, error) {
return &vapb.AuthzMeta{
Id: authz.ID,
RegID: authz.RegistrationID,
Id: &authz.ID,
RegID: &authz.RegistrationID,
}, nil
}
func pbToAuthzMeta(in *vapb.AuthzMeta) (core.Authorization, error) {
if in == nil || in.Id == "" || in.RegID == 0 {
if in == nil || in.Id == nil || in.RegID == nil {
return core.Authorization{}, ErrMissingParameters
}
return core.Authorization{
ID: in.Id,
RegistrationID: in.RegID,
ID: *in.Id,
RegistrationID: *in.RegID,
}, nil
}
@ -228,11 +228,11 @@ func performValidationReqToArgs(in *vapb.PerformValidationRequest) (domain strin
err = ErrMissingParameters
return
}
if in.Domain == "" {
if in.Domain == nil {
err = ErrMissingParameters
return
}
domain = in.Domain
domain = *in.Domain
challenge, err = pbToChallenge(in.Challenge)
if err != nil {
return
@ -255,7 +255,7 @@ func argsToPerformValidationRequest(domain string, challenge core.Challenge, aut
return nil, err
}
return &vapb.PerformValidationRequest{
Domain: domain,
Domain: &domain,
Challenge: pbChall,
Authz: authzMeta,
}, nil
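Review bot: `pbToAuthzMeta` now checks presence only (`in.Id == nil || in.RegID == nil`), so a present-but-empty `Id` or a zero `RegID` passes where the proto3 version rejected them with `ErrMissingParameters`; the test in this commit only covers the nil cases, so the change in accepted inputs is silent. If empty values are still invalid, keep the value check alongside presence: `if in == nil || in.Id == nil || *in.Id == "" || in.RegID == nil || *in.RegID == 0 {`. The same question applies to `if in.Domain == nil {` in `performValidationReqToArgs`, whose body starts before this hunk; whichever semantics is intended, a one-line comment stating it would prevent the next migration from flipping it again.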


@ -21,10 +21,10 @@ func TestAuthzMeta(t *testing.T) {
pb, err := authzMetaToPB(authz)
test.AssertNotError(t, err, "authzMetaToPB failed")
test.Assert(t, pb != nil, "return vapb.AuthzMeta is nill")
test.Assert(t, pb.Id != "", "Id field is not set")
test.AssertEquals(t, pb.Id, authz.ID)
test.Assert(t, pb.RegID != 0, "RegistrationID field is not set")
test.AssertEquals(t, pb.RegID, authz.RegistrationID)
test.Assert(t, pb.Id != nil, "Id field is nil")
test.AssertEquals(t, *pb.Id, authz.ID)
test.Assert(t, pb.RegID != nil, "RegistrationID field is nil")
test.AssertEquals(t, *pb.RegID, authz.RegistrationID)
recon, err := pbToAuthzMeta(pb)
test.AssertNotError(t, err, "pbToAuthzMeta failed")
@ -37,10 +37,12 @@ func TestAuthzMeta(t *testing.T) {
_, err = pbToAuthzMeta(&vapb.AuthzMeta{})
test.AssertError(t, err, "pbToAuthzMeta did not fail")
test.AssertEquals(t, err, ErrMissingParameters)
_, err = pbToAuthzMeta(&vapb.AuthzMeta{Id: ""})
empty := ""
one := int64(1)
_, err = pbToAuthzMeta(&vapb.AuthzMeta{Id: &empty})
test.AssertError(t, err, "pbToAuthzMeta did not fail")
test.AssertEquals(t, err, ErrMissingParameters)
_, err = pbToAuthzMeta(&vapb.AuthzMeta{RegID: int64(1)})
_, err = pbToAuthzMeta(&vapb.AuthzMeta{RegID: &one})
test.AssertError(t, err, "pbToAuthzMeta did not fail")
test.AssertEquals(t, err, ErrMissingParameters)
}


@ -848,9 +848,9 @@ func (ra *RegistrationAuthorityImpl) recheckCAA(ctx context.Context, authzs []*c
}
resp, err := ra.caa.IsCAAValid(ctx, &vaPB.IsCAAValidRequest{
Domain: name,
ValidationMethod: method,
AccountURIID: authz.RegistrationID,
Domain: &name,
ValidationMethod: &method,
AccountURIID: &authz.RegistrationID,
})
if err != nil {
ra.log.AuditErrf("Rechecking CAA: %s", err)
@ -1188,8 +1188,8 @@ func (ra *RegistrationAuthorityImpl) issueCertificateInner(
orderIDInt := int64(oID)
issueReq := &caPB.IssueCertificateRequest{
Csr: csr.Raw,
RegistrationID: acctIDInt,
OrderID: orderIDInt,
RegistrationID: &acctIDInt,
OrderID: &orderIDInt,
}
// wrapError adds a prefix to an error. If the error is a boulder error then
@ -1218,8 +1218,8 @@ func (ra *RegistrationAuthorityImpl) issueCertificateInner(
cert, err := ra.CA.IssueCertificateForPrecertificate(ctx, &caPB.IssueCertificateForPrecertificateRequest{
DER: precert.DER,
SCTs: scts,
RegistrationID: acctIDInt,
OrderID: orderIDInt,
RegistrationID: &acctIDInt,
OrderID: &orderIDInt,
})
if err != nil {
return emptyCert, wrapError(err, "issuing certificate for precertificate")
@ -1659,13 +1659,14 @@ func revokeEvent(state, serial, cn string, names []string, revocationCode revoca
// revokeCertificate generates a revoked OCSP response for the given certificate, stores
// the revocation information, and purges OCSP request URLs from Akamai.
func (ra *RegistrationAuthorityImpl) revokeCertificate(ctx context.Context, cert x509.Certificate, code revocation.Reason, revokedBy int64, source string, comment string) error {
status := string(core.OCSPStatusRevoked)
reason := int32(code)
revokedAt := ra.clk.Now().UnixNano()
ocspResponse, err := ra.CA.GenerateOCSP(ctx, &caPB.GenerateOCSPRequest{
CertDER: cert.Raw,
Status: string(core.OCSPStatusRevoked),
Reason: reason,
RevokedAt: revokedAt,
Status: &status,
Reason: &reason,
RevokedAt: &revokedAt,
})
if err != nil {
return err


@ -1780,7 +1780,7 @@ func (cr *caaRecorder) IsCAAValid(
) (*vaPB.IsCAAValidResponse, error) {
cr.Lock()
defer cr.Unlock()
cr.names[in.Domain] = true
cr.names[*in.Domain] = true
return &vaPB.IsCAAValidResponse{}, nil
}
@ -1899,7 +1899,7 @@ func (cf *caaFailer) IsCAAValid(
opts ...grpc.CallOption,
) (*vaPB.IsCAAValidResponse, error) {
cvrpb := &vaPB.IsCAAValidResponse{}
switch in.Domain {
switch *in.Domain {
case "a.com":
cvrpb.Problem = &corepb.ProblemDetails{
Detail: proto.String("CAA invalid for a.com"),


@ -23,15 +23,15 @@ type caaParams struct {
func (va *ValidationAuthorityImpl) IsCAAValid(ctx context.Context, req *vapb.IsCAAValidRequest) (*vapb.IsCAAValidResponse, error) {
acmeID := identifier.ACMEIdentifier{
Type: identifier.DNS,
Value: req.Domain,
Value: *req.Domain,
}
params := &caaParams{
accountURIID: &req.AccountURIID,
validationMethod: &req.ValidationMethod,
accountURIID: req.AccountURIID,
validationMethod: req.ValidationMethod,
}
if prob := va.checkCAA(ctx, acmeID, params); prob != nil {
typ := string(prob.Type)
detail := fmt.Sprintf("While processing CAA for %s: %s", req.Domain, prob.Detail)
detail := fmt.Sprintf("While processing CAA for %s: %s", *req.Domain, prob.Detail)
return &vapb.IsCAAValidResponse{
Problem: &corepb.ProblemDetails{
ProblemType: &typ,
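Review bot: `IsCAAValid` dereferences `*req.Domain` at `Value: *req.Domain,` and again in the `fmt.Sprintf` without a nil check anywhere in this hunk, so a request with the field unset would panic the VA handler where the proto3 version produced an empty string. Unless a wrapper outside this page validates the request, add `if req == nil || req.Domain == nil { return nil, fmt.Errorf("IsCAAValidRequest missing domain") }` at the top of the function. `accountURIID` and `validationMethod` are now passed through as possibly-nil pointers, which looks deliberate since the test in this commit sends only `Domain`; a short comment on the `caaParams` literal saying both are optional would make that explicit. IsCAAValid's body continues past this hunk.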


@ -565,7 +565,7 @@ func TestIsCAAValidErrMessage(t *testing.T) {
// caaMockDNS.
domain := "caa-timeout.com"
resp, err := va.IsCAAValid(ctx, &vapb.IsCAAValidRequest{
Domain: domain,
Domain: &domain,
})
// The lookup itself should not return an error


@ -36,9 +36,9 @@ type IsCAAValidRequest struct {
unknownFields protoimpl.UnknownFields
// NOTE: Domain may be a name with a wildcard prefix (e.g. `*.example.com`)
Domain string `protobuf:"bytes,1,opt,name=domain,proto3" json:"domain,omitempty"`
ValidationMethod string `protobuf:"bytes,2,opt,name=validationMethod,proto3" json:"validationMethod,omitempty"`
AccountURIID int64 `protobuf:"varint,3,opt,name=accountURIID,proto3" json:"accountURIID,omitempty"`
Domain *string `protobuf:"bytes,1,opt,name=domain" json:"domain,omitempty"`
ValidationMethod *string `protobuf:"bytes,2,opt,name=validationMethod" json:"validationMethod,omitempty"`
AccountURIID *int64 `protobuf:"varint,3,opt,name=accountURIID" json:"accountURIID,omitempty"`
}
func (x *IsCAAValidRequest) Reset() {
@ -74,22 +74,22 @@ func (*IsCAAValidRequest) Descriptor() ([]byte, []int) {
}
func (x *IsCAAValidRequest) GetDomain() string {
if x != nil {
return x.Domain
if x != nil && x.Domain != nil {
return *x.Domain
}
return ""
}
func (x *IsCAAValidRequest) GetValidationMethod() string {
if x != nil {
return x.ValidationMethod
if x != nil && x.ValidationMethod != nil {
return *x.ValidationMethod
}
return ""
}
func (x *IsCAAValidRequest) GetAccountURIID() int64 {
if x != nil {
return x.AccountURIID
if x != nil && x.AccountURIID != nil {
return *x.AccountURIID
}
return 0
}
@ -100,7 +100,7 @@ type IsCAAValidResponse struct {
sizeCache protoimpl.SizeCache
unknownFields protoimpl.UnknownFields
Problem *proto1.ProblemDetails `protobuf:"bytes,1,opt,name=problem,proto3" json:"problem,omitempty"`
Problem *proto1.ProblemDetails `protobuf:"bytes,1,opt,name=problem" json:"problem,omitempty"`
}
func (x *IsCAAValidResponse) Reset() {
@ -147,9 +147,9 @@ type PerformValidationRequest struct {
sizeCache protoimpl.SizeCache
unknownFields protoimpl.UnknownFields
Domain string `protobuf:"bytes,1,opt,name=domain,proto3" json:"domain,omitempty"`
Challenge *proto1.Challenge `protobuf:"bytes,2,opt,name=challenge,proto3" json:"challenge,omitempty"`
Authz *AuthzMeta `protobuf:"bytes,3,opt,name=authz,proto3" json:"authz,omitempty"`
Domain *string `protobuf:"bytes,1,opt,name=domain" json:"domain,omitempty"`
Challenge *proto1.Challenge `protobuf:"bytes,2,opt,name=challenge" json:"challenge,omitempty"`
Authz *AuthzMeta `protobuf:"bytes,3,opt,name=authz" json:"authz,omitempty"`
}
func (x *PerformValidationRequest) Reset() {
@ -185,8 +185,8 @@ func (*PerformValidationRequest) Descriptor() ([]byte, []int) {
}
func (x *PerformValidationRequest) GetDomain() string {
if x != nil {
return x.Domain
if x != nil && x.Domain != nil {
return *x.Domain
}
return ""
}
@ -210,8 +210,8 @@ type AuthzMeta struct {
sizeCache protoimpl.SizeCache
unknownFields protoimpl.UnknownFields
Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"`
RegID int64 `protobuf:"varint,2,opt,name=regID,proto3" json:"regID,omitempty"`
Id *string `protobuf:"bytes,1,opt,name=id" json:"id,omitempty"`
RegID *int64 `protobuf:"varint,2,opt,name=regID" json:"regID,omitempty"`
}
func (x *AuthzMeta) Reset() {
@ -247,15 +247,15 @@ func (*AuthzMeta) Descriptor() ([]byte, []int) {
}
func (x *AuthzMeta) GetId() string {
if x != nil {
return x.Id
if x != nil && x.Id != nil {
return *x.Id
}
return ""
}
func (x *AuthzMeta) GetRegID() int64 {
if x != nil {
return x.RegID
if x != nil && x.RegID != nil {
return *x.RegID
}
return 0
}
@ -265,8 +265,8 @@ type ValidationResult struct {
sizeCache protoimpl.SizeCache
unknownFields protoimpl.UnknownFields
Records []*proto1.ValidationRecord `protobuf:"bytes,1,rep,name=records,proto3" json:"records,omitempty"`
Problems *proto1.ProblemDetails `protobuf:"bytes,2,opt,name=problems,proto3" json:"problems,omitempty"`
Records []*proto1.ValidationRecord `protobuf:"bytes,1,rep,name=records" json:"records,omitempty"`
Problems *proto1.ProblemDetails `protobuf:"bytes,2,opt,name=problems" json:"problems,omitempty"`
}
func (x *ValidationResult) Reset() {
@ -364,7 +364,7 @@ var file_va_proto_va_proto_rawDesc = []byte{
0x69, 0x64, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x42, 0x29, 0x5a, 0x27,
0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6c, 0x65, 0x74, 0x73, 0x65,
0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x2f, 0x62, 0x6f, 0x75, 0x6c, 0x64, 0x65, 0x72, 0x2f, 0x76,
0x61, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
0x61, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f,
}
var (


@ -1,4 +1,4 @@
syntax = "proto3";
syntax = "proto2";
package va;
option go_package = "github.com/letsencrypt/boulder/va/proto";
@ -15,28 +15,28 @@ service CAA {
message IsCAAValidRequest {
// NOTE: Domain may be a name with a wildcard prefix (e.g. `*.example.com`)
string domain = 1;
string validationMethod = 2;
int64 accountURIID = 3;
optional string domain = 1;
optional string validationMethod = 2;
optional int64 accountURIID = 3;
}
// If CAA is valid for the requested domain, the problem will be empty
message IsCAAValidResponse {
core.ProblemDetails problem = 1;
optional core.ProblemDetails problem = 1;
}
message PerformValidationRequest {
string domain = 1;
core.Challenge challenge = 2;
AuthzMeta authz = 3;
optional string domain = 1;
optional core.Challenge challenge = 2;
optional AuthzMeta authz = 3;
}
message AuthzMeta {
string id = 1;
int64 regID = 2;
optional string id = 1;
optional int64 regID = 2;
}
message ValidationResult {
repeated core.ValidationRecord records = 1;
core.ProblemDetails problems = 2;
optional core.ProblemDetails problems = 2;
}