Deprecate ROCSPStage6 feature flag (#6770)

Deprecate the ROCSPStage6 feature flag. Remove all references to the
`ocspResponse` column from the SA, both when reading from and when
writing to the `certificateStatus` table. This makes it safe to fully
remove that column from the database.

IN-8731 enabled this flag in all environments, so it is safe to
deprecate.

Part of #6285
Aaron Gable 2023-04-04 15:41:51 -07:00 committed by GitHub
parent 8824e347fd
commit 7e994a1216
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
14 changed files with 86 additions and 406 deletions


@ -131,7 +131,6 @@ func TestLoadFromDB(t *testing.T) {
for i := 0; i < 100; i++ {
err = dbMap.Insert(&core.CertificateStatus{
Serial: fmt.Sprintf("%036x", i),
OCSPResponse: []byte("phthpbt"),
NotAfter: clk.Now().Add(200 * time.Hour),
OCSPLastUpdated: clk.Now(),
})


@ -433,13 +433,6 @@ type CertificateStatus struct {
LastExpirationNagSent time.Time `db:"lastExpirationNagSent"`
// The encoded and signed OCSP response.
//
// Deprecated: We are phasing out storing OCSP Response bytes in the database,
// so CertificateStatus objects should not be expected to have a populated
// OCSPResponse field anymore.
OCSPResponse []byte `db:"ocspResponse"`
// NotAfter and IsExpired are convenience columns which allow expensive
// queries to quickly filter out certificates that we don't need to care about
// anymore. These are particularly useful for the expiration mailer and CRL


@ -390,7 +390,6 @@ type CertificateStatus struct {
RevokedDate int64 `protobuf:"varint,5,opt,name=revokedDate,proto3" json:"revokedDate,omitempty"`
RevokedReason int64 `protobuf:"varint,6,opt,name=revokedReason,proto3" json:"revokedReason,omitempty"`
LastExpirationNagSent int64 `protobuf:"varint,7,opt,name=lastExpirationNagSent,proto3" json:"lastExpirationNagSent,omitempty"`
OcspResponse []byte `protobuf:"bytes,8,opt,name=ocspResponse,proto3" json:"ocspResponse,omitempty"`
NotAfter int64 `protobuf:"varint,9,opt,name=notAfter,proto3" json:"notAfter,omitempty"`
IsExpired bool `protobuf:"varint,10,opt,name=isExpired,proto3" json:"isExpired,omitempty"`
IssuerID int64 `protobuf:"varint,11,opt,name=issuerID,proto3" json:"issuerID,omitempty"`
@ -470,13 +469,6 @@ func (x *CertificateStatus) GetLastExpirationNagSent() int64 {
return 0
}
func (x *CertificateStatus) GetOcspResponse() []byte {
if x != nil {
return x.OcspResponse
}
return nil
}
func (x *CertificateStatus) GetNotAfter() int64 {
if x != nil {
return x.NotAfter
@ -925,7 +917,7 @@ var file_core_proto_rawDesc = []byte{
0x28, 0x0c, 0x52, 0x03, 0x64, 0x65, 0x72, 0x12, 0x16, 0x0a, 0x06, 0x69, 0x73, 0x73, 0x75, 0x65,
0x64, 0x18, 0x05, 0x20, 0x01, 0x28, 0x03, 0x52, 0x06, 0x69, 0x73, 0x73, 0x75, 0x65, 0x64, 0x12,
0x18, 0x0a, 0x07, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x73, 0x18, 0x06, 0x20, 0x01, 0x28, 0x03,
0x52, 0x07, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x73, 0x22, 0xeb, 0x02, 0x0a, 0x11, 0x43, 0x65,
0x52, 0x07, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x73, 0x22, 0xc7, 0x02, 0x0a, 0x11, 0x43, 0x65,
0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12,
0x16, 0x0a, 0x06, 0x73, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52,
0x06, 0x73, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x12, 0x16, 0x0a, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75,
@ -940,74 +932,71 @@ var file_core_proto_rawDesc = []byte{
0x6e, 0x12, 0x34, 0x0a, 0x15, 0x6c, 0x61, 0x73, 0x74, 0x45, 0x78, 0x70, 0x69, 0x72, 0x61, 0x74,
0x69, 0x6f, 0x6e, 0x4e, 0x61, 0x67, 0x53, 0x65, 0x6e, 0x74, 0x18, 0x07, 0x20, 0x01, 0x28, 0x03,
0x52, 0x15, 0x6c, 0x61, 0x73, 0x74, 0x45, 0x78, 0x70, 0x69, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e,
0x4e, 0x61, 0x67, 0x53, 0x65, 0x6e, 0x74, 0x12, 0x22, 0x0a, 0x0c, 0x6f, 0x63, 0x73, 0x70, 0x52,
0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x18, 0x08, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0c, 0x6f,
0x63, 0x73, 0x70, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x1a, 0x0a, 0x08, 0x6e,
0x6f, 0x74, 0x41, 0x66, 0x74, 0x65, 0x72, 0x18, 0x09, 0x20, 0x01, 0x28, 0x03, 0x52, 0x08, 0x6e,
0x6f, 0x74, 0x41, 0x66, 0x74, 0x65, 0x72, 0x12, 0x1c, 0x0a, 0x09, 0x69, 0x73, 0x45, 0x78, 0x70,
0x69, 0x72, 0x65, 0x64, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x08, 0x52, 0x09, 0x69, 0x73, 0x45, 0x78,
0x70, 0x69, 0x72, 0x65, 0x64, 0x12, 0x1a, 0x0a, 0x08, 0x69, 0x73, 0x73, 0x75, 0x65, 0x72, 0x49,
0x44, 0x18, 0x0b, 0x20, 0x01, 0x28, 0x03, 0x52, 0x08, 0x69, 0x73, 0x73, 0x75, 0x65, 0x72, 0x49,
0x44, 0x4a, 0x04, 0x08, 0x02, 0x10, 0x03, 0x22, 0xe6, 0x01, 0x0a, 0x0c, 0x52, 0x65, 0x67, 0x69,
0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01,
0x20, 0x01, 0x28, 0x03, 0x52, 0x02, 0x69, 0x64, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18,
0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x18, 0x0a, 0x07, 0x63, 0x6f,
0x6e, 0x74, 0x61, 0x63, 0x74, 0x18, 0x03, 0x20, 0x03, 0x28, 0x09, 0x52, 0x07, 0x63, 0x6f, 0x6e,
0x74, 0x61, 0x63, 0x74, 0x12, 0x28, 0x0a, 0x0f, 0x63, 0x6f, 0x6e, 0x74, 0x61, 0x63, 0x74, 0x73,
0x50, 0x72, 0x65, 0x73, 0x65, 0x6e, 0x74, 0x18, 0x04, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0f, 0x63,
0x6f, 0x6e, 0x74, 0x61, 0x63, 0x74, 0x73, 0x50, 0x72, 0x65, 0x73, 0x65, 0x6e, 0x74, 0x12, 0x1c,
0x0a, 0x09, 0x61, 0x67, 0x72, 0x65, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x18, 0x05, 0x20, 0x01, 0x28,
0x09, 0x52, 0x09, 0x61, 0x67, 0x72, 0x65, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x12, 0x1c, 0x0a, 0x09,
0x69, 0x6e, 0x69, 0x74, 0x69, 0x61, 0x6c, 0x49, 0x50, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0c, 0x52,
0x09, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x61, 0x6c, 0x49, 0x50, 0x12, 0x1c, 0x0a, 0x09, 0x63, 0x72,
0x65, 0x61, 0x74, 0x65, 0x64, 0x41, 0x74, 0x18, 0x07, 0x20, 0x01, 0x28, 0x03, 0x52, 0x09, 0x63,
0x72, 0x65, 0x61, 0x74, 0x65, 0x64, 0x41, 0x74, 0x12, 0x16, 0x0a, 0x06, 0x73, 0x74, 0x61, 0x74,
0x75, 0x73, 0x18, 0x08, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73,
0x22, 0xd6, 0x01, 0x0a, 0x0d, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69,
0x6f, 0x6e, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02,
0x69, 0x64, 0x12, 0x1e, 0x0a, 0x0a, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x66, 0x69, 0x65, 0x72,
0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x66, 0x69,
0x65, 0x72, 0x12, 0x26, 0x0a, 0x0e, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69,
0x6f, 0x6e, 0x49, 0x44, 0x18, 0x03, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0e, 0x72, 0x65, 0x67, 0x69,
0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x44, 0x12, 0x16, 0x0a, 0x06, 0x73, 0x74,
0x61, 0x74, 0x75, 0x73, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x73, 0x74, 0x61, 0x74,
0x75, 0x73, 0x12, 0x18, 0x0a, 0x07, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x73, 0x18, 0x05, 0x20,
0x01, 0x28, 0x03, 0x52, 0x07, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x73, 0x12, 0x2f, 0x0a, 0x0a,
0x63, 0x68, 0x61, 0x6c, 0x6c, 0x65, 0x6e, 0x67, 0x65, 0x73, 0x18, 0x06, 0x20, 0x03, 0x28, 0x0b,
0x32, 0x0f, 0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x43, 0x68, 0x61, 0x6c, 0x6c, 0x65, 0x6e, 0x67,
0x65, 0x52, 0x0a, 0x63, 0x68, 0x61, 0x6c, 0x6c, 0x65, 0x6e, 0x67, 0x65, 0x73, 0x4a, 0x04, 0x08,
0x07, 0x10, 0x08, 0x4a, 0x04, 0x08, 0x08, 0x10, 0x09, 0x22, 0xd7, 0x02, 0x0a, 0x05, 0x4f, 0x72,
0x64, 0x65, 0x72, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x03, 0x52,
0x02, 0x69, 0x64, 0x12, 0x26, 0x0a, 0x0e, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74,
0x69, 0x6f, 0x6e, 0x49, 0x44, 0x18, 0x02, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0e, 0x72, 0x65, 0x67,
0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x44, 0x12, 0x18, 0x0a, 0x07, 0x65,
0x78, 0x70, 0x69, 0x72, 0x65, 0x73, 0x18, 0x03, 0x20, 0x01, 0x28, 0x03, 0x52, 0x07, 0x65, 0x78,
0x70, 0x69, 0x72, 0x65, 0x73, 0x12, 0x2a, 0x0a, 0x05, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x18, 0x04,
0x20, 0x01, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x50, 0x72, 0x6f, 0x62,
0x6c, 0x65, 0x6d, 0x44, 0x65, 0x74, 0x61, 0x69, 0x6c, 0x73, 0x52, 0x05, 0x65, 0x72, 0x72, 0x6f,
0x72, 0x12, 0x2c, 0x0a, 0x11, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65,
0x53, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x11, 0x63, 0x65,
0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x53, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x12,
0x16, 0x0a, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x18, 0x07, 0x20, 0x01, 0x28, 0x09, 0x52,
0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x14, 0x0a, 0x05, 0x6e, 0x61, 0x6d, 0x65, 0x73,
0x18, 0x08, 0x20, 0x03, 0x28, 0x09, 0x52, 0x05, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x12, 0x28, 0x0a,
0x0f, 0x62, 0x65, 0x67, 0x61, 0x6e, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x69, 0x6e, 0x67,
0x18, 0x09, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0f, 0x62, 0x65, 0x67, 0x61, 0x6e, 0x50, 0x72, 0x6f,
0x63, 0x65, 0x73, 0x73, 0x69, 0x6e, 0x67, 0x12, 0x18, 0x0a, 0x07, 0x63, 0x72, 0x65, 0x61, 0x74,
0x65, 0x64, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x03, 0x52, 0x07, 0x63, 0x72, 0x65, 0x61, 0x74, 0x65,
0x64, 0x12, 0x2a, 0x0a, 0x10, 0x76, 0x32, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61,
0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x0b, 0x20, 0x03, 0x28, 0x03, 0x52, 0x10, 0x76, 0x32, 0x41,
0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x4a, 0x04, 0x08,
0x06, 0x10, 0x07, 0x22, 0x58, 0x0a, 0x08, 0x43, 0x52, 0x4c, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12,
0x16, 0x0a, 0x06, 0x73, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52,
0x06, 0x73, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x12, 0x16, 0x0a, 0x06, 0x72, 0x65, 0x61, 0x73, 0x6f,
0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x05, 0x52, 0x06, 0x72, 0x65, 0x61, 0x73, 0x6f, 0x6e, 0x12,
0x1c, 0x0a, 0x09, 0x72, 0x65, 0x76, 0x6f, 0x6b, 0x65, 0x64, 0x41, 0x74, 0x18, 0x03, 0x20, 0x01,
0x28, 0x03, 0x52, 0x09, 0x72, 0x65, 0x76, 0x6f, 0x6b, 0x65, 0x64, 0x41, 0x74, 0x42, 0x2b, 0x5a,
0x29, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6c, 0x65, 0x74, 0x73,
0x65, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x2f, 0x62, 0x6f, 0x75, 0x6c, 0x64, 0x65, 0x72, 0x2f,
0x63, 0x6f, 0x72, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74,
0x6f, 0x33,
0x4e, 0x61, 0x67, 0x53, 0x65, 0x6e, 0x74, 0x12, 0x1a, 0x0a, 0x08, 0x6e, 0x6f, 0x74, 0x41, 0x66,
0x74, 0x65, 0x72, 0x18, 0x09, 0x20, 0x01, 0x28, 0x03, 0x52, 0x08, 0x6e, 0x6f, 0x74, 0x41, 0x66,
0x74, 0x65, 0x72, 0x12, 0x1c, 0x0a, 0x09, 0x69, 0x73, 0x45, 0x78, 0x70, 0x69, 0x72, 0x65, 0x64,
0x18, 0x0a, 0x20, 0x01, 0x28, 0x08, 0x52, 0x09, 0x69, 0x73, 0x45, 0x78, 0x70, 0x69, 0x72, 0x65,
0x64, 0x12, 0x1a, 0x0a, 0x08, 0x69, 0x73, 0x73, 0x75, 0x65, 0x72, 0x49, 0x44, 0x18, 0x0b, 0x20,
0x01, 0x28, 0x03, 0x52, 0x08, 0x69, 0x73, 0x73, 0x75, 0x65, 0x72, 0x49, 0x44, 0x4a, 0x04, 0x08,
0x02, 0x10, 0x03, 0x22, 0xe6, 0x01, 0x0a, 0x0c, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61,
0x74, 0x69, 0x6f, 0x6e, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x03,
0x52, 0x02, 0x69, 0x64, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28,
0x0c, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x18, 0x0a, 0x07, 0x63, 0x6f, 0x6e, 0x74, 0x61, 0x63,
0x74, 0x18, 0x03, 0x20, 0x03, 0x28, 0x09, 0x52, 0x07, 0x63, 0x6f, 0x6e, 0x74, 0x61, 0x63, 0x74,
0x12, 0x28, 0x0a, 0x0f, 0x63, 0x6f, 0x6e, 0x74, 0x61, 0x63, 0x74, 0x73, 0x50, 0x72, 0x65, 0x73,
0x65, 0x6e, 0x74, 0x18, 0x04, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0f, 0x63, 0x6f, 0x6e, 0x74, 0x61,
0x63, 0x74, 0x73, 0x50, 0x72, 0x65, 0x73, 0x65, 0x6e, 0x74, 0x12, 0x1c, 0x0a, 0x09, 0x61, 0x67,
0x72, 0x65, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x61,
0x67, 0x72, 0x65, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x12, 0x1c, 0x0a, 0x09, 0x69, 0x6e, 0x69, 0x74,
0x69, 0x61, 0x6c, 0x49, 0x50, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x09, 0x69, 0x6e, 0x69,
0x74, 0x69, 0x61, 0x6c, 0x49, 0x50, 0x12, 0x1c, 0x0a, 0x09, 0x63, 0x72, 0x65, 0x61, 0x74, 0x65,
0x64, 0x41, 0x74, 0x18, 0x07, 0x20, 0x01, 0x28, 0x03, 0x52, 0x09, 0x63, 0x72, 0x65, 0x61, 0x74,
0x65, 0x64, 0x41, 0x74, 0x12, 0x16, 0x0a, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x18, 0x08,
0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x22, 0xd6, 0x01, 0x0a,
0x0d, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x0e,
0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x1e,
0x0a, 0x0a, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x66, 0x69, 0x65, 0x72, 0x18, 0x02, 0x20, 0x01,
0x28, 0x09, 0x52, 0x0a, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x66, 0x69, 0x65, 0x72, 0x12, 0x26,
0x0a, 0x0e, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x44,
0x18, 0x03, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0e, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61,
0x74, 0x69, 0x6f, 0x6e, 0x49, 0x44, 0x12, 0x16, 0x0a, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73,
0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x18,
0x0a, 0x07, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x73, 0x18, 0x05, 0x20, 0x01, 0x28, 0x03, 0x52,
0x07, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x73, 0x12, 0x2f, 0x0a, 0x0a, 0x63, 0x68, 0x61, 0x6c,
0x6c, 0x65, 0x6e, 0x67, 0x65, 0x73, 0x18, 0x06, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x0f, 0x2e, 0x63,
0x6f, 0x72, 0x65, 0x2e, 0x43, 0x68, 0x61, 0x6c, 0x6c, 0x65, 0x6e, 0x67, 0x65, 0x52, 0x0a, 0x63,
0x68, 0x61, 0x6c, 0x6c, 0x65, 0x6e, 0x67, 0x65, 0x73, 0x4a, 0x04, 0x08, 0x07, 0x10, 0x08, 0x4a,
0x04, 0x08, 0x08, 0x10, 0x09, 0x22, 0xd7, 0x02, 0x0a, 0x05, 0x4f, 0x72, 0x64, 0x65, 0x72, 0x12,
0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x03, 0x52, 0x02, 0x69, 0x64, 0x12,
0x26, 0x0a, 0x0e, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x49,
0x44, 0x18, 0x02, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0e, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72,
0x61, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x44, 0x12, 0x18, 0x0a, 0x07, 0x65, 0x78, 0x70, 0x69, 0x72,
0x65, 0x73, 0x18, 0x03, 0x20, 0x01, 0x28, 0x03, 0x52, 0x07, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65,
0x73, 0x12, 0x2a, 0x0a, 0x05, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b,
0x32, 0x14, 0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x50, 0x72, 0x6f, 0x62, 0x6c, 0x65, 0x6d, 0x44,
0x65, 0x74, 0x61, 0x69, 0x6c, 0x73, 0x52, 0x05, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x12, 0x2c, 0x0a,
0x11, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x53, 0x65, 0x72, 0x69,
0x61, 0x6c, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x11, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66,
0x69, 0x63, 0x61, 0x74, 0x65, 0x53, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x12, 0x16, 0x0a, 0x06, 0x73,
0x74, 0x61, 0x74, 0x75, 0x73, 0x18, 0x07, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x73, 0x74, 0x61,
0x74, 0x75, 0x73, 0x12, 0x14, 0x0a, 0x05, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x18, 0x08, 0x20, 0x03,
0x28, 0x09, 0x52, 0x05, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x12, 0x28, 0x0a, 0x0f, 0x62, 0x65, 0x67,
0x61, 0x6e, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x69, 0x6e, 0x67, 0x18, 0x09, 0x20, 0x01,
0x28, 0x08, 0x52, 0x0f, 0x62, 0x65, 0x67, 0x61, 0x6e, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73,
0x69, 0x6e, 0x67, 0x12, 0x18, 0x0a, 0x07, 0x63, 0x72, 0x65, 0x61, 0x74, 0x65, 0x64, 0x18, 0x0a,
0x20, 0x01, 0x28, 0x03, 0x52, 0x07, 0x63, 0x72, 0x65, 0x61, 0x74, 0x65, 0x64, 0x12, 0x2a, 0x0a,
0x10, 0x76, 0x32, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e,
0x73, 0x18, 0x0b, 0x20, 0x03, 0x28, 0x03, 0x52, 0x10, 0x76, 0x32, 0x41, 0x75, 0x74, 0x68, 0x6f,
0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x4a, 0x04, 0x08, 0x06, 0x10, 0x07, 0x22,
0x58, 0x0a, 0x08, 0x43, 0x52, 0x4c, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x16, 0x0a, 0x06, 0x73,
0x65, 0x72, 0x69, 0x61, 0x6c, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x73, 0x65, 0x72,
0x69, 0x61, 0x6c, 0x12, 0x16, 0x0a, 0x06, 0x72, 0x65, 0x61, 0x73, 0x6f, 0x6e, 0x18, 0x02, 0x20,
0x01, 0x28, 0x05, 0x52, 0x06, 0x72, 0x65, 0x61, 0x73, 0x6f, 0x6e, 0x12, 0x1c, 0x0a, 0x09, 0x72,
0x65, 0x76, 0x6f, 0x6b, 0x65, 0x64, 0x41, 0x74, 0x18, 0x03, 0x20, 0x01, 0x28, 0x03, 0x52, 0x09,
0x72, 0x65, 0x76, 0x6f, 0x6b, 0x65, 0x64, 0x41, 0x74, 0x42, 0x2b, 0x5a, 0x29, 0x67, 0x69, 0x74,
0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6c, 0x65, 0x74, 0x73, 0x65, 0x6e, 0x63, 0x72,
0x79, 0x70, 0x74, 0x2f, 0x62, 0x6f, 0x75, 0x6c, 0x64, 0x65, 0x72, 0x2f, 0x63, 0x6f, 0x72, 0x65,
0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
}
var (


@ -52,7 +52,6 @@ message CertificateStatus {
int64 revokedDate = 5;
int64 revokedReason = 6;
int64 lastExpirationNagSent = 7;
bytes ocspResponse = 8;
int64 notAfter = 9;
bool isExpired = 10;
int64 issuerID = 11;
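Review bot: Dropping `bytes ocspResponse = 8;` without reserving the number leaves field 8 free for a later field of a different type, and during a rolling deploy an older binary would then decode that field's bytes as an OCSP response (or the reverse). The message already uses this protection for field 2 — the regenerated descriptor in this commit still appears to carry a reserved range covering it — so the same pattern belongs here: `reserved 8;` and `reserved "ocspResponse";` next to the existing reservation, then regenerate core.pb.go. The CertificateStatus message starts before this hunk.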


@ -10,14 +10,14 @@ func _() {
var x [1]struct{}
_ = x[unused-0]
_ = x[StoreRevokerInfo-1]
_ = x[CAAValidationMethods-2]
_ = x[CAAAccountURI-3]
_ = x[EnforceMultiVA-4]
_ = x[MultiVAFullResults-5]
_ = x[ECDSAForAll-6]
_ = x[ServeRenewalInfo-7]
_ = x[AllowUnrecognizedFeatures-8]
_ = x[ROCSPStage6-9]
_ = x[ROCSPStage6-2]
_ = x[CAAValidationMethods-3]
_ = x[CAAAccountURI-4]
_ = x[EnforceMultiVA-5]
_ = x[MultiVAFullResults-6]
_ = x[ECDSAForAll-7]
_ = x[ServeRenewalInfo-8]
_ = x[AllowUnrecognizedFeatures-9]
_ = x[ROCSPStage7-10]
_ = x[ExpirationMailerUsesJoin-11]
_ = x[CertCheckerChecksValidations-12]
@ -26,9 +26,9 @@ func _() {
_ = x[RequireCommonName-15]
}
const _FeatureFlag_name = "unusedStoreRevokerInfoCAAValidationMethodsCAAAccountURIEnforceMultiVAMultiVAFullResultsECDSAForAllServeRenewalInfoAllowUnrecognizedFeaturesROCSPStage6ROCSPStage7ExpirationMailerUsesJoinCertCheckerChecksValidationsCertCheckerRequiresValidationsAsyncFinalizeRequireCommonName"
const _FeatureFlag_name = "unusedStoreRevokerInfoROCSPStage6CAAValidationMethodsCAAAccountURIEnforceMultiVAMultiVAFullResultsECDSAForAllServeRenewalInfoAllowUnrecognizedFeaturesROCSPStage7ExpirationMailerUsesJoinCertCheckerChecksValidationsCertCheckerRequiresValidationsAsyncFinalizeRequireCommonName"
var _FeatureFlag_index = [...]uint16{0, 6, 22, 42, 55, 69, 87, 98, 114, 139, 150, 161, 185, 213, 243, 256, 273}
var _FeatureFlag_index = [...]uint16{0, 6, 22, 33, 53, 66, 80, 98, 109, 125, 150, 161, 185, 213, 243, 256, 273}
func (i FeatureFlag) String() string {
if i < 0 || i >= FeatureFlag(len(_FeatureFlag_index)-1) {


@ -14,6 +14,7 @@ const (
unused FeatureFlag = iota // unused is used for testing
// Deprecated features, these can be removed once stripped from production configs
StoreRevokerInfo
ROCSPStage6
// Currently in-use features
// Check CAA and respect validationmethods parameter.
@ -36,11 +37,6 @@ const (
// skip error when unrecognized feature flag names are passed.
AllowUnrecognizedFeatures
// ROCSPStage6 disables writing full OCSP Responses to MariaDB during
// (pre)certificate issuance and during revocation. Because Stage 4 involved
// disabling ocsp-updater, this means that no ocsp response bytes will be
// written to the database anymore.
ROCSPStage6
// ROCSPStage7 disables generating OCSP responses during issuance and
// revocation. This affects codepaths in both the RA (revocation) and the CA
// (precert "birth certificates").
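Review bot: Moving `ROCSPStage6` above `CAAValidationMethods` shifts the iota value of every flag that follows it (CAAValidationMethods goes from 2 to 3, and so on, as the regenerated stringer in this commit shows). That is harmless as long as flags are only ever referenced by name, which is how the JSON configs in this commit set them, but it is worth confirming that nothing logs, persists or compares the numeric value. A one-line note on the deprecated entry would also help the reader who lands here from a production config, e.g. `ROCSPStage6 // no-op: OCSP responses are no longer written to the database`. The const block starts before this hunk.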


@ -377,7 +377,6 @@ func CertStatusToPB(certStatus core.CertificateStatus) *corepb.CertificateStatus
RevokedDate: certStatus.RevokedDate.UnixNano(),
RevokedReason: int64(certStatus.RevokedReason),
LastExpirationNagSent: certStatus.LastExpirationNagSent.UnixNano(),
OcspResponse: certStatus.OCSPResponse,
NotAfter: certStatus.NotAfter.UnixNano(),
IsExpired: certStatus.IsExpired,
IssuerID: certStatus.IssuerNameID,
@ -392,7 +391,6 @@ func PBToCertStatus(pb *corepb.CertificateStatus) (core.CertificateStatus, error
RevokedDate: time.Unix(0, pb.RevokedDate),
RevokedReason: revocation.Reason(pb.RevokedReason),
LastExpirationNagSent: time.Unix(0, pb.LastExpirationNagSent),
OCSPResponse: pb.OcspResponse,
NotAfter: time.Unix(0, pb.NotAfter),
IsExpired: pb.IsExpired,
IssuerNameID: pb.IssuerID,


@ -1,80 +0,0 @@
package responder
import (
"context"
"fmt"
"github.com/go-gorp/gorp/v3"
"github.com/letsencrypt/boulder/core"
"github.com/letsencrypt/boulder/db"
blog "github.com/letsencrypt/boulder/log"
"github.com/letsencrypt/boulder/sa"
"github.com/prometheus/client_golang/prometheus"
"golang.org/x/crypto/ocsp"
)
type dbSource struct {
dbMap dbSelector
counter *prometheus.CounterVec
log blog.Logger
}
// dbSelector is a limited subset of the db.WrappedMap interface to allow for
// easier mocking of mysql operations in tests.
type dbSelector interface {
SelectOne(holder interface{}, query string, args ...interface{}) error
WithContext(ctx context.Context) gorp.SqlExecutor
}
// NewDbSource returns a dbSource which will look up OCSP responses in a SQL
// database.
func NewDbSource(dbMap dbSelector, stats prometheus.Registerer, log blog.Logger) (*dbSource, error) {
counter := prometheus.NewCounterVec(prometheus.CounterOpts{
Name: "ocsp_db_responses",
Help: "Count of OCSP requests/responses by action taken by the dbSource",
}, []string{"result"})
stats.MustRegister(counter)
return &dbSource{
dbMap: dbMap,
counter: counter,
log: log,
}, nil
}
// Response implements the Source interface. It looks up the requested OCSP
// response in the sql database. If the certificate status row that it finds
// indicates that the cert is expired or this cert has never had an OCSP
// response generated for it, it returns an error.
func (src *dbSource) Response(ctx context.Context, req *ocsp.Request) (*Response, error) {
serialString := core.SerialToString(req.SerialNumber)
certStatus, err := sa.SelectCertificateStatus(src.dbMap.WithContext(ctx), serialString)
if err != nil {
if db.IsNoRows(err) {
src.counter.WithLabelValues("not_found").Inc()
return nil, ErrNotFound
}
src.log.AuditErrf("Looking up OCSP response in DB: %s", err)
src.counter.WithLabelValues("lookup_error").Inc()
return nil, err
}
if certStatus.IsExpired {
src.counter.WithLabelValues("expired").Inc()
return nil, fmt.Errorf("certificate is expired: %w", ErrNotFound)
} else if certStatus.OCSPLastUpdated.IsZero() {
src.counter.WithLabelValues("never_updated").Inc()
return nil, fmt.Errorf("certificate has a zero OCSPLastUpdated: %w", ErrNotFound)
}
resp, err := ocsp.ParseResponse(certStatus.OCSPResponse, nil)
if err != nil {
src.counter.WithLabelValues("parse_error").Inc()
return nil, err
}
src.counter.WithLabelValues("success").Inc()
return &Response{Response: resp, Raw: certStatus.OCSPResponse}, nil
}


@ -1,121 +0,0 @@
package responder
import (
"context"
"database/sql"
"errors"
"fmt"
"os"
"testing"
"time"
"github.com/go-gorp/gorp/v3"
"github.com/letsencrypt/boulder/core"
"github.com/letsencrypt/boulder/db"
blog "github.com/letsencrypt/boulder/log"
"github.com/letsencrypt/boulder/metrics"
"github.com/letsencrypt/boulder/test"
"golang.org/x/crypto/ocsp"
)
// echoSelector always returns the given certificateStatus.
type echoSelector struct {
db.MockSqlExecutor
status core.CertificateStatus
}
func (s echoSelector) WithContext(context.Context) gorp.SqlExecutor {
return s
}
func (s echoSelector) SelectOne(output interface{}, _ string, _ ...interface{}) error {
outputPtr, ok := output.(*core.CertificateStatus)
if !ok {
return fmt.Errorf("incorrect output type %T", output)
}
*outputPtr = s.status
return nil
}
// errorSelector always returns the given error.
type errorSelector struct {
db.MockSqlExecutor
err error
}
func (s errorSelector) SelectOne(_ interface{}, _ string, _ ...interface{}) error {
return s.err
}
func (s errorSelector) WithContext(context.Context) gorp.SqlExecutor {
return s
}
func TestDbSource(t *testing.T) {
reqBytes, err := os.ReadFile("./testdata/ocsp.req")
test.AssertNotError(t, err, "failed to read OCSP request")
req, err := ocsp.ParseRequest(reqBytes)
test.AssertNotError(t, err, "failed to parse OCSP request")
respBytes, err := os.ReadFile("./testdata/ocsp.resp")
test.AssertNotError(t, err, "failed to read OCSP response")
// Test for failure when the database lookup fails.
dbErr := errors.New("something went wrong")
src, err := NewDbSource(errorSelector{err: dbErr}, metrics.NoopRegisterer, blog.NewMock())
test.AssertNotError(t, err, "failed to create dbSource")
_, err = src.Response(context.Background(), req)
test.AssertEquals(t, err, dbErr)
// Test for graceful recovery when the database returns no results.
dbErr = db.ErrDatabaseOp{
Op: "test",
Table: "certificateStatus",
Err: sql.ErrNoRows,
}
src, err = NewDbSource(errorSelector{err: dbErr}, metrics.NoopRegisterer, blog.NewMock())
test.AssertNotError(t, err, "failed to create dbSource")
_, err = src.Response(context.Background(), req)
test.AssertErrorIs(t, err, ErrNotFound)
// Test for converting expired results into no results.
status := core.CertificateStatus{
IsExpired: true,
}
src, err = NewDbSource(echoSelector{status: status}, metrics.NoopRegisterer, blog.NewMock())
test.AssertNotError(t, err, "failed to create dbSource")
_, err = src.Response(context.Background(), req)
test.AssertErrorIs(t, err, ErrNotFound)
// Test for converting never-updated results into no results.
status = core.CertificateStatus{
IsExpired: false,
OCSPLastUpdated: time.Time{},
}
src, err = NewDbSource(echoSelector{status: status}, metrics.NoopRegisterer, blog.NewMock())
test.AssertNotError(t, err, "failed to create dbSource")
_, err = src.Response(context.Background(), req)
test.AssertErrorIs(t, err, ErrNotFound)
// Test for reporting parse errors.
status = core.CertificateStatus{
IsExpired: false,
OCSPLastUpdated: time.Now(),
OCSPResponse: respBytes[1:],
}
src, err = NewDbSource(echoSelector{status: status}, metrics.NoopRegisterer, blog.NewMock())
test.AssertNotError(t, err, "failed to create dbSource")
_, err = src.Response(context.Background(), req)
test.AssertError(t, err, "expected failure")
// Test the happy path.
status = core.CertificateStatus{
IsExpired: false,
OCSPLastUpdated: time.Now(),
OCSPResponse: respBytes,
}
src, err = NewDbSource(echoSelector{status: status}, metrics.NoopRegisterer, blog.NewMock())
test.AssertNotError(t, err, "failed to create dbSource")
_, err = src.Response(context.Background(), req)
test.AssertNotError(t, err, "unexpected failure")
}


@ -139,7 +139,7 @@ type CertStatusMetadata struct {
IssuerID int64 `db:"issuerID"`
}
const certStatusFields = "id, serial, status, ocspLastUpdated, revokedDate, revokedReason, lastExpirationNagSent, ocspResponse, notAfter, isExpired, issuerID"
const certStatusFields = "id, serial, status, ocspLastUpdated, revokedDate, revokedReason, lastExpirationNagSent, notAfter, isExpired, issuerID"
// SelectCertificateStatus selects all fields of one certificate status model
// identified by serial
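Review bot: The description says this makes it safe to drop the `ocspResponse` column, but the previous `certStatusFields` selected that column by name, so an SA instance still running the old code against a database where the column has already been dropped would fail every `SelectCertificateStatus`. The deploy ordering (all SA instances on this code first, then the schema change) is worth stating on the constant, e.g. `// ocspResponse is intentionally absent; drop the column only after every SA runs this code.` SelectCertificateStatus continues past this hunk.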


@ -18,7 +18,6 @@ import (
corepb "github.com/letsencrypt/boulder/core/proto"
"github.com/letsencrypt/boulder/db"
berrors "github.com/letsencrypt/boulder/errors"
"github.com/letsencrypt/boulder/features"
bgrpc "github.com/letsencrypt/boulder/grpc"
blog "github.com/letsencrypt/boulder/log"
"github.com/letsencrypt/boulder/revocation"
@ -227,9 +226,6 @@ func (ssa *SQLStorageAuthority) AddPrecertificate(ctx context.Context, req *sapb
IsExpired: false,
IssuerNameID: req.IssuerNameID,
}
if !features.Enabled(features.ROCSPStage6) {
cs.OCSPResponse = req.Ocsp
}
err = ssa.dbMap.WithContext(ctx).Insert(cs)
if err != nil {
return nil, err
@ -761,29 +757,20 @@ func (ssa *SQLStorageAuthority) RevokeCertificate(ctx context.Context, req *sapb
if req.Serial == "" || req.Date == 0 {
return nil, errIncompleteRequest
}
if req.Response == nil && !features.Enabled(features.ROCSPStage6) {
return nil, errIncompleteRequest
}
revokedDate := time.Unix(0, req.Date)
ocspResponse := req.Response
if features.Enabled(features.ROCSPStage6) {
ocspResponse = nil
}
res, err := ssa.dbMap.Exec(
`UPDATE certificateStatus SET
status = ?,
revokedReason = ?,
revokedDate = ?,
ocspLastUpdated = ?,
ocspResponse = ?
ocspLastUpdated = ?
WHERE serial = ? AND status != ?`,
string(core.OCSPStatusRevoked),
revocation.Reason(req.Reason),
revokedDate,
revokedDate,
ocspResponse,
req.Serial,
string(core.OCSPStatusRevoked),
)
@ -809,29 +796,20 @@ func (ssa *SQLStorageAuthority) UpdateRevokedCertificate(ctx context.Context, re
if req.Serial == "" || req.Date == 0 || req.Backdate == 0 {
return nil, errIncompleteRequest
}
if req.Response == nil && !features.Enabled(features.ROCSPStage6) {
return nil, errIncompleteRequest
}
if req.Reason != ocsp.KeyCompromise {
return nil, fmt.Errorf("cannot update revocation for any reason other than keyCompromise (1); got: %d", req.Reason)
}
thisUpdate := time.Unix(0, req.Date)
revokedDate := time.Unix(0, req.Backdate)
ocspResponse := req.Response
if features.Enabled(features.ROCSPStage6) {
ocspResponse = nil
}
res, err := ssa.dbMap.Exec(
`UPDATE certificateStatus SET
revokedReason = ?,
ocspLastUpdated = ?,
ocspResponse = ?
ocspLastUpdated = ?
WHERE serial = ? AND status = ? AND revokedReason != ? AND revokedDate = ?`,
revocation.Reason(ocsp.KeyCompromise),
thisUpdate,
ocspResponse,
req.Serial,
string(core.OCSPStatusRevoked),
revocation.Reason(ocsp.KeyCompromise),
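Review bot: `req.Response` is now accepted and silently dropped in both RevokeCertificate and UpdateRevokedCertificate (and `req.Ocsp` likewise in AddPrecertificate), while the request fields themselves are untouched in this commit; the old test still populated `Response`, so callers presumably still do. A caller that keeps generating and sending an OCSP response gets no signal that it is discarded. Mark those fields deprecated in sa.proto (and reserve them once removed) and say so at the top of each handler, e.g. `// req.Response is ignored: OCSP responses are no longer stored in certificateStatus.` All three functions start and end outside their hunks.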


@ -371,13 +371,11 @@ func TestAddPrecertificate(t *testing.T) {
serial, testCert := test.ThrowAwayCert(t, 1)
// Add the cert as a precertificate
ocspResp := []byte{0, 0, 1}
regID := reg.Id
issuedTime := time.Date(2018, 4, 1, 7, 0, 0, 0, time.UTC)
_, err := sa.AddPrecertificate(ctx, &sapb.AddCertificateRequest{
Der: testCert.Raw,
RegID: regID,
Ocsp: ocspResp,
Issued: issuedTime.UnixNano(),
IssuerNameID: 1,
})
@ -386,11 +384,7 @@ func TestAddPrecertificate(t *testing.T) {
// It should have the expected certificate status
certStatus, err := sa.GetCertificateStatus(ctx, &sapb.Serial{Serial: serial})
test.AssertNotError(t, err, "Couldn't get status for test cert")
test.Assert(
t,
bytes.Equal(certStatus.OcspResponse, ocspResp),
fmt.Sprintf("OCSP responses don't match, expected: %x, got %x", certStatus.OcspResponse, ocspResp),
)
test.AssertEquals(t, certStatus.Status, string(core.OCSPStatusGood))
test.AssertEquals(t, clk.Now().UnixNano(), certStatus.OcspLastUpdated)
// It should show up in the issued names table
@ -463,12 +457,10 @@ func TestAddPrecertificateIncomplete(t *testing.T) {
_, testCert := test.ThrowAwayCert(t, 1)
// Add the cert as a precertificate
ocspResp := []byte{0, 0, 1}
regID := reg.Id
_, err := sa.AddPrecertificate(ctx, &sapb.AddCertificateRequest{
Der: testCert.Raw,
RegID: regID,
Ocsp: ocspResp,
Issued: time.Date(2018, 4, 1, 7, 0, 0, 0, time.UTC).UnixNano(),
// Leaving out IssuerNameID
})
@ -547,18 +539,6 @@ func TestAddCertificate(t *testing.T) {
// The cert should have been added with the specific issued time we provided
// as the issued field.
test.AssertEquals(t, retrievedCert2.Issued, issuedTime.UnixNano())
// Test adding OCSP response with cert
certDER3, err := os.ReadFile("test-cert2.der")
test.AssertNotError(t, err, "Couldn't read example cert DER")
ocspResp := []byte{0, 0, 1}
_, err = sa.AddCertificate(ctx, &sapb.AddCertificateRequest{
Der: certDER3,
RegID: reg.Id,
Ocsp: ocspResp,
Issued: issuedTime.UnixNano(),
})
test.AssertNotError(t, err, "Couldn't add test-cert2.der")
}
func TestAddCertificateDuplicate(t *testing.T) {
@ -2034,16 +2014,7 @@ func TestRevokeCertificate(t *testing.T) {
Date: now.UnixNano(),
Reason: reason,
})
test.AssertError(t, err, "RevokeCertificate should fail with no response")
response := []byte{1, 2, 3}
_, err = sa.RevokeCertificate(context.Background(), &sapb.RevokeCertificateRequest{
Serial: serial,
Date: now.UnixNano(),
Reason: reason,
Response: response,
})
test.AssertNotError(t, err, "RevokeCertificate should have succeeded")
test.AssertNotError(t, err, "RevokeCertificate with no OCSP response should succeed")
status, err = sa.GetCertificateStatus(ctx, &sapb.Serial{Serial: serial})
test.AssertNotError(t, err, "GetCertificateStatus failed")
@ -2051,55 +2022,13 @@ func TestRevokeCertificate(t *testing.T) {
test.AssertEquals(t, status.RevokedReason, reason)
test.AssertEquals(t, status.RevokedDate, now.UnixNano())
test.AssertEquals(t, status.OcspLastUpdated, now.UnixNano())
test.AssertDeepEquals(t, status.OcspResponse, response)
_, err = sa.RevokeCertificate(context.Background(), &sapb.RevokeCertificateRequest{
Serial: serial,
Date: now.UnixNano(),
Reason: reason,
Response: response,
})
test.AssertError(t, err, "RevokeCertificate should've failed when certificate already revoked")
}
func TestRevokeCertificateNoResponse(t *testing.T) {
sa, fc, cleanUp := initSA(t)
defer cleanUp()
err := features.Set(map[string]bool{features.ROCSPStage6.String(): true})
test.AssertNotError(t, err, "failed to set features")
defer features.Reset()
reg := createWorkingRegistration(t, sa)
// Add a cert to the DB to test with.
certDER, err := os.ReadFile("www.eff.org.der")
test.AssertNotError(t, err, "Couldn't read example cert DER")
_, err = sa.AddPrecertificate(ctx, &sapb.AddCertificateRequest{
Der: certDER,
RegID: reg.Id,
Ocsp: nil,
Issued: sa.clk.Now().UnixNano(),
IssuerNameID: 1,
})
test.AssertNotError(t, err, "Couldn't add www.eff.org.der")
serial := "000000000000000000000000000000021bd4"
status, err := sa.GetCertificateStatus(ctx, &sapb.Serial{Serial: serial})
test.AssertNotError(t, err, "GetCertificateStatus failed")
test.AssertEquals(t, core.OCSPStatus(status.Status), core.OCSPStatusGood)
fc.Add(1 * time.Hour)
now := fc.Now()
reason := int64(1)
_, err = sa.RevokeCertificate(context.Background(), &sapb.RevokeCertificateRequest{
Serial: serial,
Date: now.UnixNano(),
Reason: reason,
})
test.AssertNotError(t, err, "RevokeCertificate should succeed with no response when ROCSPStage6 is enabled")
test.AssertError(t, err, "RevokeCertificate should've failed when certificate already revoked")
}
func TestUpdateRevokedCertificate(t *testing.T) {


@ -54,8 +54,7 @@
".hierarchy/intermediate-cert-rsa-b.pem": 4
},
"features": {
"StoreRevokerInfo": true,
"ROCSPStage6": true
"StoreRevokerInfo": true
}
},
"syslog": {


@ -46,7 +46,8 @@
}
},
"features": {
"StoreRevokerInfo": true
"StoreRevokerInfo": true,
"ROCSPStage6": true
}
},
"syslog": {