Update CA RPC interface to proto3 (#4983)

This commit is contained in:
Aaron Gable 2020-07-31 13:23:55 -07:00 committed by GitHub
parent 46d7ed0a29
commit 82e9e41597
8 changed files with 110 additions and 129 deletions


@ -443,16 +443,16 @@ func (ca *CertificateAuthorityImpl) GenerateOCSP(ctx context.Context, req *capb.
// that didn't have an IssuerID set when they were created. Once this feature
// has been enabled for a full OCSP lifetime cycle we can remove this
// functionality.
if features.Enabled(features.StoreIssuerInfo) && req.IssuerID != nil {
serialInt, err := core.StringToSerial(*req.Serial)
if features.Enabled(features.StoreIssuerInfo) && req.IssuerID != 0 {
serialInt, err := core.StringToSerial(req.Serial)
if err != nil {
return nil, err
}
serial = serialInt
var ok bool
issuer, ok = ca.idToIssuer[*req.IssuerID]
issuer, ok = ca.idToIssuer[req.IssuerID]
if !ok {
return nil, fmt.Errorf("This CA doesn't have an issuer cert with ID %d", *req.IssuerID)
return nil, fmt.Errorf("This CA doesn't have an issuer cert with ID %d", req.IssuerID)
}
} else {
cert, err := x509.ParseCertificate(req.CertDER)
@ -477,14 +477,14 @@ func (ca *CertificateAuthorityImpl) GenerateOCSP(ctx context.Context, req *capb.
now := ca.clk.Now().Truncate(time.Hour)
tbsResponse := ocsp.Response{
Status: ocspStatusToCode[*req.Status],
Status: ocspStatusToCode[req.Status],
SerialNumber: serial,
ThisUpdate: now,
NextUpdate: now.Add(ca.ocspLifetime),
}
if tbsResponse.Status == ocsp.Revoked {
tbsResponse.RevokedAt = time.Unix(0, *req.RevokedAt)
tbsResponse.RevocationReason = int(*req.Reason)
tbsResponse.RevokedAt = time.Unix(0, req.RevokedAt)
tbsResponse.RevocationReason = int(req.Reason)
}
ocspResponse, err := ocsp.CreateResponse(issuer.cert, issuer.cert, tbsResponse, issuer.ocspSigner)
@ -506,9 +506,8 @@ func (ca *CertificateAuthorityImpl) IssuePrecertificate(ctx context.Context, iss
return nil, err
}
regID := *issueReq.RegistrationID
serialHex := core.SerialToString(serialBigInt)
regID := issueReq.RegistrationID
nowNanos := ca.clk.Now().UnixNano()
expiresNanos := validity.NotAfter.UnixNano()
_, err = ca.sa.AddSerial(ctx, &sapb.AddSerialRequest{
@ -526,10 +525,9 @@ func (ca *CertificateAuthorityImpl) IssuePrecertificate(ctx context.Context, iss
return nil, err
}
status := string(core.OCSPStatusGood)
ocspResp, err := ca.GenerateOCSP(ctx, &capb.GenerateOCSPRequest{
CertDER: precertDER,
Status: &status,
Status: string(core.OCSPStatusGood),
})
if err != nil {
err = berrors.InternalServerError(err.Error())
@ -556,7 +554,7 @@ func (ca *CertificateAuthorityImpl) IssuePrecertificate(ctx context.Context, iss
// Note: This log line is parsed by cmd/orphan-finder. If you make any
// changes here, you should make sure they are reflected in orphan-finder.
ca.log.AuditErrf("Failed RPC to store at SA, orphaning precertificate: serial=[%s] cert=[%s] err=[%v], regID=[%d], orderID=[%d]",
serialHex, hex.EncodeToString(precertDER), err, *issueReq.RegistrationID, *issueReq.OrderID)
serialHex, hex.EncodeToString(precertDER), err, issueReq.RegistrationID, issueReq.OrderID)
if ca.orphanQueue != nil {
ca.queueOrphan(&orphanedCert{
DER: precertDER,
@ -638,7 +636,7 @@ func (ca *CertificateAuthorityImpl) IssueCertificateForPrecertificate(ctx contex
ca.log.AuditInfof("Signing success: serial=[%s] names=[%s] certificate=[%s]",
serialHex, strings.Join(precert.DNSNames, ", "), hex.EncodeToString(req.DER),
hex.EncodeToString(certDER))
err = ca.storeCertificate(ctx, *req.RegistrationID, *req.OrderID, precert.SerialNumber, certDER)
err = ca.storeCertificate(ctx, req.RegistrationID, req.OrderID, precert.SerialNumber, certDER)
if err != nil {
return nil, err
}
@ -647,7 +645,7 @@ func (ca *CertificateAuthorityImpl) IssueCertificateForPrecertificate(ctx contex
issued := precert.NotBefore.UnixNano()
expires := precert.NotAfter.UnixNano()
return &corepb.Certificate{
RegistrationID: req.RegistrationID,
RegistrationID: &req.RegistrationID,
Serial: &serialString,
Der: certDER,
Digest: &digest,
@ -697,7 +695,7 @@ func (ca *CertificateAuthorityImpl) issuePrecertificateInner(ctx context.Context
&ca.keyPolicy,
ca.pa,
ca.forceCNFromSAN,
*issueReq.RegistrationID,
issueReq.RegistrationID,
); err != nil {
ca.log.AuditErr(err.Error())
// VerifyCSR returns berror instances that can be passed through as-is
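Review bot: The `Status: ocspStatusToCode[req.Status]` line in the tbsResponse literal loses a safety property with proto3: a request whose status is absent or misspelled now arrives as `""`, and the bare map lookup returns the map's zero value instead of failing the way the old `*req.Status` dereference did. ocspStatusToCode is not visible here, but if its values are the golang.org/x/crypto/ocsp constants then that zero value is `ocsp.Good`, so a malformed request would be signed as a good response. Use the two-value lookup and reject unknown statuses: `statusCode, ok := ocspStatusToCode[req.Status]` / `if !ok { return nil, fmt.Errorf("unknown OCSP status %q", req.Status) }` and then `Status: statusCode,`. The same loss of presence applies to `req.IssuerID != 0` in the first hunk, where an issuer ID of 0 now silently takes the CertDER path; a comment that 0 is reserved to mean "not provided" would make that contract explicit. GenerateOCSP, IssuePrecertificate and the other functions touched here all begin and end outside these hunks.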


@ -102,9 +102,6 @@ var (
// * DNSNames = example.com, example2.com
ECDSACSR = mustRead("./testdata/ecdsa.der.csr")
// This is never modified, but it must be a var instead of a const so we can make references to it.
arbitraryRegID int64 = 1001
// OIDExtensionCTPoison is defined in RFC 6962 s3.1.
OIDExtensionCTPoison = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 3}
@ -125,6 +122,8 @@ var (
}
)
const arbitraryRegID int64 = 1001
// CFSSL config
const rsaProfileName = "rsaEE"
const ecdsaProfileName = "ecdsaEE"
@ -348,7 +347,7 @@ func TestIssuePrecertificate(t *testing.T) {
req, err := x509.ParseCertificateRequest(testCase.csr)
test.AssertNotError(t, err, "Certificate request failed to parse")
issueReq := &capb.IssueCertificateRequest{Csr: testCase.csr, RegistrationID: &arbitraryRegID}
issueReq := &capb.IssueCertificateRequest{Csr: testCase.csr, RegistrationID: arbitraryRegID}
var certDER []byte
response, err := ca.IssuePrecertificate(ctx, issueReq)
@ -456,7 +455,7 @@ func TestMultipleIssuers(t *testing.T) {
nil)
test.AssertNotError(t, err, "Failed to remake CA")
issuedCert, err := ca.IssuePrecertificate(ctx, &capb.IssueCertificateRequest{Csr: CNandSANCSR, RegistrationID: &arbitraryRegID})
issuedCert, err := ca.IssuePrecertificate(ctx, &capb.IssueCertificateRequest{Csr: CNandSANCSR, RegistrationID: arbitraryRegID})
test.AssertNotError(t, err, "Failed to issue certificate")
cert, err := x509.ParseCertificate(issuedCert.DER)
@ -481,7 +480,7 @@ func TestOCSP(t *testing.T) {
nil)
test.AssertNotError(t, err, "Failed to create CA")
issueReq := capb.IssueCertificateRequest{Csr: CNandSANCSR, RegistrationID: &arbitraryRegID}
issueReq := capb.IssueCertificateRequest{Csr: CNandSANCSR, RegistrationID: arbitraryRegID}
cert, err := ca.IssuePrecertificate(ctx, &issueReq)
test.AssertNotError(t, err, "Failed to issue")
@ -490,7 +489,7 @@ func TestOCSP(t *testing.T) {
status := string(core.OCSPStatusGood)
ocspResp, err := ca.GenerateOCSP(ctx, &capb.GenerateOCSPRequest{
CertDER: cert.DER,
Status: &status,
Status: status,
})
test.AssertNotError(t, err, "Failed to generate OCSP")
parsed, err := ocsp.ParseResponse(ocspResp.Response, caCert)
@ -502,7 +501,7 @@ func TestOCSP(t *testing.T) {
// Test that signatures are checked.
_, err = ca.GenerateOCSP(ctx, &capb.GenerateOCSPRequest{
CertDER: append(cert.DER, byte(0)),
Status: &status,
Status: status,
})
test.AssertError(t, err, "Generated OCSP for cert with bad signature")
@ -545,7 +544,7 @@ func TestOCSP(t *testing.T) {
// should be signed by caCert.
ocspResp2, err := ca.GenerateOCSP(ctx, &capb.GenerateOCSPRequest{
CertDER: append([]byte(nil), cert.DER...),
Status: &status,
Status: status,
})
test.AssertNotError(t, err, "Failed to sign second OCSP response")
_, err = ocsp.ParseResponse(ocspResp2.Response, caCert)
@ -555,7 +554,7 @@ func TestOCSP(t *testing.T) {
// and should be signed by newIssuer.
newCertOcspResp, err := ca.GenerateOCSP(ctx, &capb.GenerateOCSPRequest{
CertDER: newCert.DER,
Status: &status,
Status: status,
})
test.AssertNotError(t, err, "Failed to generate OCSP")
parsedNewCertOcspResp, err := ocsp.ParseResponse(newCertOcspResp.Response, newIssuerCert)
@ -631,7 +630,7 @@ func TestInvalidCSRs(t *testing.T) {
t.Run(testCase.name, func(t *testing.T) {
serializedCSR := mustRead(testCase.csrPath)
issueReq := &capb.IssueCertificateRequest{Csr: serializedCSR, RegistrationID: &arbitraryRegID}
issueReq := &capb.IssueCertificateRequest{Csr: serializedCSR, RegistrationID: arbitraryRegID}
_, err = ca.IssuePrecertificate(ctx, issueReq)
test.Assert(t, berrors.Is(err, testCase.errorType), "Incorrect error type returned")
@ -666,7 +665,7 @@ func TestRejectValidityTooLong(t *testing.T) {
test.AssertNotError(t, err, "Failed to parse time")
testCtx.fc.Set(future)
// Test that the CA rejects CSRs that would expire after the intermediate cert
_, err = ca.IssuePrecertificate(ctx, &capb.IssueCertificateRequest{Csr: NoCNCSR, RegistrationID: &arbitraryRegID})
_, err = ca.IssuePrecertificate(ctx, &capb.IssueCertificateRequest{Csr: NoCNCSR, RegistrationID: arbitraryRegID})
test.AssertError(t, err, "Cannot issue a certificate that expires after the intermediate certificate")
test.Assert(t, berrors.Is(err, berrors.InternalServer), "Incorrect error type returned")
}
@ -841,8 +840,7 @@ func TestIssueCertificateForPrecertificate(t *testing.T) {
nil)
test.AssertNotError(t, err, "Failed to create CA")
orderID := int64(0)
issueReq := capb.IssueCertificateRequest{Csr: CNandSANCSR, RegistrationID: &arbitraryRegID, OrderID: &orderID}
issueReq := capb.IssueCertificateRequest{Csr: CNandSANCSR, RegistrationID: arbitraryRegID, OrderID: 0}
precert, err := ca.IssuePrecertificate(ctx, &issueReq)
test.AssertNotError(t, err, "Failed to issue precert")
parsedPrecert, err := x509.ParseCertificate(precert.DER)
@ -866,8 +864,8 @@ func TestIssueCertificateForPrecertificate(t *testing.T) {
cert, err := ca.IssueCertificateForPrecertificate(ctx, &capb.IssueCertificateForPrecertificateRequest{
DER: precert.DER,
SCTs: sctBytes,
RegistrationID: &arbitraryRegID,
OrderID: new(int64),
RegistrationID: arbitraryRegID,
OrderID: 0,
})
test.AssertNotError(t, err, "Failed to issue cert from precert")
parsedCert, err := x509.ParseCertificate(cert.Der)
@ -928,15 +926,14 @@ func TestIssueCertificateForPrecertificateDuplicateSerial(t *testing.T) {
t.Fatal(err)
}
orderID := int64(0)
issueReq := capb.IssueCertificateRequest{Csr: CNandSANCSR, RegistrationID: &arbitraryRegID, OrderID: &orderID}
issueReq := capb.IssueCertificateRequest{Csr: CNandSANCSR, RegistrationID: arbitraryRegID, OrderID: 0}
precert, err := ca.IssuePrecertificate(ctx, &issueReq)
test.AssertNotError(t, err, "Failed to issue precert")
_, err = ca.IssueCertificateForPrecertificate(ctx, &capb.IssueCertificateForPrecertificateRequest{
DER: precert.DER,
SCTs: sctBytes,
RegistrationID: &arbitraryRegID,
OrderID: new(int64),
RegistrationID: arbitraryRegID,
OrderID: 0,
})
if err == nil {
t.Error("Expected error issuing duplicate serial but got none.")
@ -963,8 +960,8 @@ func TestIssueCertificateForPrecertificateDuplicateSerial(t *testing.T) {
_, err = errorca.IssueCertificateForPrecertificate(ctx, &capb.IssueCertificateForPrecertificateRequest{
DER: precert.DER,
SCTs: sctBytes,
RegistrationID: &arbitraryRegID,
OrderID: new(int64),
RegistrationID: arbitraryRegID,
OrderID: 0,
})
if err == nil {
t.Fatal("Expected error issuing duplicate serial but got none.")
@ -1038,10 +1035,9 @@ func TestPrecertOrphanQueue(t *testing.T) {
t.Fatalf("Unexpected error, wanted %q, got %q", goque.ErrEmpty, err)
}
var one int64 = 1
_, err = ca.IssuePrecertificate(context.Background(), &capb.IssueCertificateRequest{
RegistrationID: &one,
OrderID: &one,
RegistrationID: 1,
OrderID: 1,
Csr: CNandSANCSR,
})
test.AssertError(t, err, "Expected IssuePrecertificate to fail with `failSA`")
@ -1229,7 +1225,7 @@ func TestIssuePrecertificateLinting(t *testing.T) {
// Attempt to issue a pre-certificate
_, err = ca.IssuePrecertificate(ctx, &capb.IssueCertificateRequest{
Csr: CNandSANCSR,
RegistrationID: &arbitraryRegID,
RegistrationID: arbitraryRegID,
})
// It should error
test.AssertError(t, err, "expected err from IssuePrecertificate with linttrapSigner")
@ -1262,32 +1258,28 @@ func TestGenerateOCSPWithIssuerID(t *testing.T) {
test.AssertNotError(t, err, "Failed to create CA")
// GenerateOCSP with feature enabled + req contains bad IssuerID
issuerID := int64(666)
serial := "DEADDEADDEADDEADDEADDEADDEADDEADDEAD"
status := string(core.OCSPStatusGood)
_, err = ca.GenerateOCSP(context.Background(), &capb.GenerateOCSPRequest{
IssuerID: &issuerID,
Serial: &serial,
Status: &status,
IssuerID: int64(666),
Serial: "DEADDEADDEADDEADDEADDEADDEADDEADDEAD",
Status: string(core.OCSPStatusGood),
})
test.AssertError(t, err, "GenerateOCSP didn't fail with invalid IssuerID")
// GenerateOCSP with feature enabled + req contains good IssuerID
issuerID = idForIssuer(ca.defaultIssuer.cert)
_, err = ca.GenerateOCSP(context.Background(), &capb.GenerateOCSPRequest{
IssuerID: &issuerID,
Serial: &serial,
Status: &status,
IssuerID: idForIssuer(ca.defaultIssuer.cert),
Serial: "DEADDEADDEADDEADDEADDEADDEADDEADDEAD",
Status: string(core.OCSPStatusGood),
})
test.AssertNotError(t, err, "GenerateOCSP failed")
// GenerateOCSP with feature enabled + req doesn't contain IssuerID
issueReq := capb.IssueCertificateRequest{Csr: CNandSANCSR, RegistrationID: &arbitraryRegID}
issueReq := capb.IssueCertificateRequest{Csr: CNandSANCSR, RegistrationID: arbitraryRegID}
cert, err := ca.IssuePrecertificate(ctx, &issueReq)
test.AssertNotError(t, err, "Failed to issue")
_, err = ca.GenerateOCSP(context.Background(), &capb.GenerateOCSPRequest{
CertDER: cert.DER,
Status: &status,
Status: string(core.OCSPStatusGood),
})
test.AssertNotError(t, err, "GenerateOCSP failed")
}
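Review bot: TestGenerateOCSPWithIssuerID still covers only the three presence combinations the proto2 version did (bad IssuerID, good IssuerID, CertDER only), but none of the rewritten cases exercises the new zero-value semantics that proto3 introduces, such as a GenerateOCSPRequest with `Status: ""` or an unrecognized status string, or an explicit `IssuerID: 0` alongside a serial. Since "unset" and "zero" are now the same wire value, a case asserting that GenerateOCSP returns an error for an empty or unknown Status would pin the intended behavior; the test can be added after the existing "req doesn't contain IssuerID" case with `test.AssertError(t, err, "GenerateOCSP accepted an empty status")`.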


@ -35,9 +35,9 @@ type IssueCertificateRequest struct {
sizeCache protoimpl.SizeCache
unknownFields protoimpl.UnknownFields
Csr []byte `protobuf:"bytes,1,opt,name=csr" json:"csr,omitempty"`
RegistrationID *int64 `protobuf:"varint,2,opt,name=registrationID" json:"registrationID,omitempty"`
OrderID *int64 `protobuf:"varint,3,opt,name=orderID" json:"orderID,omitempty"`
Csr []byte `protobuf:"bytes,1,opt,name=csr,proto3" json:"csr,omitempty"`
RegistrationID int64 `protobuf:"varint,2,opt,name=registrationID,proto3" json:"registrationID,omitempty"`
OrderID int64 `protobuf:"varint,3,opt,name=orderID,proto3" json:"orderID,omitempty"`
}
func (x *IssueCertificateRequest) Reset() {
@ -80,15 +80,15 @@ func (x *IssueCertificateRequest) GetCsr() []byte {
}
func (x *IssueCertificateRequest) GetRegistrationID() int64 {
if x != nil && x.RegistrationID != nil {
return *x.RegistrationID
if x != nil {
return x.RegistrationID
}
return 0
}
func (x *IssueCertificateRequest) GetOrderID() int64 {
if x != nil && x.OrderID != nil {
return *x.OrderID
if x != nil {
return x.OrderID
}
return 0
}
@ -98,7 +98,7 @@ type IssuePrecertificateResponse struct {
sizeCache protoimpl.SizeCache
unknownFields protoimpl.UnknownFields
DER []byte `protobuf:"bytes,1,opt,name=DER" json:"DER,omitempty"`
DER []byte `protobuf:"bytes,1,opt,name=DER,proto3" json:"DER,omitempty"`
}
func (x *IssuePrecertificateResponse) Reset() {
@ -145,10 +145,10 @@ type IssueCertificateForPrecertificateRequest struct {
sizeCache protoimpl.SizeCache
unknownFields protoimpl.UnknownFields
DER []byte `protobuf:"bytes,1,opt,name=DER" json:"DER,omitempty"`
SCTs [][]byte `protobuf:"bytes,2,rep,name=SCTs" json:"SCTs,omitempty"`
RegistrationID *int64 `protobuf:"varint,3,opt,name=registrationID" json:"registrationID,omitempty"`
OrderID *int64 `protobuf:"varint,4,opt,name=orderID" json:"orderID,omitempty"`
DER []byte `protobuf:"bytes,1,opt,name=DER,proto3" json:"DER,omitempty"`
SCTs [][]byte `protobuf:"bytes,2,rep,name=SCTs,proto3" json:"SCTs,omitempty"`
RegistrationID int64 `protobuf:"varint,3,opt,name=registrationID,proto3" json:"registrationID,omitempty"`
OrderID int64 `protobuf:"varint,4,opt,name=orderID,proto3" json:"orderID,omitempty"`
}
func (x *IssueCertificateForPrecertificateRequest) Reset() {
@ -198,15 +198,15 @@ func (x *IssueCertificateForPrecertificateRequest) GetSCTs() [][]byte {
}
func (x *IssueCertificateForPrecertificateRequest) GetRegistrationID() int64 {
if x != nil && x.RegistrationID != nil {
return *x.RegistrationID
if x != nil {
return x.RegistrationID
}
return 0
}
func (x *IssueCertificateForPrecertificateRequest) GetOrderID() int64 {
if x != nil && x.OrderID != nil {
return *x.OrderID
if x != nil {
return x.OrderID
}
return 0
}
@ -217,12 +217,12 @@ type GenerateOCSPRequest struct {
sizeCache protoimpl.SizeCache
unknownFields protoimpl.UnknownFields
CertDER []byte `protobuf:"bytes,1,opt,name=certDER" json:"certDER,omitempty"`
Status *string `protobuf:"bytes,2,opt,name=status" json:"status,omitempty"`
Reason *int32 `protobuf:"varint,3,opt,name=reason" json:"reason,omitempty"`
RevokedAt *int64 `protobuf:"varint,4,opt,name=revokedAt" json:"revokedAt,omitempty"`
Serial *string `protobuf:"bytes,5,opt,name=serial" json:"serial,omitempty"`
IssuerID *int64 `protobuf:"varint,6,opt,name=issuerID" json:"issuerID,omitempty"`
CertDER []byte `protobuf:"bytes,1,opt,name=certDER,proto3" json:"certDER,omitempty"`
Status string `protobuf:"bytes,2,opt,name=status,proto3" json:"status,omitempty"`
Reason int32 `protobuf:"varint,3,opt,name=reason,proto3" json:"reason,omitempty"`
RevokedAt int64 `protobuf:"varint,4,opt,name=revokedAt,proto3" json:"revokedAt,omitempty"`
Serial string `protobuf:"bytes,5,opt,name=serial,proto3" json:"serial,omitempty"`
IssuerID int64 `protobuf:"varint,6,opt,name=issuerID,proto3" json:"issuerID,omitempty"`
}
func (x *GenerateOCSPRequest) Reset() {
@ -265,36 +265,36 @@ func (x *GenerateOCSPRequest) GetCertDER() []byte {
}
func (x *GenerateOCSPRequest) GetStatus() string {
if x != nil && x.Status != nil {
return *x.Status
if x != nil {
return x.Status
}
return ""
}
func (x *GenerateOCSPRequest) GetReason() int32 {
if x != nil && x.Reason != nil {
return *x.Reason
if x != nil {
return x.Reason
}
return 0
}
func (x *GenerateOCSPRequest) GetRevokedAt() int64 {
if x != nil && x.RevokedAt != nil {
return *x.RevokedAt
if x != nil {
return x.RevokedAt
}
return 0
}
func (x *GenerateOCSPRequest) GetSerial() string {
if x != nil && x.Serial != nil {
return *x.Serial
if x != nil {
return x.Serial
}
return ""
}
func (x *GenerateOCSPRequest) GetIssuerID() int64 {
if x != nil && x.IssuerID != nil {
return *x.IssuerID
if x != nil {
return x.IssuerID
}
return 0
}
@ -304,7 +304,7 @@ type OCSPResponse struct {
sizeCache protoimpl.SizeCache
unknownFields protoimpl.UnknownFields
Response []byte `protobuf:"bytes,1,opt,name=response" json:"response,omitempty"`
Response []byte `protobuf:"bytes,1,opt,name=response,proto3" json:"response,omitempty"`
}
func (x *OCSPResponse) Reset() {
@ -410,7 +410,7 @@ var file_ca_proto_ca_proto_rawDesc = []byte{
0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x42, 0x29, 0x5a, 0x27, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62,
0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6c, 0x65, 0x74, 0x73, 0x65, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74,
0x2f, 0x62, 0x6f, 0x75, 0x6c, 0x64, 0x65, 0x72, 0x2f, 0x63, 0x61, 0x2f, 0x70, 0x72, 0x6f, 0x74,
0x6f,
0x6f, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
}
var (


@ -1,4 +1,4 @@
syntax = "proto2";
syntax = "proto3";
package ca;
option go_package = "github.com/letsencrypt/boulder/ca/proto";
@ -21,32 +21,32 @@ service OCSPGenerator {
}
message IssueCertificateRequest {
optional bytes csr = 1;
optional int64 registrationID = 2;
optional int64 orderID = 3;
bytes csr = 1;
int64 registrationID = 2;
int64 orderID = 3;
}
message IssuePrecertificateResponse {
optional bytes DER = 1;
bytes DER = 1;
}
message IssueCertificateForPrecertificateRequest {
optional bytes DER = 1;
bytes DER = 1;
repeated bytes SCTs = 2;
optional int64 registrationID = 3;
optional int64 orderID = 4;
int64 registrationID = 3;
int64 orderID = 4;
}
// Exactly one of certDER or [serial and issuerID] must be set.
message GenerateOCSPRequest {
optional bytes certDER = 1;
optional string status = 2;
optional int32 reason = 3;
optional int64 revokedAt = 4;
optional string serial = 5;
optional int64 issuerID = 6;
bytes certDER = 1;
string status = 2;
int32 reason = 3;
int64 revokedAt = 4;
string serial = 5;
int64 issuerID = 6;
}
message OCSPResponse {
optional bytes response = 1;
bytes response = 1;
}
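Review bot: The comment `// Exactly one of certDER or [serial and issuerID] must be set.` above GenerateOCSPRequest no longer describes something the schema can express: proto3 scalar fields have no presence, so an empty certDER, an empty serial or a zero issuerID is indistinguishable from an omitted one, and the receiver has to treat the zero value as "not provided". Reword it to say so, e.g. `// Exactly one of certDER or [serial and issuerID] must be non-zero; proto3 has no field presence, so an empty certDER or a zero issuerID means "not provided".` If the mutual exclusion should be enforced at the schema level, a `oneof` wrapping certDER and a small message holding serial and issuerID would do that, at the cost of a second round of caller changes.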


@ -174,17 +174,14 @@ func getCertDER(selector ocspDB, serial string) ([]byte, error) {
}
func (updater *OCSPUpdater) generateResponse(ctx context.Context, status core.CertificateStatus) (*core.CertificateStatus, error) {
reason := int32(status.RevokedReason)
statusStr := string(status.Status)
revokedAt := status.RevokedDate.UnixNano()
ocspReq := capb.GenerateOCSPRequest{
Reason: &reason,
Status: &statusStr,
RevokedAt: &revokedAt,
Reason: int32(status.RevokedReason),
Status: string(status.Status),
RevokedAt: status.RevokedDate.UnixNano(),
}
if status.IssuerID != nil {
ocspReq.Serial = &status.Serial
ocspReq.IssuerID = status.IssuerID
ocspReq.Serial = status.Serial
ocspReq.IssuerID = *status.IssuerID
} else {
certDER, err := getCertDER(updater.dbMap, status.Serial)
if err != nil {
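Review bot: `ocspReq.IssuerID = *status.IssuerID` is guarded only by the `status.IssuerID != nil` check, which preserves the database-side notion of presence, but on the wire the value is now a plain int64 where 0 means "not provided"; a stored issuer ID that is non-nil but 0 would therefore be sent as unset and the CA would fall back to certDER, which this branch does not populate. Whether 0 can occur in the column is not visible here; if it cannot, a short comment saying so would help, otherwise tighten the guard to `if status.IssuerID != nil && *status.IssuerID != 0 {` so such rows take the getCertDER path. generateResponse continues outside the hunk.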


@ -416,7 +416,7 @@ type mockOCSPRecordIssuer struct {
}
func (ca *mockOCSPRecordIssuer) GenerateOCSP(_ context.Context, req *capb.GenerateOCSPRequest, _ ...grpc.CallOption) (*capb.OCSPResponse, error) {
ca.gotIssuer = req.IssuerID != nil && req.Serial != nil
ca.gotIssuer = req.IssuerID != 0 && req.Serial != ""
return &capb.OCSPResponse{Response: []byte{1, 2, 3}}, nil
}


@ -234,14 +234,11 @@ func storeParsedLogLine(sa certificateStorage, ca ocspGenerator, logger blog.Log
func generateOCSP(ctx context.Context, ca ocspGenerator, certDER []byte) ([]byte, error) {
// generate a fresh OCSP response
statusGood := string(core.OCSPStatusGood)
zeroInt32 := int32(0)
zeroInt64 := int64(0)
ocspResponse, err := ca.GenerateOCSP(ctx, &capb.GenerateOCSPRequest{
CertDER: certDER,
Status: &statusGood,
Reason: &zeroInt32,
RevokedAt: &zeroInt64,
Status: string(core.OCSPStatusGood),
Reason: 0,
RevokedAt: 0,
})
if err != nil {
return nil, err
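Review bot: `Reason: 0,` and `RevokedAt: 0,` in the GenerateOCSPRequest literal are the proto3 defaults, so they are no-ops on the wire and differ from the other callers on this page (IssuePrecertificate in ca.go sets only CertDER and Status). Either drop the two lines or keep them with a comment explaining the intent, e.g. `// explicit zeros: a good response carries no revocation data`, so the next reader does not wonder whether they are load-bearing. generateOCSP continues outside the hunk.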


@ -720,7 +720,7 @@ func (ra *RegistrationAuthorityImpl) checkOrderAuthorizations(
// Ensure the names from the CSR are free of duplicates & lowercased.
names = core.UniqueLowerNames(names)
// Check the authorizations to ensure validity for the names required.
if err = ra.checkAuthorizationsCAA(ctx, names, authzs, acctIDInt, ra.clk.Now()); err != nil {
if err = ra.checkAuthorizationsCAA(ctx, names, authzs, int64(acctID), ra.clk.Now()); err != nil {
return nil, err
}
@ -1184,12 +1184,10 @@ func (ra *RegistrationAuthorityImpl) issueCertificateInner(
logEvent.VerifiedFields = []string{"subject.commonName", "subjectAltName"}
// Create the certificate and log the result
acctIDInt := int64(acctID)
orderIDInt := int64(oID)
issueReq := &capb.IssueCertificateRequest{
Csr: csr.Raw,
RegistrationID: &acctIDInt,
OrderID: &orderIDInt,
RegistrationID: int64(acctID),
OrderID: int64(oID),
}
// wrapError adds a prefix to an error. If the error is a boulder error then
@ -1218,8 +1216,8 @@ func (ra *RegistrationAuthorityImpl) issueCertificateInner(
cert, err := ra.CA.IssueCertificateForPrecertificate(ctx, &capb.IssueCertificateForPrecertificateRequest{
DER: precert.DER,
SCTs: scts,
RegistrationID: &acctIDInt,
OrderID: &orderIDInt,
RegistrationID: int64(acctID),
OrderID: int64(oID),
})
if err != nil {
return emptyCert, wrapError(err, "issuing certificate for precertificate")
@ -1663,14 +1661,13 @@ func revokeEvent(state, serial, cn string, names []string, revocationCode revoca
// revokeCertificate generates a revoked OCSP response for the given certificate, stores
// the revocation information, and purges OCSP request URLs from Akamai.
func (ra *RegistrationAuthorityImpl) revokeCertificate(ctx context.Context, cert x509.Certificate, code revocation.Reason, revokedBy int64, source string, comment string) error {
status := string(core.OCSPStatusRevoked)
reason := int32(code)
revokedAt := ra.clk.Now().UnixNano()
ocspResponse, err := ra.CA.GenerateOCSP(ctx, &capb.GenerateOCSPRequest{
CertDER: cert.Raw,
Status: &status,
Reason: &reason,
RevokedAt: &revokedAt,
Status: string(core.OCSPStatusRevoked),
Reason: reason,
RevokedAt: revokedAt,
})
if err != nil {
return err
@ -1678,7 +1675,7 @@ func (ra *RegistrationAuthorityImpl) revokeCertificate(ctx context.Context, cert
serial := core.SerialToString(cert.SerialNumber)
// for some reason we use int32 and int64 for the reason in different
// protobuf messages, so we have to re-cast it here.
reason64 := int64(reason)
reason64 := int64(code)
err = ra.SA.RevokeCertificate(ctx, &sapb.RevokeCertificateRequest{
Serial: &serial,
Reason: &reason64,