parent
3502e4a971
commit
914e971f15
12
ca/ca.go
12
ca/ca.go
|
@ -70,6 +70,7 @@ type certificateAuthorityImpl struct {
|
|||
orphanCount *prometheus.CounterVec
|
||||
adoptedOrphanCount *prometheus.CounterVec
|
||||
signErrorCount *prometheus.CounterVec
|
||||
lintErrorCount prometheus.Counter
|
||||
}
|
||||
|
||||
// makeIssuerMaps processes a list of issuers into a set of maps, mapping
|
||||
|
@ -149,6 +150,13 @@ func NewCertificateAuthorityImpl(
|
|||
[]string{"type"})
|
||||
stats.MustRegister(adoptedOrphanCount)
|
||||
|
||||
lintErrorCount := prometheus.NewCounter(
|
||||
prometheus.CounterOpts{
|
||||
Name: "lint_errors",
|
||||
Help: "Number of issuances that were halted by linting errors",
|
||||
})
|
||||
stats.MustRegister(lintErrorCount)
|
||||
|
||||
ca = &certificateAuthorityImpl{
|
||||
sa: sa,
|
||||
pa: pa,
|
||||
|
@ -164,6 +172,7 @@ func NewCertificateAuthorityImpl(
|
|||
orphanCount: orphanCount,
|
||||
adoptedOrphanCount: adoptedOrphanCount,
|
||||
signErrorCount: signErrorCount,
|
||||
lintErrorCount: lintErrorCount,
|
||||
clk: clk,
|
||||
ecdsaAllowList: ecdsaAllowList,
|
||||
}
|
||||
|
@ -437,6 +446,9 @@ func (ca *certificateAuthorityImpl) issuePrecertificateInner(ctx context.Context
|
|||
if err != nil {
|
||||
ca.log.AuditErrf("Preparing precert failed: serial=[%s] regID=[%d] names=[%s] err=[%v]",
|
||||
serialHex, issueReq.RegistrationID, strings.Join(csr.DNSNames, ", "), err)
|
||||
if errors.Is(err, issuance.ErrLinting) {
|
||||
ca.lintErrorCount.Inc()
|
||||
}
|
||||
return nil, nil, berrors.InternalServerError("failed to prepare precertificate signing: %s", err)
|
||||
}
|
||||
|
||||
|
|
|
@ -36,6 +36,8 @@ import (
|
|||
"github.com/letsencrypt/pkcs11key/v4"
|
||||
)
|
||||
|
||||
var ErrLinting = errors.New("tbsCertificate linting failed")
|
||||
|
||||
// ProfileConfig describes the certificate issuance constraints for all issuers.
|
||||
type ProfileConfig struct {
|
||||
AllowMustStaple bool
|
||||
|
@ -666,7 +668,7 @@ func (i *Issuer) Prepare(req *IssuanceRequest) ([]byte, *issuanceToken, error) {
|
|||
// with a throwaway key and then linting it using zlint
|
||||
lintCertBytes, err := i.Linter.Check(template, req.PublicKey)
|
||||
if err != nil {
|
||||
return nil, nil, fmt.Errorf("tbsCertificate linting failed: %w", err)
|
||||
return nil, nil, fmt.Errorf("%w: %w", ErrLinting, err)
|
||||
}
|
||||
|
||||
token := &issuanceToken{sync.Mutex{}, template, req.PublicKey, i}
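Review bot: `ErrLinting` is exported without a doc comment, so callers outside the package cannot tell from godoc which function produces it or that it is meant to be matched with `errors.Is`. Suggest `// ErrLinting is returned by Prepare when zlint rejects the tbsCertificate; callers detect it with errors.Is.` above the `var`. The new `fmt.Errorf("%w: %w", ErrLinting, err)` relies on multiple `%w` verbs, which is only supported from Go 1.20 — worth confirming the module's `go` directive allows that, since on older toolchains `go vet` flags it and the second wrap is lost. `Prepare` starts and ends outside the hunk.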
|
||||
|
|
|
@ -814,6 +814,7 @@ func TestIssueBadLint(t *testing.T) {
|
|||
NotAfter: fc.Now().Add(time.Hour - time.Second),
|
||||
})
|
||||
test.AssertError(t, err, "Prepare didn't fail")
|
||||
test.AssertErrorIs(t, err, ErrLinting)
|
||||
test.AssertContains(t, err.Error(), "tbsCertificate linting failed: failed lints")
|
||||
}
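Review bot: With `test.AssertErrorIs(t, err, ErrLinting)` now in place, the following `AssertContains` on `"tbsCertificate linting failed: failed lints"` re-asserts the sentinel's message text, so any future rewording of `ErrLinting` breaks this test without a behavioural change. Narrowing it to the linter-supplied part, `test.AssertContains(t, err.Error(), "failed lints")`, keeps the check on what the wrap actually adds. `TestIssueBadLint` begins outside the hunk.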
|
||||
|
||||
|
|