parent
3502e4a971
commit
914e971f15
12
ca/ca.go
12
ca/ca.go
|
|
@ -70,6 +70,7 @@ type certificateAuthorityImpl struct {
|
||||||
orphanCount *prometheus.CounterVec
|
orphanCount *prometheus.CounterVec
|
||||||
adoptedOrphanCount *prometheus.CounterVec
|
adoptedOrphanCount *prometheus.CounterVec
|
||||||
signErrorCount *prometheus.CounterVec
|
signErrorCount *prometheus.CounterVec
|
||||||
|
lintErrorCount prometheus.Counter
|
||||||
}
|
}
|
||||||
|
|
||||||
// makeIssuerMaps processes a list of issuers into a set of maps, mapping
|
// makeIssuerMaps processes a list of issuers into a set of maps, mapping
|
||||||
|
|
@ -149,6 +150,13 @@ func NewCertificateAuthorityImpl(
|
||||||
[]string{"type"})
|
[]string{"type"})
|
||||||
stats.MustRegister(adoptedOrphanCount)
|
stats.MustRegister(adoptedOrphanCount)
|
||||||
|
|
||||||
|
lintErrorCount := prometheus.NewCounter(
|
||||||
|
prometheus.CounterOpts{
|
||||||
|
Name: "lint_errors",
|
||||||
|
Help: "Number of issuances that were halted by linting errors",
|
||||||
|
})
|
||||||
|
stats.MustRegister(lintErrorCount)
|
||||||
|
|
||||||
ca = &certificateAuthorityImpl{
|
ca = &certificateAuthorityImpl{
|
||||||
sa: sa,
|
sa: sa,
|
||||||
pa: pa,
|
pa: pa,
|
||||||
|
|
@ -164,6 +172,7 @@ func NewCertificateAuthorityImpl(
|
||||||
orphanCount: orphanCount,
|
orphanCount: orphanCount,
|
||||||
adoptedOrphanCount: adoptedOrphanCount,
|
adoptedOrphanCount: adoptedOrphanCount,
|
||||||
signErrorCount: signErrorCount,
|
signErrorCount: signErrorCount,
|
||||||
|
lintErrorCount: lintErrorCount,
|
||||||
clk: clk,
|
clk: clk,
|
||||||
ecdsaAllowList: ecdsaAllowList,
|
ecdsaAllowList: ecdsaAllowList,
|
||||||
}
|
}
|
||||||
|
|
@ -437,6 +446,9 @@ func (ca *certificateAuthorityImpl) issuePrecertificateInner(ctx context.Context
|
||||||
if err != nil {
|
if err != nil {
|
||||||
ca.log.AuditErrf("Preparing precert failed: serial=[%s] regID=[%d] names=[%s] err=[%v]",
|
ca.log.AuditErrf("Preparing precert failed: serial=[%s] regID=[%d] names=[%s] err=[%v]",
|
||||||
serialHex, issueReq.RegistrationID, strings.Join(csr.DNSNames, ", "), err)
|
serialHex, issueReq.RegistrationID, strings.Join(csr.DNSNames, ", "), err)
|
||||||
|
if errors.Is(err, issuance.ErrLinting) {
|
||||||
|
ca.lintErrorCount.Inc()
|
||||||
|
}
|
||||||
return nil, nil, berrors.InternalServerError("failed to prepare precertificate signing: %s", err)
|
return nil, nil, berrors.InternalServerError("failed to prepare precertificate signing: %s", err)
|
||||||
}
|
}
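Review bot: The `errors.Is(err, issuance.ErrLinting)` check is only meaningful inside this function, because the return on the line after it appears to rebuild the error with `%s` into `berrors.InternalServerError`, so callers above still receive an opaque internal error and cannot tell a lint halt from any other preparation failure. If the counter is meant to be the only signal, a comment such as `// Lint halts are counted here; the InternalServerError below does not preserve the chain.` would make that explicit, and keeping the sentinel with `%w` is the alternative if callers or tests need it. Operationally, `lint_errors` deserves an alert rather than only a dashboard panel: per the Help text, any increment means zlint stopped a certificate the profile and template logic was about to sign, which points at a template or profile defect rather than transient load. issuePrecertificateInner starts and ends outside this hunk.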
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -36,6 +36,8 @@ import (
|
||||||
"github.com/letsencrypt/pkcs11key/v4"
|
"github.com/letsencrypt/pkcs11key/v4"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
var ErrLinting = errors.New("tbsCertificate linting failed")
|
||||||
|
|
||||||
// ProfileConfig describes the certificate issuance constraints for all issuers.
|
// ProfileConfig describes the certificate issuance constraints for all issuers.
|
||||||
type ProfileConfig struct {
|
type ProfileConfig struct {
|
||||||
AllowMustStaple bool
|
AllowMustStaple bool
|
||||||
|
|
@ -666,7 +668,7 @@ func (i *Issuer) Prepare(req *IssuanceRequest) ([]byte, *issuanceToken, error) {
|
||||||
// with a throwaway key and then linting it using zlint
|
// with a throwaway key and then linting it using zlint
|
||||||
lintCertBytes, err := i.Linter.Check(template, req.PublicKey)
|
lintCertBytes, err := i.Linter.Check(template, req.PublicKey)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, nil, fmt.Errorf("tbsCertificate linting failed: %w", err)
|
return nil, nil, fmt.Errorf("%w: %w", ErrLinting, err)
|
||||||
}
|
}
|
||||||
|
|
||||||
token := &issuanceToken{sync.Mutex{}, template, req.PublicKey, i}
|
token := &issuanceToken{sync.Mutex{}, template, req.PublicKey, i}
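Review bot: `ErrLinting` is exported but carries no doc comment in the import-block hunk above (`@ -36,6 +36,8`); Go tooling expects one beginning with the name, e.g. `// ErrLinting is wrapped into the error Prepare returns when the lint-check certificate fails zlint.` The rewritten return keeps the previous message text because the sentinel's string is the old prefix, so existing string matches still pass, but `fmt.Errorf("%w: %w", ErrLinting, err)` with two `%w` verbs requires Go 1.20 or later, which is worth confirming against the module's go directive. Prepare begins and ends outside this hunk.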
|
||||||
|
|
|
||||||
|
|
@ -814,6 +814,7 @@ func TestIssueBadLint(t *testing.T) {
|
||||||
NotAfter: fc.Now().Add(time.Hour - time.Second),
|
NotAfter: fc.Now().Add(time.Hour - time.Second),
|
||||||
})
|
})
|
||||||
test.AssertError(t, err, "Prepare didn't fail")
|
test.AssertError(t, err, "Prepare didn't fail")
|
||||||
|
test.AssertErrorIs(t, err, ErrLinting)
|
||||||
test.AssertContains(t, err.Error(), "tbsCertificate linting failed: failed lints")
|
test.AssertContains(t, err.Error(), "tbsCertificate linting failed: failed lints")
|
||||||
}
|
}
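Review bot: The test now asserts the sentinel from Prepare, but nothing in this diff exercises the CA side of the change (the `lintErrorCount` increment in issuePrecertificateInner), so a regression that stops the counter from firing would go unnoticed. A test that drives a lint failure through the CA and reads the counter would close that gap, assuming the existing ca test helpers expose the registry. TestIssueBadLint begins outside this hunk.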
|
||||||
|
|
||||||
|
|
|
||||||