Generate and store OCSP at precertificate signing time (#4420)

This change adds two tables and two methods in the SA, to store precertificates
and serial numbers.

In the CA, when the feature flag is turned on, we generate a serial number, store it,
sign a precertificate and OCSP, store them, and then return the precertificate. Storing
the serial as an additional step before signing the certificate adds an extra layer of
insurance against duplicate serials, and also serves as a check on database availability.
Since an error storing the serial prevents going on to sign the precertificate, this decreases
the chance of signing something while the database is down.

Right now, neither table has read operations available in the SA.

To make this work, I needed to remove the check for duplicate certificateStatus entry
when inserting a final certificate and its OCSP response. I also needed to remove
an error that can occur when expiration-mailer processes a precertificate that lacks
a final certificate. That error would otherwise have prevented further processing of
expiration warnings.

Fixes #4412

This change builds on #4417, please review that first for ease of review.
Jacob Hoffman-Andrews 2019-09-09 12:21:20 -07:00 committed by GitHub
parent 9df9c21ddc
commit 9906c93217
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
21 changed files with 573 additions and 154 deletions


@ -27,6 +27,9 @@ import (
"github.com/google/certificate-transparency-go"
cttls "github.com/google/certificate-transparency-go/tls"
"github.com/jmhodges/clock"
corepb "github.com/letsencrypt/boulder/core/proto"
"github.com/letsencrypt/boulder/features"
sapb "github.com/letsencrypt/boulder/sa/proto"
"github.com/miekg/pkcs11"
"github.com/letsencrypt/boulder/ca/config"
@ -99,6 +102,8 @@ const (
type certificateStorage interface {
AddCertificate(context.Context, []byte, int64, []byte, *time.Time) (string, error)
AddPrecertificate(ctx context.Context, req *sapb.AddCertificateRequest) (*corepb.Empty, error)
AddSerial(ctx context.Context, req *sapb.AddSerialRequest) (*corepb.Empty, error)
}
type certificateType string
@ -427,13 +432,61 @@ func (ca *CertificateAuthorityImpl) IssuePrecertificate(ctx context.Context, iss
return nil, err
}
precertDER, err := ca.issuePrecertificateInner(ctx, issueReq, serialBigInt, validity, precertType)
if err != nil {
return nil, err
if features.Enabled(features.PrecertificateOCSP) {
serialHex := core.SerialToString(serialBigInt)
nowNanos := ca.clk.Now().UnixNano()
expiresNanos := validity.NotAfter.UnixNano()
_, err = ca.sa.AddSerial(ctx, &sapb.AddSerialRequest{
Serial: &serialHex,
RegID: issueReq.RegistrationID,
Created: &nowNanos,
Expires: &expiresNanos,
})
if err != nil {
return nil, err
}
precertDER, err := ca.issuePrecertificateInner(ctx, issueReq, serialBigInt, validity, precertType)
if err != nil {
return nil, err
}
ocspResp, err := ca.GenerateOCSP(ctx, core.OCSPSigningRequest{
CertDER: precertDER,
Status: string(core.OCSPStatusGood),
})
if err != nil {
err = berrors.InternalServerError(err.Error())
ca.log.AuditInfof("OCSP Signing failure: serial=[%s] err=[%s]", serialHex, err)
}
_, err = ca.sa.AddPrecertificate(ctx, &sapb.AddCertificateRequest{
Der: precertDER,
RegID: issueReq.RegistrationID,
Ocsp: ocspResp,
Issued: &nowNanos,
})
if err != nil {
err = berrors.InternalServerError(err.Error())
// TODO(#4425): Extend orphanQueue support to precertificates.
ca.log.AuditErrf("Failed RPC to store at SA, orphaning precertificate: serial=[%s] cert=[%s] err=[%v], regID=[%d], orderID=[%d]",
serialHex, hex.EncodeToString(precertDER), err, issueReq.RegistrationID, issueReq.OrderID)
return nil, err
}
return &caPB.IssuePrecertificateResponse{
DER: precertDER,
}, nil
} else {
precertDER, err := ca.issuePrecertificateInner(ctx, issueReq, serialBigInt, validity, precertType)
if err != nil {
return nil, err
}
return &caPB.IssuePrecertificateResponse{
DER: precertDER,
}, nil
}
return &caPB.IssuePrecertificateResponse{
DER: precertDER,
}, nil
}
// IssueCertificateForPrecertificate takes a precertificate and a set of SCTs for that precertificate
@ -626,16 +679,20 @@ func (ca *CertificateAuthorityImpl) generateOCSPAndStoreCertificate(
orderID int64,
serialBigInt *big.Int,
certDER []byte) (core.Certificate, error) {
ocspResp, err := ca.GenerateOCSP(ctx, core.OCSPSigningRequest{
CertDER: certDER,
Status: "good",
})
if err != nil {
err = berrors.InternalServerError(err.Error())
ca.log.AuditInfof("OCSP Signing failure: serial=[%s] err=[%s]", core.SerialToString(serialBigInt), err)
// Ignore errors here to avoid orphaning the certificate. The
// ocsp-updater will look for certs with a zero ocspLastUpdated
// and generate the initial response in this case.
var err error
var ocspResp []byte
if !features.Enabled(features.PrecertificateOCSP) {
ocspResp, err = ca.GenerateOCSP(ctx, core.OCSPSigningRequest{
CertDER: certDER,
Status: string(core.OCSPStatusGood),
})
if err != nil {
err = berrors.InternalServerError(err.Error())
ca.log.AuditInfof("OCSP Signing failure: serial=[%s] err=[%s]", core.SerialToString(serialBigInt), err)
// Ignore errors here to avoid orphaning the certificate. The
// ocsp-updater will look for certs with a zero ocspLastUpdated
// and generate the initial response in this case.
}
}
now := ca.clk.Now()
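Review bot: In the PrecertificateOCSP branch of IssuePrecertificate, a GenerateOCSP failure is only logged with AuditInfof; the code then calls AddPrecertificate with a nil `Ocsp` and reuses `err` for that call. The AddPrecertificate in sa/precertificates.go stores whatever `Ocsp` it receives with status good and `OCSPLastUpdated` set to the current time, so the zero-ocspLastUpdated fallback described in generateOCSPAndStoreCertificate presumably will not pick this row up. I would fail closed with `return nil, err` after the audit line, logging the DER there as the AddPrecertificate failure path does, or else state in a comment which component produces the first response. IssuePrecertificate starts before this hunk, so earlier handling is not visible here.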


@ -34,11 +34,13 @@ import (
caPB "github.com/letsencrypt/boulder/ca/proto"
"github.com/letsencrypt/boulder/cmd"
"github.com/letsencrypt/boulder/core"
corepb "github.com/letsencrypt/boulder/core/proto"
berrors "github.com/letsencrypt/boulder/errors"
"github.com/letsencrypt/boulder/goodkey"
blog "github.com/letsencrypt/boulder/log"
"github.com/letsencrypt/boulder/metrics"
"github.com/letsencrypt/boulder/policy"
sapb "github.com/letsencrypt/boulder/sa/proto"
"github.com/letsencrypt/boulder/test"
)
@ -175,6 +177,14 @@ func (m *mockSA) AddCertificate(ctx context.Context, der []byte, _ int64, _ []by
return "", nil
}
func (m *mockSA) AddPrecertificate(ctx context.Context, req *sapb.AddCertificateRequest) (*corepb.Empty, error) {
return &corepb.Empty{}, nil
}
func (m *mockSA) AddSerial(ctx context.Context, req *sapb.AddSerialRequest) (*corepb.Empty, error) {
return &corepb.Empty{}, nil
}
var caKey crypto.Signer
var caCert *x509.Certificate
var ctx = context.Background()
@ -901,6 +911,14 @@ func (qsa *queueSA) AddCertificate(_ context.Context, _ []byte, _ int64, _ []byt
return "", nil
}
func (qsa *queueSA) AddPrecertificate(ctx context.Context, req *sapb.AddCertificateRequest) (*corepb.Empty, error) {
return &corepb.Empty{}, nil
}
func (qsa *queueSA) AddSerial(ctx context.Context, req *sapb.AddSerialRequest) (*corepb.Empty, error) {
return &corepb.Empty{}, nil
}
func TestOrphanQueue(t *testing.T) {
tmpDir, err := ioutil.TempDir("", "orphan-queue-tmp")
defer os.Remove(tmpDir)


@ -4,6 +4,7 @@ import (
"bytes"
"context"
"crypto/x509"
"database/sql"
"errors"
"flag"
"fmt"
@ -302,6 +303,13 @@ func (m *mailer) findExpiringCertificates() error {
var cert core.Certificate
cert, err := sa.SelectCertificate(m.dbMap, "WHERE serial = ?", serial)
if err != nil {
// We can get an ErrNoRows when processing a serial number corresponding
// to a precertificate with no final certificate. Since this certificate
// is not being used by a subscriber, we don't send expiration email about
// it.
if err == sql.ErrNoRows {
continue
}
m.log.AuditErrf("expiration-mailer: Error loading cert %q: %s", cert.Serial, err)
return err
}
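Review bot: The new `sql.ErrNoRows` branch in findExpiringCertificates skips the serial with no log line or counter, so a status row whose certificate is missing for any other reason is indistinguishable from a precertificate-only serial. A debug line such as `m.log.Debugf("expiration-mailer: no final certificate for serial %q, skipping", serial)` before `continue` would keep that visible. The audit line just below formats `cert.Serial`, which is presumably empty when SelectCertificate fails; `serial` is the value that was queried. The function body starts and ends outside this hunk.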


@ -149,6 +149,8 @@ type StorageAdder interface {
NewPendingAuthorization(ctx context.Context, authz Authorization) (Authorization, error)
FinalizeAuthorization(ctx context.Context, authz Authorization) error
AddCertificate(ctx context.Context, der []byte, regID int64, ocsp []byte, issued *time.Time) (digest string, err error)
AddPrecertificate(ctx context.Context, req *sapb.AddCertificateRequest) (*corepb.Empty, error)
AddSerial(ctx context.Context, req *sapb.AddSerialRequest) (*corepb.Empty, error)
DeactivateRegistration(ctx context.Context, id int64) error
DeactivateAuthorization(ctx context.Context, id string) error
NewOrder(ctx context.Context, order *corepb.Order) (*corepb.Order, error)


@ -34,11 +34,12 @@ func _() {
_ = x[ParallelCheckFailedValidation-23]
_ = x[DeleteUnusedChallenges-24]
_ = x[V1DisableNewValidations-25]
_ = x[PrecertificateOCSP-26]
}
const _FeatureFlag_name = "unusedPerformValidationRPCACME13KeyRolloverSimplifiedVAHTTPTLSSNIRevalidationAllowRenewalFirstRLSetIssuedNamesRenewalBitFasterRateLimitProbeCTLogsRevokeAtRACAAValidationMethodsCAAAccountURIHeadNonceStatusOKNewAuthorizationSchemaDisableAuthz2OrdersEarlyOrderRateLimitEnforceMultiVAMultiVAFullResultsRemoveWFE2AccountIDCheckRenewalFirstMandatoryPOSTAsGETFasterGetOrderForNamesAllowV1RegistrationParallelCheckFailedValidationDeleteUnusedChallengesV1DisableNewValidations"
const _FeatureFlag_name = "unusedPerformValidationRPCACME13KeyRolloverSimplifiedVAHTTPTLSSNIRevalidationAllowRenewalFirstRLSetIssuedNamesRenewalBitFasterRateLimitProbeCTLogsRevokeAtRACAAValidationMethodsCAAAccountURIHeadNonceStatusOKNewAuthorizationSchemaDisableAuthz2OrdersEarlyOrderRateLimitEnforceMultiVAMultiVAFullResultsRemoveWFE2AccountIDCheckRenewalFirstMandatoryPOSTAsGETFasterGetOrderForNamesAllowV1RegistrationParallelCheckFailedValidationDeleteUnusedChallengesV1DisableNewValidationsPrecertificateOCSP"
var _FeatureFlag_index = [...]uint16{0, 6, 26, 43, 59, 77, 96, 120, 135, 146, 156, 176, 189, 206, 228, 247, 266, 280, 298, 317, 334, 352, 374, 393, 422, 444, 467}
var _FeatureFlag_index = [...]uint16{0, 6, 26, 43, 59, 77, 96, 120, 135, 146, 156, 176, 189, 206, 228, 247, 266, 280, 298, 317, 334, 352, 374, 393, 422, 444, 467, 485}
func (i FeatureFlag) String() string {
if i < 0 || i >= FeatureFlag(len(_FeatureFlag_index)-1) {


@ -68,6 +68,10 @@ const (
// V1DisableNewValidations disables validations for new domain names in the V1
// API.
V1DisableNewValidations
// PrecertificateOCSP ensures that we write an OCSP response immediately upon
// generating a precertificate. This also changes the issuance / storage flow,
// adding two new calls from CA to SA: AddSerial and AddPrecertificate.
PrecertificateOCSP
)
// List of features and their default value, protected by fMu
@ -98,6 +102,7 @@ var features = map[FeatureFlag]bool{
ParallelCheckFailedValidation: false,
DeleteUnusedChallenges: false,
V1DisableNewValidations: false,
PrecertificateOCSP: false,
}
var fMu = new(sync.RWMutex)


@ -283,6 +283,34 @@ func (sac StorageAuthorityClientWrapper) PreviousCertificateExists(
return exists, err
}
func (sac StorageAuthorityClientWrapper) AddPrecertificate(
ctx context.Context,
req *sapb.AddCertificateRequest,
) (*corepb.Empty, error) {
empty, err := sac.inner.AddPrecertificate(ctx, req)
if err != nil {
return nil, err
}
if empty == nil {
return nil, errIncompleteResponse
}
return empty, nil
}
func (sac StorageAuthorityClientWrapper) AddSerial(
ctx context.Context,
req *sapb.AddSerialRequest,
) (*corepb.Empty, error) {
empty, err := sac.inner.AddSerial(ctx, req)
if err != nil {
return nil, err
}
if empty == nil {
return nil, errIncompleteResponse
}
return empty, nil
}
func (sac StorageAuthorityClientWrapper) FQDNSetExists(ctx context.Context, domains []string) (bool, error) {
response, err := sac.inner.FQDNSetExists(ctx, &sapb.FQDNSetExistsRequest{Domains: domains})
if err != nil {
@ -615,10 +643,11 @@ func (sas StorageAuthorityClientWrapper) DeactivateAuthorization2(ctx context.Co
type StorageAuthorityServerWrapper struct {
// TODO(#3119): Don't use core.StorageAuthority
inner core.StorageAuthority
core.StorageAuthority
}
func NewStorageAuthorityServer(inner core.StorageAuthority) *StorageAuthorityServerWrapper {
return &StorageAuthorityServerWrapper{inner}
return &StorageAuthorityServerWrapper{inner, inner}
}
func (sas StorageAuthorityServerWrapper) GetRegistration(ctx context.Context, request *sapb.RegistrationID) (*corepb.Registration, error) {
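Review bot: StorageAuthorityServerWrapper now embeds `core.StorageAuthority` next to `inner`, which promotes every method of that interface onto the gRPC server wrapper. Presumably this is what lets AddPrecertificate and AddSerial be served without explicit server-side wrappers, but any interface method whose signature already matches the generated server interface is then served with no request validation in this layer, and forgetting a wrapper for such a method no longer fails to compile. A comment on the embedded field would record the intent, for example `// Embedded so AddPrecertificate and AddSerial, which already use gRPC types, are served directly; every other method must keep an explicit wrapper.`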


@ -319,6 +319,16 @@ func (sa *StorageAuthority) GetCertificateStatus(_ context.Context, serial strin
}
}
// AddPrecertificate is a mock
func (sa *StorageAuthority) AddPrecertificate(ctx context.Context, req *sapb.AddCertificateRequest) (empty *corepb.Empty, err error) {
return
}
// AddSerial is a mock
func (sa *StorageAuthority) AddSerial(ctx context.Context, req *sapb.AddSerialRequest) (empty *corepb.Empty, err error) {
return
}
// AddCertificate is a mock
func (sa *StorageAuthority) AddCertificate(_ context.Context, certDER []byte, regID int64, _ []byte, _ *time.Time) (digest string, err error) {
return


@ -115,6 +115,16 @@ func (sa *mockInvalidAuthorizationsAuthority) FinalizeAuthorization(ctx context.
return nil, nil
}
// AddPrecertificate is a mock
func (sa *mockInvalidAuthorizationsAuthority) AddPrecertificate(ctx context.Context, req *sapb.AddCertificateRequest, opts ...grpc.CallOption) (empty *corepb.Empty, err error) {
return
}
// AddSerial is a mock
func (sa *mockInvalidAuthorizationsAuthority) AddSerial(ctx context.Context, req *sapb.AddSerialRequest, opts ...grpc.CallOption) (empty *corepb.Empty, err error) {
return
}
func (sa *mockInvalidAuthorizationsAuthority) AddCertificate(ctx context.Context, in *sapb.AddCertificateRequest, opts ...grpc.CallOption) (*sapb.AddCertificateResponse, error) {
return nil, nil
}


@ -0,0 +1,34 @@
-- +goose Up
-- SQL in section 'Up' is executed when this migration is applied
CREATE TABLE `serials` (
`id` bigint(20) NOT NULL AUTO_INCREMENT,
`registrationID` bigint(20) NOT NULL,
`serial` varchar(255) NOT NULL,
`created` datetime NOT NULL,
`expires` datetime NOT NULL,
PRIMARY KEY (`id`),
UNIQUE KEY `serial` (`serial`),
KEY `regId_serials_idx` (`registrationID`),
CONSTRAINT `regId_serials` FOREIGN KEY (`registrationID`) REFERENCES `registrations` (`id`) ON DELETE NO ACTION ON UPDATE NO ACTION
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
CREATE TABLE `precertificates` (
`id` bigint(20) NOT NULL AUTO_INCREMENT,
`registrationID` bigint(20) NOT NULL,
`serial` varchar(255) NOT NULL,
`der` mediumblob NOT NULL,
`issued` datetime NOT NULL,
`expires` datetime NOT NULL,
PRIMARY KEY (`id`),
UNIQUE KEY `serial` (`serial`),
KEY `regId_precertificates_idx` (`registrationID`),
KEY `issued_precertificates_idx` (`issued`),
CONSTRAINT `regId_precertificates` FOREIGN KEY (`registrationID`) REFERENCES `registrations` (`id`) ON DELETE NO ACTION ON UPDATE NO ACTION
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
-- +goose Down
-- SQL section 'Down' is executed when this migration is rolled back
DROP TABLE serials;
DROP TABLE precertificates;


@ -138,4 +138,6 @@ func initTables(dbMap *gorp.DbMap) {
dbMap.AddTableWithName(orderFQDNSet{}, "orderFqdnSets").SetKeys(true, "ID")
dbMap.AddTableWithName(authz2Model{}, "authz2").SetKeys(true, "ID")
dbMap.AddTableWithName(orderToAuthz2Model{}, "orderToAuthz2").SetKeys(false, "OrderID", "AuthzID")
dbMap.AddTableWithName(recordedSerialModel{}, "serials").SetKeys(true, "ID")
dbMap.AddTableWithName(precertificateModel{}, "precertificates").SetKeys(true, "ID")
}


@ -361,6 +361,23 @@ func modelToChallenge(cm *challModel) (core.Challenge, error) {
return c, nil
}
type recordedSerialModel struct {
ID int64
Serial string
RegistrationID int64
Created time.Time
Expires time.Time
}
type precertificateModel struct {
ID int64
Serial string
RegistrationID int64
DER []byte
Issued time.Time
Expires time.Time
}
type orderModel struct {
ID int64
RegistrationID int64

71
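--- a/sa/precertificates.go
+++ b/sa/precertificates.go
@@ -0,0 +1,71 @@
+package sa
+import (
+"crypto/x509"
+"errors"
+"time"
+"golang.org/x/net/context"
+"github.com/letsencrypt/boulder/core"
+corepb "github.com/letsencrypt/boulder/core/proto"
+sapb "github.com/letsencrypt/boulder/sa/proto"
+)
+var errIncompleteRequest = errors.New("Incomplete gRPC request message")
+// AddSerial writes a record of a serial number generation to the DB.
+func (ssa *SQLStorageAuthority) AddSerial(ctx context.Context, req *sapb.AddSerialRequest) (*corepb.Empty, error) {
+if req == nil || req.Created == nil || req.Expires == nil || req.Serial == nil || req.RegID == nil {
+return nil, errIncompleteRequest
+}
+created := time.Unix(0, *req.Created)
+expires := time.Unix(0, *req.Expires)
+err := ssa.dbMap.WithContext(ctx).Insert(&recordedSerialModel{
+Serial: *req.Serial,
+RegistrationID: *req.RegID,
+Created: created,
+Expires: expires,
+})
+if err != nil {
+return nil, err
+}
+return &corepb.Empty{}, nil
+}
+// AddPrecertificate writes a record of a precertificate generation to the DB.
+func (ssa *SQLStorageAuthority) AddPrecertificate(ctx context.Context, req *sapb.AddCertificateRequest) (*corepb.Empty, error) {
+if req == nil || req.Der == nil || req.Issued == nil || req.RegID == nil {
+return nil, errIncompleteRequest
+}
+parsed, err := x509.ParseCertificate(req.Der)
+if err != nil {
+return nil, err
+}
+issued := time.Unix(0, *req.Issued)
+serialHex := core.SerialToString(parsed.SerialNumber)
+err = ssa.dbMap.WithContext(ctx).Insert(&precertificateModel{
+Serial: serialHex,
+RegistrationID: *req.RegID,
+DER: req.Der,
+Issued: issued,
+Expires: parsed.NotAfter,
+})
+if err != nil {
+return nil, err
+}
+err = ssa.dbMap.WithContext(ctx).Insert(&certStatusModel{
+Status: core.OCSPStatusGood,
+OCSPLastUpdated: ssa.clk.Now(),
+OCSPResponse: req.Ocsp,
+Serial: serialHex,
+RevokedDate: time.Time{},
+RevokedReason: 0,
+NotAfter: parsed.NotAfter,
+})
+if err != nil {
+return nil, err
+}
+return &corepb.Empty{}, nil
+}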
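Review bot: AddPrecertificate performs its two inserts, the precertificateModel row and the certStatusModel row, as separate statements, so a failure of the second leaves a precertificate row with no status row. A retry would then hit the `UNIQUE KEY` on `serial` that the migration defines for `precertificates`. Running both inserts in one transaction avoids the partial state; the sketch below assumes `ssa.dbMap` exposes gorp's `Begin`, which this file does not show.

```go
	// … unchanged: request check, x509.ParseCertificate, issued, serialHex …
	tx, err := ssa.dbMap.Begin()
	if err != nil {
		return nil, err
	}
	txWithCtx := tx.WithContext(ctx)
	precert := &precertificateModel{ /* … unchanged: fields as in the hunk … */ }
	status := &certStatusModel{ /* … unchanged: fields as in the hunk … */ }
	if err := txWithCtx.Insert(precert, status); err != nil {
		_ = tx.Rollback() // the insert error is the one worth returning
		return nil, err
	}
	if err := tx.Commit(); err != nil {
		return nil, err
	}
	return &corepb.Empty{}, nil
```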


@ -1030,6 +1030,69 @@ func (m *Exists) GetExists() bool {
return false
}
type AddSerialRequest struct {
RegID *int64 `protobuf:"varint,1,opt,name=regID" json:"regID,omitempty"`
Serial *string `protobuf:"bytes,2,opt,name=serial" json:"serial,omitempty"`
Created *int64 `protobuf:"varint,3,opt,name=created" json:"created,omitempty"`
Expires *int64 `protobuf:"varint,4,opt,name=expires" json:"expires,omitempty"`
XXX_NoUnkeyedLiteral struct{} `json:"-"`
XXX_unrecognized []byte `json:"-"`
XXX_sizecache int32 `json:"-"`
}
func (m *AddSerialRequest) Reset() { *m = AddSerialRequest{} }
func (m *AddSerialRequest) String() string { return proto.CompactTextString(m) }
func (*AddSerialRequest) ProtoMessage() {}
func (*AddSerialRequest) Descriptor() ([]byte, []int) {
return fileDescriptor_099fb35e782a48a6, []int{19}
}
func (m *AddSerialRequest) XXX_Unmarshal(b []byte) error {
return xxx_messageInfo_AddSerialRequest.Unmarshal(m, b)
}
func (m *AddSerialRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
return xxx_messageInfo_AddSerialRequest.Marshal(b, m, deterministic)
}
func (m *AddSerialRequest) XXX_Merge(src proto.Message) {
xxx_messageInfo_AddSerialRequest.Merge(m, src)
}
func (m *AddSerialRequest) XXX_Size() int {
return xxx_messageInfo_AddSerialRequest.Size(m)
}
func (m *AddSerialRequest) XXX_DiscardUnknown() {
xxx_messageInfo_AddSerialRequest.DiscardUnknown(m)
}
var xxx_messageInfo_AddSerialRequest proto.InternalMessageInfo
func (m *AddSerialRequest) GetRegID() int64 {
if m != nil && m.RegID != nil {
return *m.RegID
}
return 0
}
func (m *AddSerialRequest) GetSerial() string {
if m != nil && m.Serial != nil {
return *m.Serial
}
return ""
}
func (m *AddSerialRequest) GetCreated() int64 {
if m != nil && m.Created != nil {
return *m.Created
}
return 0
}
func (m *AddSerialRequest) GetExpires() int64 {
if m != nil && m.Expires != nil {
return *m.Expires
}
return 0
}
type AddCertificateRequest struct {
Der []byte `protobuf:"bytes,1,opt,name=der" json:"der,omitempty"`
RegID *int64 `protobuf:"varint,2,opt,name=regID" json:"regID,omitempty"`
@ -1049,7 +1112,7 @@ func (m *AddCertificateRequest) Reset() { *m = AddCertificateRequest{} }
func (m *AddCertificateRequest) String() string { return proto.CompactTextString(m) }
func (*AddCertificateRequest) ProtoMessage() {}
func (*AddCertificateRequest) Descriptor() ([]byte, []int) {
return fileDescriptor_099fb35e782a48a6, []int{19}
return fileDescriptor_099fb35e782a48a6, []int{20}
}
func (m *AddCertificateRequest) XXX_Unmarshal(b []byte) error {
@ -1109,7 +1172,7 @@ func (m *AddCertificateResponse) Reset() { *m = AddCertificateResponse{}
func (m *AddCertificateResponse) String() string { return proto.CompactTextString(m) }
func (*AddCertificateResponse) ProtoMessage() {}
func (*AddCertificateResponse) Descriptor() ([]byte, []int) {
return fileDescriptor_099fb35e782a48a6, []int{20}
return fileDescriptor_099fb35e782a48a6, []int{21}
}
func (m *AddCertificateResponse) XXX_Unmarshal(b []byte) error {
@ -1149,7 +1212,7 @@ func (m *OrderRequest) Reset() { *m = OrderRequest{} }
func (m *OrderRequest) String() string { return proto.CompactTextString(m) }
func (*OrderRequest) ProtoMessage() {}
func (*OrderRequest) Descriptor() ([]byte, []int) {
return fileDescriptor_099fb35e782a48a6, []int{21}
return fileDescriptor_099fb35e782a48a6, []int{22}
}
func (m *OrderRequest) XXX_Unmarshal(b []byte) error {
@ -1196,7 +1259,7 @@ func (m *GetValidOrderAuthorizationsRequest) Reset() { *m = GetValidOrde
func (m *GetValidOrderAuthorizationsRequest) String() string { return proto.CompactTextString(m) }
func (*GetValidOrderAuthorizationsRequest) ProtoMessage() {}
func (*GetValidOrderAuthorizationsRequest) Descriptor() ([]byte, []int) {
return fileDescriptor_099fb35e782a48a6, []int{22}
return fileDescriptor_099fb35e782a48a6, []int{23}
}
func (m *GetValidOrderAuthorizationsRequest) XXX_Unmarshal(b []byte) error {
@ -1244,7 +1307,7 @@ func (m *GetOrderForNamesRequest) Reset() { *m = GetOrderForNamesRequest
func (m *GetOrderForNamesRequest) String() string { return proto.CompactTextString(m) }
func (*GetOrderForNamesRequest) ProtoMessage() {}
func (*GetOrderForNamesRequest) Descriptor() ([]byte, []int) {
return fileDescriptor_099fb35e782a48a6, []int{23}
return fileDescriptor_099fb35e782a48a6, []int{24}
}
func (m *GetOrderForNamesRequest) XXX_Unmarshal(b []byte) error {
@ -1300,7 +1363,7 @@ func (m *GetAuthorizationsRequest) Reset() { *m = GetAuthorizationsReque
func (m *GetAuthorizationsRequest) String() string { return proto.CompactTextString(m) }
func (*GetAuthorizationsRequest) ProtoMessage() {}
func (*GetAuthorizationsRequest) Descriptor() ([]byte, []int) {
return fileDescriptor_099fb35e782a48a6, []int{24}
return fileDescriptor_099fb35e782a48a6, []int{25}
}
func (m *GetAuthorizationsRequest) XXX_Unmarshal(b []byte) error {
@ -1360,7 +1423,7 @@ func (m *Authorizations) Reset() { *m = Authorizations{} }
func (m *Authorizations) String() string { return proto.CompactTextString(m) }
func (*Authorizations) ProtoMessage() {}
func (*Authorizations) Descriptor() ([]byte, []int) {
return fileDescriptor_099fb35e782a48a6, []int{25}
return fileDescriptor_099fb35e782a48a6, []int{26}
}
func (m *Authorizations) XXX_Unmarshal(b []byte) error {
@ -1400,7 +1463,7 @@ func (m *Authorizations_MapElement) Reset() { *m = Authorizations_MapEle
func (m *Authorizations_MapElement) String() string { return proto.CompactTextString(m) }
func (*Authorizations_MapElement) ProtoMessage() {}
func (*Authorizations_MapElement) Descriptor() ([]byte, []int) {
return fileDescriptor_099fb35e782a48a6, []int{25, 0}
return fileDescriptor_099fb35e782a48a6, []int{26, 0}
}
func (m *Authorizations_MapElement) XXX_Unmarshal(b []byte) error {
@ -1446,7 +1509,7 @@ func (m *AddPendingAuthorizationsRequest) Reset() { *m = AddPendingAutho
func (m *AddPendingAuthorizationsRequest) String() string { return proto.CompactTextString(m) }
func (*AddPendingAuthorizationsRequest) ProtoMessage() {}
func (*AddPendingAuthorizationsRequest) Descriptor() ([]byte, []int) {
return fileDescriptor_099fb35e782a48a6, []int{26}
return fileDescriptor_099fb35e782a48a6, []int{27}
}
func (m *AddPendingAuthorizationsRequest) XXX_Unmarshal(b []byte) error {
@ -1485,7 +1548,7 @@ func (m *AuthorizationIDs) Reset() { *m = AuthorizationIDs{} }
func (m *AuthorizationIDs) String() string { return proto.CompactTextString(m) }
func (*AuthorizationIDs) ProtoMessage() {}
func (*AuthorizationIDs) Descriptor() ([]byte, []int) {
return fileDescriptor_099fb35e782a48a6, []int{27}
return fileDescriptor_099fb35e782a48a6, []int{28}
}
func (m *AuthorizationIDs) XXX_Unmarshal(b []byte) error {
@ -1524,7 +1587,7 @@ func (m *AuthorizationID2) Reset() { *m = AuthorizationID2{} }
func (m *AuthorizationID2) String() string { return proto.CompactTextString(m) }
func (*AuthorizationID2) ProtoMessage() {}
func (*AuthorizationID2) Descriptor() ([]byte, []int) {
return fileDescriptor_099fb35e782a48a6, []int{28}
return fileDescriptor_099fb35e782a48a6, []int{29}
}
func (m *AuthorizationID2) XXX_Unmarshal(b []byte) error {
@ -1563,7 +1626,7 @@ func (m *Authorization2IDs) Reset() { *m = Authorization2IDs{} }
func (m *Authorization2IDs) String() string { return proto.CompactTextString(m) }
func (*Authorization2IDs) ProtoMessage() {}
func (*Authorization2IDs) Descriptor() ([]byte, []int) {
return fileDescriptor_099fb35e782a48a6, []int{29}
return fileDescriptor_099fb35e782a48a6, []int{30}
}
func (m *Authorization2IDs) XXX_Unmarshal(b []byte) error {
@ -1605,7 +1668,7 @@ func (m *RevokeCertificateRequest) Reset() { *m = RevokeCertificateReque
func (m *RevokeCertificateRequest) String() string { return proto.CompactTextString(m) }
func (*RevokeCertificateRequest) ProtoMessage() {}
func (*RevokeCertificateRequest) Descriptor() ([]byte, []int) {
return fileDescriptor_099fb35e782a48a6, []int{30}
return fileDescriptor_099fb35e782a48a6, []int{31}
}
func (m *RevokeCertificateRequest) XXX_Unmarshal(b []byte) error {
@ -1670,7 +1733,7 @@ func (m *FinalizeAuthorizationRequest) Reset() { *m = FinalizeAuthorizat
func (m *FinalizeAuthorizationRequest) String() string { return proto.CompactTextString(m) }
func (*FinalizeAuthorizationRequest) ProtoMessage() {}
func (*FinalizeAuthorizationRequest) Descriptor() ([]byte, []int) {
return fileDescriptor_099fb35e782a48a6, []int{31}
return fileDescriptor_099fb35e782a48a6, []int{32}
}
func (m *FinalizeAuthorizationRequest) XXX_Unmarshal(b []byte) error {
@ -1755,6 +1818,7 @@ func init() {
proto.RegisterType((*FQDNSetExistsRequest)(nil), "sa.FQDNSetExistsRequest")
proto.RegisterType((*PreviousCertificateExistsRequest)(nil), "sa.PreviousCertificateExistsRequest")
proto.RegisterType((*Exists)(nil), "sa.Exists")
proto.RegisterType((*AddSerialRequest)(nil), "sa.AddSerialRequest")
proto.RegisterType((*AddCertificateRequest)(nil), "sa.AddCertificateRequest")
proto.RegisterType((*AddCertificateResponse)(nil), "sa.AddCertificateResponse")
proto.RegisterType((*OrderRequest)(nil), "sa.OrderRequest")
@ -1774,118 +1838,122 @@ func init() {
func init() { proto.RegisterFile("sa/proto/sa.proto", fileDescriptor_099fb35e782a48a6) }
var fileDescriptor_099fb35e782a48a6 = []byte{
// 1765 bytes of a gzipped FileDescriptorProto
0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xbc, 0x58, 0x5b, 0x73, 0xdb, 0xc6,
0x15, 0xe6, 0xc5, 0x94, 0xc9, 0x23, 0x59, 0x97, 0x95, 0x44, 0x21, 0x90, 0x64, 0xd3, 0x5b, 0xc7,
0xa3, 0x4c, 0x67, 0x14, 0x15, 0xed, 0x24, 0x9d, 0x51, 0xe3, 0x54, 0x0a, 0x65, 0x59, 0xa9, 0x43,
0x31, 0x60, 0xac, 0x74, 0xda, 0xbe, 0x20, 0xc4, 0x86, 0x46, 0x4d, 0x01, 0x0c, 0x76, 0x29, 0x86,
0x7a, 0xee, 0x4c, 0x3b, 0xd3, 0xf7, 0x4e, 0x1f, 0xfb, 0x3b, 0xfa, 0x27, 0xfa, 0x97, 0x3a, 0x7b,
0xb0, 0x00, 0x01, 0x70, 0x41, 0x39, 0x76, 0xa7, 0x6f, 0x38, 0x67, 0xcf, 0x6d, 0x77, 0xcf, 0xe5,
0x5b, 0xc0, 0x06, 0x77, 0x3e, 0x1e, 0x85, 0x81, 0x08, 0x3e, 0xe6, 0xce, 0x21, 0x7e, 0x90, 0x0a,
0x77, 0xcc, 0xed, 0x7e, 0x10, 0x32, 0xb5, 0x20, 0x3f, 0xa3, 0x25, 0xda, 0x82, 0x55, 0x9b, 0x0d,
0x3c, 0x2e, 0x42, 0x47, 0x78, 0x81, 0x7f, 0xd1, 0x26, 0xab, 0x50, 0xf1, 0x5c, 0xa3, 0xdc, 0x2a,
0x1f, 0x54, 0xed, 0x8a, 0xe7, 0xd2, 0x87, 0x00, 0x5f, 0xf6, 0x2e, 0x3b, 0xdf, 0xb2, 0xef, 0x7e,
0xc7, 0xa6, 0x64, 0x1d, 0xaa, 0x7f, 0x9e, 0xbc, 0xc1, 0xe5, 0x15, 0x5b, 0x7e, 0xd2, 0xc7, 0xb0,
0x76, 0x32, 0x16, 0xaf, 0x83, 0xd0, 0xbb, 0x9d, 0x37, 0xd1, 0x40, 0x13, 0xff, 0x2e, 0xc3, 0xc3,
0x73, 0x26, 0xba, 0xcc, 0x77, 0x3d, 0x7f, 0x90, 0x91, 0xb6, 0xd9, 0x0f, 0x63, 0xc6, 0x05, 0x79,
0x0a, 0xab, 0x61, 0x26, 0x0e, 0x15, 0x41, 0x8e, 0x2b, 0xe5, 0x3c, 0x97, 0xf9, 0xc2, 0xfb, 0xde,
0x63, 0xe1, 0x37, 0xd3, 0x11, 0x33, 0x2a, 0xe8, 0x26, 0xc7, 0x25, 0x07, 0xb0, 0x36, 0xe3, 0x5c,
0x39, 0xc3, 0x31, 0x33, 0xaa, 0x28, 0x98, 0x67, 0x93, 0x87, 0x00, 0x37, 0xce, 0xd0, 0x73, 0x5f,
0xf9, 0xc2, 0x1b, 0x1a, 0xf7, 0xd0, 0x6b, 0x8a, 0x43, 0x39, 0xec, 0x9f, 0x33, 0x71, 0x25, 0x19,
0x99, 0xc8, 0xf9, 0x4f, 0x0d, 0xdd, 0x80, 0xfb, 0x6e, 0x70, 0xed, 0x78, 0x3e, 0x37, 0x2a, 0xad,
0xea, 0x41, 0xc3, 0x8e, 0x49, 0x79, 0xa8, 0x7e, 0x30, 0xc1, 0x00, 0xab, 0xb6, 0xfc, 0xa4, 0xff,
0x2a, 0xc3, 0xa6, 0xc6, 0x25, 0xf9, 0x35, 0xd4, 0x30, 0x34, 0xa3, 0xdc, 0xaa, 0x1e, 0x2c, 0x5b,
0xf4, 0x90, 0x3b, 0x87, 0x1a, 0xb9, 0xc3, 0xaf, 0x9c, 0xd1, 0xd9, 0x90, 0x5d, 0x33, 0x5f, 0xd8,
0x91, 0x82, 0x79, 0x09, 0x30, 0x63, 0x92, 0x26, 0x2c, 0x45, 0xce, 0xd5, 0x2d, 0x29, 0x8a, 0x7c,
0x04, 0x35, 0x67, 0x2c, 0x5e, 0xdf, 0xe2, 0xa9, 0x2e, 0x5b, 0x9b, 0x87, 0x98, 0x2a, 0xd9, 0x1b,
0x8b, 0x24, 0xe8, 0x7f, 0x2a, 0xb0, 0xf1, 0x05, 0x0b, 0xe5, 0x51, 0xf6, 0x1d, 0xc1, 0x7a, 0xc2,
0x11, 0x63, 0x2e, 0x0d, 0x73, 0x16, 0x7a, 0xce, 0x30, 0x36, 0x1c, 0x51, 0xc8, 0x47, 0x09, 0x75,
0x0d, 0x8a, 0x92, 0xf7, 0x14, 0xf4, 0xf9, 0xe8, 0xa5, 0xc3, 0xc5, 0xab, 0x91, 0xeb, 0x08, 0xe6,
0xaa, 0x2b, 0xc8, 0xb3, 0x49, 0x0b, 0x96, 0x43, 0x76, 0x13, 0xbc, 0x61, 0x6e, 0xdb, 0x11, 0xcc,
0xa8, 0xa1, 0x54, 0x9a, 0x45, 0x9e, 0xc0, 0x03, 0x45, 0xda, 0xcc, 0xe1, 0x81, 0x6f, 0x2c, 0xa1,
0x4c, 0x96, 0x49, 0x7e, 0x05, 0xdb, 0x43, 0x87, 0x8b, 0xb3, 0x1f, 0x47, 0x5e, 0x74, 0x35, 0x1d,
0x67, 0xd0, 0x63, 0xbe, 0x30, 0xee, 0xa3, 0xb4, 0x7e, 0x91, 0x50, 0x58, 0x91, 0x01, 0xd9, 0x8c,
0x8f, 0x02, 0x9f, 0x33, 0xa3, 0x8e, 0x05, 0x90, 0xe1, 0x11, 0x13, 0xea, 0x7e, 0x20, 0x4e, 0xbe,
0x17, 0x2c, 0x34, 0x1a, 0x68, 0x2c, 0xa1, 0xc9, 0x1e, 0x34, 0x3c, 0x8e, 0x66, 0x99, 0x6b, 0x40,
0xab, 0x7c, 0x50, 0xb7, 0x67, 0x8c, 0x2f, 0xef, 0xd5, 0x2b, 0xeb, 0x55, 0xda, 0x82, 0xa5, 0xde,
0xec, 0xb4, 0x34, 0xa7, 0x48, 0x8f, 0xa1, 0x66, 0x3b, 0xfe, 0x00, 0x5d, 0x31, 0x27, 0x1c, 0x7a,
0x8c, 0x0b, 0x95, 0x6d, 0x09, 0x2d, 0x95, 0x87, 0x8e, 0x90, 0x2b, 0x15, 0x5c, 0x51, 0x14, 0xdd,
0x87, 0xda, 0x17, 0xc1, 0xd8, 0x17, 0x64, 0x0b, 0x6a, 0x7d, 0xf9, 0xa1, 0x34, 0x23, 0x82, 0xfe,
0x1e, 0x1e, 0xe1, 0x72, 0xea, 0x4e, 0xf9, 0xe9, 0xb4, 0xe3, 0x5c, 0xb3, 0x24, 0xd3, 0x1f, 0x41,
0x2d, 0x94, 0xee, 0x51, 0x71, 0xd9, 0x6a, 0xc8, 0xec, 0xc3, 0x78, 0xec, 0x88, 0x2f, 0x2d, 0xfb,
0x52, 0x41, 0x25, 0x78, 0x44, 0xd0, 0xbf, 0x96, 0x61, 0x05, 0x4d, 0x2b, 0x73, 0xe4, 0x73, 0x58,
0xe9, 0xa7, 0x68, 0x95, 0xcc, 0xbb, 0xd2, 0x5c, 0x5a, 0x2e, 0x9d, 0xc5, 0x19, 0x05, 0xf3, 0x93,
0x4c, 0x32, 0x13, 0xb8, 0x27, 0x1d, 0xa9, 0xb3, 0xc2, 0xef, 0xd9, 0x1e, 0x2b, 0xe9, 0x3d, 0x76,
0x61, 0x1f, 0x1d, 0xa4, 0x5b, 0x1e, 0x3f, 0x9d, 0x5e, 0x74, 0xe3, 0x1d, 0xca, 0xce, 0x35, 0x52,
0xdd, 0xad, 0xe2, 0x8d, 0x66, 0x3b, 0xae, 0xe8, 0x77, 0x4c, 0xff, 0x56, 0x86, 0xc7, 0x68, 0xf2,
0xc2, 0xbf, 0x79, 0xff, 0x16, 0x61, 0x42, 0xfd, 0x75, 0xc0, 0x05, 0xee, 0x26, 0xea, 0x6b, 0x09,
0x3d, 0x0b, 0xa5, 0x5a, 0x10, 0x4a, 0x0f, 0x08, 0x46, 0x72, 0x19, 0xba, 0x2c, 0x4c, 0x5c, 0xef,
0x41, 0xc3, 0xe9, 0xe3, 0xee, 0x13, 0xaf, 0x33, 0xc6, 0xdd, 0xfb, 0x7b, 0x01, 0x5b, 0x68, 0xf4,
0xf9, 0xd7, 0xed, 0x4e, 0x8f, 0x89, 0xc4, 0x6c, 0x13, 0x96, 0x26, 0x9e, 0xef, 0x06, 0x13, 0x65,
0x53, 0x51, 0xc5, 0x4d, 0x8e, 0x1e, 0xc1, 0x96, 0x32, 0x72, 0xf6, 0xa3, 0xc7, 0x67, 0x96, 0x52,
0x1a, 0xe5, 0xac, 0x46, 0x17, 0x5a, 0xdd, 0x90, 0xdd, 0x78, 0xc1, 0x98, 0xa7, 0x92, 0x32, 0xab,
0x5d, 0xd4, 0xc8, 0xb6, 0xa0, 0x16, 0xb2, 0xc1, 0x45, 0x3b, 0xbe, 0x7f, 0x24, 0x64, 0x85, 0x45,
0xea, 0x52, 0x8f, 0xe1, 0x17, 0xea, 0xd5, 0x6d, 0x45, 0xd1, 0x37, 0xb0, 0x7d, 0xe2, 0xba, 0x29,
0x77, 0xb1, 0xa3, 0x75, 0xa8, 0xba, 0x2c, 0x8c, 0x07, 0x9f, 0xcb, 0x42, 0xbd, 0x0b, 0x99, 0x8c,
0xb2, 0x29, 0xe0, 0x2d, 0xad, 0xd8, 0xf8, 0x2d, 0x9d, 0x79, 0x9c, 0x8f, 0x93, 0xde, 0xa6, 0x28,
0x7a, 0x04, 0xcd, 0xbc, 0x33, 0xd5, 0x4a, 0xe4, 0xb6, 0xbc, 0x41, 0x5c, 0xdd, 0x72, 0x5b, 0x48,
0xd1, 0x2e, 0xac, 0xe0, 0xf5, 0xa6, 0xf3, 0x35, 0x35, 0xac, 0xc9, 0x11, 0x6c, 0x8e, 0x39, 0xbb,
0xb2, 0xb2, 0x69, 0x88, 0x11, 0xd6, 0x6d, 0xdd, 0x12, 0x7d, 0x09, 0x34, 0x1e, 0x6f, 0x68, 0x59,
0x9f, 0xc0, 0x79, 0x3f, 0x4d, 0x58, 0x72, 0xfa, 0x7d, 0x91, 0x6c, 0x5e, 0x51, 0x74, 0x0a, 0x3b,
0xe7, 0x2c, 0xca, 0xc0, 0xe7, 0x41, 0x98, 0x69, 0x1e, 0x33, 0x95, 0x72, 0x5a, 0x45, 0xdf, 0x33,
0x8a, 0x36, 0x52, 0x2d, 0xde, 0xc8, 0x3f, 0xcb, 0x60, 0x9c, 0x33, 0xf1, 0x7f, 0x9b, 0xd1, 0x72,
0x74, 0x85, 0xec, 0x87, 0xb1, 0x17, 0xaa, 0x58, 0x6e, 0x39, 0x5e, 0x6f, 0xdd, 0xce, 0xb3, 0xe9,
0x3f, 0xca, 0xb0, 0x9a, 0x1b, 0xe4, 0xbf, 0x8c, 0x07, 0x6d, 0xd4, 0xfb, 0xf6, 0x65, 0xe1, 0x2d,
0x98, 0xe1, 0x28, 0xfb, 0xbf, 0x9f, 0xe1, 0x2f, 0xe1, 0xd1, 0x89, 0xeb, 0xea, 0x70, 0x59, 0x72,
0x72, 0x1f, 0x65, 0x03, 0x5d, 0x64, 0xed, 0x09, 0xac, 0xe7, 0x90, 0x20, 0x1e, 0x9b, 0xe7, 0xc6,
0x95, 0x2d, 0x3f, 0x29, 0x9d, 0x93, 0xb2, 0xe6, 0x30, 0xe7, 0x87, 0xb0, 0x91, 0x91, 0xb1, 0x72,
0xa6, 0xaa, 0x91, 0xa9, 0x5b, 0x30, 0x6c, 0x9c, 0xed, 0x9a, 0x7a, 0x5d, 0x00, 0x44, 0xc2, 0x08,
0x1d, 0xa8, 0xcc, 0x8d, 0x28, 0x59, 0xb7, 0x12, 0x67, 0xa8, 0x0b, 0xc6, 0x6f, 0xd9, 0x8e, 0xc3,
0x78, 0xe0, 0xdf, 0xc3, 0x7a, 0x4e, 0x68, 0xfa, 0x97, 0x0a, 0xec, 0x3d, 0xf7, 0x7c, 0x67, 0xe8,
0xdd, 0x32, 0x2d, 0xa2, 0xd5, 0x94, 0x8c, 0x42, 0x40, 0x95, 0x0c, 0x02, 0x32, 0xe0, 0x3e, 0x43,
0x18, 0xc0, 0x95, 0xef, 0x98, 0xc4, 0xd6, 0x2d, 0x04, 0xbb, 0x1e, 0xc5, 0xa8, 0xa8, 0x61, 0xcf,
0x18, 0xa4, 0x0d, 0x1b, 0x38, 0x71, 0x94, 0xd3, 0x7e, 0x10, 0xba, 0xdc, 0xa8, 0xe1, 0x25, 0x35,
0xa3, 0x4b, 0xba, 0xca, 0x2d, 0xdb, 0xf3, 0x0a, 0xe4, 0x19, 0xac, 0xcd, 0x98, 0x67, 0x61, 0x18,
0x84, 0x88, 0x9a, 0x96, 0xad, 0xad, 0xc8, 0x46, 0x37, 0x0c, 0xbe, 0x1b, 0xb2, 0xeb, 0x36, 0x13,
0x8e, 0x37, 0xe4, 0x76, 0x5e, 0xd8, 0xfa, 0xfb, 0x0e, 0xac, 0xf7, 0x44, 0x10, 0x3a, 0x83, 0xf8,
0x14, 0xc4, 0x94, 0x1c, 0xc3, 0xda, 0x39, 0xcb, 0x0c, 0x59, 0x42, 0x70, 0xb2, 0x64, 0x8a, 0xcd,
0x24, 0x91, 0x8b, 0x34, 0x97, 0x96, 0xc8, 0x6f, 0x60, 0x2b, 0xa7, 0x7c, 0x3a, 0x95, 0x2f, 0x8f,
0x55, 0x69, 0x61, 0xf6, 0x12, 0x29, 0xd0, 0x7e, 0x06, 0xeb, 0xf9, 0x26, 0x40, 0x36, 0xe7, 0x8a,
0xeb, 0xa2, 0x6d, 0xea, 0x12, 0x99, 0x96, 0xc8, 0x37, 0xd8, 0xc0, 0x74, 0x15, 0x41, 0x10, 0x6c,
0x2f, 0x7e, 0xc6, 0x14, 0x59, 0xbd, 0x82, 0xa6, 0xfe, 0x0d, 0x41, 0x1e, 0x2b, 0xa3, 0xc5, 0xef,
0x0b, 0x73, 0xa7, 0x00, 0xe4, 0xd3, 0x12, 0xf9, 0x05, 0xac, 0x9e, 0xb3, 0x34, 0x62, 0x23, 0x20,
0x85, 0x23, 0x14, 0x69, 0x6e, 0x44, 0xc1, 0xa4, 0x96, 0x69, 0x89, 0x1c, 0xe3, 0xf1, 0xce, 0x03,
0xf7, 0xb4, 0xe2, 0x36, 0x22, 0xb1, 0xbc, 0x08, 0x2d, 0x91, 0x1e, 0x18, 0x45, 0x18, 0x91, 0xfc,
0x2c, 0x81, 0x6f, 0xc5, 0x08, 0xd2, 0x5c, 0xcf, 0x63, 0x3c, 0x5a, 0x22, 0x2f, 0xa0, 0xa9, 0x07,
0x65, 0xd1, 0xe1, 0x2c, 0x04, 0x6c, 0x66, 0x23, 0x11, 0xa1, 0x25, 0xf2, 0x15, 0xec, 0x16, 0x48,
0x23, 0x3a, 0xfd, 0xa9, 0xe6, 0x3e, 0x03, 0x13, 0x3f, 0xb5, 0xfd, 0x51, 0x9b, 0xd1, 0x19, 0x75,
0x0b, 0x96, 0x53, 0x78, 0x8c, 0x34, 0x93, 0xb5, 0x0c, 0x40, 0xcb, 0xea, 0x74, 0x95, 0x4b, 0x2d,
0x9a, 0x24, 0x1f, 0x26, 0xa2, 0x8b, 0xd0, 0x66, 0xd6, 0xe2, 0x27, 0xf0, 0x20, 0x03, 0xe0, 0x88,
0x91, 0xac, 0xe6, 0x30, 0x5d, 0x56, 0xef, 0x53, 0x78, 0x90, 0x81, 0x6b, 0x91, 0x9e, 0x0e, 0xc1,
0x99, 0x98, 0x3a, 0x11, 0x8b, 0x96, 0xc8, 0x25, 0x7c, 0x50, 0x88, 0xda, 0xc8, 0x13, 0x29, 0x7a,
0x17, 0xa8, 0xcb, 0x19, 0xfc, 0x2d, 0x6c, 0xe4, 0x4b, 0xda, 0x22, 0x5b, 0x9a, 0x9a, 0xb6, 0x8a,
0xca, 0xef, 0x05, 0x90, 0x39, 0x64, 0x60, 0x91, 0x3d, 0x55, 0x7a, 0xfa, 0x43, 0x24, 0xf3, 0x13,
0x99, 0x96, 0xc8, 0x2b, 0xc4, 0x18, 0xba, 0x84, 0xb0, 0xde, 0xa7, 0x3f, 0x3c, 0x53, 0x89, 0xab,
0xcd, 0x34, 0xeb, 0xee, 0x54, 0xfb, 0x13, 0xec, 0x2d, 0x00, 0x71, 0x16, 0x79, 0x9a, 0xee, 0x32,
0xc5, 0x30, 0xaf, 0x60, 0xd3, 0x5f, 0xab, 0xe8, 0xb4, 0x49, 0x67, 0xbd, 0x53, 0x56, 0xda, 0xd8,
0x66, 0xaf, 0x74, 0xe6, 0xde, 0xa2, 0x23, 0xea, 0xc3, 0x3c, 0x86, 0xb5, 0x0e, 0x9b, 0xe4, 0xa6,
0xce, 0xdc, 0x8c, 0x28, 0x98, 0x1b, 0x9f, 0x02, 0x89, 0x7e, 0x34, 0xdc, 0xa9, 0xbf, 0x1c, 0xf1,
0xce, 0xae, 0x47, 0x62, 0x4a, 0x4b, 0xe4, 0x0c, 0x76, 0x3a, 0x6c, 0xa2, 0x1d, 0x18, 0xba, 0xcb,
0x2e, 0xca, 0x80, 0x63, 0xd8, 0xd6, 0xa2, 0x09, 0xbd, 0x91, 0x5c, 0x0c, 0x17, 0xb0, 0x9a, 0x7d,
0x47, 0x90, 0x0f, 0xf0, 0x84, 0x74, 0x0f, 0x19, 0xd3, 0xd4, 0x2d, 0x29, 0x50, 0x23, 0xe3, 0x68,
0xb6, 0x99, 0xd3, 0x17, 0xde, 0xcd, 0xfc, 0x59, 0xcc, 0x27, 0x61, 0x2e, 0x8e, 0xcf, 0x60, 0x67,
0xa6, 0xfc, 0x16, 0x33, 0x38, 0xa7, 0xfe, 0x14, 0xea, 0x1d, 0x36, 0xc1, 0xf4, 0x24, 0x6a, 0x09,
0x09, 0x33, 0x4d, 0xd0, 0x12, 0x39, 0x02, 0xd2, 0x53, 0x8f, 0x8c, 0x6e, 0x18, 0xf4, 0x19, 0xe7,
0x9e, 0x3f, 0xd0, 0x6a, 0xc4, 0x96, 0x7f, 0x0e, 0x0f, 0x62, 0x0d, 0x84, 0x2d, 0x77, 0x09, 0xc7,
0x57, 0x51, 0x1c, 0xcb, 0x4c, 0xb8, 0x1e, 0x3f, 0x78, 0x08, 0x0e, 0xb7, 0xf4, 0xf3, 0x2c, 0x1f,
0xf8, 0x1f, 0x61, 0x77, 0x41, 0x11, 0xbe, 0x67, 0x95, 0x46, 0xc8, 0x27, 0xf3, 0xf4, 0x22, 0xbb,
0xca, 0xa2, 0xee, 0x41, 0x96, 0x0f, 0xee, 0x7c, 0xbe, 0xcd, 0xf2, 0x77, 0xea, 0x91, 0xdf, 0x82,
0x51, 0xf4, 0xa8, 0x88, 0x40, 0xc2, 0x1d, 0x4f, 0x0e, 0x53, 0xd7, 0xdb, 0xd5, 0x20, 0x98, 0x83,
0xfb, 0x51, 0x84, 0x45, 0xaf, 0x80, 0xfc, 0x6d, 0xd9, 0x40, 0x3a, 0x6c, 0x92, 0xef, 0x38, 0x6f,
0x15, 0xd4, 0xf6, 0x5c, 0x50, 0x56, 0x14, 0xd5, 0x05, 0x34, 0xb5, 0x95, 0x6b, 0x91, 0x16, 0x4e,
0xcc, 0x05, 0x6f, 0x84, 0x7c, 0x78, 0x9f, 0x83, 0x51, 0x50, 0x3f, 0x45, 0x03, 0x2f, 0x6b, 0xe0,
0xf4, 0xfe, 0x1f, 0x6a, 0xf8, 0x5b, 0xff, 0xbf, 0x01, 0x00, 0x00, 0xff, 0xff, 0x6d, 0x53, 0xd9,
0x8e, 0x05, 0x18, 0x00, 0x00,
// 1826 bytes of a gzipped FileDescriptorProto
0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xbc, 0x59, 0x5f, 0x73, 0xdb, 0xc6,
0x11, 0xe7, 0x1f, 0x53, 0x26, 0x57, 0xb2, 0xfe, 0x9c, 0x25, 0x0a, 0x81, 0x65, 0x9b, 0xbe, 0x3a,
0x1e, 0x65, 0x3a, 0xa3, 0xb8, 0x68, 0x27, 0xe9, 0x8c, 0x1a, 0xa7, 0x72, 0x24, 0xcb, 0x4a, 0x1d,
0x99, 0x01, 0x63, 0xa5, 0xd3, 0xf6, 0x05, 0x21, 0x2e, 0x32, 0x6a, 0x0a, 0x60, 0xee, 0x8e, 0x52,
0xa4, 0xe7, 0xce, 0xb4, 0x9f, 0xa0, 0xd3, 0xc7, 0x7e, 0x8e, 0x7e, 0x89, 0x7e, 0xa1, 0x3e, 0x74,
0x6e, 0xef, 0x00, 0x02, 0xe0, 0x81, 0x72, 0xec, 0x4e, 0xdf, 0xb0, 0x7b, 0xbb, 0x7b, 0x7b, 0x77,
0xfb, 0xe7, 0xb7, 0x24, 0xac, 0x89, 0xe0, 0xe3, 0x31, 0x4f, 0x64, 0xf2, 0xb1, 0x08, 0x76, 0xf0,
0x83, 0x34, 0x44, 0xe0, 0x6e, 0x0c, 0x13, 0xce, 0xcc, 0x82, 0xfa, 0xd4, 0x4b, 0xb4, 0x07, 0xcb,
0x3e, 0x3b, 0x8d, 0x84, 0xe4, 0x81, 0x8c, 0x92, 0xf8, 0x68, 0x9f, 0x2c, 0x43, 0x23, 0x0a, 0x9d,
0x7a, 0xaf, 0xbe, 0xdd, 0xf4, 0x1b, 0x51, 0x48, 0xef, 0x01, 0x7c, 0x39, 0x78, 0x79, 0xfc, 0x2d,
0xfb, 0xee, 0x77, 0xec, 0x92, 0xac, 0x42, 0xf3, 0xcf, 0x17, 0x6f, 0x70, 0x79, 0xc9, 0x57, 0x9f,
0xf4, 0x01, 0xac, 0xec, 0x4d, 0xe4, 0xeb, 0x84, 0x47, 0x57, 0xb3, 0x26, 0x3a, 0x68, 0xe2, 0x5f,
0x75, 0xb8, 0x77, 0xc8, 0x64, 0x9f, 0xc5, 0x61, 0x14, 0x9f, 0x16, 0xa4, 0x7d, 0xf6, 0xc3, 0x84,
0x09, 0x49, 0x1e, 0xc1, 0x32, 0x2f, 0xf8, 0x61, 0x3c, 0x28, 0x71, 0x95, 0x5c, 0x14, 0xb2, 0x58,
0x46, 0xdf, 0x47, 0x8c, 0x7f, 0x73, 0x39, 0x66, 0x4e, 0x03, 0xb7, 0x29, 0x71, 0xc9, 0x36, 0xac,
0x4c, 0x39, 0x27, 0xc1, 0x68, 0xc2, 0x9c, 0x26, 0x0a, 0x96, 0xd9, 0xe4, 0x1e, 0xc0, 0x79, 0x30,
0x8a, 0xc2, 0x57, 0xb1, 0x8c, 0x46, 0xce, 0x0d, 0xdc, 0x35, 0xc7, 0xa1, 0x02, 0xee, 0x1e, 0x32,
0x79, 0xa2, 0x18, 0x05, 0xcf, 0xc5, 0x4f, 0x75, 0xdd, 0x81, 0x9b, 0x61, 0x72, 0x16, 0x44, 0xb1,
0x70, 0x1a, 0xbd, 0xe6, 0x76, 0xc7, 0x4f, 0x49, 0x75, 0xa9, 0x71, 0x72, 0x81, 0x0e, 0x36, 0x7d,
0xf5, 0x49, 0xff, 0x59, 0x87, 0xdb, 0x96, 0x2d, 0xc9, 0xaf, 0xa1, 0x85, 0xae, 0x39, 0xf5, 0x5e,
0x73, 0x7b, 0xd1, 0xa3, 0x3b, 0x22, 0xd8, 0xb1, 0xc8, 0xed, 0x7c, 0x15, 0x8c, 0x0f, 0x46, 0xec,
0x8c, 0xc5, 0xd2, 0xd7, 0x0a, 0xee, 0x4b, 0x80, 0x29, 0x93, 0x74, 0x61, 0x41, 0x6f, 0x6e, 0x5e,
0xc9, 0x50, 0xe4, 0x23, 0x68, 0x05, 0x13, 0xf9, 0xfa, 0x0a, 0x6f, 0x75, 0xd1, 0xbb, 0xbd, 0x83,
0xa1, 0x52, 0x7c, 0x31, 0x2d, 0x41, 0xff, 0xdd, 0x80, 0xb5, 0x2f, 0x18, 0x57, 0x57, 0x39, 0x0c,
0x24, 0x1b, 0xc8, 0x40, 0x4e, 0x84, 0x32, 0x2c, 0x18, 0x8f, 0x82, 0x51, 0x6a, 0x58, 0x53, 0xc8,
0x47, 0x09, 0xf3, 0x0c, 0x86, 0x52, 0xef, 0x94, 0x0c, 0xc5, 0xf8, 0x45, 0x20, 0xe4, 0xab, 0x71,
0x18, 0x48, 0x16, 0x9a, 0x27, 0x28, 0xb3, 0x49, 0x0f, 0x16, 0x39, 0x3b, 0x4f, 0xde, 0xb0, 0x70,
0x3f, 0x90, 0xcc, 0x69, 0xa1, 0x54, 0x9e, 0x45, 0x1e, 0xc2, 0x2d, 0x43, 0xfa, 0x2c, 0x10, 0x49,
0xec, 0x2c, 0xa0, 0x4c, 0x91, 0x49, 0x7e, 0x05, 0x1b, 0xa3, 0x40, 0xc8, 0x83, 0x1f, 0xc7, 0x91,
0x7e, 0x9a, 0xe3, 0xe0, 0x74, 0xc0, 0x62, 0xe9, 0xdc, 0x44, 0x69, 0xfb, 0x22, 0xa1, 0xb0, 0xa4,
0x1c, 0xf2, 0x99, 0x18, 0x27, 0xb1, 0x60, 0x4e, 0x1b, 0x13, 0xa0, 0xc0, 0x23, 0x2e, 0xb4, 0xe3,
0x44, 0xee, 0x7d, 0x2f, 0x19, 0x77, 0x3a, 0x68, 0x2c, 0xa3, 0xc9, 0x16, 0x74, 0x22, 0x81, 0x66,
0x59, 0xe8, 0x40, 0xaf, 0xbe, 0xdd, 0xf6, 0xa7, 0x8c, 0x2f, 0x6f, 0xb4, 0x1b, 0xab, 0x4d, 0xda,
0x83, 0x85, 0xc1, 0xf4, 0xb6, 0x2c, 0xb7, 0x48, 0x77, 0xa1, 0xe5, 0x07, 0xf1, 0x29, 0x6e, 0xc5,
0x02, 0x3e, 0x8a, 0x98, 0x90, 0x26, 0xda, 0x32, 0x5a, 0x29, 0x8f, 0x02, 0xa9, 0x56, 0x1a, 0xb8,
0x62, 0x28, 0x7a, 0x17, 0x5a, 0x5f, 0x24, 0x93, 0x58, 0x92, 0x75, 0x68, 0x0d, 0xd5, 0x87, 0xd1,
0xd4, 0x04, 0xfd, 0x3d, 0xdc, 0xc7, 0xe5, 0xdc, 0x9b, 0x8a, 0xa7, 0x97, 0xc7, 0xc1, 0x19, 0xcb,
0x22, 0xfd, 0x3e, 0xb4, 0xb8, 0xda, 0x1e, 0x15, 0x17, 0xbd, 0x8e, 0x8a, 0x3e, 0xf4, 0xc7, 0xd7,
0x7c, 0x65, 0x39, 0x56, 0x0a, 0x26, 0xc0, 0x35, 0x41, 0xff, 0x5a, 0x87, 0x25, 0x34, 0x6d, 0xcc,
0x91, 0xcf, 0x61, 0x69, 0x98, 0xa3, 0x4d, 0x30, 0xdf, 0x51, 0xe6, 0xf2, 0x72, 0xf9, 0x28, 0x2e,
0x28, 0xb8, 0x9f, 0x14, 0x82, 0x99, 0xc0, 0x0d, 0xb5, 0x91, 0xb9, 0x2b, 0xfc, 0x9e, 0x9e, 0xb1,
0x91, 0x3f, 0x63, 0x1f, 0xee, 0xe2, 0x06, 0xf9, 0x92, 0x27, 0x9e, 0x5e, 0x1e, 0xf5, 0xd3, 0x13,
0xaa, 0xca, 0x35, 0x36, 0xd5, 0xad, 0x11, 0x8d, 0xa7, 0x27, 0x6e, 0xd8, 0x4f, 0x4c, 0xff, 0x56,
0x87, 0x07, 0x68, 0xf2, 0x28, 0x3e, 0x7f, 0xff, 0x12, 0xe1, 0x42, 0xfb, 0x75, 0x22, 0x24, 0x9e,
0x46, 0xd7, 0xb5, 0x8c, 0x9e, 0xba, 0xd2, 0xac, 0x70, 0x65, 0x00, 0x04, 0x3d, 0x79, 0xc9, 0x43,
0xc6, 0xb3, 0xad, 0xb7, 0xa0, 0x13, 0x0c, 0xf1, 0xf4, 0xd9, 0xae, 0x53, 0xc6, 0xf5, 0xe7, 0x7b,
0x0e, 0xeb, 0x68, 0xf4, 0xd9, 0xd7, 0xfb, 0xc7, 0x03, 0x26, 0x33, 0xb3, 0x5d, 0x58, 0xb8, 0x88,
0xe2, 0x30, 0xb9, 0x30, 0x36, 0x0d, 0x55, 0x5d, 0xe4, 0xe8, 0x63, 0x58, 0x37, 0x46, 0x0e, 0x7e,
0x8c, 0xc4, 0xd4, 0x52, 0x4e, 0xa3, 0x5e, 0xd4, 0xe8, 0x43, 0xaf, 0xcf, 0xd9, 0x79, 0x94, 0x4c,
0x44, 0x2e, 0x28, 0x8b, 0xda, 0x55, 0x85, 0x6c, 0x1d, 0x5a, 0x9c, 0x9d, 0x1e, 0xed, 0xa7, 0xef,
0x8f, 0x84, 0xca, 0x30, 0xad, 0xae, 0xf4, 0x18, 0x7e, 0xa1, 0x5e, 0xdb, 0x37, 0x14, 0x95, 0xb0,
0xba, 0x17, 0x86, 0x3a, 0x0d, 0xd3, 0x3d, 0x32, 0x5b, 0xf5, 0x9c, 0xad, 0x5c, 0x8e, 0x36, 0x0a,
0x95, 0xce, 0x81, 0x9b, 0x43, 0xce, 0xb0, 0x92, 0xe9, 0x82, 0x9e, 0x92, 0x6a, 0x85, 0x61, 0xc2,
0x0b, 0x53, 0xe3, 0x52, 0x92, 0xbe, 0x81, 0x8d, 0xbd, 0x30, 0xcc, 0x1d, 0x32, 0xdd, 0x7a, 0x15,
0x9a, 0x21, 0xe3, 0x69, 0xbb, 0x0d, 0x19, 0xb7, 0x1f, 0x4c, 0xa5, 0x80, 0x2a, 0x45, 0xb8, 0xe3,
0x92, 0x8f, 0xdf, 0xca, 0xc1, 0x48, 0x88, 0x49, 0x56, 0x51, 0x0d, 0x45, 0x1f, 0x43, 0xb7, 0xbc,
0x99, 0x29, 0x60, 0xea, 0x32, 0xa3, 0xd3, 0xb4, 0xa6, 0xa8, 0xcb, 0x44, 0x8a, 0xf6, 0x61, 0x09,
0x83, 0x2a, 0x9f, 0x25, 0x39, 0x88, 0x40, 0x1e, 0xc3, 0xed, 0x89, 0x60, 0x27, 0x5e, 0x31, 0xf8,
0xd1, 0xc3, 0xb6, 0x6f, 0x5b, 0xa2, 0x2f, 0x80, 0xa6, 0x4d, 0x15, 0x2d, 0xdb, 0xd3, 0xa6, 0xbc,
0x4f, 0x17, 0x16, 0x82, 0xe1, 0x50, 0x66, 0x87, 0x37, 0x14, 0xbd, 0x84, 0xcd, 0x43, 0xa6, 0xe3,
0xfe, 0x59, 0xc2, 0x0b, 0x25, 0x6b, 0xaa, 0x52, 0xcf, 0xab, 0xd8, 0x2b, 0x55, 0xd5, 0x41, 0x9a,
0xd5, 0x07, 0xf9, 0x47, 0x1d, 0x9c, 0x43, 0x26, 0xff, 0x6f, 0xc8, 0x40, 0x35, 0x4c, 0xce, 0x7e,
0x98, 0x44, 0xdc, 0xf8, 0x72, 0xa5, 0x83, 0xa9, 0xed, 0x97, 0xd9, 0xf4, 0xef, 0x75, 0x58, 0x2e,
0xc1, 0x87, 0x5f, 0xa6, 0xed, 0x5d, 0x57, 0xdc, 0xbb, 0x2a, 0xdd, 0xe7, 0x20, 0x07, 0x94, 0xfd,
0xdf, 0x23, 0x87, 0x17, 0x70, 0x7f, 0x2f, 0x0c, 0x6d, 0x68, 0x30, 0xbb, 0xb9, 0x8f, 0x8a, 0x8e,
0xce, 0xb3, 0xf6, 0x10, 0x56, 0x4b, 0xf8, 0x13, 0xaf, 0x2d, 0x0a, 0xd3, 0x7a, 0xa2, 0x3e, 0x29,
0x9d, 0x91, 0xf2, 0x66, 0x90, 0xee, 0x87, 0xb0, 0x56, 0x90, 0xf1, 0x4a, 0xa6, 0x9a, 0xda, 0xd4,
0x15, 0x38, 0x3e, 0x22, 0x0a, 0x4b, 0xbe, 0xce, 0x81, 0x3f, 0x5c, 0x63, 0x12, 0x13, 0xb9, 0x9a,
0x52, 0x79, 0xab, 0xd0, 0x8d, 0x79, 0x60, 0xfc, 0x56, 0x4d, 0x80, 0xa7, 0x30, 0xe3, 0x06, 0xe6,
0x73, 0x46, 0xd3, 0xbf, 0x34, 0x60, 0xeb, 0x59, 0x14, 0x07, 0xa3, 0xe8, 0x8a, 0x59, 0x71, 0xb4,
0x25, 0x65, 0x0c, 0xee, 0x6a, 0x14, 0x70, 0x57, 0xae, 0x16, 0x35, 0x0b, 0xb5, 0x08, 0x1b, 0x86,
0x94, 0xec, 0x6c, 0x9c, 0x62, 0xb1, 0x8e, 0x3f, 0x65, 0x90, 0x7d, 0x58, 0xc3, 0x3e, 0x67, 0x36,
0x1d, 0x26, 0x3c, 0x14, 0x4e, 0x0b, 0x1f, 0xa9, 0xab, 0x1f, 0xe9, 0xa4, 0xb4, 0xec, 0xcf, 0x2a,
0x90, 0x27, 0xb0, 0x32, 0x65, 0x1e, 0x70, 0x9e, 0x70, 0xc4, 0x6a, 0x8b, 0xde, 0xba, 0xb6, 0xd1,
0xe7, 0xc9, 0x77, 0x23, 0x76, 0xb6, 0xcf, 0x64, 0x10, 0x8d, 0x84, 0x5f, 0x16, 0xf6, 0xfe, 0xb3,
0x09, 0xab, 0x03, 0x99, 0xf0, 0xe0, 0x34, 0xbd, 0x05, 0x79, 0x49, 0x76, 0x61, 0xe5, 0x90, 0x15,
0x5a, 0x3b, 0x21, 0xd8, 0xcf, 0x0a, 0xc9, 0xe6, 0x12, 0xbd, 0x45, 0x9e, 0x4b, 0x6b, 0xe4, 0x37,
0xb0, 0x5e, 0x52, 0x7e, 0x7a, 0xa9, 0xe6, 0x9d, 0x65, 0x65, 0x61, 0x3a, 0xff, 0x54, 0x68, 0x3f,
0x81, 0xd5, 0x72, 0x11, 0x20, 0xb7, 0x67, 0x92, 0xeb, 0x68, 0xdf, 0xb5, 0x05, 0x32, 0xad, 0x91,
0x6f, 0xb0, 0x80, 0xd9, 0x32, 0x82, 0x20, 0xc4, 0x9f, 0x3f, 0x3c, 0x55, 0x59, 0x3d, 0x81, 0xae,
0x7d, 0x72, 0x21, 0x0f, 0x8c, 0xd1, 0xea, 0xa9, 0xc6, 0xdd, 0xac, 0x18, 0x2d, 0x68, 0x8d, 0xfc,
0x02, 0x96, 0x0f, 0x59, 0x1e, 0x27, 0x12, 0x50, 0xc2, 0xba, 0x69, 0xba, 0x6b, 0xda, 0x99, 0xdc,
0x32, 0xad, 0x91, 0x5d, 0xbc, 0xde, 0xd9, 0x71, 0x21, 0xaf, 0xb8, 0x81, 0xf8, 0xaf, 0x2c, 0x42,
0x6b, 0x64, 0x00, 0x4e, 0x15, 0x32, 0x25, 0x3f, 0xcb, 0x40, 0x63, 0x35, 0x6e, 0x75, 0x57, 0xcb,
0xc8, 0x92, 0xd6, 0xc8, 0x73, 0xe8, 0xda, 0xa1, 0xa0, 0xbe, 0x9c, 0xb9, 0x30, 0xd1, 0xed, 0x64,
0x22, 0xb4, 0x46, 0xbe, 0x82, 0x3b, 0x15, 0xd2, 0x88, 0x89, 0x7f, 0xaa, 0xb9, 0xcf, 0xc0, 0xc5,
0x4f, 0x6b, 0x7d, 0xb4, 0x46, 0x74, 0x41, 0xdd, 0x83, 0xc5, 0x1c, 0x0a, 0x24, 0xdd, 0x6c, 0xad,
0x00, 0x0b, 0x8b, 0x3a, 0x7d, 0xb3, 0xa5, 0x15, 0xc3, 0x92, 0x0f, 0x33, 0xd1, 0x79, 0x18, 0xb7,
0x68, 0xf1, 0x13, 0xb8, 0x55, 0x80, 0x8d, 0xc4, 0xc9, 0x56, 0x4b, 0x48, 0xb2, 0xa8, 0xf7, 0x29,
0xdc, 0x2a, 0x80, 0x44, 0xad, 0x67, 0xc3, 0x8d, 0x2e, 0x86, 0x8e, 0x66, 0xd1, 0x1a, 0x79, 0x09,
0x1f, 0x54, 0x62, 0x45, 0xf2, 0x50, 0x89, 0x5e, 0x07, 0x25, 0x4b, 0x06, 0x7f, 0x0b, 0x6b, 0xe5,
0x94, 0xf6, 0xc8, 0xba, 0x25, 0xa7, 0xbd, 0xaa, 0xf4, 0x7b, 0x0e, 0x64, 0x06, 0x19, 0x78, 0x64,
0xcb, 0xa4, 0x9e, 0xfd, 0x12, 0xc9, 0x6c, 0x47, 0xa6, 0x35, 0xf2, 0x0a, 0x31, 0x86, 0x2d, 0x20,
0xbc, 0xf7, 0xa9, 0x0f, 0x4f, 0x4c, 0xe0, 0x5a, 0x23, 0xcd, 0xbb, 0x3e, 0xd4, 0xfe, 0x04, 0x5b,
0x73, 0x40, 0x9c, 0x47, 0x1e, 0xe5, 0xab, 0x4c, 0x35, 0xcc, 0xab, 0x38, 0xf4, 0xd7, 0xc6, 0x3b,
0x6b, 0xd0, 0x79, 0xef, 0x14, 0x95, 0x3e, 0x96, 0xd9, 0x13, 0x9b, 0xb9, 0xb7, 0xa8, 0x88, 0x76,
0x37, 0x77, 0x61, 0xe5, 0x98, 0x5d, 0x94, 0xba, 0xce, 0x4c, 0x8f, 0xa8, 0xe8, 0x1b, 0x9f, 0x02,
0xd1, 0x3f, 0x6f, 0x5c, 0xab, 0xbf, 0xa8, 0x79, 0x07, 0x67, 0x63, 0x79, 0x49, 0x6b, 0xe4, 0x00,
0x36, 0x8f, 0xd9, 0x85, 0xb5, 0x61, 0xd8, 0x1e, 0xbb, 0x2a, 0x02, 0x76, 0x61, 0xc3, 0x8a, 0x26,
0xec, 0x46, 0x4a, 0x3e, 0x1c, 0xc1, 0x72, 0x71, 0x8e, 0x20, 0x1f, 0xe0, 0x0d, 0xd9, 0x06, 0x19,
0xd7, 0xb5, 0x2d, 0x19, 0x50, 0xa3, 0x6a, 0xde, 0x9a, 0x42, 0x84, 0x9c, 0x0d, 0xdf, 0xce, 0x5a,
0xc9, 0x93, 0xc7, 0xd0, 0xc9, 0x86, 0x36, 0x93, 0xa3, 0xa5, 0x19, 0xae, 0xac, 0xb1, 0x0b, 0xdd,
0x7d, 0x16, 0x0c, 0x65, 0x74, 0x3e, 0x7b, 0xf9, 0xb3, 0x51, 0x5f, 0x52, 0xfe, 0x0c, 0x36, 0xa7,
0xca, 0x6f, 0xd1, 0xf4, 0x4b, 0xea, 0x8f, 0xa0, 0x7d, 0xcc, 0x2e, 0x30, 0x1f, 0x88, 0x59, 0x42,
0xc2, 0xcd, 0x13, 0x78, 0x2a, 0x32, 0x30, 0x53, 0x4d, 0x9f, 0x27, 0x43, 0x26, 0x44, 0x14, 0x9f,
0x5a, 0x35, 0x52, 0xcb, 0x3f, 0x87, 0x5b, 0xa9, 0x06, 0xe2, 0xa4, 0xeb, 0x84, 0xd3, 0xb7, 0xaf,
0xf6, 0x65, 0x2a, 0xdc, 0x4e, 0x27, 0x2c, 0x82, 0xdd, 0x34, 0x3f, 0x0f, 0x96, 0x1d, 0xff, 0x23,
0xdc, 0x99, 0x93, 0xf5, 0xef, 0x59, 0x16, 0x34, 0xd4, 0x2a, 0xcc, 0x7a, 0xe4, 0x8e, 0xb1, 0x68,
0x9b, 0x00, 0xcb, 0xce, 0x1d, 0xce, 0xd6, 0x75, 0xf1, 0x4e, 0x45, 0xf9, 0x5b, 0x70, 0xaa, 0xa6,
0x18, 0x8d, 0x4a, 0xae, 0x99, 0x71, 0x5c, 0x5b, 0x33, 0x31, 0x9d, 0x67, 0x66, 0xbe, 0xd0, 0x1e,
0x56, 0x8d, 0x1d, 0xe5, 0xd7, 0xf2, 0x81, 0x1c, 0xb3, 0x8b, 0x72, 0x89, 0x7b, 0x2b, 0xa7, 0x36,
0x66, 0x9c, 0xf2, 0xb4, 0x57, 0x47, 0xd0, 0xb5, 0x96, 0x0a, 0x8f, 0xf4, 0xb0, 0x45, 0xcf, 0x19,
0x4a, 0xca, 0xee, 0x7d, 0x0e, 0x4e, 0x45, 0xfe, 0x54, 0x75, 0xd8, 0xa2, 0x81, 0xa7, 0x37, 0xff,
0xd0, 0xc2, 0x7f, 0x2f, 0xfe, 0x1b, 0x00, 0x00, 0xff, 0xff, 0x6f, 0x39, 0x5a, 0x2e, 0xec, 0x18,
0x00, 0x00,
}
// Reference imports to suppress errors if they are not otherwise used.
@ -1932,6 +2000,8 @@ type StorageAuthorityClient interface {
NewPendingAuthorization(ctx context.Context, in *proto1.Authorization, opts ...grpc.CallOption) (*proto1.Authorization, error)
FinalizeAuthorization(ctx context.Context, in *proto1.Authorization, opts ...grpc.CallOption) (*proto1.Empty, error)
AddCertificate(ctx context.Context, in *AddCertificateRequest, opts ...grpc.CallOption) (*AddCertificateResponse, error)
AddPrecertificate(ctx context.Context, in *AddCertificateRequest, opts ...grpc.CallOption) (*proto1.Empty, error)
AddSerial(ctx context.Context, in *AddSerialRequest, opts ...grpc.CallOption) (*proto1.Empty, error)
DeactivateRegistration(ctx context.Context, in *RegistrationID, opts ...grpc.CallOption) (*proto1.Empty, error)
DeactivateAuthorization(ctx context.Context, in *AuthorizationID, opts ...grpc.CallOption) (*proto1.Empty, error)
NewOrder(ctx context.Context, in *proto1.Order, opts ...grpc.CallOption) (*proto1.Order, error)
@ -2209,6 +2279,24 @@ func (c *storageAuthorityClient) AddCertificate(ctx context.Context, in *AddCert
return out, nil
}
func (c *storageAuthorityClient) AddPrecertificate(ctx context.Context, in *AddCertificateRequest, opts ...grpc.CallOption) (*proto1.Empty, error) {
out := new(proto1.Empty)
err := c.cc.Invoke(ctx, "/sa.StorageAuthority/AddPrecertificate", in, out, opts...)
if err != nil {
return nil, err
}
return out, nil
}
func (c *storageAuthorityClient) AddSerial(ctx context.Context, in *AddSerialRequest, opts ...grpc.CallOption) (*proto1.Empty, error) {
out := new(proto1.Empty)
err := c.cc.Invoke(ctx, "/sa.StorageAuthority/AddSerial", in, out, opts...)
if err != nil {
return nil, err
}
return out, nil
}
func (c *storageAuthorityClient) DeactivateRegistration(ctx context.Context, in *RegistrationID, opts ...grpc.CallOption) (*proto1.Empty, error) {
out := new(proto1.Empty)
err := c.cc.Invoke(ctx, "/sa.StorageAuthority/DeactivateRegistration", in, out, opts...)
@ -2378,6 +2466,8 @@ type StorageAuthorityServer interface {
NewPendingAuthorization(context.Context, *proto1.Authorization) (*proto1.Authorization, error)
FinalizeAuthorization(context.Context, *proto1.Authorization) (*proto1.Empty, error)
AddCertificate(context.Context, *AddCertificateRequest) (*AddCertificateResponse, error)
AddPrecertificate(context.Context, *AddCertificateRequest) (*proto1.Empty, error)
AddSerial(context.Context, *AddSerialRequest) (*proto1.Empty, error)
DeactivateRegistration(context.Context, *RegistrationID) (*proto1.Empty, error)
DeactivateAuthorization(context.Context, *AuthorizationID) (*proto1.Empty, error)
NewOrder(context.Context, *proto1.Order) (*proto1.Order, error)
@ -2483,6 +2573,12 @@ func (*UnimplementedStorageAuthorityServer) FinalizeAuthorization(ctx context.Co
func (*UnimplementedStorageAuthorityServer) AddCertificate(ctx context.Context, req *AddCertificateRequest) (*AddCertificateResponse, error) {
return nil, status.Errorf(codes.Unimplemented, "method AddCertificate not implemented")
}
func (*UnimplementedStorageAuthorityServer) AddPrecertificate(ctx context.Context, req *AddCertificateRequest) (*proto1.Empty, error) {
return nil, status.Errorf(codes.Unimplemented, "method AddPrecertificate not implemented")
}
func (*UnimplementedStorageAuthorityServer) AddSerial(ctx context.Context, req *AddSerialRequest) (*proto1.Empty, error) {
return nil, status.Errorf(codes.Unimplemented, "method AddSerial not implemented")
}
func (*UnimplementedStorageAuthorityServer) DeactivateRegistration(ctx context.Context, req *RegistrationID) (*proto1.Empty, error) {
return nil, status.Errorf(codes.Unimplemented, "method DeactivateRegistration not implemented")
}
@ -3037,6 +3133,42 @@ func _StorageAuthority_AddCertificate_Handler(srv interface{}, ctx context.Conte
return interceptor(ctx, in, info, handler)
}
func _StorageAuthority_AddPrecertificate_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
in := new(AddCertificateRequest)
if err := dec(in); err != nil {
return nil, err
}
if interceptor == nil {
return srv.(StorageAuthorityServer).AddPrecertificate(ctx, in)
}
info := &grpc.UnaryServerInfo{
Server: srv,
FullMethod: "/sa.StorageAuthority/AddPrecertificate",
}
handler := func(ctx context.Context, req interface{}) (interface{}, error) {
return srv.(StorageAuthorityServer).AddPrecertificate(ctx, req.(*AddCertificateRequest))
}
return interceptor(ctx, in, info, handler)
}
func _StorageAuthority_AddSerial_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
in := new(AddSerialRequest)
if err := dec(in); err != nil {
return nil, err
}
if interceptor == nil {
return srv.(StorageAuthorityServer).AddSerial(ctx, in)
}
info := &grpc.UnaryServerInfo{
Server: srv,
FullMethod: "/sa.StorageAuthority/AddSerial",
}
handler := func(ctx context.Context, req interface{}) (interface{}, error) {
return srv.(StorageAuthorityServer).AddSerial(ctx, req.(*AddSerialRequest))
}
return interceptor(ctx, in, info, handler)
}
func _StorageAuthority_DeactivateRegistration_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
in := new(RegistrationID)
if err := dec(in); err != nil {
@ -3423,6 +3555,14 @@ var _StorageAuthority_serviceDesc = grpc.ServiceDesc{
MethodName: "AddCertificate",
Handler: _StorageAuthority_AddCertificate_Handler,
},
{
MethodName: "AddPrecertificate",
Handler: _StorageAuthority_AddPrecertificate_Handler,
},
{
MethodName: "AddSerial",
Handler: _StorageAuthority_AddSerial_Handler,
},
{
MethodName: "DeactivateRegistration",
Handler: _StorageAuthority_DeactivateRegistration_Handler,


@ -38,6 +38,8 @@ service StorageAuthority {
rpc NewPendingAuthorization(core.Authorization) returns (core.Authorization) {}
rpc FinalizeAuthorization(core.Authorization) returns (core.Empty) {}
rpc AddCertificate(AddCertificateRequest) returns (AddCertificateResponse) {}
rpc AddPrecertificate(AddCertificateRequest) returns (core.Empty) {}
rpc AddSerial(AddSerialRequest) returns (core.Empty) {}
rpc DeactivateRegistration(RegistrationID) returns (core.Empty) {}
rpc DeactivateAuthorization(AuthorizationID) returns (core.Empty) {}
rpc NewOrder(core.Order) returns (core.Order) {}
@ -163,6 +165,13 @@ message Exists {
optional bool exists = 1;
}
message AddSerialRequest {
optional int64 regID = 1;
optional string serial = 2;
optional int64 created = 3; // Unix timestamp (nanoseconds)
optional int64 expires = 4; // Unix timestamp (nanoseconds)
}
message AddCertificateRequest {
optional bytes der = 1;
optional int64 regID = 2;
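Review bot: `AddSerialRequest.serial` is the only new field without a comment on its format; `created` and `expires` say "Unix timestamp (nanoseconds)", but the encoding the SA expects for the serial string is left to the reader. A short trailing comment on that field stating the encoding, plus one-line comments on the `AddPrecertificate` and `AddSerial` rpcs saying when the CA calls each, would make the schema self-describing. `AddPrecertificate` also reuses `AddCertificateRequest`, whose definition continues past this hunk, so it may be worth noting there which fields a precertificate request must set.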


@ -748,9 +748,6 @@ func (ssa *SQLStorageAuthority) AddCertificate(
}
_, overallError := withTransaction(ctx, ssa.dbMap, func(txWithCtx transaction) (interface{}, error) {
// Note: will fail on duplicate serials. Extremely unlikely to happen and soon
// to be fixed by redesign. Reference issue
// https://github.com/letsencrypt/boulder/issues/2265 for more
err = txWithCtx.Insert(cert)
if err != nil {
if strings.HasPrefix(err.Error(), "Error 1062: Duplicate entry") {
@ -761,10 +758,12 @@ func (ssa *SQLStorageAuthority) AddCertificate(
err = txWithCtx.Insert(certStatus)
if err != nil {
if strings.HasPrefix(err.Error(), "Error 1062: Duplicate entry") {
return nil, berrors.DuplicateError("cannot add a duplicate cert status")
// We ignore "duplicate entry" on insert to the certificateStatus table
// because we may be inserting a certificate after a call to
// AddPrecertificate, which also adds a certificateStatus entry.
if !strings.HasPrefix(err.Error(), "Error 1062: Duplicate entry") {
return nil, err
}
return nil, err
}
// NOTE(@cpu): When we collect up names to check if an FQDN set exists (e.g.
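Review bot: The new branch after `txWithCtx.Insert(certStatus)` drops every "Error 1062: Duplicate entry" failure without a trace, so a certificateStatus collision that does not come from an earlier AddPrecertificate call can no longer be told apart from the expected one. Nothing visible in the hunk checks that the existing row belongs to a precertificate for this serial, and the tolerance appears to apply whether or not the PrecertificateOCSP flag is on. I would count or log the ignored duplicate so an unexpected one shows up in monitoring. I would also extend the comment to say what happens to the existing row, e.g. `// The certificateStatus row written by AddPrecertificate is left unchanged.` The enclosing AddCertificate body starts and ends outside this section's hunks.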


@ -136,6 +136,7 @@
"maxConcurrentRPCServerRequests": 100000,
"orphanQueueDir": "/tmp/orphaned-certificates-a",
"features": {
"PrecertificateOCSP": true
}
},


@ -137,6 +137,7 @@
"maxConcurrentRPCServerRequests": 100000,
"orphanQueueDir": "/tmp/orphaned-certificates-b",
"features": {
"PrecertificateOCSP": true
}
},


@ -16,6 +16,10 @@ import (
)
func TestPrecertificateOCSP(t *testing.T) {
// This test is gated on the PrecertificateOCSP feature flag.
if !strings.Contains(os.Getenv("BOULDER_CONFIG_DIR"), "test/config-next") {
return
}
domain := random_domain()
for _, port := range []int{4500, 4501, 4510, 4511} {
url := fmt.Sprintf("http://boulder:%d/add-reject-host", port)
@ -64,8 +68,7 @@ func TestPrecertificateOCSP(t *testing.T) {
}
_, err = ocsp_helper.ReqDER(rejectedCertBytes)
if err != nil {
// TODO(#4412): This should become a `t.Errorf`
t.Logf("requesting OCSP for rejected precertificate: %s", err)
t.Errorf("requesting OCSP for rejected precertificate: %s", err)
}
}
}
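Review bot: The gate added at the top of TestPrecertificateOCSP uses a bare `return`, so outside test/config-next the test reports PASS without having checked anything, which hides that the OCSP-for-rejected-precertificate path was never exercised. Using `t.Skip("PrecertificateOCSP is only enabled in test/config-next")` in place of `return` keeps the run green but makes the skip visible in the test output. The function body continues outside both hunks of this section.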


@ -31,6 +31,8 @@ GRANT SELECT,INSERT ON requestedNames TO 'sa'@'localhost';
GRANT SELECT,INSERT,DELETE ON orderFqdnSets TO 'sa'@'localhost';
GRANT SELECT,INSERT,UPDATE ON authz2 TO 'sa'@'localhost';
GRANT SELECT,INSERT ON orderToAuthz2 TO 'sa'@'localhost';
GRANT INSERT ON serials TO 'sa'@'localhost';
GRANT INSERT ON precertificates TO 'sa'@'localhost';
-- OCSP Responder
GRANT SELECT ON certificateStatus TO 'ocsp_resp'@'localhost';

2
vendor/modules.txt vendored

@ -111,10 +111,10 @@ golang.org/x/crypto/ed25519/internal/edwards25519
golang.org/x/crypto/pkcs12/internal/rc2
# golang.org/x/net v0.0.0-20190415214537-1da14a5a36f2
golang.org/x/net/idna
golang.org/x/net/context
golang.org/x/net/trace
golang.org/x/net/ipv4
golang.org/x/net/ipv6
golang.org/x/net/context
golang.org/x/net/context/ctxhttp
golang.org/x/net/internal/timeseries
golang.org/x/net/http2