letsencrypt
/
boulder
mirror of https://github.com/letsencrypt/boulder.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

RA: Make RevokeAtRA feature standard behavior (#4268) 

Now that it is live in production and is working as intended we can remove
the old ocsp-updater functionality entirely.

Fixes #4048.
This commit is contained in:
Roland Bracewell Shoemaker 2019-06-20 11:32:53 -07:00 committed by Daniel McCarney
parent 4fbb90b2d1
commit acc44498d1
21 changed files with 171 additions and 621 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
cmd/boulder-ra/main.go
View File

@ -79,8 +79,7 @@ type config struct {
InformationalCTLogs []ctconfig.LogDescription
// IssuerCertPath is the path to the intermediate used to issue certificates.
// It is required if the RevokeAtRA feature is enabled and is used to
// generate OCSP URLs to purge at revocation time.
// It is used to generate OCSP URLs to purge at revocation time.
IssuerCertPath string
Features map[string]bool
@ -131,10 +130,6 @@ func main() {
err = pa.SetHostnamePolicyFile(c.RA.HostnamePolicyFile)
cmd.FailOnError(err, "Couldn't load hostname policy file")
if features.Enabled(features.RevokeAtRA) && (c.RA.AkamaiPurgerService == nil || c.RA.IssuerCertPath == "") {
cmd.Fail("If the RevokeAtRA feature is enabled the AkamaiPurgerService and IssuerCertPath config fields must be populated")
}
tlsConfig, err := c.RA.TLS.Load()
cmd.FailOnError(err, "TLS config")
@ -158,14 +153,12 @@ func main() {
var apc akamaipb.AkamaiPurgerClient
var issuerCert *x509.Certificate
if features.Enabled(features.RevokeAtRA) {
apConn, err := bgrpc.ClientSetup(c.RA.AkamaiPurgerService, tlsConfig, clientMetrics, clk)
cmd.FailOnError(err, "Unable to create a Akamai Purger client")
apc = akamaipb.NewAkamaiPurgerClient(apConn)
apConn, err := bgrpc.ClientSetup(c.RA.AkamaiPurgerService, tlsConfig, clientMetrics, clk)
cmd.FailOnError(err, "Unable to create a Akamai Purger client")
apc = akamaipb.NewAkamaiPurgerClient(apConn)
issuerCert, err = core.LoadCert(c.RA.IssuerCertPath)
cmd.FailOnError(err, "Failed to load issuer certificate")
}
issuerCert, err = core.LoadCert(c.RA.IssuerCertPath)
cmd.FailOnError(err, "Failed to load issuer certificate")
// Boulder's components assume that there will always be CT logs configured.
// Issuing a certificate without SCTs embedded is a miss-issuance event in the

142
cmd/ocsp-updater/main.go
View File

@ -11,7 +11,6 @@ import (
"time"
"github.com/jmhodges/clock"
"github.com/letsencrypt/boulder/akamai"
akamaipb "github.com/letsencrypt/boulder/akamai/proto"
capb "github.com/letsencrypt/boulder/ca/proto"
"github.com/letsencrypt/boulder/cmd"
@ -22,7 +21,6 @@ import (
"github.com/letsencrypt/boulder/metrics"
"github.com/letsencrypt/boulder/sa"
sapb "github.com/letsencrypt/boulder/sa/proto"
"golang.org/x/crypto/ocsp"
)
/*
@ -73,12 +71,10 @@ func newUpdater(
issuerPath string,
log blog.Logger,
) (*OCSPUpdater, error) {
if config.OldOCSPBatchSize == 0 ||
config.RevokedCertificateBatchSize == 0 {
if config.OldOCSPBatchSize == 0 {
return nil, fmt.Errorf("Loop batch sizes must be non-zero")
}
if config.OldOCSPWindow.Duration == 0 ||
config.RevokedCertificateWindow.Duration == 0 {
if config.OldOCSPWindow.Duration == 0 {
return nil, fmt.Errorf("Loop window sizes must be non-zero")
}
if config.OCSPStaleMaxAge.Duration == 0 {
@ -125,20 +121,6 @@ func newUpdater(
},
}
if !features.Enabled(features.RevokeAtRA) {
updater.loops = append(updater.loops,
&looper{
clk: clk,
stats: stats.NewScope("RevokedCertificates"),
batchSize: config.RevokedCertificateBatchSize,
tickDur: config.RevokedCertificateWindow.Duration,
tickFunc: updater.revokedCertificatesTick,
name: "RevokedCertificates",
failureBackoffFactor: config.SignFailureBackoffFactor,
failureBackoffMax: config.SignFailureBackoffMax.Duration,
})
}
return &updater, nil
}
@ -172,11 +154,6 @@ func (updater *OCSPUpdater) findStaleOCSPResponses(oldestLastUpdatedTime time.Ti
return statuses, err
}
type responseMeta struct {
*core.OCSPResponse
*core.CertificateStatus
}
func (updater *OCSPUpdater) generateResponse(ctx context.Context, status core.CertificateStatus) (*core.CertificateStatus, error) {
cert, err := sa.SelectCertificate(
updater.dbMap,
@ -205,48 +182,10 @@ func (updater *OCSPUpdater) generateResponse(ctx context.Context, status core.Ce
return &status, nil
}
// generateRevokedResponse takes a core.CertificateStatus and updates it with a revoked OCSP response
// for the certificate it represents. generateRevokedResponse then returns the updated status and a
// list of OCSP request URLs that should be purged or an error.
func (updater *OCSPUpdater) generateRevokedResponse(ctx context.Context, status core.CertificateStatus) (*core.CertificateStatus, []string, error) {
cert, err := updater.sac.GetCertificate(ctx, status.Serial)
if err != nil {
return nil, nil, err
}
signRequest := core.OCSPSigningRequest{
CertDER: cert.DER,
Status: string(core.OCSPStatusRevoked),
Reason: status.RevokedReason,
RevokedAt: status.RevokedDate,
}
ocspResponse, err := updater.cac.GenerateOCSP(ctx, signRequest)
if err != nil {
return nil, nil, err
}
now := updater.clk.Now()
status.OCSPLastUpdated = now
status.OCSPResponse = ocspResponse
// If cache client is populated generate purge URLs
var purgeURLs []string
if updater.purgerService != nil {
purgeURLs, err = akamai.GeneratePurgeURLs(cert.DER, updater.issuer)
if err != nil {
return nil, nil, err
}
}
return &status, purgeURLs, nil
}
func (updater *OCSPUpdater) storeResponse(status *core.CertificateStatus) error {
// Update the certificateStatus table with the new OCSP response, the status
// WHERE is used make sure we don't overwrite a revoked response with a one
// containing a 'good' status and that we don't do the inverse when the OCSP
// status should be 'good'.
// containing a 'good' status.
_, err := updater.dbMap.Exec(
`UPDATE certificateStatus
SET ocspResponse=?,ocspLastUpdated=?
@ -271,75 +210,6 @@ func (updater *OCSPUpdater) markExpired(status core.CertificateStatus) error {
return err
}
func (updater *OCSPUpdater) findRevokedCertificatesToUpdate(batchSize int) ([]core.CertificateStatus, error) {
const query = "WHERE NOT isExpired AND status = ? AND ocspLastUpdated <= revokedDate LIMIT ?"
statuses, err := sa.SelectCertificateStatuses(
updater.dbMap,
query,
string(core.OCSPStatusRevoked),
batchSize,
)
return statuses, err
}
func (updater *OCSPUpdater) revokedCertificatesTick(ctx context.Context, batchSize int) error {
statuses, err := updater.findRevokedCertificatesToUpdate(batchSize)
if err != nil {
updater.stats.Inc("Errors.FindRevokedCertificates", 1)
updater.log.AuditErrf("Failed to find revoked certificates: %s", err)
return err
}
if len(statuses) == batchSize {
updater.stats.Inc("revokedCertificatesTick.FullTick", 1)
}
var allPurgeURLs []string
for _, status := range statuses {
// It's possible that, if our ticks are fast enough (mainly in tests), we
// will get a certificate status where the ocspLastUpdated == revokedDate
// and the certificate has already been revoked. In order to avoid
// generating a new response and purging the existing response, quickly
// check the actual response in this rare case.
if status.OCSPLastUpdated.Equal(status.RevokedDate) {
resp, err := ocsp.ParseResponse(status.OCSPResponse, nil)
if err != nil {
updater.log.AuditErrf("Failed to parse OCSP response: %s", err)
return err
}
if resp.Status == ocsp.Revoked {
// We already generated a revoked response, don't bother doing it again
continue
}
}
meta, purgeURLs, err := updater.generateRevokedResponse(ctx, status)
if err != nil {
updater.log.AuditErrf("Failed to generate revoked OCSP response: %s", err)
updater.stats.Inc("Errors.RevokedResponseGeneration", 1)
return err
}
allPurgeURLs = append(allPurgeURLs, purgeURLs...)
err = updater.storeResponse(meta)
if err != nil {
updater.stats.Inc("Errors.StoreRevokedResponse", 1)
updater.log.AuditErrf("Failed to store OCSP response: %s", err)
continue
}
}
if len(allPurgeURLs) > 0 && updater.purgerService != nil {
go func() {
_, err = updater.purgerService.Purge(context.Background(), &akamaipb.PurgeRequest{
Urls: allPurgeURLs,
})
if err != nil {
updater.log.Errf("Request to Akamai purger service failed: %s", err)
}
}()
}
return nil
}
func (updater *OCSPUpdater) generateOCSPResponses(ctx context.Context, statuses []core.CertificateStatus, stats metrics.Scope) error {
// Use the semaphore pattern from
// https://github.com/golang/go/wiki/BoundingResourceUse to send a number of
@ -478,11 +348,9 @@ type OCSPUpdaterConfig struct {
cmd.ServiceConfig
cmd.DBConfig
OldOCSPWindow cmd.ConfigDuration
RevokedCertificateWindow cmd.ConfigDuration
OldOCSPWindow cmd.ConfigDuration
OldOCSPBatchSize int
RevokedCertificateBatchSize int
OldOCSPBatchSize int
OCSPMinTimeToExpiry cmd.ConfigDuration
OCSPStaleMaxAge cmd.ConfigDuration

84
cmd/ocsp-updater/main_test.go
View File

@ -14,8 +14,8 @@ import (
"github.com/letsencrypt/boulder/core"
blog "github.com/letsencrypt/boulder/log"
"github.com/letsencrypt/boulder/metrics"
"github.com/letsencrypt/boulder/revocation"
"github.com/letsencrypt/boulder/sa"
sapb "github.com/letsencrypt/boulder/sa/proto"
"github.com/letsencrypt/boulder/sa/satest"
"github.com/letsencrypt/boulder/test"
"github.com/letsencrypt/boulder/test/vars"
@ -80,10 +80,8 @@ func setup(t *testing.T) (*OCSPUpdater, core.StorageAuthority, *gorp.DbMap, cloc
sa,
nil,
OCSPUpdaterConfig{
OldOCSPBatchSize: 1,
RevokedCertificateBatchSize: 1,
OldOCSPWindow: cmd.ConfigDuration{Duration: time.Second},
RevokedCertificateWindow: cmd.ConfigDuration{Duration: time.Second},
OldOCSPBatchSize: 1,
OldOCSPWindow: cmd.ConfigDuration{Duration: time.Second},
},
"",
blog.NewMock(),
@ -115,23 +113,6 @@ func TestGenerateAndStoreOCSPResponse(t *testing.T) {
test.AssertNotError(t, err, "Couldn't generate OCSP response")
err = updater.storeResponse(meta)
test.AssertNotError(t, err, "Couldn't store certificate status")
secondMeta, purgeURLs, err := updater.generateRevokedResponse(ctx, status)
test.AssertNotError(t, err, "Couldn't generate revoked OCSP response")
err = updater.storeResponse(secondMeta)
test.AssertNotError(t, err, "Couldn't store certificate status")
test.AssertDeepEquals(t, purgeURLs, []string{
// akamai magic POST format
"http://127.0.0.1:4002/?body-md5=1f00f751a981b76c",
// GET format with // replaced with /
"http://127.0.0.1:4002/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRBJaTET3lGgf1uVfnmEsA5Rr8viQQU+3hPEvlgFYMsnxd/NBmzLjbqQYkCEwD/ajxemKXeOt+gQo15uy0YcQs=",
// GET format with url-encoding
"http://127.0.0.1:4002/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRBJaTET3lGgf1uVfnmEsA5Rr8viQQU%2B3hPEvlgFYMsnxd%2FNBmzLjbqQYkCEwD%2FajxemKXeOt%2BgQo15uy0YcQs%3D",
})
newStatus, err := sa.GetCertificateStatus(ctx, status.Serial)
test.AssertNotError(t, err, "Couldn't retrieve certificate status")
test.AssertByteEquals(t, meta.OCSPResponse, newStatus.OCSPResponse)
}
func TestGenerateOCSPResponses(t *testing.T) {
@ -263,29 +244,6 @@ func TestFindStaleOCSPResponsesStaleMaxAge(t *testing.T) {
test.AssertEquals(t, certs[0].Serial, core.SerialToString(parsedCertA.SerialNumber))
}
func TestFindRevokedCertificatesToUpdate(t *testing.T) {
updater, sa, _, fc, cleanUp := setup(t)
defer cleanUp()
reg := satest.CreateWorkingRegistration(t, sa)
cert, err := core.LoadCert("test-cert.pem")
test.AssertNotError(t, err, "Couldn't read test certificate")
issued := fc.Now()
_, err = sa.AddCertificate(ctx, cert.Raw, reg.ID, nil, &issued)
test.AssertNotError(t, err, "Couldn't add test-cert.pem")
statuses, err := updater.findRevokedCertificatesToUpdate(10)
test.AssertNotError(t, err, "Failed to find revoked certificates")
test.AssertEquals(t, len(statuses), 0)
err = sa.MarkCertificateRevoked(ctx, core.SerialToString(cert.SerialNumber), revocation.KeyCompromise)
test.AssertNotError(t, err, "Failed to revoke certificate")
statuses, err = updater.findRevokedCertificatesToUpdate(10)
test.AssertNotError(t, err, "Failed to find revoked certificates")
test.AssertEquals(t, len(statuses), 1)
}
func TestOldOCSPResponsesTick(t *testing.T) {
updater, sa, _, fc, cleanUp := setup(t)
defer cleanUp()
@ -356,33 +314,6 @@ func TestOldOCSPResponsesTickIsExpired(t *testing.T) {
test.AssertEquals(t, cs.IsExpired, true)
}
func TestRevokedCertificatesTick(t *testing.T) {
updater, sa, _, fc, cleanUp := setup(t)
defer cleanUp()
reg := satest.CreateWorkingRegistration(t, sa)
parsedCert, err := core.LoadCert("test-cert.pem")
test.AssertNotError(t, err, "Couldn't read test certificate")
issued := fc.Now()
_, err = sa.AddCertificate(ctx, parsedCert.Raw, reg.ID, nil, &issued)
test.AssertNotError(t, err, "Couldn't add test-cert.pem")
err = sa.MarkCertificateRevoked(ctx, core.SerialToString(parsedCert.SerialNumber), revocation.KeyCompromise)
test.AssertNotError(t, err, "Failed to revoke certificate")
statuses, err := updater.findRevokedCertificatesToUpdate(10)
test.AssertNotError(t, err, "Failed to find revoked certificates")
test.AssertEquals(t, len(statuses), 1)
err = updater.revokedCertificatesTick(ctx, 10)
test.AssertNotError(t, err, "Failed to run revokedCertificatesTick")
status, err := sa.GetCertificateStatus(ctx, core.SerialToString(parsedCert.SerialNumber))
test.AssertNotError(t, err, "Failed to get certificate status")
test.AssertEquals(t, status.Status, core.OCSPStatusRevoked)
test.Assert(t, len(status.OCSPResponse) != 0, "Certificate status doesn't contain OCSP response")
}
func TestStoreResponseGuard(t *testing.T) {
updater, sa, _, fc, cleanUp := setup(t)
defer cleanUp()
@ -397,7 +328,14 @@ func TestStoreResponseGuard(t *testing.T) {
status, err := sa.GetCertificateStatus(ctx, core.SerialToString(parsedCert.SerialNumber))
test.AssertNotError(t, err, "Failed to get certificate status")
err = sa.MarkCertificateRevoked(ctx, core.SerialToString(parsedCert.SerialNumber), 0)
serialStr := core.SerialToString(parsedCert.SerialNumber)
reason := int64(0)
revokedDate := fc.Now().UnixNano()
err = sa.RevokeCertificate(context.Background(), &sapb.RevokeCertificateRequest{
Serial: &serialStr,
Reason: &reason,
Date: &revokedDate,
})
test.AssertNotError(t, err, "Failed to revoked certificate")
// Attempt to update OCSP response where status.Status is good but stored status

1
core/interfaces.go
View File

@ -149,7 +149,6 @@ type StorageAdder interface {
UpdateRegistration(ctx context.Context, reg Registration) error
NewPendingAuthorization(ctx context.Context, authz Authorization) (Authorization, error)
FinalizeAuthorization(ctx context.Context, authz Authorization) error
MarkCertificateRevoked(ctx context.Context, serial string, reasonCode revocation.Reason) error
AddCertificate(ctx context.Context, der []byte, regID int64, ocsp []byte, issued *time.Time) (digest string, err error)
RevokeAuthorizationsByDomain(ctx context.Context, domain identifier.ACMEIdentifier) (finalized, pending int64, err error)
DeactivateRegistration(ctx context.Context, id int64) error

14
features/featureflag_string.go
View File

@ -17,11 +17,11 @@ func _() {
_ = x[SetIssuedNamesRenewalBit-6]
_ = x[FasterRateLimit-7]
_ = x[ProbeCTLogs-8]
_ = x[CAAValidationMethods-9]
_ = x[CAAAccountURI-10]
_ = x[HeadNonceStatusOK-11]
_ = x[NewAuthorizationSchema-12]
_ = x[RevokeAtRA-13]
_ = x[RevokeAtRA-9]
_ = x[CAAValidationMethods-10]
_ = x[CAAAccountURI-11]
_ = x[HeadNonceStatusOK-12]
_ = x[NewAuthorizationSchema-13]
_ = x[EarlyOrderRateLimit-14]
_ = x[EnforceMultiVA-15]
_ = x[MultiVAFullResults-16]
@ -30,9 +30,9 @@ func _() {
_ = x[MandatoryPOSTAsGET-19]
}
const _FeatureFlag_name = "unusedPerformValidationRPCACME13KeyRolloverSimplifiedVAHTTPTLSSNIRevalidationAllowRenewalFirstRLSetIssuedNamesRenewalBitFasterRateLimitProbeCTLogsCAAValidationMethodsCAAAccountURIHeadNonceStatusOKNewAuthorizationSchemaRevokeAtRAEarlyOrderRateLimitEnforceMultiVAMultiVAFullResultsRemoveWFE2AccountIDCheckRenewalFirstMandatoryPOSTAsGET"
const _FeatureFlag_name = "unusedPerformValidationRPCACME13KeyRolloverSimplifiedVAHTTPTLSSNIRevalidationAllowRenewalFirstRLSetIssuedNamesRenewalBitFasterRateLimitProbeCTLogsRevokeAtRACAAValidationMethodsCAAAccountURIHeadNonceStatusOKNewAuthorizationSchemaEarlyOrderRateLimitEnforceMultiVAMultiVAFullResultsRemoveWFE2AccountIDCheckRenewalFirstMandatoryPOSTAsGET"
var _FeatureFlag_index = [...]uint16{0, 6, 26, 43, 59, 77, 96, 120, 135, 146, 166, 179, 196, 218, 228, 247, 261, 279, 298, 315, 333}
var _FeatureFlag_index = [...]uint16{0, 6, 26, 43, 59, 77, 96, 120, 135, 146, 156, 176, 189, 206, 228, 247, 261, 279, 298, 315, 333}
func (i FeatureFlag) String() string {
if i < 0 || i >= FeatureFlag(len(_FeatureFlag_index)-1) {

3
features/features.go
View File

@ -20,6 +20,7 @@ const (
SetIssuedNamesRenewalBit
FasterRateLimit
ProbeCTLogs
RevokeAtRA
// Currently in-use features
// Check CAA and respect validationmethods parameter.
@ -32,8 +33,6 @@ const (
// NewAuthorizationSchema enables usage of the new authorization storage schema
// and associated RPCs.
NewAuthorizationSchema
// RevokeAtRA enables revocation in the RA instead of ocsp-updater
RevokeAtRA
// EarlyOrderRateLimit enables the RA applying certificate per name/per FQDN
// set rate limits in NewOrder in addition to FinalizeOrder.
EarlyOrderRateLimit

27
grpc/sa-wrappers.go
View File

@ -383,20 +383,6 @@ func (sac StorageAuthorityClientWrapper) FinalizeAuthorization(ctx context.Conte
return nil
}
func (sac StorageAuthorityClientWrapper) MarkCertificateRevoked(ctx context.Context, serial string, reasonCode revocation.Reason) error {
reason := int64(reasonCode)
_, err := sac.inner.MarkCertificateRevoked(ctx, &sapb.MarkCertificateRevokedRequest{
Serial: &serial,
Code: &reason,
})
if err != nil {
return err
}
return nil
}
func (sac StorageAuthorityClientWrapper) AddCertificate(
ctx context.Context,
der []byte,
@ -1008,19 +994,6 @@ func (sas StorageAuthorityServerWrapper) FinalizeAuthorization(ctx context.Conte
return &corepb.Empty{}, nil
}
func (sas StorageAuthorityServerWrapper) MarkCertificateRevoked(ctx context.Context, request *sapb.MarkCertificateRevokedRequest) (*corepb.Empty, error) {
if request == nil || request.Serial == nil || request.Code == nil {
return nil, errIncompleteRequest
}
err := sas.inner.MarkCertificateRevoked(ctx, *request.Serial, revocation.Reason(*request.Code))
if err != nil {
return nil, err
}
return &corepb.Empty{}, nil
}
func (sas StorageAuthorityServerWrapper) AddCertificate(ctx context.Context, request *sapb.AddCertificateRequest) (*sapb.AddCertificateResponse, error) {
if request == nil || request.Der == nil || request.RegID == nil || request.Issued == nil {
return nil, errIncompleteRequest

6
mocks/mocks.go
View File

@ -21,7 +21,6 @@ import (
"github.com/letsencrypt/boulder/identifier"
"github.com/letsencrypt/boulder/probs"
pubpb "github.com/letsencrypt/boulder/publisher/proto"
"github.com/letsencrypt/boulder/revocation"
sapb "github.com/letsencrypt/boulder/sa/proto"
)
@ -335,11 +334,6 @@ func (sa *StorageAuthority) FinalizeAuthorization(_ context.Context, authz core.
return
}
// MarkCertificateRevoked is a mock
func (sa *StorageAuthority) MarkCertificateRevoked(_ context.Context, serial string, reasonCode revocation.Reason) (err error) {
return
}
// NewPendingAuthorization is a mock
func (sa *StorageAuthority) NewPendingAuthorization(_ context.Context, authz core.Authorization) (core.Authorization, error) {
return authz, nil

4
ra/mock_test.go
View File

@ -115,10 +115,6 @@ func (sa *mockInvalidAuthorizationsAuthority) FinalizeAuthorization(ctx context.
return nil, nil
}
func (sa *mockInvalidAuthorizationsAuthority) MarkCertificateRevoked(ctx context.Context, in *sapb.MarkCertificateRevokedRequest, opts ...grpc.CallOption) (*core.Empty, error) {
return nil, nil
}
func (sa *mockInvalidAuthorizationsAuthority) AddCertificate(ctx context.Context, in *sapb.AddCertificateRequest, opts ...grpc.CallOption) (*sapb.AddCertificateResponse, error) {
return nil, nil
}

14
ra/ra.go
View File

@ -1777,12 +1777,7 @@ func (ra *RegistrationAuthorityImpl) revokeCertificate(ctx context.Context, cert
// RevokeCertificateWithReg terminates trust in the certificate provided.
func (ra *RegistrationAuthorityImpl) RevokeCertificateWithReg(ctx context.Context, cert x509.Certificate, revocationCode revocation.Reason, regID int64) error {
serialString := core.SerialToString(cert.SerialNumber)
var err error
if features.Enabled(features.RevokeAtRA) {
err = ra.revokeCertificate(ctx, cert, revocationCode)
} else {
err = ra.SA.MarkCertificateRevoked(ctx, serialString, revocationCode)
}
err := ra.revokeCertificate(ctx, cert, revocationCode)
state := "Failure"
defer func() {
@ -1813,12 +1808,7 @@ func (ra *RegistrationAuthorityImpl) RevokeCertificateWithReg(ctx context.Contex
// called from the admin-revoker tool.
func (ra *RegistrationAuthorityImpl) AdministrativelyRevokeCertificate(ctx context.Context, cert x509.Certificate, revocationCode revocation.Reason, user string) error {
serialString := core.SerialToString(cert.SerialNumber)
var err error
if features.Enabled(features.RevokeAtRA) {
err = ra.revokeCertificate(ctx, cert, revocationCode)
} else {
err = ra.SA.MarkCertificateRevoked(ctx, serialString, revocationCode)
}
err := ra.revokeCertificate(ctx, cert, revocationCode)
state := "Failure"
defer func() {

349
sa/proto/sa.pb.go
View File

@ -1030,53 +1030,6 @@ func (m *Exists) GetExists() bool {
return false
}
type MarkCertificateRevokedRequest struct {
Serial *string `protobuf:"bytes,1,opt,name=serial" json:"serial,omitempty"`
Code *int64 `protobuf:"varint,2,opt,name=code" json:"code,omitempty"`
XXX_NoUnkeyedLiteral struct{} `json:"-"`
XXX_unrecognized []byte `json:"-"`
XXX_sizecache int32 `json:"-"`
}
func (m *MarkCertificateRevokedRequest) Reset() { *m = MarkCertificateRevokedRequest{} }
func (m *MarkCertificateRevokedRequest) String() string { return proto.CompactTextString(m) }
func (*MarkCertificateRevokedRequest) ProtoMessage() {}
func (*MarkCertificateRevokedRequest) Descriptor() ([]byte, []int) {
return fileDescriptor_099fb35e782a48a6, []int{19}
}
func (m *MarkCertificateRevokedRequest) XXX_Unmarshal(b []byte) error {
return xxx_messageInfo_MarkCertificateRevokedRequest.Unmarshal(m, b)
}
func (m *MarkCertificateRevokedRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
return xxx_messageInfo_MarkCertificateRevokedRequest.Marshal(b, m, deterministic)
}
func (m *MarkCertificateRevokedRequest) XXX_Merge(src proto.Message) {
xxx_messageInfo_MarkCertificateRevokedRequest.Merge(m, src)
}
func (m *MarkCertificateRevokedRequest) XXX_Size() int {
return xxx_messageInfo_MarkCertificateRevokedRequest.Size(m)
}
func (m *MarkCertificateRevokedRequest) XXX_DiscardUnknown() {
xxx_messageInfo_MarkCertificateRevokedRequest.DiscardUnknown(m)
}
var xxx_messageInfo_MarkCertificateRevokedRequest proto.InternalMessageInfo
func (m *MarkCertificateRevokedRequest) GetSerial() string {
if m != nil && m.Serial != nil {
return *m.Serial
}
return ""
}
func (m *MarkCertificateRevokedRequest) GetCode() int64 {
if m != nil && m.Code != nil {
return *m.Code
}
return 0
}
type AddCertificateRequest struct {
Der []byte `protobuf:"bytes,1,opt,name=der" json:"der,omitempty"`
RegID *int64 `protobuf:"varint,2,opt,name=regID" json:"regID,omitempty"`
@ -1096,7 +1049,7 @@ func (m *AddCertificateRequest) Reset() { *m = AddCertificateRequest{} }
func (m *AddCertificateRequest) String() string { return proto.CompactTextString(m) }
func (*AddCertificateRequest) ProtoMessage() {}
func (*AddCertificateRequest) Descriptor() ([]byte, []int) {
return fileDescriptor_099fb35e782a48a6, []int{20}
return fileDescriptor_099fb35e782a48a6, []int{19}
}
func (m *AddCertificateRequest) XXX_Unmarshal(b []byte) error {
@ -1156,7 +1109,7 @@ func (m *AddCertificateResponse) Reset() { *m = AddCertificateResponse{}
func (m *AddCertificateResponse) String() string { return proto.CompactTextString(m) }
func (*AddCertificateResponse) ProtoMessage() {}
func (*AddCertificateResponse) Descriptor() ([]byte, []int) {
return fileDescriptor_099fb35e782a48a6, []int{21}
return fileDescriptor_099fb35e782a48a6, []int{20}
}
func (m *AddCertificateResponse) XXX_Unmarshal(b []byte) error {
@ -1195,7 +1148,7 @@ func (m *RevokeAuthorizationsByDomainRequest) Reset() { *m = RevokeAutho
func (m *RevokeAuthorizationsByDomainRequest) String() string { return proto.CompactTextString(m) }
func (*RevokeAuthorizationsByDomainRequest) ProtoMessage() {}
func (*RevokeAuthorizationsByDomainRequest) Descriptor() ([]byte, []int) {
return fileDescriptor_099fb35e782a48a6, []int{22}
return fileDescriptor_099fb35e782a48a6, []int{21}
}
func (m *RevokeAuthorizationsByDomainRequest) XXX_Unmarshal(b []byte) error {
@ -1235,7 +1188,7 @@ func (m *RevokeAuthorizationsByDomainResponse) Reset() { *m = RevokeAuth
func (m *RevokeAuthorizationsByDomainResponse) String() string { return proto.CompactTextString(m) }
func (*RevokeAuthorizationsByDomainResponse) ProtoMessage() {}
func (*RevokeAuthorizationsByDomainResponse) Descriptor() ([]byte, []int) {
return fileDescriptor_099fb35e782a48a6, []int{23}
return fileDescriptor_099fb35e782a48a6, []int{22}
}
func (m *RevokeAuthorizationsByDomainResponse) XXX_Unmarshal(b []byte) error {
@ -1282,7 +1235,7 @@ func (m *OrderRequest) Reset() { *m = OrderRequest{} }
func (m *OrderRequest) String() string { return proto.CompactTextString(m) }
func (*OrderRequest) ProtoMessage() {}
func (*OrderRequest) Descriptor() ([]byte, []int) {
return fileDescriptor_099fb35e782a48a6, []int{24}
return fileDescriptor_099fb35e782a48a6, []int{23}
}
func (m *OrderRequest) XXX_Unmarshal(b []byte) error {
@ -1329,7 +1282,7 @@ func (m *GetValidOrderAuthorizationsRequest) Reset() { *m = GetValidOrde
func (m *GetValidOrderAuthorizationsRequest) String() string { return proto.CompactTextString(m) }
func (*GetValidOrderAuthorizationsRequest) ProtoMessage() {}
func (*GetValidOrderAuthorizationsRequest) Descriptor() ([]byte, []int) {
return fileDescriptor_099fb35e782a48a6, []int{25}
return fileDescriptor_099fb35e782a48a6, []int{24}
}
func (m *GetValidOrderAuthorizationsRequest) XXX_Unmarshal(b []byte) error {
@ -1377,7 +1330,7 @@ func (m *GetOrderForNamesRequest) Reset() { *m = GetOrderForNamesRequest
func (m *GetOrderForNamesRequest) String() string { return proto.CompactTextString(m) }
func (*GetOrderForNamesRequest) ProtoMessage() {}
func (*GetOrderForNamesRequest) Descriptor() ([]byte, []int) {
return fileDescriptor_099fb35e782a48a6, []int{26}
return fileDescriptor_099fb35e782a48a6, []int{25}
}
func (m *GetOrderForNamesRequest) XXX_Unmarshal(b []byte) error {
@ -1433,7 +1386,7 @@ func (m *GetAuthorizationsRequest) Reset() { *m = GetAuthorizationsReque
func (m *GetAuthorizationsRequest) String() string { return proto.CompactTextString(m) }
func (*GetAuthorizationsRequest) ProtoMessage() {}
func (*GetAuthorizationsRequest) Descriptor() ([]byte, []int) {
return fileDescriptor_099fb35e782a48a6, []int{27}
return fileDescriptor_099fb35e782a48a6, []int{26}
}
func (m *GetAuthorizationsRequest) XXX_Unmarshal(b []byte) error {
@ -1493,7 +1446,7 @@ func (m *Authorizations) Reset() { *m = Authorizations{} }
func (m *Authorizations) String() string { return proto.CompactTextString(m) }
func (*Authorizations) ProtoMessage() {}
func (*Authorizations) Descriptor() ([]byte, []int) {
return fileDescriptor_099fb35e782a48a6, []int{28}
return fileDescriptor_099fb35e782a48a6, []int{27}
}
func (m *Authorizations) XXX_Unmarshal(b []byte) error {
@ -1533,7 +1486,7 @@ func (m *Authorizations_MapElement) Reset() { *m = Authorizations_MapEle
func (m *Authorizations_MapElement) String() string { return proto.CompactTextString(m) }
func (*Authorizations_MapElement) ProtoMessage() {}
func (*Authorizations_MapElement) Descriptor() ([]byte, []int) {
return fileDescriptor_099fb35e782a48a6, []int{28, 0}
return fileDescriptor_099fb35e782a48a6, []int{27, 0}
}
func (m *Authorizations_MapElement) XXX_Unmarshal(b []byte) error {
@ -1579,7 +1532,7 @@ func (m *AddPendingAuthorizationsRequest) Reset() { *m = AddPendingAutho
func (m *AddPendingAuthorizationsRequest) String() string { return proto.CompactTextString(m) }
func (*AddPendingAuthorizationsRequest) ProtoMessage() {}
func (*AddPendingAuthorizationsRequest) Descriptor() ([]byte, []int) {
return fileDescriptor_099fb35e782a48a6, []int{29}
return fileDescriptor_099fb35e782a48a6, []int{28}
}
func (m *AddPendingAuthorizationsRequest) XXX_Unmarshal(b []byte) error {
@ -1618,7 +1571,7 @@ func (m *AuthorizationIDs) Reset() { *m = AuthorizationIDs{} }
func (m *AuthorizationIDs) String() string { return proto.CompactTextString(m) }
func (*AuthorizationIDs) ProtoMessage() {}
func (*AuthorizationIDs) Descriptor() ([]byte, []int) {
return fileDescriptor_099fb35e782a48a6, []int{30}
return fileDescriptor_099fb35e782a48a6, []int{29}
}
func (m *AuthorizationIDs) XXX_Unmarshal(b []byte) error {
@ -1657,7 +1610,7 @@ func (m *AuthorizationID2) Reset() { *m = AuthorizationID2{} }
func (m *AuthorizationID2) String() string { return proto.CompactTextString(m) }
func (*AuthorizationID2) ProtoMessage() {}
func (*AuthorizationID2) Descriptor() ([]byte, []int) {
return fileDescriptor_099fb35e782a48a6, []int{31}
return fileDescriptor_099fb35e782a48a6, []int{30}
}
func (m *AuthorizationID2) XXX_Unmarshal(b []byte) error {
@ -1696,7 +1649,7 @@ func (m *Authorization2IDs) Reset() { *m = Authorization2IDs{} }
func (m *Authorization2IDs) String() string { return proto.CompactTextString(m) }
func (*Authorization2IDs) ProtoMessage() {}
func (*Authorization2IDs) Descriptor() ([]byte, []int) {
return fileDescriptor_099fb35e782a48a6, []int{32}
return fileDescriptor_099fb35e782a48a6, []int{31}
}
func (m *Authorization2IDs) XXX_Unmarshal(b []byte) error {
@ -1738,7 +1691,7 @@ func (m *RevokeCertificateRequest) Reset() { *m = RevokeCertificateReque
func (m *RevokeCertificateRequest) String() string { return proto.CompactTextString(m) }
func (*RevokeCertificateRequest) ProtoMessage() {}
func (*RevokeCertificateRequest) Descriptor() ([]byte, []int) {
return fileDescriptor_099fb35e782a48a6, []int{33}
return fileDescriptor_099fb35e782a48a6, []int{32}
}
func (m *RevokeCertificateRequest) XXX_Unmarshal(b []byte) error {
@ -1803,7 +1756,7 @@ func (m *FinalizeAuthorizationRequest) Reset() { *m = FinalizeAuthorizat
func (m *FinalizeAuthorizationRequest) String() string { return proto.CompactTextString(m) }
func (*FinalizeAuthorizationRequest) ProtoMessage() {}
func (*FinalizeAuthorizationRequest) Descriptor() ([]byte, []int) {
return fileDescriptor_099fb35e782a48a6, []int{34}
return fileDescriptor_099fb35e782a48a6, []int{33}
}
func (m *FinalizeAuthorizationRequest) XXX_Unmarshal(b []byte) error {
@ -1888,7 +1841,6 @@ func init() {
proto.RegisterType((*FQDNSetExistsRequest)(nil), "sa.FQDNSetExistsRequest")
proto.RegisterType((*PreviousCertificateExistsRequest)(nil), "sa.PreviousCertificateExistsRequest")
proto.RegisterType((*Exists)(nil), "sa.Exists")
proto.RegisterType((*MarkCertificateRevokedRequest)(nil), "sa.MarkCertificateRevokedRequest")
proto.RegisterType((*AddCertificateRequest)(nil), "sa.AddCertificateRequest")
proto.RegisterType((*AddCertificateResponse)(nil), "sa.AddCertificateResponse")
proto.RegisterType((*RevokeAuthorizationsByDomainRequest)(nil), "sa.RevokeAuthorizationsByDomainRequest")
@ -1910,126 +1862,123 @@ func init() {
func init() { proto.RegisterFile("sa/proto/sa.proto", fileDescriptor_099fb35e782a48a6) }
var fileDescriptor_099fb35e782a48a6 = []byte{
// 1890 bytes of a gzipped FileDescriptorProto
// 1854 bytes of a gzipped FileDescriptorProto
0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xbc, 0x59, 0xef, 0x72, 0xdb, 0xc6,
0x11, 0xe7, 0x1f, 0x51, 0xa6, 0x56, 0xb2, 0xfe, 0x9c, 0x25, 0x1a, 0x86, 0x25, 0x5b, 0xbe, 0x38,
0xae, 0x32, 0x9d, 0x51, 0x5c, 0xb4, 0x93, 0x74, 0x46, 0xb5, 0x53, 0x2b, 0x94, 0x65, 0x39, 0xb6,
0x11, 0xe7, 0x1f, 0xd3, 0x26, 0x57, 0xb2, 0xfe, 0x9c, 0x25, 0x1a, 0x86, 0x25, 0x9b, 0xbe, 0x38,
0xae, 0x32, 0x9d, 0x51, 0x5c, 0xb4, 0x93, 0x74, 0x46, 0xb5, 0x53, 0x2b, 0x94, 0x65, 0xa5, 0x8e,
0xcc, 0x80, 0xb1, 0x9c, 0x69, 0x3b, 0x9d, 0x41, 0x88, 0xb3, 0x8c, 0x9a, 0x02, 0x18, 0xdc, 0x51,
0x32, 0xf5, 0xb9, 0x33, 0xed, 0x13, 0x74, 0xfa, 0xb1, 0xcf, 0xd1, 0x97, 0xe8, 0x23, 0xb5, 0x73,
0x7b, 0x07, 0x10, 0x00, 0x0f, 0xa4, 0x63, 0x77, 0xf2, 0x0d, 0xbb, 0xb7, 0xff, 0xee, 0x6e, 0x6f,
0xf7, 0xb7, 0x24, 0xac, 0x71, 0xef, 0xf3, 0x41, 0x1c, 0x89, 0xe8, 0x73, 0xee, 0xed, 0xe2, 0x07,
0xa9, 0x71, 0xcf, 0xde, 0xe8, 0x45, 0x31, 0xd3, 0x0b, 0xf2, 0x53, 0x2d, 0xd1, 0x6d, 0x58, 0x76,
0xd9, 0x69, 0xc0, 0x45, 0xec, 0x89, 0x20, 0x0a, 0x8f, 0xda, 0x64, 0x19, 0x6a, 0x81, 0x6f, 0x55,
0xb7, 0xab, 0x3b, 0x75, 0xb7, 0x16, 0xf8, 0xf4, 0x16, 0xc0, 0xd3, 0xee, 0x8b, 0xe3, 0x57, 0xec,
0x87, 0x6f, 0xd8, 0x88, 0xac, 0x42, 0xfd, 0x2f, 0x17, 0x6f, 0x71, 0x79, 0xc9, 0x95, 0x9f, 0xf4,
0x0e, 0xac, 0x3c, 0x1a, 0x8a, 0x37, 0x51, 0x1c, 0x5c, 0x4e, 0x9a, 0x58, 0x40, 0x13, 0xff, 0xae,
0xc2, 0xad, 0x43, 0x26, 0x3a, 0x2c, 0xf4, 0x83, 0xf0, 0x34, 0x27, 0xed, 0xb2, 0x1f, 0x87, 0x8c,
0x0b, 0x72, 0x0f, 0x96, 0xe3, 0x5c, 0x1c, 0x3a, 0x82, 0x02, 0x57, 0xca, 0x05, 0x3e, 0x0b, 0x45,
0xf0, 0x3a, 0x60, 0xf1, 0x77, 0xa3, 0x01, 0xb3, 0x6a, 0xe8, 0xa6, 0xc0, 0x25, 0x3b, 0xb0, 0x32,
0xe6, 0x9c, 0x78, 0xfd, 0x21, 0xb3, 0xea, 0x28, 0x58, 0x64, 0x93, 0x5b, 0x00, 0xe7, 0x5e, 0x3f,
0xf0, 0x5f, 0x86, 0x22, 0xe8, 0x5b, 0x73, 0xe8, 0x35, 0xc3, 0xa1, 0x1c, 0xb6, 0x0e, 0x99, 0x38,
0x91, 0x8c, 0x5c, 0xe4, 0xfc, 0xa7, 0x86, 0x6e, 0xc1, 0x15, 0x3f, 0x3a, 0xf3, 0x82, 0x90, 0x5b,
0xb5, 0xed, 0xfa, 0xce, 0x82, 0x9b, 0x90, 0xf2, 0x50, 0xc3, 0xe8, 0x02, 0x03, 0xac, 0xbb, 0xf2,
0x93, 0xfe, 0xab, 0x0a, 0xd7, 0x0c, 0x2e, 0xc9, 0x6f, 0xa1, 0x81, 0xa1, 0x59, 0xd5, 0xed, 0xfa,
0xce, 0xa2, 0x43, 0x77, 0xb9, 0xb7, 0x6b, 0x90, 0xdb, 0x7d, 0xee, 0x0d, 0x0e, 0xfa, 0xec, 0x8c,
0x85, 0xc2, 0x55, 0x0a, 0xf6, 0x0b, 0x80, 0x31, 0x93, 0xb4, 0x60, 0x5e, 0x39, 0xd7, 0xb7, 0xa4,
0x29, 0xf2, 0x19, 0x34, 0xbc, 0xa1, 0x78, 0x73, 0x89, 0xa7, 0xba, 0xe8, 0x5c, 0xdb, 0xc5, 0x54,
0xc9, 0xdf, 0x98, 0x92, 0xa0, 0xff, 0xa9, 0xc1, 0xda, 0xd7, 0x2c, 0x96, 0x47, 0xd9, 0xf3, 0x04,
0xeb, 0x0a, 0x4f, 0x0c, 0xb9, 0x34, 0xcc, 0x59, 0x1c, 0x78, 0xfd, 0xc4, 0xb0, 0xa2, 0x90, 0x8f,
0x12, 0xfa, 0x1a, 0x34, 0x25, 0xef, 0x29, 0xea, 0xf1, 0xc1, 0x33, 0x8f, 0x8b, 0x97, 0x03, 0xdf,
0x13, 0xcc, 0xd7, 0x57, 0x50, 0x64, 0x93, 0x6d, 0x58, 0x8c, 0xd9, 0x79, 0xf4, 0x96, 0xf9, 0x6d,
0x4f, 0x30, 0xab, 0x81, 0x52, 0x59, 0x16, 0xb9, 0x0b, 0x57, 0x35, 0xe9, 0x32, 0x8f, 0x47, 0xa1,
0x35, 0x8f, 0x32, 0x79, 0x26, 0xf9, 0x0d, 0x6c, 0xf4, 0x3d, 0x2e, 0x0e, 0xde, 0x0d, 0x02, 0x75,
0x35, 0xc7, 0xde, 0x69, 0x97, 0x85, 0xc2, 0xba, 0x82, 0xd2, 0xe6, 0x45, 0x42, 0x61, 0x49, 0x06,
0xe4, 0x32, 0x3e, 0x88, 0x42, 0xce, 0xac, 0x26, 0x3e, 0x80, 0x1c, 0x8f, 0xd8, 0xd0, 0x0c, 0x23,
0xf1, 0xe8, 0xb5, 0x60, 0xb1, 0xb5, 0x80, 0xc6, 0x52, 0x9a, 0x6c, 0xc2, 0x42, 0xc0, 0xd1, 0x2c,
0xf3, 0x2d, 0xd8, 0xae, 0xee, 0x34, 0xdd, 0x31, 0xe3, 0xe9, 0x5c, 0xb3, 0xb6, 0x5a, 0xa7, 0xdb,
0x30, 0xdf, 0x1d, 0x9f, 0x96, 0xe1, 0x14, 0xe9, 0x1e, 0x34, 0x5c, 0x2f, 0x3c, 0x45, 0x57, 0xcc,
0x8b, 0xfb, 0x01, 0xe3, 0x42, 0x67, 0x5b, 0x4a, 0x4b, 0xe5, 0xbe, 0x27, 0xe4, 0x4a, 0x0d, 0x57,
0x34, 0x45, 0xb7, 0xa0, 0xf1, 0x75, 0x34, 0x0c, 0x05, 0x59, 0x87, 0x46, 0x4f, 0x7e, 0x68, 0x4d,
0x45, 0xd0, 0xef, 0xe1, 0x36, 0x2e, 0x67, 0xee, 0x94, 0xef, 0x8f, 0x8e, 0xbd, 0x33, 0x96, 0x66,
0xfa, 0x6d, 0x68, 0xc4, 0xd2, 0x3d, 0x2a, 0x2e, 0x3a, 0x0b, 0x32, 0xfb, 0x30, 0x1e, 0x57, 0xf1,
0xa5, 0xe5, 0x50, 0x2a, 0xe8, 0x04, 0x57, 0x04, 0xfd, 0x5b, 0x15, 0x96, 0xd0, 0xb4, 0x36, 0x47,
0xbe, 0x82, 0xa5, 0x5e, 0x86, 0xd6, 0xc9, 0x7c, 0x53, 0x9a, 0xcb, 0xca, 0x65, 0xb3, 0x38, 0xa7,
0x60, 0x7f, 0x91, 0x4b, 0x66, 0x02, 0x73, 0xd2, 0x91, 0x3e, 0x2b, 0xfc, 0x1e, 0xef, 0xb1, 0x96,
0xdd, 0x63, 0x07, 0xb6, 0xd0, 0x41, 0xb6, 0xe4, 0xf1, 0xfd, 0xd1, 0x51, 0x27, 0xd9, 0xa1, 0xac,
0x5c, 0x03, 0x5d, 0xdd, 0x6a, 0xc1, 0x60, 0xbc, 0xe3, 0x9a, 0x79, 0xc7, 0xf4, 0xef, 0x55, 0xb8,
0x83, 0x26, 0x8f, 0xc2, 0xf3, 0x8f, 0x2f, 0x11, 0x36, 0x34, 0xdf, 0x44, 0x5c, 0xe0, 0x6e, 0x54,
0x5d, 0x4b, 0xe9, 0x71, 0x28, 0xf5, 0x92, 0x50, 0xba, 0x40, 0x30, 0x92, 0x17, 0xb1, 0xcf, 0xe2,
0xd4, 0xf5, 0x26, 0x2c, 0x78, 0x3d, 0xdc, 0x7d, 0xea, 0x75, 0xcc, 0x98, 0xbd, 0xbf, 0x27, 0xb0,
0x8e, 0x46, 0x1f, 0x7f, 0xdb, 0x3e, 0xee, 0x32, 0x91, 0x9a, 0x6d, 0xc1, 0xfc, 0x45, 0x10, 0xfa,
0xd1, 0x85, 0xb6, 0xa9, 0xa9, 0xf2, 0x22, 0x47, 0xef, 0xc3, 0xba, 0x36, 0x72, 0xf0, 0x2e, 0xe0,
0x63, 0x4b, 0x19, 0x8d, 0x6a, 0x5e, 0xa3, 0x03, 0xdb, 0x9d, 0x98, 0x9d, 0x07, 0xd1, 0x90, 0x67,
0x92, 0x32, 0xaf, 0x5d, 0x56, 0xc8, 0xd6, 0xa1, 0x11, 0xb3, 0xd3, 0xa3, 0x76, 0x72, 0xff, 0x48,
0xc8, 0x17, 0xa6, 0xd4, 0xa5, 0x1e, 0xc3, 0x2f, 0xd4, 0x6b, 0xba, 0x9a, 0xa2, 0xdf, 0xc0, 0xd6,
0x73, 0x2f, 0x7e, 0x9b, 0xf1, 0xe7, 0x26, 0xd5, 0x23, 0x75, 0x68, 0x2c, 0x70, 0x04, 0xe6, 0x7a,
0x91, 0xcf, 0xb4, 0x3f, 0xfc, 0xa6, 0x6f, 0x61, 0xe3, 0x91, 0xef, 0xe7, 0x6c, 0x29, 0x23, 0xab,
0x50, 0xf7, 0x59, 0x9c, 0x74, 0x51, 0x9f, 0xc5, 0xe6, 0x78, 0xa5, 0x51, 0x59, 0x61, 0xf0, 0xca,
0x97, 0x5c, 0xfc, 0x96, 0x01, 0x04, 0x9c, 0x0f, 0xd3, 0x42, 0xa9, 0x29, 0x7a, 0x1f, 0x5a, 0x45,
0x67, 0xba, 0x2e, 0xc9, 0x33, 0x0a, 0x4e, 0x93, 0x52, 0x21, 0xcf, 0x08, 0x29, 0xfa, 0x00, 0x3e,
0x51, 0x9b, 0xcb, 0x27, 0xed, 0xfe, 0xa8, 0x8d, 0x67, 0x38, 0xe3, 0x88, 0xe9, 0x9f, 0xe1, 0xee,
0x74, 0x75, 0xed, 0x7e, 0x13, 0x16, 0x5e, 0x07, 0xa1, 0xd7, 0x0f, 0x2e, 0x59, 0x82, 0x2b, 0xc6,
0x0c, 0x79, 0xfd, 0x03, 0x85, 0x0b, 0xf4, 0xd6, 0x13, 0x92, 0x76, 0x60, 0x09, 0x53, 0x39, 0xfb,
0x36, 0x33, 0xc0, 0x84, 0xdc, 0x87, 0x6b, 0x43, 0xce, 0x4e, 0x9c, 0xbc, 0x7b, 0xb4, 0xd2, 0x74,
0x4d, 0x4b, 0xf4, 0x19, 0xd0, 0xa4, 0x95, 0xa3, 0x65, 0xf3, 0x63, 0x2d, 0xfa, 0x69, 0xc1, 0xbc,
0xd7, 0xeb, 0x89, 0xf4, 0x6e, 0x34, 0x45, 0x47, 0x70, 0xfd, 0x90, 0xa9, 0xd7, 0xf6, 0x38, 0x8a,
0x73, 0x85, 0x72, 0xac, 0x52, 0xcd, 0xaa, 0x98, 0xeb, 0x63, 0xd9, 0x46, 0xea, 0xe5, 0x1b, 0xf9,
0x67, 0x15, 0xac, 0x43, 0x26, 0x7e, 0x36, 0x3c, 0x22, 0xdb, 0x74, 0xcc, 0x7e, 0x1c, 0x06, 0xb1,
0x8e, 0xe5, 0x92, 0x63, 0xf6, 0x35, 0xdd, 0x22, 0x9b, 0xfe, 0xa3, 0x0a, 0xcb, 0x05, 0xd0, 0xf2,
0xeb, 0x04, 0x54, 0xa8, 0x3a, 0xbf, 0x25, 0x8b, 0xcc, 0x14, 0xbc, 0x82, 0xb2, 0xff, 0x7f, 0xbc,
0xf2, 0x0c, 0x6e, 0x3f, 0xf2, 0x7d, 0x13, 0x06, 0x4d, 0x4f, 0xee, 0xb3, 0x7c, 0xa0, 0xd3, 0xac,
0xdd, 0x85, 0xd5, 0x02, 0xea, 0xc5, 0x63, 0x0b, 0xfc, 0xa4, 0x8a, 0xc9, 0x4f, 0x4a, 0x27, 0xa4,
0x9c, 0x09, 0x7c, 0xfd, 0x29, 0xac, 0xe5, 0x64, 0x9c, 0x82, 0xa9, 0xba, 0x32, 0x75, 0x09, 0x96,
0x7a, 0x6d, 0x86, 0x72, 0x32, 0x05, 0x74, 0xc5, 0x0a, 0x09, 0xe9, 0xcc, 0x55, 0x94, 0x2c, 0x2b,
0x12, 0x53, 0xe9, 0x0b, 0xc6, 0x6f, 0xd9, 0x7a, 0xe2, 0x04, 0xdc, 0xcc, 0x61, 0xb9, 0x49, 0x69,
0xfa, 0xd7, 0x1a, 0x6c, 0x3e, 0xd6, 0x2f, 0xd6, 0x88, 0xde, 0x0d, 0x4f, 0x46, 0xa3, 0xbd, 0x5a,
0x0e, 0xed, 0x59, 0x70, 0x85, 0x21, 0xe4, 0xe1, 0xda, 0x77, 0x42, 0x62, 0x9b, 0x12, 0x82, 0x9d,
0x0d, 0x12, 0x04, 0xb8, 0xe0, 0x8e, 0x19, 0xa4, 0x0d, 0x6b, 0xd8, 0x5d, 0xb5, 0xd3, 0x5e, 0x14,
0xfb, 0xdc, 0x6a, 0xe0, 0x25, 0xb5, 0xd4, 0x25, 0x9d, 0x14, 0x96, 0xdd, 0x49, 0x05, 0xf2, 0x10,
0x56, 0xc6, 0xcc, 0x83, 0x38, 0x8e, 0x62, 0x44, 0x88, 0x8b, 0xce, 0xba, 0xb2, 0xd1, 0x89, 0xa3,
0x1f, 0xfa, 0xec, 0xac, 0xcd, 0x84, 0x17, 0xf4, 0xb9, 0x5b, 0x14, 0x76, 0xfe, 0x7b, 0x03, 0x56,
0xbb, 0x22, 0x8a, 0xbd, 0xd3, 0xe4, 0x14, 0xc4, 0x88, 0xec, 0xc1, 0xca, 0x21, 0xcb, 0x01, 0x0a,
0x42, 0xb0, 0x8b, 0xe6, 0x1e, 0x9b, 0x4d, 0x94, 0x8b, 0x2c, 0x97, 0x56, 0xc8, 0xef, 0x60, 0xbd,
0xa0, 0xbc, 0x3f, 0x92, 0x53, 0xd6, 0xb2, 0xb4, 0x30, 0x9e, 0xba, 0x4a, 0xb4, 0x1f, 0xc2, 0x6a,
0xb1, 0x08, 0x90, 0x6b, 0x13, 0x8f, 0xeb, 0xa8, 0x6d, 0x9b, 0x12, 0x99, 0x56, 0xc8, 0x77, 0x58,
0xc0, 0x4c, 0x2f, 0x82, 0xe0, 0x60, 0x31, 0x7d, 0x64, 0x2b, 0xb3, 0x7a, 0x02, 0x2d, 0xf3, 0xbc,
0x44, 0xee, 0x68, 0xa3, 0xe5, 0xb3, 0x94, 0x7d, 0xbd, 0x64, 0xa0, 0xa1, 0x15, 0xf2, 0x2b, 0x58,
0x3e, 0x64, 0x59, 0x74, 0x4a, 0x40, 0x0a, 0x2b, 0xc4, 0x6c, 0xaf, 0xa9, 0x60, 0x32, 0xcb, 0xb4,
0x42, 0xf6, 0xf0, 0x78, 0x27, 0x87, 0x94, 0xac, 0xe2, 0x06, 0xa2, 0xce, 0xa2, 0x08, 0xad, 0x90,
0x2e, 0x58, 0x65, 0x78, 0x98, 0x7c, 0x92, 0x42, 0xd5, 0x72, 0xb4, 0x6c, 0xaf, 0x16, 0xf1, 0x2c,
0xad, 0x90, 0xef, 0x35, 0x00, 0xcd, 0xab, 0x1d, 0xbc, 0xf3, 0x7a, 0xe2, 0x23, 0x2d, 0x3f, 0x81,
0x96, 0x19, 0xda, 0xaa, 0x63, 0x9f, 0x0a, 0x7b, 0xed, 0x85, 0x54, 0x84, 0x56, 0xc8, 0x73, 0xb8,
0x59, 0x22, 0x8d, 0x18, 0xff, 0xa7, 0x9a, 0x7b, 0x00, 0x36, 0x7e, 0x1a, 0x2b, 0xaf, 0xf1, 0xad,
0xe4, 0xd4, 0x1d, 0x58, 0xcc, 0xa0, 0x5a, 0xd2, 0x4a, 0xd7, 0x72, 0x30, 0x37, 0xaf, 0xd3, 0xd1,
0x2e, 0x8d, 0x98, 0x9c, 0x7c, 0x9a, 0x8a, 0x4e, 0xc3, 0xec, 0x79, 0x8b, 0x5f, 0xc0, 0xd5, 0x1c,
0x0c, 0x26, 0x56, 0xba, 0x5a, 0x40, 0xc6, 0x79, 0xbd, 0x2f, 0xe1, 0x6a, 0x0e, 0xf4, 0x2a, 0x3d,
0x13, 0x0e, 0xb6, 0x31, 0x29, 0x15, 0x8b, 0x56, 0xc8, 0x0b, 0xb8, 0x51, 0x8a, 0x7d, 0xc9, 0x5d,
0x29, 0x3a, 0x0b, 0x1a, 0x17, 0x0c, 0xfe, 0x1e, 0xd6, 0x8a, 0xc5, 0xc2, 0x21, 0xeb, 0x86, 0x6a,
0xe1, 0x94, 0x3d, 0xec, 0x27, 0x40, 0x26, 0x30, 0x87, 0x43, 0x36, 0xf5, 0xa3, 0x36, 0x1f, 0x22,
0x99, 0xec, 0xf5, 0xb4, 0x42, 0x5e, 0x22, 0x7a, 0x31, 0x25, 0x84, 0xf3, 0x31, 0x95, 0xe7, 0xa1,
0x4e, 0x5c, 0x63, 0xa6, 0x39, 0xb3, 0x53, 0xed, 0x4f, 0xb0, 0x39, 0x05, 0x1e, 0x3a, 0xe4, 0x5e,
0xb6, 0x7e, 0x95, 0x03, 0xc8, 0x92, 0x4d, 0x7f, 0xab, 0xa3, 0x33, 0x26, 0x9d, 0xf3, 0x41, 0x59,
0xe9, 0x62, 0x01, 0x3f, 0x31, 0x99, 0x7b, 0x8f, 0x5a, 0x6b, 0x0e, 0x73, 0x0f, 0x56, 0x8e, 0xd9,
0x45, 0xa1, 0x9f, 0x4d, 0x74, 0x9f, 0x92, 0x8e, 0xf4, 0x25, 0x10, 0xf5, 0x73, 0xcd, 0x4c, 0xfd,
0x45, 0xc5, 0x3b, 0x38, 0x1b, 0x88, 0x11, 0xad, 0x90, 0x03, 0xb8, 0x7e, 0xcc, 0x2e, 0x8c, 0xad,
0xc8, 0x74, 0xd9, 0x65, 0x19, 0xb0, 0x07, 0x1b, 0x46, 0x9c, 0x62, 0x36, 0x52, 0x88, 0xe1, 0x29,
0xb4, 0xcc, 0xa3, 0x9f, 0x3a, 0xcc, 0xa9, 0x63, 0x61, 0xd1, 0xd6, 0x11, 0x2c, 0xe7, 0x87, 0x31,
0x72, 0x03, 0x4f, 0xdb, 0x34, 0x0d, 0xda, 0xb6, 0x69, 0x49, 0x43, 0xaf, 0x0a, 0xe1, 0xb0, 0x39,
0x6d, 0xcc, 0x22, 0xbf, 0x50, 0x69, 0x3d, 0x73, 0x8e, 0xb3, 0x77, 0x66, 0x0b, 0xa6, 0x4e, 0xf7,
0xa0, 0xd5, 0x66, 0x5e, 0x4f, 0x04, 0xe7, 0x93, 0x97, 0x39, 0xf9, 0x8a, 0x0a, 0x9b, 0x7f, 0x00,
0xd7, 0xc7, 0xca, 0xef, 0x01, 0x4f, 0x0a, 0xea, 0xf7, 0xa0, 0x79, 0xcc, 0x2e, 0xf0, 0x7d, 0x11,
0xbd, 0x84, 0x84, 0x9d, 0x25, 0x68, 0x85, 0xdc, 0x07, 0xd2, 0xd5, 0xf3, 0x57, 0x27, 0x8e, 0x7a,
0x8c, 0xf3, 0x20, 0x3c, 0x35, 0x6a, 0x24, 0x96, 0x7f, 0x09, 0x57, 0x13, 0x0d, 0x44, 0x74, 0xb3,
0x84, 0x93, 0x5c, 0x2a, 0x8f, 0x65, 0x2c, 0xdc, 0x4c, 0x66, 0x41, 0x82, 0xdd, 0x39, 0x3b, 0xb9,
0x16, 0x03, 0xff, 0x23, 0xdc, 0x9c, 0x52, 0x45, 0x3e, 0xb2, 0xcc, 0x28, 0x50, 0x98, 0x9b, 0x4a,
0xc9, 0x4d, 0x6d, 0xd1, 0x34, 0xab, 0x16, 0x83, 0x3b, 0x9c, 0xec, 0x13, 0xfc, 0x83, 0x8a, 0xfc,
0x2b, 0xb0, 0xca, 0xe6, 0x2d, 0x85, 0x72, 0x66, 0x4c, 0x63, 0xb6, 0xa9, 0x39, 0xe9, 0x4e, 0x36,
0x31, 0x09, 0xa9, 0x08, 0xcb, 0x06, 0xa4, 0xe2, 0x6d, 0xb9, 0x40, 0x8e, 0xd9, 0x45, 0xb1, 0x64,
0xbe, 0x57, 0x50, 0x1b, 0x13, 0x41, 0x39, 0x2a, 0xaa, 0x23, 0x68, 0x19, 0x4b, 0x8f, 0x43, 0xb6,
0xb1, 0xe5, 0x4f, 0x19, 0x9f, 0x8a, 0xe1, 0x7d, 0x05, 0x56, 0xc9, 0xfb, 0x29, 0xeb, 0xd8, 0x05,
0x03, 0xaf, 0x60, 0x6b, 0xda, 0x3b, 0x77, 0xde, 0xbf, 0x66, 0xe4, 0x0d, 0xef, 0x5f, 0xf9, 0x43,
0x03, 0xff, 0x36, 0xfa, 0x5f, 0x00, 0x00, 0x00, 0xff, 0xff, 0x45, 0x48, 0xab, 0xa8, 0x65, 0x1a,
0x00, 0x00,
0x32, 0xf5, 0xb9, 0x33, 0xed, 0x13, 0x74, 0xfa, 0xb1, 0xef, 0xd0, 0x6f, 0x7d, 0x89, 0xbe, 0x52,
0xe7, 0xf6, 0x0e, 0x20, 0x00, 0x1e, 0x48, 0x27, 0xee, 0xf4, 0x1b, 0x76, 0x6f, 0xff, 0xdd, 0xdd,
0xee, 0xde, 0x6f, 0x49, 0x58, 0xe7, 0xde, 0xa7, 0xa3, 0x38, 0x12, 0xd1, 0xa7, 0xdc, 0xdb, 0xc5,
0x0f, 0x52, 0xe3, 0x9e, 0xbd, 0x39, 0x88, 0x62, 0xa6, 0x17, 0xe4, 0xa7, 0x5a, 0xa2, 0x1d, 0x58,
0x71, 0xd9, 0x69, 0xc0, 0x45, 0xec, 0x89, 0x20, 0x0a, 0x8f, 0xba, 0x64, 0x05, 0x6a, 0x81, 0x6f,
0x55, 0x3b, 0xd5, 0x9d, 0xba, 0x5b, 0x0b, 0x7c, 0x7a, 0x07, 0xe0, 0xab, 0xfe, 0x8b, 0xe3, 0x57,
0xec, 0xfb, 0xdf, 0xb1, 0x09, 0x59, 0x83, 0xfa, 0x9f, 0x2f, 0xde, 0xe2, 0xf2, 0xb2, 0x2b, 0x3f,
0xe9, 0x3d, 0x58, 0x7d, 0x32, 0x16, 0x6f, 0xa2, 0x38, 0xb8, 0x9c, 0x35, 0xd1, 0x42, 0x13, 0xff,
0xae, 0xc2, 0x9d, 0x43, 0x26, 0x7a, 0x2c, 0xf4, 0x83, 0xf0, 0x34, 0x27, 0xed, 0xb2, 0x1f, 0xc6,
0x8c, 0x0b, 0xf2, 0x00, 0x56, 0xe2, 0x5c, 0x1c, 0x3a, 0x82, 0x02, 0x57, 0xca, 0x05, 0x3e, 0x0b,
0x45, 0xf0, 0x3a, 0x60, 0xf1, 0xb7, 0x93, 0x11, 0xb3, 0x6a, 0xe8, 0xa6, 0xc0, 0x25, 0x3b, 0xb0,
0x3a, 0xe5, 0x9c, 0x78, 0xc3, 0x31, 0xb3, 0xea, 0x28, 0x58, 0x64, 0x93, 0x3b, 0x00, 0xe7, 0xde,
0x30, 0xf0, 0x5f, 0x86, 0x22, 0x18, 0x5a, 0x57, 0xd0, 0x6b, 0x86, 0x43, 0x39, 0x6c, 0x1f, 0x32,
0x71, 0x22, 0x19, 0xb9, 0xc8, 0xf9, 0x8f, 0x0d, 0xdd, 0x82, 0x6b, 0x7e, 0x74, 0xe6, 0x05, 0x21,
0xb7, 0x6a, 0x9d, 0xfa, 0x4e, 0xcb, 0x4d, 0x48, 0x79, 0xa8, 0x61, 0x74, 0x81, 0x01, 0xd6, 0x5d,
0xf9, 0x49, 0xff, 0x59, 0x85, 0x1b, 0x06, 0x97, 0xe4, 0xd7, 0xd0, 0xc0, 0xd0, 0xac, 0x6a, 0xa7,
0xbe, 0xb3, 0xe4, 0xd0, 0x5d, 0xee, 0xed, 0x1a, 0xe4, 0x76, 0xbf, 0xf6, 0x46, 0x07, 0x43, 0x76,
0xc6, 0x42, 0xe1, 0x2a, 0x05, 0xfb, 0x05, 0xc0, 0x94, 0x49, 0xda, 0x70, 0x55, 0x39, 0xd7, 0xb7,
0xa4, 0x29, 0xf2, 0x09, 0x34, 0xbc, 0xb1, 0x78, 0x73, 0x89, 0xa7, 0xba, 0xe4, 0xdc, 0xd8, 0xc5,
0x54, 0xc9, 0xdf, 0x98, 0x92, 0xa0, 0xff, 0xa9, 0xc1, 0xfa, 0x97, 0x2c, 0x96, 0x47, 0x39, 0xf0,
0x04, 0xeb, 0x0b, 0x4f, 0x8c, 0xb9, 0x34, 0xcc, 0x59, 0x1c, 0x78, 0xc3, 0xc4, 0xb0, 0xa2, 0x90,
0x8f, 0x12, 0xfa, 0x1a, 0x34, 0x25, 0xef, 0x29, 0x1a, 0xf0, 0xd1, 0x73, 0x8f, 0x8b, 0x97, 0x23,
0xdf, 0x13, 0xcc, 0xd7, 0x57, 0x50, 0x64, 0x93, 0x0e, 0x2c, 0xc5, 0xec, 0x3c, 0x7a, 0xcb, 0xfc,
0xae, 0x27, 0x98, 0xd5, 0x40, 0xa9, 0x2c, 0x8b, 0xdc, 0x87, 0xeb, 0x9a, 0x74, 0x99, 0xc7, 0xa3,
0xd0, 0xba, 0x8a, 0x32, 0x79, 0x26, 0xf9, 0x15, 0x6c, 0x0e, 0x3d, 0x2e, 0x0e, 0xde, 0x8d, 0x02,
0x75, 0x35, 0xc7, 0xde, 0x69, 0x9f, 0x85, 0xc2, 0xba, 0x86, 0xd2, 0xe6, 0x45, 0x42, 0x61, 0x59,
0x06, 0xe4, 0x32, 0x3e, 0x8a, 0x42, 0xce, 0xac, 0x26, 0x16, 0x40, 0x8e, 0x47, 0x6c, 0x68, 0x86,
0x91, 0x78, 0xf2, 0x5a, 0xb0, 0xd8, 0x6a, 0xa1, 0xb1, 0x94, 0x26, 0x5b, 0xd0, 0x0a, 0x38, 0x9a,
0x65, 0xbe, 0x05, 0x9d, 0xea, 0x4e, 0xd3, 0x9d, 0x32, 0xbe, 0xba, 0xd2, 0xac, 0xad, 0xd5, 0x69,
0x07, 0xae, 0xf6, 0xa7, 0xa7, 0x65, 0x38, 0x45, 0xba, 0x07, 0x0d, 0xd7, 0x0b, 0x4f, 0xd1, 0x15,
0xf3, 0xe2, 0x61, 0xc0, 0xb8, 0xd0, 0xd9, 0x96, 0xd2, 0x52, 0x79, 0xe8, 0x09, 0xb9, 0x52, 0xc3,
0x15, 0x4d, 0xd1, 0x6d, 0x68, 0x7c, 0x19, 0x8d, 0x43, 0x41, 0x36, 0xa0, 0x31, 0x90, 0x1f, 0x5a,
0x53, 0x11, 0xf4, 0x3b, 0xb8, 0x8b, 0xcb, 0x99, 0x3b, 0xe5, 0xfb, 0x93, 0x63, 0xef, 0x8c, 0xa5,
0x99, 0x7e, 0x17, 0x1a, 0xb1, 0x74, 0x8f, 0x8a, 0x4b, 0x4e, 0x4b, 0x66, 0x1f, 0xc6, 0xe3, 0x2a,
0xbe, 0xb4, 0x1c, 0x4a, 0x05, 0x9d, 0xe0, 0x8a, 0xa0, 0x7f, 0xad, 0xc2, 0x32, 0x9a, 0xd6, 0xe6,
0xc8, 0x17, 0xb0, 0x3c, 0xc8, 0xd0, 0x3a, 0x99, 0x6f, 0x4b, 0x73, 0x59, 0xb9, 0x6c, 0x16, 0xe7,
0x14, 0xec, 0xcf, 0x72, 0xc9, 0x4c, 0xe0, 0x8a, 0x74, 0xa4, 0xcf, 0x0a, 0xbf, 0xa7, 0x7b, 0xac,
0x65, 0xf7, 0xd8, 0x83, 0x6d, 0x74, 0x90, 0x6d, 0x79, 0x7c, 0x7f, 0x72, 0xd4, 0x4b, 0x76, 0x28,
0x3b, 0xd7, 0x48, 0x77, 0xb7, 0x5a, 0x30, 0x9a, 0xee, 0xb8, 0x66, 0xde, 0x31, 0xfd, 0x5b, 0x15,
0xee, 0xa1, 0xc9, 0xa3, 0xf0, 0xfc, 0xc3, 0x5b, 0x84, 0x0d, 0xcd, 0x37, 0x11, 0x17, 0xb8, 0x1b,
0xd5, 0xd7, 0x52, 0x7a, 0x1a, 0x4a, 0xbd, 0x24, 0x94, 0x3e, 0x10, 0x8c, 0xe4, 0x45, 0xec, 0xb3,
0x38, 0x75, 0xbd, 0x05, 0x2d, 0x6f, 0x80, 0xbb, 0x4f, 0xbd, 0x4e, 0x19, 0x8b, 0xf7, 0xf7, 0x0c,
0x36, 0xd0, 0xe8, 0xd3, 0x6f, 0xba, 0xc7, 0x7d, 0x26, 0x52, 0xb3, 0x6d, 0xb8, 0x7a, 0x11, 0x84,
0x7e, 0x74, 0xa1, 0x6d, 0x6a, 0xaa, 0xbc, 0xc9, 0xd1, 0x87, 0xb0, 0xa1, 0x8d, 0x1c, 0xbc, 0x0b,
0xf8, 0xd4, 0x52, 0x46, 0xa3, 0x9a, 0xd7, 0xe8, 0x41, 0xa7, 0x17, 0xb3, 0xf3, 0x20, 0x1a, 0xf3,
0x4c, 0x52, 0xe6, 0xb5, 0xcb, 0x1a, 0xd9, 0x06, 0x34, 0x62, 0x76, 0x7a, 0xd4, 0x4d, 0xee, 0x1f,
0x09, 0x59, 0x61, 0x4a, 0x5d, 0xea, 0x31, 0xfc, 0x42, 0xbd, 0xa6, 0xab, 0x29, 0xfa, 0x16, 0x36,
0x9f, 0xf8, 0x7e, 0xc6, 0x5d, 0xe2, 0x68, 0x0d, 0xea, 0x3e, 0x8b, 0x93, 0x87, 0xcf, 0x67, 0xb1,
0xd9, 0x85, 0x4c, 0x46, 0xd9, 0x14, 0xf0, 0x96, 0x96, 0x5d, 0xfc, 0x96, 0xce, 0x02, 0xce, 0xc7,
0x69, 0x6f, 0xd3, 0x14, 0x7d, 0x08, 0xed, 0xa2, 0x33, 0xdd, 0x4a, 0xe4, 0xb6, 0x82, 0xd3, 0xa4,
0xba, 0xe5, 0xb6, 0x90, 0xa2, 0x8f, 0xe0, 0x23, 0x17, 0xbb, 0x59, 0x3e, 0xcf, 0xf6, 0x27, 0x5d,
0xdc, 0xf6, 0x82, 0x53, 0xa1, 0x7f, 0x82, 0xfb, 0xf3, 0xd5, 0xb5, 0xfb, 0x2d, 0x68, 0xbd, 0x0e,
0x42, 0x6f, 0x18, 0x5c, 0xb2, 0x04, 0x0a, 0x4c, 0x19, 0xf2, 0xc6, 0x46, 0xea, 0x29, 0xd7, 0x5b,
0x4f, 0x48, 0xda, 0x83, 0x65, 0xcc, 0xbe, 0x6c, 0x39, 0x65, 0xb0, 0x04, 0x79, 0x08, 0x37, 0xc6,
0x9c, 0x9d, 0x38, 0x79, 0xf7, 0x68, 0xa5, 0xe9, 0x9a, 0x96, 0xe8, 0x73, 0xa0, 0xc9, 0xeb, 0x8b,
0x96, 0xcd, 0xf5, 0x55, 0xf4, 0xd3, 0x86, 0xab, 0xde, 0x60, 0x20, 0xd2, 0xbb, 0xd1, 0x14, 0x9d,
0xc0, 0xcd, 0x43, 0xa6, 0x0a, 0xe4, 0x69, 0x14, 0xe7, 0x7a, 0xdb, 0x54, 0xa5, 0x9a, 0x55, 0x31,
0xb7, 0xb4, 0xb2, 0x8d, 0xd4, 0xcb, 0x37, 0xf2, 0x8f, 0x2a, 0x58, 0x87, 0x4c, 0xfc, 0xdf, 0x20,
0x84, 0x7c, 0x59, 0x63, 0xf6, 0xc3, 0x38, 0x88, 0x75, 0x2c, 0x97, 0x1c, 0xb3, 0xaf, 0xe9, 0x16,
0xd9, 0xf4, 0xef, 0x55, 0x58, 0x29, 0xe0, 0x8c, 0x5f, 0x26, 0x38, 0x40, 0xb5, 0xe6, 0x6d, 0xd9,
0x17, 0xe6, 0x40, 0x0c, 0x94, 0xfd, 0xdf, 0x43, 0x8c, 0xe7, 0x70, 0xf7, 0x89, 0xef, 0x9b, 0x60,
0x63, 0x7a, 0x72, 0x9f, 0xe4, 0x03, 0x9d, 0x67, 0xed, 0x3e, 0xac, 0x15, 0x80, 0x2a, 0x1e, 0x5b,
0xe0, 0x27, 0x8d, 0x47, 0x7e, 0x52, 0x3a, 0x23, 0xe5, 0xcc, 0x40, 0xe2, 0x8f, 0x61, 0x3d, 0x27,
0xe3, 0x14, 0x4c, 0xd5, 0x95, 0xa9, 0x4b, 0xb0, 0x54, 0xb5, 0x19, 0xda, 0xc9, 0x1c, 0x9c, 0x14,
0x2b, 0xf0, 0xa2, 0x33, 0x57, 0x51, 0xb2, 0xad, 0x48, 0x18, 0xa4, 0x2f, 0x18, 0xbf, 0xe5, 0x6b,
0x11, 0x27, 0x78, 0xe4, 0x0a, 0xb6, 0x9b, 0x94, 0xa6, 0x7f, 0xa9, 0xc1, 0xd6, 0x53, 0x5d, 0xb1,
0x46, 0xc0, 0x6d, 0x28, 0x19, 0x0d, 0xd0, 0x6a, 0x39, 0x80, 0x66, 0xc1, 0x35, 0x86, 0x28, 0x85,
0x6b, 0xdf, 0x09, 0x89, 0x2f, 0x8b, 0x10, 0xec, 0x6c, 0x94, 0x80, 0xb6, 0x96, 0x3b, 0x65, 0x90,
0x2e, 0xac, 0xe3, 0x83, 0xa8, 0x9d, 0x0e, 0xa2, 0xd8, 0xe7, 0x56, 0x03, 0x2f, 0xa9, 0xad, 0x2e,
0xe9, 0xa4, 0xb0, 0xec, 0xce, 0x2a, 0x90, 0xc7, 0xb0, 0x3a, 0x65, 0x1e, 0xc4, 0x71, 0x14, 0x23,
0xa8, 0x5b, 0x72, 0x36, 0x94, 0x8d, 0x5e, 0x1c, 0x7d, 0x3f, 0x64, 0x67, 0x5d, 0x26, 0xbc, 0x60,
0xc8, 0xdd, 0xa2, 0xb0, 0xf3, 0xaf, 0x5b, 0xb0, 0xd6, 0x17, 0x51, 0xec, 0x9d, 0x26, 0xa7, 0x20,
0x26, 0x64, 0x0f, 0x56, 0x0f, 0x59, 0x0e, 0x03, 0x10, 0x82, 0x0f, 0x5f, 0xae, 0xd8, 0x6c, 0xa2,
0x5c, 0x64, 0xb9, 0xb4, 0x42, 0x7e, 0x03, 0x1b, 0x05, 0xe5, 0xfd, 0x89, 0x1c, 0x8c, 0x56, 0xa4,
0x85, 0xe9, 0xa0, 0x54, 0xa2, 0xfd, 0x18, 0xd6, 0x8a, 0x4d, 0x80, 0xdc, 0x98, 0x29, 0xae, 0xa3,
0xae, 0x6d, 0x4a, 0x64, 0x5a, 0x21, 0xdf, 0x62, 0x03, 0x33, 0x55, 0x04, 0xc1, 0x59, 0x60, 0xfe,
0x94, 0x55, 0x66, 0xf5, 0x04, 0xda, 0xe6, 0x11, 0x87, 0xdc, 0xd3, 0x46, 0xcb, 0xc7, 0x1f, 0xfb,
0x66, 0xc9, 0x0c, 0x42, 0x2b, 0xe4, 0x17, 0xb0, 0x72, 0xc8, 0xb2, 0x80, 0x92, 0x80, 0x14, 0x56,
0x20, 0xd7, 0x5e, 0x57, 0xc1, 0x64, 0x96, 0x69, 0x85, 0xec, 0xe1, 0xf1, 0xce, 0xce, 0x15, 0x59,
0xc5, 0x4d, 0x04, 0x8a, 0x45, 0x11, 0x5a, 0x21, 0x7d, 0xb0, 0xca, 0x20, 0x2c, 0xf9, 0x28, 0x45,
0x97, 0xe5, 0x00, 0xd7, 0x5e, 0x2b, 0x42, 0x50, 0x5a, 0x21, 0xdf, 0x69, 0xcc, 0x98, 0x57, 0x3b,
0x78, 0xe7, 0x0d, 0xc4, 0x07, 0x5a, 0x7e, 0x06, 0x6d, 0x33, 0x1a, 0x55, 0xc7, 0x3e, 0x17, 0xa9,
0xda, 0xad, 0x54, 0x84, 0x56, 0xc8, 0xd7, 0x70, 0xbb, 0x44, 0x1a, 0x61, 0xf9, 0x8f, 0x35, 0xf7,
0x08, 0x6c, 0xfc, 0x34, 0x76, 0x5e, 0x63, 0xad, 0xe4, 0xd4, 0x1d, 0x58, 0xca, 0x00, 0x51, 0xd2,
0x4e, 0xd7, 0x72, 0xc8, 0x34, 0xaf, 0xd3, 0xd3, 0x2e, 0x8d, 0x30, 0x9a, 0x7c, 0x9c, 0x8a, 0xce,
0x83, 0xd9, 0x79, 0x8b, 0x9f, 0xc1, 0xf5, 0x1c, 0x72, 0x25, 0x56, 0xba, 0x5a, 0x00, 0xb3, 0x79,
0xbd, 0xcf, 0xe1, 0x7a, 0x0e, 0xa7, 0x2a, 0x3d, 0x13, 0x74, 0xb5, 0x31, 0x29, 0x15, 0x8b, 0x56,
0xc8, 0x0b, 0xb8, 0x55, 0x0a, 0x57, 0xc9, 0x7d, 0x29, 0xba, 0x08, 0xcd, 0x16, 0x0c, 0xfe, 0x16,
0xd6, 0x8b, 0xcd, 0xc2, 0x21, 0x1b, 0x86, 0x6e, 0xe1, 0x94, 0x15, 0xf6, 0x33, 0x20, 0x33, 0x98,
0xc3, 0x21, 0x5b, 0xba, 0xa8, 0xcd, 0x87, 0x48, 0x66, 0xdf, 0x7a, 0x5a, 0x21, 0x2f, 0x11, 0xbd,
0x98, 0x12, 0xc2, 0xf9, 0x90, 0xce, 0xf3, 0x58, 0x27, 0xae, 0x31, 0xd3, 0x9c, 0xc5, 0xa9, 0xf6,
0x47, 0xd8, 0x9a, 0x03, 0x0f, 0x1d, 0xf2, 0x20, 0xdb, 0xbf, 0xca, 0x01, 0x64, 0xc9, 0xa6, 0xbf,
0xd1, 0xd1, 0x19, 0x93, 0xce, 0xf9, 0x49, 0x59, 0xe9, 0x62, 0x03, 0x3f, 0x31, 0x99, 0x7b, 0x8f,
0x5e, 0x6b, 0x0e, 0x73, 0x0f, 0x56, 0x8f, 0xd9, 0x45, 0xe1, 0x3d, 0x9b, 0x79, 0x7d, 0x4a, 0x5e,
0xa4, 0xcf, 0x81, 0xa8, 0x5f, 0x58, 0x16, 0xea, 0x2f, 0x29, 0xde, 0xc1, 0xd9, 0x48, 0x4c, 0x68,
0x85, 0x1c, 0xc0, 0xcd, 0x63, 0x76, 0x61, 0x7c, 0x8a, 0x4c, 0x97, 0x5d, 0x96, 0x01, 0x7b, 0xb0,
0x69, 0xc4, 0x29, 0x66, 0x23, 0x85, 0x18, 0x8e, 0x60, 0x25, 0x3f, 0x40, 0x91, 0x5b, 0x78, 0x42,
0xa6, 0x09, 0xce, 0xb6, 0x4d, 0x4b, 0x1a, 0x2e, 0x55, 0x08, 0x87, 0xad, 0x79, 0xa3, 0x11, 0xf9,
0x99, 0x4a, 0xc5, 0x85, 0xb3, 0x97, 0xbd, 0xb3, 0x58, 0x30, 0x75, 0xba, 0x07, 0xed, 0x2e, 0xf3,
0x06, 0x22, 0x38, 0x9f, 0xbd, 0x80, 0xd9, 0xcc, 0x2f, 0x6c, 0xfe, 0x11, 0xdc, 0x9c, 0x2a, 0xbf,
0x07, 0xa4, 0x28, 0xa8, 0x3f, 0x80, 0xe6, 0x31, 0xbb, 0xc0, 0x9a, 0x20, 0x7a, 0x09, 0x09, 0x3b,
0x4b, 0xd0, 0x0a, 0x79, 0x08, 0xa4, 0xaf, 0x67, 0xa6, 0x5e, 0x1c, 0x0d, 0x18, 0xe7, 0x41, 0x78,
0x6a, 0xd4, 0x48, 0x2c, 0xff, 0x1c, 0xae, 0x27, 0x1a, 0x88, 0xc2, 0x16, 0x09, 0x27, 0xf7, 0x5f,
0x1e, 0xcb, 0x54, 0xb8, 0x99, 0xcc, 0x6f, 0x04, 0x5f, 0xd4, 0xec, 0xb4, 0x59, 0x0c, 0xfc, 0x0f,
0x70, 0x7b, 0x4e, 0xe5, 0x7f, 0x60, 0x6b, 0x50, 0x40, 0x2e, 0x37, 0x49, 0x92, 0xdb, 0xda, 0xa2,
0x69, 0xbe, 0x2c, 0x06, 0x77, 0x38, 0xdb, 0xdb, 0xf9, 0x4f, 0x6a, 0xcc, 0xaf, 0xc0, 0x2a, 0x9b,
0x91, 0x14, 0x32, 0x59, 0x30, 0x41, 0xd9, 0xa6, 0x07, 0x45, 0xbf, 0x3e, 0x33, 0xd3, 0x8b, 0x8a,
0xb0, 0x6c, 0xa8, 0x29, 0xde, 0x96, 0x0b, 0xe4, 0x98, 0x5d, 0x14, 0xdb, 0xdc, 0x7b, 0x05, 0xb5,
0x39, 0x13, 0x94, 0xa3, 0xa2, 0x3a, 0x82, 0xb6, 0xb1, 0x5d, 0x38, 0xa4, 0x83, 0xcf, 0xf4, 0x9c,
0x91, 0xa7, 0x18, 0xde, 0x17, 0x60, 0x95, 0xd4, 0x4f, 0xd9, 0x2b, 0x5b, 0x30, 0xf0, 0x0a, 0xb6,
0xe7, 0xd5, 0xb9, 0xf3, 0xfe, 0x3d, 0x23, 0x6f, 0x78, 0xff, 0xda, 0xef, 0x1b, 0xf8, 0xef, 0xcc,
0x7f, 0x03, 0x00, 0x00, 0xff, 0xff, 0x4d, 0x98, 0x41, 0xa2, 0xcc, 0x19, 0x00, 0x00,
}
// Reference imports to suppress errors if they are not otherwise used.
@ -2076,7 +2025,6 @@ type StorageAuthorityClient interface {
UpdateRegistration(ctx context.Context, in *proto1.Registration, opts ...grpc.CallOption) (*proto1.Empty, error)
NewPendingAuthorization(ctx context.Context, in *proto1.Authorization, opts ...grpc.CallOption) (*proto1.Authorization, error)
FinalizeAuthorization(ctx context.Context, in *proto1.Authorization, opts ...grpc.CallOption) (*proto1.Empty, error)
MarkCertificateRevoked(ctx context.Context, in *MarkCertificateRevokedRequest, opts ...grpc.CallOption) (*proto1.Empty, error)
AddCertificate(ctx context.Context, in *AddCertificateRequest, opts ...grpc.CallOption) (*AddCertificateResponse, error)
RevokeAuthorizationsByDomain(ctx context.Context, in *RevokeAuthorizationsByDomainRequest, opts ...grpc.CallOption) (*RevokeAuthorizationsByDomainResponse, error)
DeactivateRegistration(ctx context.Context, in *RegistrationID, opts ...grpc.CallOption) (*proto1.Empty, error)
@ -2357,15 +2305,6 @@ func (c *storageAuthorityClient) FinalizeAuthorization(ctx context.Context, in *
return out, nil
}
func (c *storageAuthorityClient) MarkCertificateRevoked(ctx context.Context, in *MarkCertificateRevokedRequest, opts ...grpc.CallOption) (*proto1.Empty, error) {
out := new(proto1.Empty)
err := c.cc.Invoke(ctx, "/sa.StorageAuthority/MarkCertificateRevoked", in, out, opts...)
if err != nil {
return nil, err
}
return out, nil
}
func (c *storageAuthorityClient) AddCertificate(ctx context.Context, in *AddCertificateRequest, opts ...grpc.CallOption) (*AddCertificateResponse, error) {
out := new(AddCertificateResponse)
err := c.cc.Invoke(ctx, "/sa.StorageAuthority/AddCertificate", in, out, opts...)
@ -2562,7 +2501,6 @@ type StorageAuthorityServer interface {
UpdateRegistration(context.Context, *proto1.Registration) (*proto1.Empty, error)
NewPendingAuthorization(context.Context, *proto1.Authorization) (*proto1.Authorization, error)
FinalizeAuthorization(context.Context, *proto1.Authorization) (*proto1.Empty, error)
MarkCertificateRevoked(context.Context, *MarkCertificateRevokedRequest) (*proto1.Empty, error)
AddCertificate(context.Context, *AddCertificateRequest) (*AddCertificateResponse, error)
RevokeAuthorizationsByDomain(context.Context, *RevokeAuthorizationsByDomainRequest) (*RevokeAuthorizationsByDomainResponse, error)
DeactivateRegistration(context.Context, *RegistrationID) (*proto1.Empty, error)
@ -2671,9 +2609,6 @@ func (*UnimplementedStorageAuthorityServer) NewPendingAuthorization(ctx context.
func (*UnimplementedStorageAuthorityServer) FinalizeAuthorization(ctx context.Context, req *proto1.Authorization) (*proto1.Empty, error) {
return nil, status.Errorf(codes.Unimplemented, "method FinalizeAuthorization not implemented")
}
func (*UnimplementedStorageAuthorityServer) MarkCertificateRevoked(ctx context.Context, req *MarkCertificateRevokedRequest) (*proto1.Empty, error) {
return nil, status.Errorf(codes.Unimplemented, "method MarkCertificateRevoked not implemented")
}
func (*UnimplementedStorageAuthorityServer) AddCertificate(ctx context.Context, req *AddCertificateRequest) (*AddCertificateResponse, error) {
return nil, status.Errorf(codes.Unimplemented, "method AddCertificate not implemented")
}
@ -3237,24 +3172,6 @@ func _StorageAuthority_FinalizeAuthorization_Handler(srv interface{}, ctx contex
return interceptor(ctx, in, info, handler)
}
func _StorageAuthority_MarkCertificateRevoked_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
in := new(MarkCertificateRevokedRequest)
if err := dec(in); err != nil {
return nil, err
}
if interceptor == nil {
return srv.(StorageAuthorityServer).MarkCertificateRevoked(ctx, in)
}
info := &grpc.UnaryServerInfo{
Server: srv,
FullMethod: "/sa.StorageAuthority/MarkCertificateRevoked",
}
handler := func(ctx context.Context, req interface{}) (interface{}, error) {
return srv.(StorageAuthorityServer).MarkCertificateRevoked(ctx, req.(*MarkCertificateRevokedRequest))
}
return interceptor(ctx, in, info, handler)
}
func _StorageAuthority_AddCertificate_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
in := new(AddCertificateRequest)
if err := dec(in); err != nil {
@ -3695,10 +3612,6 @@ var _StorageAuthority_serviceDesc = grpc.ServiceDesc{
MethodName: "FinalizeAuthorization",
Handler: _StorageAuthority_FinalizeAuthorization_Handler,
},
{
MethodName: "MarkCertificateRevoked",
Handler: _StorageAuthority_MarkCertificateRevoked_Handler,
},
{
MethodName: "AddCertificate",
Handler: _StorageAuthority_AddCertificate_Handler,

6
sa/proto/sa.proto
View File

@ -38,7 +38,6 @@ service StorageAuthority {
rpc UpdateRegistration(core.Registration) returns (core.Empty) {}
rpc NewPendingAuthorization(core.Authorization) returns (core.Authorization) {}
rpc FinalizeAuthorization(core.Authorization) returns (core.Empty) {}
rpc MarkCertificateRevoked(MarkCertificateRevokedRequest) returns (core.Empty) {}
rpc AddCertificate(AddCertificateRequest) returns (AddCertificateResponse) {}
rpc RevokeAuthorizationsByDomain(RevokeAuthorizationsByDomainRequest) returns (RevokeAuthorizationsByDomainResponse) {}
rpc DeactivateRegistration(RegistrationID) returns (core.Empty) {}
@ -167,11 +166,6 @@ message Exists {
optional bool exists = 1;
}
message MarkCertificateRevokedRequest {
optional string serial = 1;
optional int64 code = 2;
}
message AddCertificateRequest {
optional bytes der = 1;
optional int64 regID = 2;

55
sa/sa.go
View File

@ -523,58 +523,6 @@ func (ssa *SQLStorageAuthority) NewRegistration(ctx context.Context, reg core.Re
return modelToRegistration(rm)
}
// MarkCertificateRevoked stores the fact that a certificate is revoked, along
// with a timestamp and a reason.
// TODO(#4048): This method has been deprecated and replaced by RevokeCertificate.
func (ssa *SQLStorageAuthority) MarkCertificateRevoked(ctx context.Context, serial string, reasonCode revocation.Reason) error {
var err error
if _, err = ssa.GetCertificate(ctx, serial); err != nil {
return fmt.Errorf(
"Unable to mark certificate %s revoked: cert not found.", serial)
}
if _, err = ssa.GetCertificateStatus(ctx, serial); err != nil {
return fmt.Errorf(
"Unable to mark certificate %s revoked: cert status not found.", serial)
}
tx, err := ssa.dbMap.Begin()
if err != nil {
return err
}
txWithCtx := tx.WithContext(ctx)
const statusQuery = "WHERE serial = ?"
statusObj, err := SelectCertificateStatus(txWithCtx, statusQuery, serial)
if err == sql.ErrNoRows {
err = fmt.Errorf("No certificate with serial %s", serial)
err = Rollback(tx, err)
return err
}
if err != nil {
err = Rollback(tx, err)
return err
}
var n int64
now := ssa.clk.Now()
statusObj.Status = core.OCSPStatusRevoked
statusObj.RevokedDate = now
statusObj.RevokedReason = reasonCode
n, err = tx.Update(&statusObj)
if err != nil {
err = Rollback(tx, err)
return err
}
if n == 0 {
err = berrors.InternalServerError("no certificate updated")
err = Rollback(tx, err)
return err
}
return tx.Commit()
}
// UpdateRegistration stores an updated Registration
func (ssa *SQLStorageAuthority) UpdateRegistration(ctx context.Context, reg core.Registration) error {
const query = "WHERE id = ?"
@ -2381,8 +2329,7 @@ func (ssa *SQLStorageAuthority) FinalizeAuthorization2(ctx context.Context, req
}
// RevokeCertificate stores revocation information about a certificate. It will only store this
// information if the certificate is not alreay marked as revoked. This method is meant as a
// replacement for MarkCertificateRevoked and the ocsp-updater database methods.
// information if the certificate is not already marked as revoked.
func (ssa *SQLStorageAuthority) RevokeCertificate(ctx context.Context, req *sapb.RevokeCertificateRequest) error {
tx, err := ssa.dbMap.Begin()
if err != nil {

35
sa/sa_test.go
View File

@ -643,41 +643,6 @@ func TestCountCertificatesByNames(t *testing.T) {
}
}
func TestMarkCertificateRevoked(t *testing.T) {
sa, fc, cleanUp := initSA(t)
defer cleanUp()
reg := satest.CreateWorkingRegistration(t, sa)
// Add a cert to the DB to test with.
certDER, err := ioutil.ReadFile("www.eff.org.der")
test.AssertNotError(t, err, "Couldn't read example cert DER")
issued := sa.clk.Now()
_, err = sa.AddCertificate(ctx, certDER, reg.ID, nil, &issued)
test.AssertNotError(t, err, "Couldn't add www.eff.org.der")
serial := "000000000000000000000000000000021bd4"
const ocspResponse = "this is a fake OCSP response"
certificateStatusObj, err := sa.GetCertificateStatus(ctx, serial)
test.AssertNotError(t, err, "sa.GetCertificateStatus failed")
test.AssertEquals(t, certificateStatusObj.Status, core.OCSPStatusGood)
fc.Add(1 * time.Hour)
err = sa.MarkCertificateRevoked(ctx, serial, revocation.KeyCompromise)
test.AssertNotError(t, err, "MarkCertificateRevoked failed")
certificateStatusObj, err = sa.GetCertificateStatus(ctx, serial)
test.AssertNotError(t, err, "Failed to fetch certificate status")
if revocation.KeyCompromise != certificateStatusObj.RevokedReason {
t.Errorf("RevokedReasons, expected %v, got %v", revocation.KeyCompromise, certificateStatusObj.RevokedReason)
}
if !fc.Now().Equal(certificateStatusObj.RevokedDate) {
t.Errorf("RevokedData, expected %s, got %s", fc.Now(), certificateStatusObj.RevokedDate)
}
}
func TestCountRegistrationsByIP(t *testing.T) {
sa, fc, cleanUp := initSA(t)
defer cleanUp()

5
test/config-next/akamai-purger.json
View File

@ -15,10 +15,7 @@
"grpc": {
"address": ":9099",
"clientNames": [
"ocsp-updater.boulder",
"ra.boulder",
"ra1.boulder",
"ra2.boulder"
"ra.boulder"
]
}
},

7
test/config-next/ocsp-updater.json
View File

@ -4,11 +4,9 @@
"maxDBConns": 10,
"oldOCSPWindow": "2s",
"missingSCTWindow": "1s",
"revokedCertificateWindow": "1s",
"oldOCSPBatchSize": 5000,
"missingSCTBatchSize": 5000,
"parallelGenerateOCSPRequests": 10,
"revokedCertificateBatchSize": 1000,
"ocspMinTimeToExpiry": "72h",
"ocspStaleMaxAge": "720h",
"oldestIssuedSCT": "72h",
@ -28,12 +26,7 @@
"serverAddress": "ca.boulder:9096",
"timeout": "15s"
},
"akamaiPurgerService": {
"serverAddress": "akamai-purger.boulder:9099",
"timeout": "15s"
},
"features": {
"RevokeAtRA": true
}
},

1
test/config-next/ra.json
View File

@ -45,7 +45,6 @@
]
},
"features": {
"RevokeAtRA": true,
"EarlyOrderRateLimit": true,
"NewAuthorizationSchema": true
},

2
test/config/akamai-purger.json
View File

@ -15,7 +15,7 @@
"grpc": {
"address": ":9099",
"clientNames": [
"ocsp-updater.boulder"
"ra.boulder"
]
}
},

6
test/config/ocsp-updater.json
View File

@ -4,11 +4,9 @@
"maxDBConns": 10,
"oldOCSPWindow": "2s",
"missingSCTWindow": "1s",
"revokedCertificateWindow": "1s",
"oldOCSPBatchSize": 5000,
"missingSCTBatchSize": 5000,
"parallelGenerateOCSPRequests": 10,
"revokedCertificateBatchSize": 1000,
"ocspMinTimeToExpiry": "72h",
"ocspStaleMaxAge": "720h",
"oldestIssuedSCT": "72h",
@ -28,10 +26,6 @@
"serverAddress": "ca.boulder:9096",
"timeout": "15s"
},
"akamaiPurgerService": {
"serverAddress": "akamai-purger.boulder:9099",
"timeout": "15s"
},
"features": {
}
},

5
test/config/ra.json
View File

@ -11,6 +11,7 @@
"pendingAuthorizationLifetimeDays": 7,
"weakKeyDirectory": "test/example-weak-keys.json",
"orderLifetime": "168h",
"issuerCertPath": "test/test-ca2.pem",
"tls": {
"caCertFile": "test/grpc-creds/minica.pem",
"certFile": "test/grpc-creds/ra.boulder/cert.pem",
@ -32,6 +33,10 @@
"serverAddress": "sa.boulder:9095",
"timeout": "15s"
},
"akamaiPurgerService": {
"serverAddress": "akamai-purger.boulder:9099",
"timeout": "15s"
},
"grpc": {
"address": ":9094",
"clientNames": [

7
test/helpers.py
View File

@ -125,9 +125,6 @@ def ocsp_verify(cert_file, issuer_file, ocsp_response):
def wait_for_ocsp_good(cert_file, issuer_file, url):
fetch_until(cert_file, issuer_file, url, " unauthorized", ": good")
def wait_for_ocsp_revoked(cert_file, issuer_file, url):
fetch_until(cert_file, issuer_file, url, ": good", ": revoked")
def reset_akamai_purges():
requests.post("http://localhost:6789/debug/reset-purges")
@ -145,10 +142,6 @@ def verify_akamai_purge():
reset_akamai_purges()
def verify_revocation(cert_file, issuer_file, url):
# This is gated on the RevokeAtRA feature flag.
if not CONFIG_NEXT:
wait_for_ocsp_revoked(cert_file, issuer_file, url)
return
ocsp_request = make_ocsp_req(cert_file, issuer_file)
responses = fetch_ocsp(ocsp_request, url)