diff --git a/cmd/boulder-ra/main.go b/cmd/boulder-ra/main.go
index 15631b970..084fc5638 100644
--- a/cmd/boulder-ra/main.go
+++ b/cmd/boulder-ra/main.go
@@ -79,8 +79,7 @@ type config struct {
 InformationalCTLogs []ctconfig.LogDescription
 // IssuerCertPath is the path to the intermediate used to issue certificates.
- // It is required if the RevokeAtRA feature is enabled and is used to
- // generate OCSP URLs to purge at revocation time.
+ // It is used to generate OCSP URLs to purge at revocation time.
 IssuerCertPath string
 Features map[string]bool
@@ -131,10 +130,6 @@ func main() {
 err = pa.SetHostnamePolicyFile(c.RA.HostnamePolicyFile)
 cmd.FailOnError(err, "Couldn't load hostname policy file")
- if features.Enabled(features.RevokeAtRA) && (c.RA.AkamaiPurgerService == nil || c.RA.IssuerCertPath == "") {
- cmd.Fail("If the RevokeAtRA feature is enabled the AkamaiPurgerService and IssuerCertPath config fields must be populated")
- }
-
 tlsConfig, err := c.RA.TLS.Load()
 cmd.FailOnError(err, "TLS config")
@@ -158,14 +153,12 @@ func main() {
 var apc akamaipb.AkamaiPurgerClient
 var issuerCert *x509.Certificate
- if features.Enabled(features.RevokeAtRA) {
- apConn, err := bgrpc.ClientSetup(c.RA.AkamaiPurgerService, tlsConfig, clientMetrics, clk)
- cmd.FailOnError(err, "Unable to create a Akamai Purger client")
- apc = akamaipb.NewAkamaiPurgerClient(apConn)
+ apConn, err := bgrpc.ClientSetup(c.RA.AkamaiPurgerService, tlsConfig, clientMetrics, clk)
+ cmd.FailOnError(err, "Unable to create a Akamai Purger client")
+ apc = akamaipb.NewAkamaiPurgerClient(apConn)
- issuerCert, err = core.LoadCert(c.RA.IssuerCertPath)
- cmd.FailOnError(err, "Failed to load issuer certificate")
- }
+ issuerCert, err = core.LoadCert(c.RA.IssuerCertPath)
+ cmd.FailOnError(err, "Failed to load issuer certificate")
 // Boulder's components assume that there will always be CT logs configured.
 // Issuing a certificate without SCTs embedded is a miss-issuance event in the
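Review bot: The startup check deleted in the second hunk is not replaced by an unconditional one, so in main() a missing `AkamaiPurgerService` now reaches `bgrpc.ClientSetup(c.RA.AkamaiPurgerService, ...)` as nil and an empty `IssuerCertPath` reaches `core.LoadCert`. The third hunk runs this setup on every start, so both fields are now always required, and how ClientSetup treats a nil config is not visible in this diff. Keeping the guard without the feature test, `if c.RA.AkamaiPurgerService == nil || c.RA.IssuerCertPath == "" { cmd.Fail("The AkamaiPurgerService and IssuerCertPath config fields must be populated") }`, gives operators an explicit failure before the RA can accept revocation requests without a working purge path. The IssuerCertPath comment in the first hunk should say the same, e.g. `// It is required and is used to generate OCSP URLs to purge at revocation time.` main() continues outside these hunks.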
diff --git a/cmd/ocsp-updater/main.go b/cmd/ocsp-updater/main.go
index 803ee1b6e..e2d0e8551 100644
--- a/cmd/ocsp-updater/main.go
+++ b/cmd/ocsp-updater/main.go
@@ -11,7 +11,6 @@ import (
 "time"
 "github.com/jmhodges/clock"
- "github.com/letsencrypt/boulder/akamai"
 akamaipb "github.com/letsencrypt/boulder/akamai/proto"
 capb "github.com/letsencrypt/boulder/ca/proto"
 "github.com/letsencrypt/boulder/cmd"
@@ -22,7 +21,6 @@ import (
 "github.com/letsencrypt/boulder/metrics"
 "github.com/letsencrypt/boulder/sa"
 sapb "github.com/letsencrypt/boulder/sa/proto"
- "golang.org/x/crypto/ocsp"
 )
 /*
@@ -73,12 +71,10 @@ func newUpdater(
 issuerPath string,
 log blog.Logger,
 ) (*OCSPUpdater, error) {
- if config.OldOCSPBatchSize == 0 ||
- config.RevokedCertificateBatchSize == 0 {
+ if config.OldOCSPBatchSize == 0 {
 return nil, fmt.Errorf("Loop batch sizes must be non-zero")
 }
- if config.OldOCSPWindow.Duration == 0 ||
- config.RevokedCertificateWindow.Duration == 0 {
+ if config.OldOCSPWindow.Duration == 0 {
 return nil, fmt.Errorf("Loop window sizes must be non-zero")
 }
 if config.OCSPStaleMaxAge.Duration == 0 {
@@ -125,20 +121,6 @@ func newUpdater(
 },
 }
- if !features.Enabled(features.RevokeAtRA) {
- updater.loops = append(updater.loops,
- &looper{
- clk: clk,
- stats: stats.NewScope("RevokedCertificates"),
- batchSize: config.RevokedCertificateBatchSize,
- tickDur: config.RevokedCertificateWindow.Duration,
- tickFunc: updater.revokedCertificatesTick,
- name: "RevokedCertificates",
- failureBackoffFactor: config.SignFailureBackoffFactor,
- failureBackoffMax: config.SignFailureBackoffMax.Duration,
- })
- }
-
 return &updater, nil
 }
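Review bot: In newUpdater (the `@@ -73,12 +71,10 @@` hunk) the rewritten guards still test only `== 0`, so a negative `OldOCSPBatchSize` or `OldOCSPWindow.Duration` from the config file passes validation and is handed to the remaining loop, whose construction is outside the hunk. Since both conditions are being rewritten anyway, `if config.OldOCSPBatchSize <= 0 {` and `if config.OldOCSPWindow.Duration <= 0 {` would reject those values at startup. The error strings still use the plural ("Loop batch sizes", "Loop window sizes") although each check now covers one field. newUpdater's body continues outside this hunk.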
@@ -172,11 +154,6 @@ func (updater *OCSPUpdater) findStaleOCSPResponses(oldestLastUpdatedTime time.Ti
 return statuses, err
 }
-type responseMeta struct {
- *core.OCSPResponse
- *core.CertificateStatus
-}
-
 func (updater *OCSPUpdater) generateResponse(ctx context.Context, status core.CertificateStatus) (*core.CertificateStatus, error) {
 cert, err := sa.SelectCertificate(
 updater.dbMap,
@@ -205,48 +182,10 @@ func (updater *OCSPUpdater) generateResponse(ctx context.Context, status core.Ce
 return &status, nil
 }
-// generateRevokedResponse takes a core.CertificateStatus and updates it with a revoked OCSP response
-// for the certificate it represents. generateRevokedResponse then returns the updated status and a
-// list of OCSP request URLs that should be purged or an error.
-func (updater *OCSPUpdater) generateRevokedResponse(ctx context.Context, status core.CertificateStatus) (*core.CertificateStatus, []string, error) {
- cert, err := updater.sac.GetCertificate(ctx, status.Serial)
- if err != nil {
- return nil, nil, err
- }
-
- signRequest := core.OCSPSigningRequest{
- CertDER: cert.DER,
- Status: string(core.OCSPStatusRevoked),
- Reason: status.RevokedReason,
- RevokedAt: status.RevokedDate,
- }
-
- ocspResponse, err := updater.cac.GenerateOCSP(ctx, signRequest)
- if err != nil {
- return nil, nil, err
- }
-
- now := updater.clk.Now()
- status.OCSPLastUpdated = now
- status.OCSPResponse = ocspResponse
-
- // If cache client is populated generate purge URLs
- var purgeURLs []string
- if updater.purgerService != nil {
- purgeURLs, err = akamai.GeneratePurgeURLs(cert.DER, updater.issuer)
- if err != nil {
- return nil, nil, err
- }
- }
-
- return &status, purgeURLs, nil
-}
-
 func (updater *OCSPUpdater) storeResponse(status *core.CertificateStatus) error {
 // Update the certificateStatus table with the new OCSP response, the status
 // WHERE is used make sure we don't overwrite a revoked response with a one
- // containing a 'good' status and that we don't do the inverse when the OCSP
- // status should be 'good'.
+ // containing a 'good' status.
 _, err := updater.dbMap.Exec(
 `UPDATE certificateStatus
 SET ocspResponse=?,ocspLastUpdated=?
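Review bot: The shortened comment at the top of storeResponse still reads awkwardly ("is used make sure", "with a one") and does not say which part of the statement provides the guard. Suggested wording for its three lines: `// Update the certificateStatus table with the new OCSP response. The status`, `// condition in the WHERE clause makes sure we don't overwrite a revoked`, `// response with one containing a 'good' status.` The WHERE clause itself lies outside this hunk, so check the wording against the query; storeResponse's body continues past the hunk.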
@@ -271,75 +210,6 @@ func (updater *OCSPUpdater) markExpired(status core.CertificateStatus) error {
 return err
 }
-func (updater *OCSPUpdater) findRevokedCertificatesToUpdate(batchSize int) ([]core.CertificateStatus, error) {
- const query = "WHERE NOT isExpired AND status = ? AND ocspLastUpdated <= revokedDate LIMIT ?"
- statuses, err := sa.SelectCertificateStatuses(
- updater.dbMap,
- query,
- string(core.OCSPStatusRevoked),
- batchSize,
- )
- return statuses, err
-}
-
-func (updater *OCSPUpdater) revokedCertificatesTick(ctx context.Context, batchSize int) error {
- statuses, err := updater.findRevokedCertificatesToUpdate(batchSize)
- if err != nil {
- updater.stats.Inc("Errors.FindRevokedCertificates", 1)
- updater.log.AuditErrf("Failed to find revoked certificates: %s", err)
- return err
- }
- if len(statuses) == batchSize {
- updater.stats.Inc("revokedCertificatesTick.FullTick", 1)
- }
-
- var allPurgeURLs []string
- for _, status := range statuses {
- // It's possible that, if our ticks are fast enough (mainly in tests), we
- // will get a certificate status where the ocspLastUpdated == revokedDate
- // and the certificate has already been revoked. In order to avoid
- // generating a new response and purging the existing response, quickly
- // check the actual response in this rare case.
- if status.OCSPLastUpdated.Equal(status.RevokedDate) {
- resp, err := ocsp.ParseResponse(status.OCSPResponse, nil)
- if err != nil {
- updater.log.AuditErrf("Failed to parse OCSP response: %s", err)
- return err
- }
- if resp.Status == ocsp.Revoked {
- // We already generated a revoked response, don't bother doing it again
- continue
- }
- }
- meta, purgeURLs, err := updater.generateRevokedResponse(ctx, status)
- if err != nil {
- updater.log.AuditErrf("Failed to generate revoked OCSP response: %s", err)
- updater.stats.Inc("Errors.RevokedResponseGeneration", 1)
- return err
- }
- allPurgeURLs = append(allPurgeURLs, purgeURLs...)
- err = updater.storeResponse(meta)
- if err != nil {
- updater.stats.Inc("Errors.StoreRevokedResponse", 1)
- updater.log.AuditErrf("Failed to store OCSP response: %s", err)
- continue
- }
- }
-
- if len(allPurgeURLs) > 0 && updater.purgerService != nil {
- go func() {
- _, err = updater.purgerService.Purge(context.Background(), &akamaipb.PurgeRequest{
- Urls: allPurgeURLs,
- })
- if err != nil {
- updater.log.Errf("Request to Akamai purger service failed: %s", err)
- }
- }()
- }
-
- return nil
-}
-
 func (updater *OCSPUpdater) generateOCSPResponses(ctx context.Context, statuses []core.CertificateStatus, stats metrics.Scope) error {
 // Use the semaphore pattern from
 // https://github.com/golang/go/wiki/BoundingResourceUse to send a number of
@@ -478,11 +348,9 @@ type OCSPUpdaterConfig struct {
 cmd.ServiceConfig
 cmd.DBConfig
- OldOCSPWindow cmd.ConfigDuration
- RevokedCertificateWindow cmd.ConfigDuration
+ OldOCSPWindow cmd.ConfigDuration
- OldOCSPBatchSize int
- RevokedCertificateBatchSize int
+ OldOCSPBatchSize int
 OCSPMinTimeToExpiry cmd.ConfigDuration
 OCSPStaleMaxAge cmd.ConfigDuration
diff --git a/cmd/ocsp-updater/main_test.go b/cmd/ocsp-updater/main_test.go
index 63a10c2f2..4f1cd45a3 100644
--- a/cmd/ocsp-updater/main_test.go
+++ b/cmd/ocsp-updater/main_test.go
@@ -14,8 +14,8 @@ import (
 "github.com/letsencrypt/boulder/core"
 blog "github.com/letsencrypt/boulder/log"
 "github.com/letsencrypt/boulder/metrics"
- "github.com/letsencrypt/boulder/revocation"
 "github.com/letsencrypt/boulder/sa"
+ sapb "github.com/letsencrypt/boulder/sa/proto"
 "github.com/letsencrypt/boulder/sa/satest"
 "github.com/letsencrypt/boulder/test"
 "github.com/letsencrypt/boulder/test/vars"
@@ -80,10 +80,8 @@ func setup(t *testing.T) (*OCSPUpdater, core.StorageAuthority, *gorp.DbMap, cloc
 sa,
 nil,
 OCSPUpdaterConfig{
- OldOCSPBatchSize: 1,
- RevokedCertificateBatchSize: 1,
- OldOCSPWindow: cmd.ConfigDuration{Duration: time.Second},
- RevokedCertificateWindow: cmd.ConfigDuration{Duration: time.Second},
+ OldOCSPBatchSize: 1,
+ OldOCSPWindow: cmd.ConfigDuration{Duration: time.Second},
 },
 "",
 blog.NewMock(),
@@ -115,23 +113,6 @@ func TestGenerateAndStoreOCSPResponse(t *testing.T) {
 test.AssertNotError(t, err, "Couldn't generate OCSP response")
 err = updater.storeResponse(meta)
 test.AssertNotError(t, err, "Couldn't store certificate status")
-
- secondMeta, purgeURLs, err := updater.generateRevokedResponse(ctx, status)
- test.AssertNotError(t, err, "Couldn't generate revoked OCSP response")
- err = updater.storeResponse(secondMeta)
- test.AssertNotError(t, err, "Couldn't store certificate status")
- test.AssertDeepEquals(t, purgeURLs, []string{
- // akamai magic POST format
- "http://127.0.0.1:4002/?body-md5=1f00f751a981b76c",
- // GET format with // replaced with /
- "http://127.0.0.1:4002/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRBJaTET3lGgf1uVfnmEsA5Rr8viQQU+3hPEvlgFYMsnxd/NBmzLjbqQYkCEwD/ajxemKXeOt+gQo15uy0YcQs=",
- // GET format with url-encoding
- "http://127.0.0.1:4002/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRBJaTET3lGgf1uVfnmEsA5Rr8viQQU%2B3hPEvlgFYMsnxd%2FNBmzLjbqQYkCEwD%2FajxemKXeOt%2BgQo15uy0YcQs%3D",
- })
-
- newStatus, err := sa.GetCertificateStatus(ctx, status.Serial)
- test.AssertNotError(t, err, "Couldn't retrieve certificate status")
- test.AssertByteEquals(t, meta.OCSPResponse, newStatus.OCSPResponse)
 }
 func TestGenerateOCSPResponses(t *testing.T) {
@@ -263,29 +244,6 @@ func TestFindStaleOCSPResponsesStaleMaxAge(t *testing.T) {
 test.AssertEquals(t, certs[0].Serial, core.SerialToString(parsedCertA.SerialNumber))
 }
-func TestFindRevokedCertificatesToUpdate(t *testing.T) {
- updater, sa, _, fc, cleanUp := setup(t)
- defer cleanUp()
-
- reg := satest.CreateWorkingRegistration(t, sa)
- cert, err := core.LoadCert("test-cert.pem")
- test.AssertNotError(t, err, "Couldn't read test certificate")
- issued := fc.Now()
- _, err = sa.AddCertificate(ctx, cert.Raw, reg.ID, nil, &issued)
- test.AssertNotError(t, err, "Couldn't add test-cert.pem")
-
- statuses, err := updater.findRevokedCertificatesToUpdate(10)
- test.AssertNotError(t, err, "Failed to find revoked certificates")
- test.AssertEquals(t, len(statuses), 0)
-
- err = sa.MarkCertificateRevoked(ctx, core.SerialToString(cert.SerialNumber), revocation.KeyCompromise)
- test.AssertNotError(t, err, "Failed to revoke certificate")
-
- statuses, err = updater.findRevokedCertificatesToUpdate(10)
- test.AssertNotError(t, err, "Failed to find revoked certificates")
- test.AssertEquals(t, len(statuses), 1)
-}
-
 func TestOldOCSPResponsesTick(t *testing.T) {
 updater, sa, _, fc, cleanUp := setup(t)
 defer cleanUp()
@@ -356,33 +314,6 @@ func TestOldOCSPResponsesTickIsExpired(t *testing.T) {
 test.AssertEquals(t, cs.IsExpired, true)
 }
-func TestRevokedCertificatesTick(t *testing.T) {
- updater, sa, _, fc, cleanUp := setup(t)
- defer cleanUp()
-
- reg := satest.CreateWorkingRegistration(t, sa)
- parsedCert, err := core.LoadCert("test-cert.pem")
- test.AssertNotError(t, err, "Couldn't read test certificate")
- issued := fc.Now()
- _, err = sa.AddCertificate(ctx, parsedCert.Raw, reg.ID, nil, &issued)
- test.AssertNotError(t, err, "Couldn't add test-cert.pem")
-
- err = sa.MarkCertificateRevoked(ctx, core.SerialToString(parsedCert.SerialNumber), revocation.KeyCompromise)
- test.AssertNotError(t, err, "Failed to revoke certificate")
-
- statuses, err := updater.findRevokedCertificatesToUpdate(10)
- test.AssertNotError(t, err, "Failed to find revoked certificates")
- test.AssertEquals(t, len(statuses), 1)
-
- err = updater.revokedCertificatesTick(ctx, 10)
- test.AssertNotError(t, err, "Failed to run revokedCertificatesTick")
-
- status, err := sa.GetCertificateStatus(ctx, core.SerialToString(parsedCert.SerialNumber))
- test.AssertNotError(t, err, "Failed to get certificate status")
- test.AssertEquals(t, status.Status, core.OCSPStatusRevoked)
- test.Assert(t, len(status.OCSPResponse) != 0, "Certificate status doesn't contain OCSP response")
-}
-
 func TestStoreResponseGuard(t *testing.T) {
 updater, sa, _, fc, cleanUp := setup(t)
 defer cleanUp()
@@ -397,7 +328,14 @@ func TestStoreResponseGuard(t *testing.T) {
 status, err := sa.GetCertificateStatus(ctx, core.SerialToString(parsedCert.SerialNumber))
 test.AssertNotError(t, err, "Failed to get certificate status")
- err = sa.MarkCertificateRevoked(ctx, core.SerialToString(parsedCert.SerialNumber), 0)
+ serialStr := core.SerialToString(parsedCert.SerialNumber)
+ reason := int64(0)
+ revokedDate := fc.Now().UnixNano()
+ err = sa.RevokeCertificate(context.Background(), &sapb.RevokeCertificateRequest{
+ Serial: &serialStr,
+ Reason: &reason,
+ Date: &revokedDate,
+ })
 test.AssertNotError(t, err, "Failed to revoked certificate")
 // Attempt to update OCSP response where status.Status is good but stored status
diff --git a/core/interfaces.go b/core/interfaces.go
index ce1fb43d9..4e48d70fa 100644
--- a/core/interfaces.go
+++ b/core/interfaces.go
@@ -149,7 +149,6 @@ type StorageAdder interface {
 UpdateRegistration(ctx context.Context, reg Registration) error
 NewPendingAuthorization(ctx context.Context, authz Authorization) (Authorization, error)
 FinalizeAuthorization(ctx context.Context, authz Authorization) error
- MarkCertificateRevoked(ctx context.Context, serial string, reasonCode revocation.Reason) error
 AddCertificate(ctx context.Context, der []byte, regID int64, ocsp []byte, issued *time.Time) (digest string, err error)
 RevokeAuthorizationsByDomain(ctx context.Context, domain identifier.ACMEIdentifier) (finalized, pending int64, err error)
 DeactivateRegistration(ctx context.Context, id int64) error
diff --git a/features/featureflag_string.go b/features/featureflag_string.go
index 6d1678ed0..a50801f91 100644
--- a/features/featureflag_string.go
+++ b/features/featureflag_string.go
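Review bot: In TestStoreResponseGuard (cmd/ocsp-updater/main_test.go) the new `sa.RevokeCertificate` call passes `context.Background()` while the `sa.GetCertificateStatus(ctx, ...)` call just above it uses the test's `ctx`; `err = sa.RevokeCertificate(ctx, &sapb.RevokeCertificateRequest{` keeps the test on one context. The request sets only Serial, Reason and Date, and the request type's field list is not visible in this hunk. If it can also carry the revoked OCSP response, a short comment such as `// No OCSP response is set; this test only needs the row marked revoked.` would tell the reader the omission is deliberate. The test body starts and ends outside the hunk.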
@@ -17,11 +17,11 @@ func _() { _ = x[SetIssuedNamesRenewalBit-6] _ = x[FasterRateLimit-7] _ = x[ProbeCTLogs-8] - _ = x[CAAValidationMethods-9] - _ = x[CAAAccountURI-10] - _ = x[HeadNonceStatusOK-11] - _ = x[NewAuthorizationSchema-12] - _ = x[RevokeAtRA-13] + _ = x[RevokeAtRA-9] + _ = x[CAAValidationMethods-10] + _ = x[CAAAccountURI-11] + _ = x[HeadNonceStatusOK-12] + _ = x[NewAuthorizationSchema-13] _ = x[EarlyOrderRateLimit-14] _ = x[EnforceMultiVA-15] _ = x[MultiVAFullResults-16] @@ -30,9 +30,9 @@ func _() { _ = x[MandatoryPOSTAsGET-19] } -const _FeatureFlag_name = "unusedPerformValidationRPCACME13KeyRolloverSimplifiedVAHTTPTLSSNIRevalidationAllowRenewalFirstRLSetIssuedNamesRenewalBitFasterRateLimitProbeCTLogsCAAValidationMethodsCAAAccountURIHeadNonceStatusOKNewAuthorizationSchemaRevokeAtRAEarlyOrderRateLimitEnforceMultiVAMultiVAFullResultsRemoveWFE2AccountIDCheckRenewalFirstMandatoryPOSTAsGET" +const _FeatureFlag_name = "unusedPerformValidationRPCACME13KeyRolloverSimplifiedVAHTTPTLSSNIRevalidationAllowRenewalFirstRLSetIssuedNamesRenewalBitFasterRateLimitProbeCTLogsRevokeAtRACAAValidationMethodsCAAAccountURIHeadNonceStatusOKNewAuthorizationSchemaEarlyOrderRateLimitEnforceMultiVAMultiVAFullResultsRemoveWFE2AccountIDCheckRenewalFirstMandatoryPOSTAsGET" -var _FeatureFlag_index = [...]uint16{0, 6, 26, 43, 59, 77, 96, 120, 135, 146, 166, 179, 196, 218, 228, 247, 261, 279, 298, 315, 333} +var _FeatureFlag_index = [...]uint16{0, 6, 26, 43, 59, 77, 96, 120, 135, 146, 156, 176, 189, 206, 228, 247, 261, 279, 298, 315, 333} func (i FeatureFlag) String() string { if i < 0 || i >= FeatureFlag(len(_FeatureFlag_index)-1) { diff --git a/features/features.go b/features/features.go index c23c3c95a..599e66091 100644 --- a/features/features.go +++ b/features/features.go @@ -20,6 +20,7 @@ const ( SetIssuedNamesRenewalBit FasterRateLimit ProbeCTLogs + RevokeAtRA // Currently in-use features // Check CAA and respect validationmethods parameter. 
@@ -32,8 +33,6 @@ const (
 // NewAuthorizationSchema enables usage of the new authorization storage schema
 // and associated RPCs.
 NewAuthorizationSchema
- // RevokeAtRA enables revocation in the RA instead of ocsp-updater
- RevokeAtRA
 // EarlyOrderRateLimit enables the RA applying certificate per name/per FQDN
 // set rate limits in NewOrder in addition to FinalizeOrder.
 EarlyOrderRateLimit
diff --git a/grpc/sa-wrappers.go b/grpc/sa-wrappers.go
index fa2bd64f4..a33e78075 100644
--- a/grpc/sa-wrappers.go
+++ b/grpc/sa-wrappers.go
@@ -383,20 +383,6 @@ func (sac StorageAuthorityClientWrapper) FinalizeAuthorization(ctx context.Conte
 return nil
 }
-func (sac StorageAuthorityClientWrapper) MarkCertificateRevoked(ctx context.Context, serial string, reasonCode revocation.Reason) error {
- reason := int64(reasonCode)
-
- _, err := sac.inner.MarkCertificateRevoked(ctx, &sapb.MarkCertificateRevokedRequest{
- Serial: &serial,
- Code: &reason,
- })
- if err != nil {
- return err
- }
-
- return nil
-}
-
 func (sac StorageAuthorityClientWrapper) AddCertificate(
 ctx context.Context,
 der []byte,
@@ -1008,19 +994,6 @@ func (sas StorageAuthorityServerWrapper) FinalizeAuthorization(ctx context.Conte
 return &corepb.Empty{}, nil
 }
-func (sas StorageAuthorityServerWrapper) MarkCertificateRevoked(ctx context.Context, request *sapb.MarkCertificateRevokedRequest) (*corepb.Empty, error) {
- if request == nil || request.Serial == nil || request.Code == nil {
- return nil, errIncompleteRequest
- }
-
- err := sas.inner.MarkCertificateRevoked(ctx, *request.Serial, revocation.Reason(*request.Code))
- if err != nil {
- return nil, err
- }
-
- return &corepb.Empty{}, nil
-}
-
 func (sas StorageAuthorityServerWrapper) AddCertificate(ctx context.Context, request *sapb.AddCertificateRequest) (*sapb.AddCertificateResponse, error) {
 if request == nil || request.Der == nil || request.RegID == nil || request.Issued == nil {
 return nil, errIncompleteRequest
diff --git a/mocks/mocks.go b/mocks/mocks.go
index d7293a264..3f0346414 100644
--- a/mocks/mocks.go
+++ b/mocks/mocks.go
@@ -21,7 +21,6 @@ import (
 "github.com/letsencrypt/boulder/identifier"
 "github.com/letsencrypt/boulder/probs"
 pubpb "github.com/letsencrypt/boulder/publisher/proto"
- "github.com/letsencrypt/boulder/revocation"
 sapb "github.com/letsencrypt/boulder/sa/proto"
 )
@@ -335,11 +334,6 @@ func (sa *StorageAuthority) FinalizeAuthorization(_ context.Context, authz core.
 return
 }
-// MarkCertificateRevoked is a mock
-func (sa *StorageAuthority) MarkCertificateRevoked(_ context.Context, serial string, reasonCode revocation.Reason) (err error) {
- return
-}
-
 // NewPendingAuthorization is a mock
 func (sa *StorageAuthority) NewPendingAuthorization(_ context.Context, authz core.Authorization) (core.Authorization, error) {
 return authz, nil
diff --git a/ra/mock_test.go b/ra/mock_test.go
index f3db715e3..26bdc3572 100644
--- a/ra/mock_test.go
+++ b/ra/mock_test.go
@@ -115,10 +115,6 @@ func (sa *mockInvalidAuthorizationsAuthority) FinalizeAuthorization(ctx context.
 return nil, nil
 }
-func (sa *mockInvalidAuthorizationsAuthority) MarkCertificateRevoked(ctx context.Context, in *sapb.MarkCertificateRevokedRequest, opts ...grpc.CallOption) (*core.Empty, error) {
- return nil, nil
-}
-
 func (sa *mockInvalidAuthorizationsAuthority) AddCertificate(ctx context.Context, in *sapb.AddCertificateRequest, opts ...grpc.CallOption) (*sapb.AddCertificateResponse, error) {
 return nil, nil
 }
diff --git a/ra/ra.go b/ra/ra.go
index 4146d85ea..312839c63 100644
--- a/ra/ra.go
+++ b/ra/ra.go
@@ -1777,12 +1777,7 @@ func (ra *RegistrationAuthorityImpl) revokeCertificate(ctx context.Context, cert
 // RevokeCertificateWithReg terminates trust in the certificate provided.
 func (ra *RegistrationAuthorityImpl) RevokeCertificateWithReg(ctx context.Context, cert x509.Certificate, revocationCode revocation.Reason, regID int64) error {
 serialString := core.SerialToString(cert.SerialNumber)
- var err error
- if features.Enabled(features.RevokeAtRA) {
- err = ra.revokeCertificate(ctx, cert, revocationCode)
- } else {
- err = ra.SA.MarkCertificateRevoked(ctx, serialString, revocationCode)
- }
+ err := ra.revokeCertificate(ctx, cert, revocationCode)
 state := "Failure"
 defer func() {
@@ -1813,12 +1808,7 @@ func (ra *RegistrationAuthorityImpl) RevokeCertificateWithReg(ctx context.Contex
 // called from the admin-revoker tool.
 func (ra *RegistrationAuthorityImpl) AdministrativelyRevokeCertificate(ctx context.Context, cert x509.Certificate, revocationCode revocation.Reason, user string) error {
 serialString := core.SerialToString(cert.SerialNumber)
- var err error
- if features.Enabled(features.RevokeAtRA) {
- err = ra.revokeCertificate(ctx, cert, revocationCode)
- } else {
- err = ra.SA.MarkCertificateRevoked(ctx, serialString, revocationCode)
- }
+ err := ra.revokeCertificate(ctx, cert, revocationCode)
 state := "Failure"
 defer func() {
diff --git a/sa/proto/sa.pb.go b/sa/proto/sa.pb.go
index 8d2a34058..c7f3d4ba2 100644
--- a/sa/proto/sa.pb.go
+++ b/sa/proto/sa.pb.go
@@ -1030,53 +1030,6 @@ func (m *Exists) GetExists() bool { return false } -type MarkCertificateRevokedRequest struct { - Serial *string `protobuf:"bytes,1,opt,name=serial" json:"serial,omitempty"` - Code *int64 `protobuf:"varint,2,opt,name=code" json:"code,omitempty"` - XXX_NoUnkeyedLiteral struct{} `json:"-"` - XXX_unrecognized []byte `json:"-"` - XXX_sizecache int32 `json:"-"` -} - -func (m *MarkCertificateRevokedRequest) Reset() { *m = MarkCertificateRevokedRequest{} } -func (m *MarkCertificateRevokedRequest) String() string { return proto.CompactTextString(m) } -func (*MarkCertificateRevokedRequest) ProtoMessage() {} -func (*MarkCertificateRevokedRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_099fb35e782a48a6, []int{19} -} - -func (m *MarkCertificateRevokedRequest) XXX_Unmarshal(b []byte) error { - return xxx_messageInfo_MarkCertificateRevokedRequest.Unmarshal(m, b) -} -func (m *MarkCertificateRevokedRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { - return xxx_messageInfo_MarkCertificateRevokedRequest.Marshal(b, m, deterministic) -} -func (m *MarkCertificateRevokedRequest) XXX_Merge(src proto.Message) { - xxx_messageInfo_MarkCertificateRevokedRequest.Merge(m, src) -} -func (m *MarkCertificateRevokedRequest) XXX_Size() int { - return xxx_messageInfo_MarkCertificateRevokedRequest.Size(m) -} -func (m *MarkCertificateRevokedRequest) XXX_DiscardUnknown() { - xxx_messageInfo_MarkCertificateRevokedRequest.DiscardUnknown(m) -} - -var xxx_messageInfo_MarkCertificateRevokedRequest proto.InternalMessageInfo - -func (m *MarkCertificateRevokedRequest) GetSerial() string { - if m != nil && m.Serial != nil { - return *m.Serial - } - return "" -} - -func (m *MarkCertificateRevokedRequest) GetCode() int64 { - if m != nil && m.Code != nil { - return *m.Code - } - return 0 -} - type AddCertificateRequest struct { Der []byte `protobuf:"bytes,1,opt,name=der" json:"der,omitempty"` RegID *int64 `protobuf:"varint,2,opt,name=regID" 
json:"regID,omitempty"` @@ -1096,7 +1049,7 @@ func (m *AddCertificateRequest) Reset() { *m = AddCertificateRequest{} } func (m *AddCertificateRequest) String() string { return proto.CompactTextString(m) } func (*AddCertificateRequest) ProtoMessage() {} func (*AddCertificateRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_099fb35e782a48a6, []int{20} + return fileDescriptor_099fb35e782a48a6, []int{19} } func (m *AddCertificateRequest) XXX_Unmarshal(b []byte) error { @@ -1156,7 +1109,7 @@ func (m *AddCertificateResponse) Reset() { *m = AddCertificateResponse{} func (m *AddCertificateResponse) String() string { return proto.CompactTextString(m) } func (*AddCertificateResponse) ProtoMessage() {} func (*AddCertificateResponse) Descriptor() ([]byte, []int) { - return fileDescriptor_099fb35e782a48a6, []int{21} + return fileDescriptor_099fb35e782a48a6, []int{20} } func (m *AddCertificateResponse) XXX_Unmarshal(b []byte) error { @@ -1195,7 +1148,7 @@ func (m *RevokeAuthorizationsByDomainRequest) Reset() { *m = RevokeAutho func (m *RevokeAuthorizationsByDomainRequest) String() string { return proto.CompactTextString(m) } func (*RevokeAuthorizationsByDomainRequest) ProtoMessage() {} func (*RevokeAuthorizationsByDomainRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_099fb35e782a48a6, []int{22} + return fileDescriptor_099fb35e782a48a6, []int{21} } func (m *RevokeAuthorizationsByDomainRequest) XXX_Unmarshal(b []byte) error { @@ -1235,7 +1188,7 @@ func (m *RevokeAuthorizationsByDomainResponse) Reset() { *m = RevokeAuth func (m *RevokeAuthorizationsByDomainResponse) String() string { return proto.CompactTextString(m) } func (*RevokeAuthorizationsByDomainResponse) ProtoMessage() {} func (*RevokeAuthorizationsByDomainResponse) Descriptor() ([]byte, []int) { - return fileDescriptor_099fb35e782a48a6, []int{23} + return fileDescriptor_099fb35e782a48a6, []int{22} } func (m *RevokeAuthorizationsByDomainResponse) XXX_Unmarshal(b []byte) error { 
@@ -1282,7 +1235,7 @@ func (m *OrderRequest) Reset() { *m = OrderRequest{} } func (m *OrderRequest) String() string { return proto.CompactTextString(m) } func (*OrderRequest) ProtoMessage() {} func (*OrderRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_099fb35e782a48a6, []int{24} + return fileDescriptor_099fb35e782a48a6, []int{23} } func (m *OrderRequest) XXX_Unmarshal(b []byte) error { @@ -1329,7 +1282,7 @@ func (m *GetValidOrderAuthorizationsRequest) Reset() { *m = GetValidOrde func (m *GetValidOrderAuthorizationsRequest) String() string { return proto.CompactTextString(m) } func (*GetValidOrderAuthorizationsRequest) ProtoMessage() {} func (*GetValidOrderAuthorizationsRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_099fb35e782a48a6, []int{25} + return fileDescriptor_099fb35e782a48a6, []int{24} } func (m *GetValidOrderAuthorizationsRequest) XXX_Unmarshal(b []byte) error { @@ -1377,7 +1330,7 @@ func (m *GetOrderForNamesRequest) Reset() { *m = GetOrderForNamesRequest func (m *GetOrderForNamesRequest) String() string { return proto.CompactTextString(m) } func (*GetOrderForNamesRequest) ProtoMessage() {} func (*GetOrderForNamesRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_099fb35e782a48a6, []int{26} + return fileDescriptor_099fb35e782a48a6, []int{25} } func (m *GetOrderForNamesRequest) XXX_Unmarshal(b []byte) error { @@ -1433,7 +1386,7 @@ func (m *GetAuthorizationsRequest) Reset() { *m = GetAuthorizationsReque func (m *GetAuthorizationsRequest) String() string { return proto.CompactTextString(m) } func (*GetAuthorizationsRequest) ProtoMessage() {} func (*GetAuthorizationsRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_099fb35e782a48a6, []int{27} + return fileDescriptor_099fb35e782a48a6, []int{26} } func (m *GetAuthorizationsRequest) XXX_Unmarshal(b []byte) error { 
@@ -1493,7 +1446,7 @@ func (m *Authorizations) Reset() { *m = Authorizations{} } func (m *Authorizations) String() string { return proto.CompactTextString(m) } func (*Authorizations) ProtoMessage() {} func (*Authorizations) Descriptor() ([]byte, []int) { - return fileDescriptor_099fb35e782a48a6, []int{28} + return fileDescriptor_099fb35e782a48a6, []int{27} } func (m *Authorizations) XXX_Unmarshal(b []byte) error { @@ -1533,7 +1486,7 @@ func (m *Authorizations_MapElement) Reset() { *m = Authorizations_MapEle func (m *Authorizations_MapElement) String() string { return proto.CompactTextString(m) } func (*Authorizations_MapElement) ProtoMessage() {} func (*Authorizations_MapElement) Descriptor() ([]byte, []int) { - return fileDescriptor_099fb35e782a48a6, []int{28, 0} + return fileDescriptor_099fb35e782a48a6, []int{27, 0} } func (m *Authorizations_MapElement) XXX_Unmarshal(b []byte) error { @@ -1579,7 +1532,7 @@ func (m *AddPendingAuthorizationsRequest) Reset() { *m = AddPendingAutho func (m *AddPendingAuthorizationsRequest) String() string { return proto.CompactTextString(m) } func (*AddPendingAuthorizationsRequest) ProtoMessage() {} func (*AddPendingAuthorizationsRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_099fb35e782a48a6, []int{29} + return fileDescriptor_099fb35e782a48a6, []int{28} } func (m *AddPendingAuthorizationsRequest) XXX_Unmarshal(b []byte) error { @@ -1618,7 +1571,7 @@ func (m *AuthorizationIDs) Reset() { *m = AuthorizationIDs{} } func (m *AuthorizationIDs) String() string { return proto.CompactTextString(m) } func (*AuthorizationIDs) ProtoMessage() {} func (*AuthorizationIDs) Descriptor() ([]byte, []int) { - return fileDescriptor_099fb35e782a48a6, []int{30} + return fileDescriptor_099fb35e782a48a6, []int{29} } func (m *AuthorizationIDs) XXX_Unmarshal(b []byte) error { 
@@ -1657,7 +1610,7 @@ func (m *AuthorizationID2) Reset() { *m = AuthorizationID2{} } func (m *AuthorizationID2) String() string { return proto.CompactTextString(m) } func (*AuthorizationID2) ProtoMessage() {} func (*AuthorizationID2) Descriptor() ([]byte, []int) { - return fileDescriptor_099fb35e782a48a6, []int{31} + return fileDescriptor_099fb35e782a48a6, []int{30} } func (m *AuthorizationID2) XXX_Unmarshal(b []byte) error { @@ -1696,7 +1649,7 @@ func (m *Authorization2IDs) Reset() { *m = Authorization2IDs{} } func (m *Authorization2IDs) String() string { return proto.CompactTextString(m) } func (*Authorization2IDs) ProtoMessage() {} func (*Authorization2IDs) Descriptor() ([]byte, []int) { - return fileDescriptor_099fb35e782a48a6, []int{32} + return fileDescriptor_099fb35e782a48a6, []int{31} } func (m *Authorization2IDs) XXX_Unmarshal(b []byte) error { @@ -1738,7 +1691,7 @@ func (m *RevokeCertificateRequest) Reset() { *m = RevokeCertificateReque func (m *RevokeCertificateRequest) String() string { return proto.CompactTextString(m) } func (*RevokeCertificateRequest) ProtoMessage() {} func (*RevokeCertificateRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_099fb35e782a48a6, []int{33} + return fileDescriptor_099fb35e782a48a6, []int{32} } func (m *RevokeCertificateRequest) XXX_Unmarshal(b []byte) error { @@ -1803,7 +1756,7 @@ func (m *FinalizeAuthorizationRequest) Reset() { *m = FinalizeAuthorizat func (m *FinalizeAuthorizationRequest) String() string { return proto.CompactTextString(m) } func (*FinalizeAuthorizationRequest) ProtoMessage() {} func (*FinalizeAuthorizationRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_099fb35e782a48a6, []int{34} + return fileDescriptor_099fb35e782a48a6, []int{33} } func (m *FinalizeAuthorizationRequest) XXX_Unmarshal(b []byte) error { 
@@ -1888,7 +1841,6 @@ func init() { proto.RegisterType((*FQDNSetExistsRequest)(nil), "sa.FQDNSetExistsRequest") proto.RegisterType((*PreviousCertificateExistsRequest)(nil), "sa.PreviousCertificateExistsRequest") proto.RegisterType((*Exists)(nil), "sa.Exists") - proto.RegisterType((*MarkCertificateRevokedRequest)(nil), "sa.MarkCertificateRevokedRequest") proto.RegisterType((*AddCertificateRequest)(nil), "sa.AddCertificateRequest") proto.RegisterType((*AddCertificateResponse)(nil), "sa.AddCertificateResponse") proto.RegisterType((*RevokeAuthorizationsByDomainRequest)(nil), "sa.RevokeAuthorizationsByDomainRequest") 
@@ -1910,126 +1862,123 @@ func init() { func init() { proto.RegisterFile("sa/proto/sa.proto", fileDescriptor_099fb35e782a48a6) } var fileDescriptor_099fb35e782a48a6 = []byte{ - // 1890 bytes of a gzipped FileDescriptorProto + // 1854 bytes of a gzipped FileDescriptorProto 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xbc, 0x59, 0xef, 0x72, 0xdb, 0xc6, - 0x11, 0xe7, 0x1f, 0x51, 0xa6, 0x56, 0xb2, 0xfe, 0x9c, 0x25, 0x1a, 0x86, 0x25, 0x5b, 0xbe, 0x38, - 0xae, 0x32, 0x9d, 0x51, 0x5c, 0xb4, 0x93, 0x74, 0x46, 0xb5, 0x53, 0x2b, 0x94, 0x65, 0x39, 0xb6, + 0x11, 0xe7, 0x1f, 0xd3, 0x26, 0x57, 0xb2, 0xfe, 0x9c, 0x25, 0x1a, 0x86, 0x25, 0x9b, 0xbe, 0x38, + 0xae, 0x32, 0x9d, 0x51, 0x5c, 0xb4, 0x93, 0x74, 0x46, 0xb5, 0x53, 0x2b, 0x94, 0x65, 0xa5, 0x8e, 0xcc, 0x80, 0xb1, 0x9c, 0x69, 0x3b, 0x9d, 0x41, 0x88, 0xb3, 0x8c, 0x9a, 0x02, 0x18, 0xdc, 0x51, - 0x32, 0xf5, 0xb9, 0x33, 0xed, 0x13, 0x74, 0xfa, 0xb1, 0xcf, 0xd1, 0x97, 0xe8, 0x23, 0xb5, 0x73, - 0x7b, 0x07, 0x10, 0x00, 0x0f, 0xa4, 0x63, 0x77, 0xf2, 0x0d, 0xbb, 0xb7, 0xff, 0xee, 0x6e, 0x6f, - 0xf7, 0xb7, 0x24, 0xac, 0x71, 0xef, 0xf3, 0x41, 0x1c, 0x89, 0xe8, 0x73, 0xee, 0xed, 0xe2, 0x07, - 0xa9, 0x71, 0xcf, 0xde, 0xe8, 0x45, 0x31, 0xd3, 0x0b, 0xf2, 0x53, 0x2d, 0xd1, 0x6d, 0x58, 0x76, - 0xd9, 0x69, 0xc0, 0x45, 0xec, 0x89, 0x20, 0x0a, 0x8f, 0xda, 0x64, 0x19, 0x6a, 0x81, 0x6f, 0x55, - 0xb7, 0xab, 0x3b, 0x75, 0xb7, 0x16, 0xf8, 0xf4, 0x16, 0xc0, 0xd3, 0xee, 0x8b, 0xe3, 0x57, 0xec, - 0x87, 0x6f, 0xd8, 0x88, 0xac, 0x42, 0xfd, 0x2f, 0x17, 0x6f, 0x71, 0x79, 0xc9, 0x95, 0x9f, 0xf4, - 0x0e, 0xac, 0x3c, 0x1a, 0x8a, 0x37, 0x51, 0x1c, 0x5c, 0x4e, 0x9a, 0x58, 0x40, 0x13, 0xff, 0xae, - 0xc2, 0xad, 0x43, 0x26, 0x3a, 0x2c, 0xf4, 0x83, 0xf0, 0x34, 0x27, 0xed, 0xb2, 0x1f, 0x87, 0x8c, - 0x0b, 0x72, 0x0f, 0x96, 0xe3, 0x5c, 0x1c, 0x3a, 0x82, 0x02, 0x57, 0xca, 0x05, 0x3e, 0x0b, 0x45, - 0xf0, 0x3a, 0x60, 0xf1, 0x77, 0xa3, 0x01, 0xb3, 0x6a, 0xe8, 0xa6, 0xc0, 0x25, 0x3b, 0xb0, 0x32, - 0xe6, 0x9c, 0x78, 0xfd, 0x21, 0xb3, 0xea, 0x28, 0x58, 0x64, 
0x93, 0x5b, 0x00, 0xe7, 0x5e, 0x3f, - 0xf0, 0x5f, 0x86, 0x22, 0xe8, 0x5b, 0x73, 0xe8, 0x35, 0xc3, 0xa1, 0x1c, 0xb6, 0x0e, 0x99, 0x38, - 0x91, 0x8c, 0x5c, 0xe4, 0xfc, 0xa7, 0x86, 0x6e, 0xc1, 0x15, 0x3f, 0x3a, 0xf3, 0x82, 0x90, 0x5b, - 0xb5, 0xed, 0xfa, 0xce, 0x82, 0x9b, 0x90, 0xf2, 0x50, 0xc3, 0xe8, 0x02, 0x03, 0xac, 0xbb, 0xf2, - 0x93, 0xfe, 0xab, 0x0a, 0xd7, 0x0c, 0x2e, 0xc9, 0x6f, 0xa1, 0x81, 0xa1, 0x59, 0xd5, 0xed, 0xfa, - 0xce, 0xa2, 0x43, 0x77, 0xb9, 0xb7, 0x6b, 0x90, 0xdb, 0x7d, 0xee, 0x0d, 0x0e, 0xfa, 0xec, 0x8c, - 0x85, 0xc2, 0x55, 0x0a, 0xf6, 0x0b, 0x80, 0x31, 0x93, 0xb4, 0x60, 0x5e, 0x39, 0xd7, 0xb7, 0xa4, - 0x29, 0xf2, 0x19, 0x34, 0xbc, 0xa1, 0x78, 0x73, 0x89, 0xa7, 0xba, 0xe8, 0x5c, 0xdb, 0xc5, 0x54, - 0xc9, 0xdf, 0x98, 0x92, 0xa0, 0xff, 0xa9, 0xc1, 0xda, 0xd7, 0x2c, 0x96, 0x47, 0xd9, 0xf3, 0x04, - 0xeb, 0x0a, 0x4f, 0x0c, 0xb9, 0x34, 0xcc, 0x59, 0x1c, 0x78, 0xfd, 0xc4, 0xb0, 0xa2, 0x90, 0x8f, - 0x12, 0xfa, 0x1a, 0x34, 0x25, 0xef, 0x29, 0xea, 0xf1, 0xc1, 0x33, 0x8f, 0x8b, 0x97, 0x03, 0xdf, - 0x13, 0xcc, 0xd7, 0x57, 0x50, 0x64, 0x93, 0x6d, 0x58, 0x8c, 0xd9, 0x79, 0xf4, 0x96, 0xf9, 0x6d, - 0x4f, 0x30, 0xab, 0x81, 0x52, 0x59, 0x16, 0xb9, 0x0b, 0x57, 0x35, 0xe9, 0x32, 0x8f, 0x47, 0xa1, - 0x35, 0x8f, 0x32, 0x79, 0x26, 0xf9, 0x0d, 0x6c, 0xf4, 0x3d, 0x2e, 0x0e, 0xde, 0x0d, 0x02, 0x75, - 0x35, 0xc7, 0xde, 0x69, 0x97, 0x85, 0xc2, 0xba, 0x82, 0xd2, 0xe6, 0x45, 0x42, 0x61, 0x49, 0x06, - 0xe4, 0x32, 0x3e, 0x88, 0x42, 0xce, 0xac, 0x26, 0x3e, 0x80, 0x1c, 0x8f, 0xd8, 0xd0, 0x0c, 0x23, - 0xf1, 0xe8, 0xb5, 0x60, 0xb1, 0xb5, 0x80, 0xc6, 0x52, 0x9a, 0x6c, 0xc2, 0x42, 0xc0, 0xd1, 0x2c, - 0xf3, 0x2d, 0xd8, 0xae, 0xee, 0x34, 0xdd, 0x31, 0xe3, 0xe9, 0x5c, 0xb3, 0xb6, 0x5a, 0xa7, 0xdb, - 0x30, 0xdf, 0x1d, 0x9f, 0x96, 0xe1, 0x14, 0xe9, 0x1e, 0x34, 0x5c, 0x2f, 0x3c, 0x45, 0x57, 0xcc, - 0x8b, 0xfb, 0x01, 0xe3, 0x42, 0x67, 0x5b, 0x4a, 0x4b, 0xe5, 0xbe, 0x27, 0xe4, 0x4a, 0x0d, 0x57, - 0x34, 0x45, 0xb7, 0xa0, 0xf1, 0x75, 0x34, 0x0c, 0x05, 0x59, 0x87, 0x46, 0x4f, 0x7e, 0x68, 0x4d, - 
0x45, 0xd0, 0xef, 0xe1, 0x36, 0x2e, 0x67, 0xee, 0x94, 0xef, 0x8f, 0x8e, 0xbd, 0x33, 0x96, 0x66, - 0xfa, 0x6d, 0x68, 0xc4, 0xd2, 0x3d, 0x2a, 0x2e, 0x3a, 0x0b, 0x32, 0xfb, 0x30, 0x1e, 0x57, 0xf1, - 0xa5, 0xe5, 0x50, 0x2a, 0xe8, 0x04, 0x57, 0x04, 0xfd, 0x5b, 0x15, 0x96, 0xd0, 0xb4, 0x36, 0x47, - 0xbe, 0x82, 0xa5, 0x5e, 0x86, 0xd6, 0xc9, 0x7c, 0x53, 0x9a, 0xcb, 0xca, 0x65, 0xb3, 0x38, 0xa7, - 0x60, 0x7f, 0x91, 0x4b, 0x66, 0x02, 0x73, 0xd2, 0x91, 0x3e, 0x2b, 0xfc, 0x1e, 0xef, 0xb1, 0x96, - 0xdd, 0x63, 0x07, 0xb6, 0xd0, 0x41, 0xb6, 0xe4, 0xf1, 0xfd, 0xd1, 0x51, 0x27, 0xd9, 0xa1, 0xac, - 0x5c, 0x03, 0x5d, 0xdd, 0x6a, 0xc1, 0x60, 0xbc, 0xe3, 0x9a, 0x79, 0xc7, 0xf4, 0xef, 0x55, 0xb8, - 0x83, 0x26, 0x8f, 0xc2, 0xf3, 0x8f, 0x2f, 0x11, 0x36, 0x34, 0xdf, 0x44, 0x5c, 0xe0, 0x6e, 0x54, - 0x5d, 0x4b, 0xe9, 0x71, 0x28, 0xf5, 0x92, 0x50, 0xba, 0x40, 0x30, 0x92, 0x17, 0xb1, 0xcf, 0xe2, - 0xd4, 0xf5, 0x26, 0x2c, 0x78, 0x3d, 0xdc, 0x7d, 0xea, 0x75, 0xcc, 0x98, 0xbd, 0xbf, 0x27, 0xb0, - 0x8e, 0x46, 0x1f, 0x7f, 0xdb, 0x3e, 0xee, 0x32, 0x91, 0x9a, 0x6d, 0xc1, 0xfc, 0x45, 0x10, 0xfa, - 0xd1, 0x85, 0xb6, 0xa9, 0xa9, 0xf2, 0x22, 0x47, 0xef, 0xc3, 0xba, 0x36, 0x72, 0xf0, 0x2e, 0xe0, - 0x63, 0x4b, 0x19, 0x8d, 0x6a, 0x5e, 0xa3, 0x03, 0xdb, 0x9d, 0x98, 0x9d, 0x07, 0xd1, 0x90, 0x67, - 0x92, 0x32, 0xaf, 0x5d, 0x56, 0xc8, 0xd6, 0xa1, 0x11, 0xb3, 0xd3, 0xa3, 0x76, 0x72, 0xff, 0x48, - 0xc8, 0x17, 0xa6, 0xd4, 0xa5, 0x1e, 0xc3, 0x2f, 0xd4, 0x6b, 0xba, 0x9a, 0xa2, 0xdf, 0xc0, 0xd6, - 0x73, 0x2f, 0x7e, 0x9b, 0xf1, 0xe7, 0x26, 0xd5, 0x23, 0x75, 0x68, 0x2c, 0x70, 0x04, 0xe6, 0x7a, - 0x91, 0xcf, 0xb4, 0x3f, 0xfc, 0xa6, 0x6f, 0x61, 0xe3, 0x91, 0xef, 0xe7, 0x6c, 0x29, 0x23, 0xab, - 0x50, 0xf7, 0x59, 0x9c, 0x74, 0x51, 0x9f, 0xc5, 0xe6, 0x78, 0xa5, 0x51, 0x59, 0x61, 0xf0, 0xca, - 0x97, 0x5c, 0xfc, 0x96, 0x01, 0x04, 0x9c, 0x0f, 0xd3, 0x42, 0xa9, 0x29, 0x7a, 0x1f, 0x5a, 0x45, - 0x67, 0xba, 0x2e, 0xc9, 0x33, 0x0a, 0x4e, 0x93, 0x52, 0x21, 0xcf, 0x08, 0x29, 0xfa, 0x00, 0x3e, - 0x51, 0x9b, 0xcb, 0x27, 0xed, 0xfe, 
0xa8, 0x8d, 0x67, 0x38, 0xe3, 0x88, 0xe9, 0x9f, 0xe1, 0xee, - 0x74, 0x75, 0xed, 0x7e, 0x13, 0x16, 0x5e, 0x07, 0xa1, 0xd7, 0x0f, 0x2e, 0x59, 0x82, 0x2b, 0xc6, - 0x0c, 0x79, 0xfd, 0x03, 0x85, 0x0b, 0xf4, 0xd6, 0x13, 0x92, 0x76, 0x60, 0x09, 0x53, 0x39, 0xfb, - 0x36, 0x33, 0xc0, 0x84, 0xdc, 0x87, 0x6b, 0x43, 0xce, 0x4e, 0x9c, 0xbc, 0x7b, 0xb4, 0xd2, 0x74, - 0x4d, 0x4b, 0xf4, 0x19, 0xd0, 0xa4, 0x95, 0xa3, 0x65, 0xf3, 0x63, 0x2d, 0xfa, 0x69, 0xc1, 0xbc, - 0xd7, 0xeb, 0x89, 0xf4, 0x6e, 0x34, 0x45, 0x47, 0x70, 0xfd, 0x90, 0xa9, 0xd7, 0xf6, 0x38, 0x8a, - 0x73, 0x85, 0x72, 0xac, 0x52, 0xcd, 0xaa, 0x98, 0xeb, 0x63, 0xd9, 0x46, 0xea, 0xe5, 0x1b, 0xf9, - 0x67, 0x15, 0xac, 0x43, 0x26, 0x7e, 0x36, 0x3c, 0x22, 0xdb, 0x74, 0xcc, 0x7e, 0x1c, 0x06, 0xb1, - 0x8e, 0xe5, 0x92, 0x63, 0xf6, 0x35, 0xdd, 0x22, 0x9b, 0xfe, 0xa3, 0x0a, 0xcb, 0x05, 0xd0, 0xf2, - 0xeb, 0x04, 0x54, 0xa8, 0x3a, 0xbf, 0x25, 0x8b, 0xcc, 0x14, 0xbc, 0x82, 0xb2, 0xff, 0x7f, 0xbc, - 0xf2, 0x0c, 0x6e, 0x3f, 0xf2, 0x7d, 0x13, 0x06, 0x4d, 0x4f, 0xee, 0xb3, 0x7c, 0xa0, 0xd3, 0xac, - 0xdd, 0x85, 0xd5, 0x02, 0xea, 0xc5, 0x63, 0x0b, 0xfc, 0xa4, 0x8a, 0xc9, 0x4f, 0x4a, 0x27, 0xa4, - 0x9c, 0x09, 0x7c, 0xfd, 0x29, 0xac, 0xe5, 0x64, 0x9c, 0x82, 0xa9, 0xba, 0x32, 0x75, 0x09, 0x96, - 0x7a, 0x6d, 0x86, 0x72, 0x32, 0x05, 0x74, 0xc5, 0x0a, 0x09, 0xe9, 0xcc, 0x55, 0x94, 0x2c, 0x2b, - 0x12, 0x53, 0xe9, 0x0b, 0xc6, 0x6f, 0xd9, 0x7a, 0xe2, 0x04, 0xdc, 0xcc, 0x61, 0xb9, 0x49, 0x69, - 0xfa, 0xd7, 0x1a, 0x6c, 0x3e, 0xd6, 0x2f, 0xd6, 0x88, 0xde, 0x0d, 0x4f, 0x46, 0xa3, 0xbd, 0x5a, - 0x0e, 0xed, 0x59, 0x70, 0x85, 0x21, 0xe4, 0xe1, 0xda, 0x77, 0x42, 0x62, 0x9b, 0x12, 0x82, 0x9d, - 0x0d, 0x12, 0x04, 0xb8, 0xe0, 0x8e, 0x19, 0xa4, 0x0d, 0x6b, 0xd8, 0x5d, 0xb5, 0xd3, 0x5e, 0x14, - 0xfb, 0xdc, 0x6a, 0xe0, 0x25, 0xb5, 0xd4, 0x25, 0x9d, 0x14, 0x96, 0xdd, 0x49, 0x05, 0xf2, 0x10, - 0x56, 0xc6, 0xcc, 0x83, 0x38, 0x8e, 0x62, 0x44, 0x88, 0x8b, 0xce, 0xba, 0xb2, 0xd1, 0x89, 0xa3, - 0x1f, 0xfa, 0xec, 0xac, 0xcd, 0x84, 0x17, 0xf4, 0xb9, 0x5b, 0x14, 0x76, 
0xfe, 0x7b, 0x03, 0x56, - 0xbb, 0x22, 0x8a, 0xbd, 0xd3, 0xe4, 0x14, 0xc4, 0x88, 0xec, 0xc1, 0xca, 0x21, 0xcb, 0x01, 0x0a, - 0x42, 0xb0, 0x8b, 0xe6, 0x1e, 0x9b, 0x4d, 0x94, 0x8b, 0x2c, 0x97, 0x56, 0xc8, 0xef, 0x60, 0xbd, - 0xa0, 0xbc, 0x3f, 0x92, 0x53, 0xd6, 0xb2, 0xb4, 0x30, 0x9e, 0xba, 0x4a, 0xb4, 0x1f, 0xc2, 0x6a, - 0xb1, 0x08, 0x90, 0x6b, 0x13, 0x8f, 0xeb, 0xa8, 0x6d, 0x9b, 0x12, 0x99, 0x56, 0xc8, 0x77, 0x58, - 0xc0, 0x4c, 0x2f, 0x82, 0xe0, 0x60, 0x31, 0x7d, 0x64, 0x2b, 0xb3, 0x7a, 0x02, 0x2d, 0xf3, 0xbc, - 0x44, 0xee, 0x68, 0xa3, 0xe5, 0xb3, 0x94, 0x7d, 0xbd, 0x64, 0xa0, 0xa1, 0x15, 0xf2, 0x2b, 0x58, - 0x3e, 0x64, 0x59, 0x74, 0x4a, 0x40, 0x0a, 0x2b, 0xc4, 0x6c, 0xaf, 0xa9, 0x60, 0x32, 0xcb, 0xb4, - 0x42, 0xf6, 0xf0, 0x78, 0x27, 0x87, 0x94, 0xac, 0xe2, 0x06, 0xa2, 0xce, 0xa2, 0x08, 0xad, 0x90, - 0x2e, 0x58, 0x65, 0x78, 0x98, 0x7c, 0x92, 0x42, 0xd5, 0x72, 0xb4, 0x6c, 0xaf, 0x16, 0xf1, 0x2c, - 0xad, 0x90, 0xef, 0x35, 0x00, 0xcd, 0xab, 0x1d, 0xbc, 0xf3, 0x7a, 0xe2, 0x23, 0x2d, 0x3f, 0x81, - 0x96, 0x19, 0xda, 0xaa, 0x63, 0x9f, 0x0a, 0x7b, 0xed, 0x85, 0x54, 0x84, 0x56, 0xc8, 0x73, 0xb8, - 0x59, 0x22, 0x8d, 0x18, 0xff, 0xa7, 0x9a, 0x7b, 0x00, 0x36, 0x7e, 0x1a, 0x2b, 0xaf, 0xf1, 0xad, - 0xe4, 0xd4, 0x1d, 0x58, 0xcc, 0xa0, 0x5a, 0xd2, 0x4a, 0xd7, 0x72, 0x30, 0x37, 0xaf, 0xd3, 0xd1, - 0x2e, 0x8d, 0x98, 0x9c, 0x7c, 0x9a, 0x8a, 0x4e, 0xc3, 0xec, 0x79, 0x8b, 0x5f, 0xc0, 0xd5, 0x1c, - 0x0c, 0x26, 0x56, 0xba, 0x5a, 0x40, 0xc6, 0x79, 0xbd, 0x2f, 0xe1, 0x6a, 0x0e, 0xf4, 0x2a, 0x3d, - 0x13, 0x0e, 0xb6, 0x31, 0x29, 0x15, 0x8b, 0x56, 0xc8, 0x0b, 0xb8, 0x51, 0x8a, 0x7d, 0xc9, 0x5d, - 0x29, 0x3a, 0x0b, 0x1a, 0x17, 0x0c, 0xfe, 0x1e, 0xd6, 0x8a, 0xc5, 0xc2, 0x21, 0xeb, 0x86, 0x6a, - 0xe1, 0x94, 0x3d, 0xec, 0x27, 0x40, 0x26, 0x30, 0x87, 0x43, 0x36, 0xf5, 0xa3, 0x36, 0x1f, 0x22, - 0x99, 0xec, 0xf5, 0xb4, 0x42, 0x5e, 0x22, 0x7a, 0x31, 0x25, 0x84, 0xf3, 0x31, 0x95, 0xe7, 0xa1, - 0x4e, 0x5c, 0x63, 0xa6, 0x39, 0xb3, 0x53, 0xed, 0x4f, 0xb0, 0x39, 0x05, 0x1e, 0x3a, 0xe4, 0x5e, - 0xb6, 0x7e, 
0x95, 0x03, 0xc8, 0x92, 0x4d, 0x7f, 0xab, 0xa3, 0x33, 0x26, 0x9d, 0xf3, 0x41, 0x59, - 0xe9, 0x62, 0x01, 0x3f, 0x31, 0x99, 0x7b, 0x8f, 0x5a, 0x6b, 0x0e, 0x73, 0x0f, 0x56, 0x8e, 0xd9, - 0x45, 0xa1, 0x9f, 0x4d, 0x74, 0x9f, 0x92, 0x8e, 0xf4, 0x25, 0x10, 0xf5, 0x73, 0xcd, 0x4c, 0xfd, - 0x45, 0xc5, 0x3b, 0x38, 0x1b, 0x88, 0x11, 0xad, 0x90, 0x03, 0xb8, 0x7e, 0xcc, 0x2e, 0x8c, 0xad, - 0xc8, 0x74, 0xd9, 0x65, 0x19, 0xb0, 0x07, 0x1b, 0x46, 0x9c, 0x62, 0x36, 0x52, 0x88, 0xe1, 0x29, - 0xb4, 0xcc, 0xa3, 0x9f, 0x3a, 0xcc, 0xa9, 0x63, 0x61, 0xd1, 0xd6, 0x11, 0x2c, 0xe7, 0x87, 0x31, - 0x72, 0x03, 0x4f, 0xdb, 0x34, 0x0d, 0xda, 0xb6, 0x69, 0x49, 0x43, 0xaf, 0x0a, 0xe1, 0xb0, 0x39, - 0x6d, 0xcc, 0x22, 0xbf, 0x50, 0x69, 0x3d, 0x73, 0x8e, 0xb3, 0x77, 0x66, 0x0b, 0xa6, 0x4e, 0xf7, - 0xa0, 0xd5, 0x66, 0x5e, 0x4f, 0x04, 0xe7, 0x93, 0x97, 0x39, 0xf9, 0x8a, 0x0a, 0x9b, 0x7f, 0x00, - 0xd7, 0xc7, 0xca, 0xef, 0x01, 0x4f, 0x0a, 0xea, 0xf7, 0xa0, 0x79, 0xcc, 0x2e, 0xf0, 0x7d, 0x11, - 0xbd, 0x84, 0x84, 0x9d, 0x25, 0x68, 0x85, 0xdc, 0x07, 0xd2, 0xd5, 0xf3, 0x57, 0x27, 0x8e, 0x7a, - 0x8c, 0xf3, 0x20, 0x3c, 0x35, 0x6a, 0x24, 0x96, 0x7f, 0x09, 0x57, 0x13, 0x0d, 0x44, 0x74, 0xb3, - 0x84, 0x93, 0x5c, 0x2a, 0x8f, 0x65, 0x2c, 0xdc, 0x4c, 0x66, 0x41, 0x82, 0xdd, 0x39, 0x3b, 0xb9, - 0x16, 0x03, 0xff, 0x23, 0xdc, 0x9c, 0x52, 0x45, 0x3e, 0xb2, 0xcc, 0x28, 0x50, 0x98, 0x9b, 0x4a, - 0xc9, 0x4d, 0x6d, 0xd1, 0x34, 0xab, 0x16, 0x83, 0x3b, 0x9c, 0xec, 0x13, 0xfc, 0x83, 0x8a, 0xfc, - 0x2b, 0xb0, 0xca, 0xe6, 0x2d, 0x85, 0x72, 0x66, 0x4c, 0x63, 0xb6, 0xa9, 0x39, 0xe9, 0x4e, 0x36, - 0x31, 0x09, 0xa9, 0x08, 0xcb, 0x06, 0xa4, 0xe2, 0x6d, 0xb9, 0x40, 0x8e, 0xd9, 0x45, 0xb1, 0x64, - 0xbe, 0x57, 0x50, 0x1b, 0x13, 0x41, 0x39, 0x2a, 0xaa, 0x23, 0x68, 0x19, 0x4b, 0x8f, 0x43, 0xb6, - 0xb1, 0xe5, 0x4f, 0x19, 0x9f, 0x8a, 0xe1, 0x7d, 0x05, 0x56, 0xc9, 0xfb, 0x29, 0xeb, 0xd8, 0x05, - 0x03, 0xaf, 0x60, 0x6b, 0xda, 0x3b, 0x77, 0xde, 0xbf, 0x66, 0xe4, 0x0d, 0xef, 0x5f, 0xf9, 0x43, - 0x03, 0xff, 0x36, 0xfa, 0x5f, 0x00, 0x00, 0x00, 
0xff, 0xff, 0x45, 0x48, 0xab, 0xa8, 0x65, 0x1a, - 0x00, 0x00, + 0x32, 0xf5, 0xb9, 0x33, 0xed, 0x13, 0x74, 0xfa, 0xb1, 0xef, 0xd0, 0x6f, 0x7d, 0x89, 0xbe, 0x52, + 0xe7, 0xf6, 0x0e, 0x20, 0x00, 0x1e, 0x48, 0x27, 0xee, 0xf4, 0x1b, 0x76, 0x6f, 0xff, 0xdd, 0xdd, + 0xee, 0xde, 0x6f, 0x49, 0x58, 0xe7, 0xde, 0xa7, 0xa3, 0x38, 0x12, 0xd1, 0xa7, 0xdc, 0xdb, 0xc5, + 0x0f, 0x52, 0xe3, 0x9e, 0xbd, 0x39, 0x88, 0x62, 0xa6, 0x17, 0xe4, 0xa7, 0x5a, 0xa2, 0x1d, 0x58, + 0x71, 0xd9, 0x69, 0xc0, 0x45, 0xec, 0x89, 0x20, 0x0a, 0x8f, 0xba, 0x64, 0x05, 0x6a, 0x81, 0x6f, + 0x55, 0x3b, 0xd5, 0x9d, 0xba, 0x5b, 0x0b, 0x7c, 0x7a, 0x07, 0xe0, 0xab, 0xfe, 0x8b, 0xe3, 0x57, + 0xec, 0xfb, 0xdf, 0xb1, 0x09, 0x59, 0x83, 0xfa, 0x9f, 0x2f, 0xde, 0xe2, 0xf2, 0xb2, 0x2b, 0x3f, + 0xe9, 0x3d, 0x58, 0x7d, 0x32, 0x16, 0x6f, 0xa2, 0x38, 0xb8, 0x9c, 0x35, 0xd1, 0x42, 0x13, 0xff, + 0xae, 0xc2, 0x9d, 0x43, 0x26, 0x7a, 0x2c, 0xf4, 0x83, 0xf0, 0x34, 0x27, 0xed, 0xb2, 0x1f, 0xc6, + 0x8c, 0x0b, 0xf2, 0x00, 0x56, 0xe2, 0x5c, 0x1c, 0x3a, 0x82, 0x02, 0x57, 0xca, 0x05, 0x3e, 0x0b, + 0x45, 0xf0, 0x3a, 0x60, 0xf1, 0xb7, 0x93, 0x11, 0xb3, 0x6a, 0xe8, 0xa6, 0xc0, 0x25, 0x3b, 0xb0, + 0x3a, 0xe5, 0x9c, 0x78, 0xc3, 0x31, 0xb3, 0xea, 0x28, 0x58, 0x64, 0x93, 0x3b, 0x00, 0xe7, 0xde, + 0x30, 0xf0, 0x5f, 0x86, 0x22, 0x18, 0x5a, 0x57, 0xd0, 0x6b, 0x86, 0x43, 0x39, 0x6c, 0x1f, 0x32, + 0x71, 0x22, 0x19, 0xb9, 0xc8, 0xf9, 0x8f, 0x0d, 0xdd, 0x82, 0x6b, 0x7e, 0x74, 0xe6, 0x05, 0x21, + 0xb7, 0x6a, 0x9d, 0xfa, 0x4e, 0xcb, 0x4d, 0x48, 0x79, 0xa8, 0x61, 0x74, 0x81, 0x01, 0xd6, 0x5d, + 0xf9, 0x49, 0xff, 0x59, 0x85, 0x1b, 0x06, 0x97, 0xe4, 0xd7, 0xd0, 0xc0, 0xd0, 0xac, 0x6a, 0xa7, + 0xbe, 0xb3, 0xe4, 0xd0, 0x5d, 0xee, 0xed, 0x1a, 0xe4, 0x76, 0xbf, 0xf6, 0x46, 0x07, 0x43, 0x76, + 0xc6, 0x42, 0xe1, 0x2a, 0x05, 0xfb, 0x05, 0xc0, 0x94, 0x49, 0xda, 0x70, 0x55, 0x39, 0xd7, 0xb7, + 0xa4, 0x29, 0xf2, 0x09, 0x34, 0xbc, 0xb1, 0x78, 0x73, 0x89, 0xa7, 0xba, 0xe4, 0xdc, 0xd8, 0xc5, + 0x54, 0xc9, 0xdf, 0x98, 0x92, 0xa0, 0xff, 0xa9, 0xc1, 0xfa, 0x97, 0x2c, 
0x96, 0x47, 0x39, 0xf0, + 0x04, 0xeb, 0x0b, 0x4f, 0x8c, 0xb9, 0x34, 0xcc, 0x59, 0x1c, 0x78, 0xc3, 0xc4, 0xb0, 0xa2, 0x90, + 0x8f, 0x12, 0xfa, 0x1a, 0x34, 0x25, 0xef, 0x29, 0x1a, 0xf0, 0xd1, 0x73, 0x8f, 0x8b, 0x97, 0x23, + 0xdf, 0x13, 0xcc, 0xd7, 0x57, 0x50, 0x64, 0x93, 0x0e, 0x2c, 0xc5, 0xec, 0x3c, 0x7a, 0xcb, 0xfc, + 0xae, 0x27, 0x98, 0xd5, 0x40, 0xa9, 0x2c, 0x8b, 0xdc, 0x87, 0xeb, 0x9a, 0x74, 0x99, 0xc7, 0xa3, + 0xd0, 0xba, 0x8a, 0x32, 0x79, 0x26, 0xf9, 0x15, 0x6c, 0x0e, 0x3d, 0x2e, 0x0e, 0xde, 0x8d, 0x02, + 0x75, 0x35, 0xc7, 0xde, 0x69, 0x9f, 0x85, 0xc2, 0xba, 0x86, 0xd2, 0xe6, 0x45, 0x42, 0x61, 0x59, + 0x06, 0xe4, 0x32, 0x3e, 0x8a, 0x42, 0xce, 0xac, 0x26, 0x16, 0x40, 0x8e, 0x47, 0x6c, 0x68, 0x86, + 0x91, 0x78, 0xf2, 0x5a, 0xb0, 0xd8, 0x6a, 0xa1, 0xb1, 0x94, 0x26, 0x5b, 0xd0, 0x0a, 0x38, 0x9a, + 0x65, 0xbe, 0x05, 0x9d, 0xea, 0x4e, 0xd3, 0x9d, 0x32, 0xbe, 0xba, 0xd2, 0xac, 0xad, 0xd5, 0x69, + 0x07, 0xae, 0xf6, 0xa7, 0xa7, 0x65, 0x38, 0x45, 0xba, 0x07, 0x0d, 0xd7, 0x0b, 0x4f, 0xd1, 0x15, + 0xf3, 0xe2, 0x61, 0xc0, 0xb8, 0xd0, 0xd9, 0x96, 0xd2, 0x52, 0x79, 0xe8, 0x09, 0xb9, 0x52, 0xc3, + 0x15, 0x4d, 0xd1, 0x6d, 0x68, 0x7c, 0x19, 0x8d, 0x43, 0x41, 0x36, 0xa0, 0x31, 0x90, 0x1f, 0x5a, + 0x53, 0x11, 0xf4, 0x3b, 0xb8, 0x8b, 0xcb, 0x99, 0x3b, 0xe5, 0xfb, 0x93, 0x63, 0xef, 0x8c, 0xa5, + 0x99, 0x7e, 0x17, 0x1a, 0xb1, 0x74, 0x8f, 0x8a, 0x4b, 0x4e, 0x4b, 0x66, 0x1f, 0xc6, 0xe3, 0x2a, + 0xbe, 0xb4, 0x1c, 0x4a, 0x05, 0x9d, 0xe0, 0x8a, 0xa0, 0x7f, 0xad, 0xc2, 0x32, 0x9a, 0xd6, 0xe6, + 0xc8, 0x17, 0xb0, 0x3c, 0xc8, 0xd0, 0x3a, 0x99, 0x6f, 0x4b, 0x73, 0x59, 0xb9, 0x6c, 0x16, 0xe7, + 0x14, 0xec, 0xcf, 0x72, 0xc9, 0x4c, 0xe0, 0x8a, 0x74, 0xa4, 0xcf, 0x0a, 0xbf, 0xa7, 0x7b, 0xac, + 0x65, 0xf7, 0xd8, 0x83, 0x6d, 0x74, 0x90, 0x6d, 0x79, 0x7c, 0x7f, 0x72, 0xd4, 0x4b, 0x76, 0x28, + 0x3b, 0xd7, 0x48, 0x77, 0xb7, 0x5a, 0x30, 0x9a, 0xee, 0xb8, 0x66, 0xde, 0x31, 0xfd, 0x5b, 0x15, + 0xee, 0xa1, 0xc9, 0xa3, 0xf0, 0xfc, 0xc3, 0x5b, 0x84, 0x0d, 0xcd, 0x37, 0x11, 0x17, 0xb8, 0x1b, + 0xd5, 0xd7, 
0x52, 0x7a, 0x1a, 0x4a, 0xbd, 0x24, 0x94, 0x3e, 0x10, 0x8c, 0xe4, 0x45, 0xec, 0xb3, + 0x38, 0x75, 0xbd, 0x05, 0x2d, 0x6f, 0x80, 0xbb, 0x4f, 0xbd, 0x4e, 0x19, 0x8b, 0xf7, 0xf7, 0x0c, + 0x36, 0xd0, 0xe8, 0xd3, 0x6f, 0xba, 0xc7, 0x7d, 0x26, 0x52, 0xb3, 0x6d, 0xb8, 0x7a, 0x11, 0x84, + 0x7e, 0x74, 0xa1, 0x6d, 0x6a, 0xaa, 0xbc, 0xc9, 0xd1, 0x87, 0xb0, 0xa1, 0x8d, 0x1c, 0xbc, 0x0b, + 0xf8, 0xd4, 0x52, 0x46, 0xa3, 0x9a, 0xd7, 0xe8, 0x41, 0xa7, 0x17, 0xb3, 0xf3, 0x20, 0x1a, 0xf3, + 0x4c, 0x52, 0xe6, 0xb5, 0xcb, 0x1a, 0xd9, 0x06, 0x34, 0x62, 0x76, 0x7a, 0xd4, 0x4d, 0xee, 0x1f, + 0x09, 0x59, 0x61, 0x4a, 0x5d, 0xea, 0x31, 0xfc, 0x42, 0xbd, 0xa6, 0xab, 0x29, 0xfa, 0x16, 0x36, + 0x9f, 0xf8, 0x7e, 0xc6, 0x5d, 0xe2, 0x68, 0x0d, 0xea, 0x3e, 0x8b, 0x93, 0x87, 0xcf, 0x67, 0xb1, + 0xd9, 0x85, 0x4c, 0x46, 0xd9, 0x14, 0xf0, 0x96, 0x96, 0x5d, 0xfc, 0x96, 0xce, 0x02, 0xce, 0xc7, + 0x69, 0x6f, 0xd3, 0x14, 0x7d, 0x08, 0xed, 0xa2, 0x33, 0xdd, 0x4a, 0xe4, 0xb6, 0x82, 0xd3, 0xa4, + 0xba, 0xe5, 0xb6, 0x90, 0xa2, 0x8f, 0xe0, 0x23, 0x17, 0xbb, 0x59, 0x3e, 0xcf, 0xf6, 0x27, 0x5d, + 0xdc, 0xf6, 0x82, 0x53, 0xa1, 0x7f, 0x82, 0xfb, 0xf3, 0xd5, 0xb5, 0xfb, 0x2d, 0x68, 0xbd, 0x0e, + 0x42, 0x6f, 0x18, 0x5c, 0xb2, 0x04, 0x0a, 0x4c, 0x19, 0xf2, 0xc6, 0x46, 0xea, 0x29, 0xd7, 0x5b, + 0x4f, 0x48, 0xda, 0x83, 0x65, 0xcc, 0xbe, 0x6c, 0x39, 0x65, 0xb0, 0x04, 0x79, 0x08, 0x37, 0xc6, + 0x9c, 0x9d, 0x38, 0x79, 0xf7, 0x68, 0xa5, 0xe9, 0x9a, 0x96, 0xe8, 0x73, 0xa0, 0xc9, 0xeb, 0x8b, + 0x96, 0xcd, 0xf5, 0x55, 0xf4, 0xd3, 0x86, 0xab, 0xde, 0x60, 0x20, 0xd2, 0xbb, 0xd1, 0x14, 0x9d, + 0xc0, 0xcd, 0x43, 0xa6, 0x0a, 0xe4, 0x69, 0x14, 0xe7, 0x7a, 0xdb, 0x54, 0xa5, 0x9a, 0x55, 0x31, + 0xb7, 0xb4, 0xb2, 0x8d, 0xd4, 0xcb, 0x37, 0xf2, 0x8f, 0x2a, 0x58, 0x87, 0x4c, 0xfc, 0xdf, 0x20, + 0x84, 0x7c, 0x59, 0x63, 0xf6, 0xc3, 0x38, 0x88, 0x75, 0x2c, 0x97, 0x1c, 0xb3, 0xaf, 0xe9, 0x16, + 0xd9, 0xf4, 0xef, 0x55, 0x58, 0x29, 0xe0, 0x8c, 0x5f, 0x26, 0x38, 0x40, 0xb5, 0xe6, 0x6d, 0xd9, + 0x17, 0xe6, 0x40, 0x0c, 0x94, 0xfd, 0xdf, 0x43, 
0x8c, 0xe7, 0x70, 0xf7, 0x89, 0xef, 0x9b, 0x60, + 0x63, 0x7a, 0x72, 0x9f, 0xe4, 0x03, 0x9d, 0x67, 0xed, 0x3e, 0xac, 0x15, 0x80, 0x2a, 0x1e, 0x5b, + 0xe0, 0x27, 0x8d, 0x47, 0x7e, 0x52, 0x3a, 0x23, 0xe5, 0xcc, 0x40, 0xe2, 0x8f, 0x61, 0x3d, 0x27, + 0xe3, 0x14, 0x4c, 0xd5, 0x95, 0xa9, 0x4b, 0xb0, 0x54, 0xb5, 0x19, 0xda, 0xc9, 0x1c, 0x9c, 0x14, + 0x2b, 0xf0, 0xa2, 0x33, 0x57, 0x51, 0xb2, 0xad, 0x48, 0x18, 0xa4, 0x2f, 0x18, 0xbf, 0xe5, 0x6b, + 0x11, 0x27, 0x78, 0xe4, 0x0a, 0xb6, 0x9b, 0x94, 0xa6, 0x7f, 0xa9, 0xc1, 0xd6, 0x53, 0x5d, 0xb1, + 0x46, 0xc0, 0x6d, 0x28, 0x19, 0x0d, 0xd0, 0x6a, 0x39, 0x80, 0x66, 0xc1, 0x35, 0x86, 0x28, 0x85, + 0x6b, 0xdf, 0x09, 0x89, 0x2f, 0x8b, 0x10, 0xec, 0x6c, 0x94, 0x80, 0xb6, 0x96, 0x3b, 0x65, 0x90, + 0x2e, 0xac, 0xe3, 0x83, 0xa8, 0x9d, 0x0e, 0xa2, 0xd8, 0xe7, 0x56, 0x03, 0x2f, 0xa9, 0xad, 0x2e, + 0xe9, 0xa4, 0xb0, 0xec, 0xce, 0x2a, 0x90, 0xc7, 0xb0, 0x3a, 0x65, 0x1e, 0xc4, 0x71, 0x14, 0x23, + 0xa8, 0x5b, 0x72, 0x36, 0x94, 0x8d, 0x5e, 0x1c, 0x7d, 0x3f, 0x64, 0x67, 0x5d, 0x26, 0xbc, 0x60, + 0xc8, 0xdd, 0xa2, 0xb0, 0xf3, 0xaf, 0x5b, 0xb0, 0xd6, 0x17, 0x51, 0xec, 0x9d, 0x26, 0xa7, 0x20, + 0x26, 0x64, 0x0f, 0x56, 0x0f, 0x59, 0x0e, 0x03, 0x10, 0x82, 0x0f, 0x5f, 0xae, 0xd8, 0x6c, 0xa2, + 0x5c, 0x64, 0xb9, 0xb4, 0x42, 0x7e, 0x03, 0x1b, 0x05, 0xe5, 0xfd, 0x89, 0x1c, 0x8c, 0x56, 0xa4, + 0x85, 0xe9, 0xa0, 0x54, 0xa2, 0xfd, 0x18, 0xd6, 0x8a, 0x4d, 0x80, 0xdc, 0x98, 0x29, 0xae, 0xa3, + 0xae, 0x6d, 0x4a, 0x64, 0x5a, 0x21, 0xdf, 0x62, 0x03, 0x33, 0x55, 0x04, 0xc1, 0x59, 0x60, 0xfe, + 0x94, 0x55, 0x66, 0xf5, 0x04, 0xda, 0xe6, 0x11, 0x87, 0xdc, 0xd3, 0x46, 0xcb, 0xc7, 0x1f, 0xfb, + 0x66, 0xc9, 0x0c, 0x42, 0x2b, 0xe4, 0x17, 0xb0, 0x72, 0xc8, 0xb2, 0x80, 0x92, 0x80, 0x14, 0x56, + 0x20, 0xd7, 0x5e, 0x57, 0xc1, 0x64, 0x96, 0x69, 0x85, 0xec, 0xe1, 0xf1, 0xce, 0xce, 0x15, 0x59, + 0xc5, 0x4d, 0x04, 0x8a, 0x45, 0x11, 0x5a, 0x21, 0x7d, 0xb0, 0xca, 0x20, 0x2c, 0xf9, 0x28, 0x45, + 0x97, 0xe5, 0x00, 0xd7, 0x5e, 0x2b, 0x42, 0x50, 0x5a, 0x21, 0xdf, 0x69, 0xcc, 0x98, 
0x57, 0x3b, + 0x78, 0xe7, 0x0d, 0xc4, 0x07, 0x5a, 0x7e, 0x06, 0x6d, 0x33, 0x1a, 0x55, 0xc7, 0x3e, 0x17, 0xa9, + 0xda, 0xad, 0x54, 0x84, 0x56, 0xc8, 0xd7, 0x70, 0xbb, 0x44, 0x1a, 0x61, 0xf9, 0x8f, 0x35, 0xf7, + 0x08, 0x6c, 0xfc, 0x34, 0x76, 0x5e, 0x63, 0xad, 0xe4, 0xd4, 0x1d, 0x58, 0xca, 0x00, 0x51, 0xd2, + 0x4e, 0xd7, 0x72, 0xc8, 0x34, 0xaf, 0xd3, 0xd3, 0x2e, 0x8d, 0x30, 0x9a, 0x7c, 0x9c, 0x8a, 0xce, + 0x83, 0xd9, 0x79, 0x8b, 0x9f, 0xc1, 0xf5, 0x1c, 0x72, 0x25, 0x56, 0xba, 0x5a, 0x00, 0xb3, 0x79, + 0xbd, 0xcf, 0xe1, 0x7a, 0x0e, 0xa7, 0x2a, 0x3d, 0x13, 0x74, 0xb5, 0x31, 0x29, 0x15, 0x8b, 0x56, + 0xc8, 0x0b, 0xb8, 0x55, 0x0a, 0x57, 0xc9, 0x7d, 0x29, 0xba, 0x08, 0xcd, 0x16, 0x0c, 0xfe, 0x16, + 0xd6, 0x8b, 0xcd, 0xc2, 0x21, 0x1b, 0x86, 0x6e, 0xe1, 0x94, 0x15, 0xf6, 0x33, 0x20, 0x33, 0x98, + 0xc3, 0x21, 0x5b, 0xba, 0xa8, 0xcd, 0x87, 0x48, 0x66, 0xdf, 0x7a, 0x5a, 0x21, 0x2f, 0x11, 0xbd, + 0x98, 0x12, 0xc2, 0xf9, 0x90, 0xce, 0xf3, 0x58, 0x27, 0xae, 0x31, 0xd3, 0x9c, 0xc5, 0xa9, 0xf6, + 0x47, 0xd8, 0x9a, 0x03, 0x0f, 0x1d, 0xf2, 0x20, 0xdb, 0xbf, 0xca, 0x01, 0x64, 0xc9, 0xa6, 0xbf, + 0xd1, 0xd1, 0x19, 0x93, 0xce, 0xf9, 0x49, 0x59, 0xe9, 0x62, 0x03, 0x3f, 0x31, 0x99, 0x7b, 0x8f, + 0x5e, 0x6b, 0x0e, 0x73, 0x0f, 0x56, 0x8f, 0xd9, 0x45, 0xe1, 0x3d, 0x9b, 0x79, 0x7d, 0x4a, 0x5e, + 0xa4, 0xcf, 0x81, 0xa8, 0x5f, 0x58, 0x16, 0xea, 0x2f, 0x29, 0xde, 0xc1, 0xd9, 0x48, 0x4c, 0x68, + 0x85, 0x1c, 0xc0, 0xcd, 0x63, 0x76, 0x61, 0x7c, 0x8a, 0x4c, 0x97, 0x5d, 0x96, 0x01, 0x7b, 0xb0, + 0x69, 0xc4, 0x29, 0x66, 0x23, 0x85, 0x18, 0x8e, 0x60, 0x25, 0x3f, 0x40, 0x91, 0x5b, 0x78, 0x42, + 0xa6, 0x09, 0xce, 0xb6, 0x4d, 0x4b, 0x1a, 0x2e, 0x55, 0x08, 0x87, 0xad, 0x79, 0xa3, 0x11, 0xf9, + 0x99, 0x4a, 0xc5, 0x85, 0xb3, 0x97, 0xbd, 0xb3, 0x58, 0x30, 0x75, 0xba, 0x07, 0xed, 0x2e, 0xf3, + 0x06, 0x22, 0x38, 0x9f, 0xbd, 0x80, 0xd9, 0xcc, 0x2f, 0x6c, 0xfe, 0x11, 0xdc, 0x9c, 0x2a, 0xbf, + 0x07, 0xa4, 0x28, 0xa8, 0x3f, 0x80, 0xe6, 0x31, 0xbb, 0xc0, 0x9a, 0x20, 0x7a, 0x09, 0x09, 0x3b, + 0x4b, 0xd0, 0x0a, 0x79, 
0x08, 0xa4, 0xaf, 0x67, 0xa6, 0x5e, 0x1c, 0x0d, 0x18, 0xe7, 0x41, 0x78, + 0x6a, 0xd4, 0x48, 0x2c, 0xff, 0x1c, 0xae, 0x27, 0x1a, 0x88, 0xc2, 0x16, 0x09, 0x27, 0xf7, 0x5f, + 0x1e, 0xcb, 0x54, 0xb8, 0x99, 0xcc, 0x6f, 0x04, 0x5f, 0xd4, 0xec, 0xb4, 0x59, 0x0c, 0xfc, 0x0f, + 0x70, 0x7b, 0x4e, 0xe5, 0x7f, 0x60, 0x6b, 0x50, 0x40, 0x2e, 0x37, 0x49, 0x92, 0xdb, 0xda, 0xa2, + 0x69, 0xbe, 0x2c, 0x06, 0x77, 0x38, 0xdb, 0xdb, 0xf9, 0x4f, 0x6a, 0xcc, 0xaf, 0xc0, 0x2a, 0x9b, + 0x91, 0x14, 0x32, 0x59, 0x30, 0x41, 0xd9, 0xa6, 0x07, 0x45, 0xbf, 0x3e, 0x33, 0xd3, 0x8b, 0x8a, + 0xb0, 0x6c, 0xa8, 0x29, 0xde, 0x96, 0x0b, 0xe4, 0x98, 0x5d, 0x14, 0xdb, 0xdc, 0x7b, 0x05, 0xb5, + 0x39, 0x13, 0x94, 0xa3, 0xa2, 0x3a, 0x82, 0xb6, 0xb1, 0x5d, 0x38, 0xa4, 0x83, 0xcf, 0xf4, 0x9c, + 0x91, 0xa7, 0x18, 0xde, 0x17, 0x60, 0x95, 0xd4, 0x4f, 0xd9, 0x2b, 0x5b, 0x30, 0xf0, 0x0a, 0xb6, + 0xe7, 0xd5, 0xb9, 0xf3, 0xfe, 0x3d, 0x23, 0x6f, 0x78, 0xff, 0xda, 0xef, 0x1b, 0xf8, 0xef, 0xcc, + 0x7f, 0x03, 0x00, 0x00, 0xff, 0xff, 0x4d, 0x98, 0x41, 0xa2, 0xcc, 0x19, 0x00, 0x00, } // Reference imports to suppress errors if they are not otherwise used. 
@@ -2076,7 +2025,6 @@ type StorageAuthorityClient interface { UpdateRegistration(ctx context.Context, in *proto1.Registration, opts ...grpc.CallOption) (*proto1.Empty, error) NewPendingAuthorization(ctx context.Context, in *proto1.Authorization, opts ...grpc.CallOption) (*proto1.Authorization, error) FinalizeAuthorization(ctx context.Context, in *proto1.Authorization, opts ...grpc.CallOption) (*proto1.Empty, error) - MarkCertificateRevoked(ctx context.Context, in *MarkCertificateRevokedRequest, opts ...grpc.CallOption) (*proto1.Empty, error) AddCertificate(ctx context.Context, in *AddCertificateRequest, opts ...grpc.CallOption) (*AddCertificateResponse, error) RevokeAuthorizationsByDomain(ctx context.Context, in *RevokeAuthorizationsByDomainRequest, opts ...grpc.CallOption) (*RevokeAuthorizationsByDomainResponse, error) DeactivateRegistration(ctx context.Context, in *RegistrationID, opts ...grpc.CallOption) (*proto1.Empty, error) @@ -2357,15 +2305,6 @@ func (c *storageAuthorityClient) FinalizeAuthorization(ctx context.Context, in * return out, nil } -func (c *storageAuthorityClient) MarkCertificateRevoked(ctx context.Context, in *MarkCertificateRevokedRequest, opts ...grpc.CallOption) (*proto1.Empty, error) { - out := new(proto1.Empty) - err := c.cc.Invoke(ctx, "/sa.StorageAuthority/MarkCertificateRevoked", in, out, opts...) - if err != nil { - return nil, err - } - return out, nil -} - func (c *storageAuthorityClient) AddCertificate(ctx context.Context, in *AddCertificateRequest, opts ...grpc.CallOption) (*AddCertificateResponse, error) { out := new(AddCertificateResponse) err := c.cc.Invoke(ctx, "/sa.StorageAuthority/AddCertificate", in, out, opts...) 
@@ -2562,7 +2501,6 @@ type StorageAuthorityServer interface { UpdateRegistration(context.Context, *proto1.Registration) (*proto1.Empty, error) NewPendingAuthorization(context.Context, *proto1.Authorization) (*proto1.Authorization, error) FinalizeAuthorization(context.Context, *proto1.Authorization) (*proto1.Empty, error) - MarkCertificateRevoked(context.Context, *MarkCertificateRevokedRequest) (*proto1.Empty, error) AddCertificate(context.Context, *AddCertificateRequest) (*AddCertificateResponse, error) RevokeAuthorizationsByDomain(context.Context, *RevokeAuthorizationsByDomainRequest) (*RevokeAuthorizationsByDomainResponse, error) DeactivateRegistration(context.Context, *RegistrationID) (*proto1.Empty, error) @@ -2671,9 +2609,6 @@ func (*UnimplementedStorageAuthorityServer) NewPendingAuthorization(ctx context. func (*UnimplementedStorageAuthorityServer) FinalizeAuthorization(ctx context.Context, req *proto1.Authorization) (*proto1.Empty, error) { return nil, status.Errorf(codes.Unimplemented, "method FinalizeAuthorization not implemented") } -func (*UnimplementedStorageAuthorityServer) MarkCertificateRevoked(ctx context.Context, req *MarkCertificateRevokedRequest) (*proto1.Empty, error) { - return nil, status.Errorf(codes.Unimplemented, "method MarkCertificateRevoked not implemented") -} func (*UnimplementedStorageAuthorityServer) AddCertificate(ctx context.Context, req *AddCertificateRequest) (*AddCertificateResponse, error) { return nil, status.Errorf(codes.Unimplemented, "method AddCertificate not implemented") } 
@@ -3237,24 +3172,6 @@ func _StorageAuthority_FinalizeAuthorization_Handler(srv interface{}, ctx contex return interceptor(ctx, in, info, handler) } -func _StorageAuthority_MarkCertificateRevoked_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { - in := new(MarkCertificateRevokedRequest) - if err := dec(in); err != nil { - return nil, err - } - if interceptor == nil { - return srv.(StorageAuthorityServer).MarkCertificateRevoked(ctx, in) - } - info := &grpc.UnaryServerInfo{ - Server: srv, - FullMethod: "/sa.StorageAuthority/MarkCertificateRevoked", - } - handler := func(ctx context.Context, req interface{}) (interface{}, error) { - return srv.(StorageAuthorityServer).MarkCertificateRevoked(ctx, req.(*MarkCertificateRevokedRequest)) - } - return interceptor(ctx, in, info, handler) -} - func _StorageAuthority_AddCertificate_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { in := new(AddCertificateRequest) if err := dec(in); err != nil { @@ -3695,10 +3612,6 @@ var _StorageAuthority_serviceDesc = grpc.ServiceDesc{ MethodName: "FinalizeAuthorization", Handler: _StorageAuthority_FinalizeAuthorization_Handler, }, - { - MethodName: "MarkCertificateRevoked", - Handler: _StorageAuthority_MarkCertificateRevoked_Handler, - }, { MethodName: "AddCertificate", Handler: _StorageAuthority_AddCertificate_Handler, diff --git a/sa/proto/sa.proto b/sa/proto/sa.proto index 024a0bbba..20ed2ff9d 100644 --- a/sa/proto/sa.proto +++ b/sa/proto/sa.proto 
@@ -38,7 +38,6 @@ service StorageAuthority {
 rpc UpdateRegistration(core.Registration) returns (core.Empty) {}
 rpc NewPendingAuthorization(core.Authorization) returns (core.Authorization) {}
 rpc FinalizeAuthorization(core.Authorization) returns (core.Empty) {}
- rpc MarkCertificateRevoked(MarkCertificateRevokedRequest) returns (core.Empty) {}
 rpc AddCertificate(AddCertificateRequest) returns (AddCertificateResponse) {}
 rpc RevokeAuthorizationsByDomain(RevokeAuthorizationsByDomainRequest) returns (RevokeAuthorizationsByDomainResponse) {}
 rpc DeactivateRegistration(RegistrationID) returns (core.Empty) {}
@@ -167,11 +166,6 @@ message Exists {
 optional bool exists = 1;
 }
-message MarkCertificateRevokedRequest {
- optional string serial = 1;
- optional int64 code = 2;
-}
-
 message AddCertificateRequest {
 optional bytes der = 1;
 optional int64 regID = 2;
diff --git a/sa/sa.go b/sa/sa.go
index a620b41f8..f094994ba 100644
--- a/sa/sa.go
+++ b/sa/sa.go
@@ -523,58 +523,6 @@ func (ssa *SQLStorageAuthority) NewRegistration(ctx context.Context, reg core.Re
 return modelToRegistration(rm)
 }
-// MarkCertificateRevoked stores the fact that a certificate is revoked, along
-// with a timestamp and a reason.
-// TODO(#4048): This method has been deprecated and replaced by RevokeCertificate.
-func (ssa *SQLStorageAuthority) MarkCertificateRevoked(ctx context.Context, serial string, reasonCode revocation.Reason) error {
- var err error
- if _, err = ssa.GetCertificate(ctx, serial); err != nil {
- return fmt.Errorf(
- "Unable to mark certificate %s revoked: cert not found.", serial)
- }
-
- if _, err = ssa.GetCertificateStatus(ctx, serial); err != nil {
- return fmt.Errorf(
- "Unable to mark certificate %s revoked: cert status not found.", serial)
- }
-
- tx, err := ssa.dbMap.Begin()
- if err != nil {
- return err
- }
- txWithCtx := tx.WithContext(ctx)
-
- const statusQuery = "WHERE serial = ?"
- statusObj, err := SelectCertificateStatus(txWithCtx, statusQuery, serial)
- if err == sql.ErrNoRows {
- err = fmt.Errorf("No certificate with serial %s", serial)
- err = Rollback(tx, err)
- return err
- }
- if err != nil {
- err = Rollback(tx, err)
- return err
- }
-
- var n int64
- now := ssa.clk.Now()
- statusObj.Status = core.OCSPStatusRevoked
- statusObj.RevokedDate = now
- statusObj.RevokedReason = reasonCode
- n, err = tx.Update(&statusObj)
- if err != nil {
- err = Rollback(tx, err)
- return err
- }
- if n == 0 {
- err = berrors.InternalServerError("no certificate updated")
- err = Rollback(tx, err)
- return err
- }
-
- return tx.Commit()
-}
-
 // UpdateRegistration stores an updated Registration
 func (ssa *SQLStorageAuthority) UpdateRegistration(ctx context.Context, reg core.Registration) error {
 const query = "WHERE id = ?"
@@ -2381,8 +2329,7 @@ func (ssa *SQLStorageAuthority) FinalizeAuthorization2(ctx context.Context, req
 }
 // RevokeCertificate stores revocation information about a certificate. It will only store this
-// information if the certificate is not alreay marked as revoked. This method is meant as a
-// replacement for MarkCertificateRevoked and the ocsp-updater database methods.
+// information if the certificate is not already marked as revoked.
 func (ssa *SQLStorageAuthority) RevokeCertificate(ctx context.Context, req *sapb.RevokeCertificateRequest) error {
 tx, err := ssa.dbMap.Begin()
 if err != nil {
diff --git a/sa/sa_test.go b/sa/sa_test.go
index 0435d57c8..cf006bf31 100644
--- a/sa/sa_test.go
+++ b/sa/sa_test.go
@@ -643,41 +643,6 @@ func TestCountCertificatesByNames(t *testing.T) {
 }
 }
-func TestMarkCertificateRevoked(t *testing.T) {
- sa, fc, cleanUp := initSA(t)
- defer cleanUp()
-
- reg := satest.CreateWorkingRegistration(t, sa)
- // Add a cert to the DB to test with.
- certDER, err := ioutil.ReadFile("www.eff.org.der")
- test.AssertNotError(t, err, "Couldn't read example cert DER")
- issued := sa.clk.Now()
- _, err = sa.AddCertificate(ctx, certDER, reg.ID, nil, &issued)
- test.AssertNotError(t, err, "Couldn't add www.eff.org.der")
-
- serial := "000000000000000000000000000000021bd4"
- const ocspResponse = "this is a fake OCSP response"
-
- certificateStatusObj, err := sa.GetCertificateStatus(ctx, serial)
- test.AssertNotError(t, err, "sa.GetCertificateStatus failed")
- test.AssertEquals(t, certificateStatusObj.Status, core.OCSPStatusGood)
-
- fc.Add(1 * time.Hour)
-
- err = sa.MarkCertificateRevoked(ctx, serial, revocation.KeyCompromise)
- test.AssertNotError(t, err, "MarkCertificateRevoked failed")
-
- certificateStatusObj, err = sa.GetCertificateStatus(ctx, serial)
- test.AssertNotError(t, err, "Failed to fetch certificate status")
-
- if revocation.KeyCompromise != certificateStatusObj.RevokedReason {
- t.Errorf("RevokedReasons, expected %v, got %v", revocation.KeyCompromise, certificateStatusObj.RevokedReason)
- }
- if !fc.Now().Equal(certificateStatusObj.RevokedDate) {
- t.Errorf("RevokedData, expected %s, got %s", fc.Now(), certificateStatusObj.RevokedDate)
- }
-}
-
 func TestCountRegistrationsByIP(t *testing.T) {
 sa, fc, cleanUp := initSA(t)
 defer cleanUp()
diff --git a/test/config-next/akamai-purger.json b/test/config-next/akamai-purger.json
index d7999080e..e93b04e71 100644
--- a/test/config-next/akamai-purger.json
+++ b/test/config-next/akamai-purger.json
@@ -15,10 +15,7 @@
 "grpc": {
 "address": ":9099",
 "clientNames": [
- "ocsp-updater.boulder",
- "ra.boulder",
- "ra1.boulder",
- "ra2.boulder"
+ "ra.boulder"
 ]
 }
 },
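Review bot: The `clientNames` allowlist in test/config-next/akamai-purger.json drops `ra1.boulder` and `ra2.boulder` as well as `ocsp-updater.boulder`, and only the last of these follows from this change, where ocsp-updater loses its `akamaiPurgerService` client. Narrowing the list to the one remaining caller is the right least-privilege direction, but if any RA instance in the config-next environment still presents a certificate under one of the removed names, its purge requests will presumably be refused and a cached OCSP response could outlive the revocation. Either confirm that no RA uses those identities any more, or keep `"ra1.boulder",` and `"ra2.boulder"` next to `"ra.boulder"`. The matching hunk in test/config/akamai-purger.json replaces `ocsp-updater.boulder` with `ra.boulder`, so both environments end up on the same single name.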
diff --git a/test/config-next/ocsp-updater.json b/test/config-next/ocsp-updater.json
index a82349992..f6646230c 100644
--- a/test/config-next/ocsp-updater.json
+++ b/test/config-next/ocsp-updater.json
@@ -4,11 +4,9 @@
 "maxDBConns": 10,
 "oldOCSPWindow": "2s",
 "missingSCTWindow": "1s",
- "revokedCertificateWindow": "1s",
 "oldOCSPBatchSize": 5000,
 "missingSCTBatchSize": 5000,
 "parallelGenerateOCSPRequests": 10,
- "revokedCertificateBatchSize": 1000,
 "ocspMinTimeToExpiry": "72h",
 "ocspStaleMaxAge": "720h",
 "oldestIssuedSCT": "72h",
@@ -28,12 +26,7 @@
 "serverAddress": "ca.boulder:9096",
 "timeout": "15s"
 },
- "akamaiPurgerService": {
- "serverAddress": "akamai-purger.boulder:9099",
- "timeout": "15s"
- },
 "features": {
- "RevokeAtRA": true
 }
 },
diff --git a/test/config-next/ra.json b/test/config-next/ra.json
index b4974fb85..c292a5d55 100644
--- a/test/config-next/ra.json
+++ b/test/config-next/ra.json
@@ -45,7 +45,6 @@
 ]
 },
 "features": {
- "RevokeAtRA": true,
 "EarlyOrderRateLimit": true,
 "NewAuthorizationSchema": true
 },
diff --git a/test/config/akamai-purger.json b/test/config/akamai-purger.json
index 522c1efe6..f2035d91f 100644
--- a/test/config/akamai-purger.json
+++ b/test/config/akamai-purger.json
@@ -15,7 +15,7 @@
 "grpc": {
 "address": ":9099",
 "clientNames": [
- "ocsp-updater.boulder"
+ "ra.boulder"
 ]
 }
 },
diff --git a/test/config/ocsp-updater.json b/test/config/ocsp-updater.json
index c476360d5..f6646230c 100644
--- a/test/config/ocsp-updater.json
+++ b/test/config/ocsp-updater.json
@@ -4,11 +4,9 @@
 "maxDBConns": 10,
 "oldOCSPWindow": "2s",
 "missingSCTWindow": "1s",
- "revokedCertificateWindow": "1s",
 "oldOCSPBatchSize": 5000,
 "missingSCTBatchSize": 5000,
 "parallelGenerateOCSPRequests": 10,
- "revokedCertificateBatchSize": 1000,
 "ocspMinTimeToExpiry": "72h",
 "ocspStaleMaxAge": "720h",
 "oldestIssuedSCT": "72h",
@@ -28,10 +26,6 @@
 "serverAddress": "ca.boulder:9096",
 "timeout": "15s"
 },
- "akamaiPurgerService": {
- "serverAddress": "akamai-purger.boulder:9099",
- "timeout": "15s"
- },
 "features": {
 }
 },
diff --git a/test/config/ra.json b/test/config/ra.json
index 8861e6aee..4edd7e030 100644
--- a/test/config/ra.json
+++ b/test/config/ra.json
@@ -11,6 +11,7 @@
 "pendingAuthorizationLifetimeDays": 7,
 "weakKeyDirectory": "test/example-weak-keys.json",
 "orderLifetime": "168h",
+ "issuerCertPath": "test/test-ca2.pem",
 "tls": {
 "caCertFile": "test/grpc-creds/minica.pem",
 "certFile": "test/grpc-creds/ra.boulder/cert.pem",
@@ -32,6 +33,10 @@
 "serverAddress": "sa.boulder:9095",
 "timeout": "15s"
 },
+ "akamaiPurgerService": {
+ "serverAddress": "akamai-purger.boulder:9099",
+ "timeout": "15s"
+ },
 "grpc": {
 "address": ":9094",
 "clientNames": [
diff --git a/test/helpers.py b/test/helpers.py
index 5ef998185..ccde1211d 100644
--- a/test/helpers.py
+++ b/test/helpers.py
@@ -125,9 +125,6 @@ def ocsp_verify(cert_file, issuer_file, ocsp_response):
 def wait_for_ocsp_good(cert_file, issuer_file, url):
 fetch_until(cert_file, issuer_file, url, " unauthorized", ": good")
-def wait_for_ocsp_revoked(cert_file, issuer_file, url):
- fetch_until(cert_file, issuer_file, url, ": good", ": revoked")
-
 def reset_akamai_purges():
 requests.post("http://localhost:6789/debug/reset-purges")
@@ -145,10 +142,6 @@ def verify_akamai_purge():
 reset_akamai_purges()
 def verify_revocation(cert_file, issuer_file, url):
- # This is gated on the RevokeAtRA feature flag.
- if not CONFIG_NEXT:
- wait_for_ocsp_revoked(cert_file, issuer_file, url)
- return
 ocsp_request = make_ocsp_req(cert_file, issuer_file)
 responses = fetch_ocsp(ocsp_request, url)