CA: Fail construction if no issuers are provided (#6736)

If a CA config is created with an empty `issuers[]` json, then the CA should fail to start up. With no issuers present, the integration tests fail with the following error truncated for readability. ``` boulder-ra [AUDIT] Certificate request - error Error":"issuing precertificate: no issuer found for public key algorithm RSA" ``` Fixes https://github.com/letsencrypt/boulder/issues/6735
2023-03-09 18:34:38 -05:00 · 2023-03-09 18:34:38 -05:00 · b9f0fe030a
parent 88569e618b
commit b9f0fe030a
2 changed files with 29 additions and 0 deletions
--- a/ca/ca.go
+++ b/ca/ca.go
@ -131,6 +131,10 @@ func NewCertificateAuthorityImpl(
 		return nil, err
 	}

+	if len(boulderIssuers) == 0 {
+		return nil, errors.New("must have at least one issuer")
+	}
+
 	issuers := makeIssuerMaps(boulderIssuers)

 	orphanCount := prometheus.NewCounterVec(
--- a/ca/ca_test.go
+++ b/ca/ca_test.go
@ -421,6 +421,31 @@ func issueCertificateSubTestValidityUsesCAClock(t *testing.T, i *TestCertificate
 	test.AssertEquals(t, i.cert.NotAfter.Add(time.Second).Sub(i.cert.NotBefore), i.ca.validityPeriod)
 }

+// Test failure mode when no issuers are present.
+func TestNoIssuers(t *testing.T) {
+	testCtx := setup(t)
+	sa := &mockSA{}
+	_, err := NewCertificateAuthorityImpl(
+		sa,
+		testCtx.pa,
+		testCtx.ocsp,
+		nil, // No issuers
+		nil,
+		testCtx.certExpiry,
+		testCtx.certBackdate,
+		testCtx.serialPrefix,
+		testCtx.maxNames,
+		testCtx.keyPolicy,
+		nil,
+		testCtx.logger,
+		testCtx.stats,
+		testCtx.signatureCount,
+		testCtx.signErrorCount,
+		testCtx.fc)
+	test.AssertError(t, err, "No issuers found during CA construction.")
+	test.AssertEquals(t, err.Error(), "must have at least one issuer")
+}
+
 // Test issuing when multiple issuers are present.
 func TestMultipleIssuers(t *testing.T) {
 	testCtx := setup(t)