Bugfix: Make OCSP Response lifespans configurable.
parent
8447297414
commit
ed63a524bf
@ -35,7 +35,10 @@ type Config struct {
|
||||||
DBName string
|
DBName string
|
||||||
SerialPrefix int
|
SerialPrefix int
|
||||||
Key KeyConfig
|
Key KeyConfig
|
||||||
// How long issue certificates are valid for, should match expiry field
|
// LifespanOCSP is how long OCSP responses are valid for; It should be longer
|
||||||
|
// than the minTimeToExpiry field for the OCSP Updater.
|
||||||
|
LifespanOCSP string
|
||||||
|
// How long issued certificates are valid for, should match expiry field
|
||||||
// in cfssl config.
|
// in cfssl config.
|
||||||
Expiry string
|
Expiry string
|
||||||
// The maximum number of subjectAltNames in a single certificate
|
// The maximum number of subjectAltNames in a single certificate
|
||||||
|
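Review bot: The new LifespanOCSP comment states a constraint (longer than the OCSP Updater's minTimeToExpiry) that nothing in this commit enforces, and it does not say what format the string takes, even though NewCertificateAuthorityImpl hands it to time.ParseDuration. Suggested comment: `// LifespanOCSP is a Go duration string (e.g. "96h") giving how long signed OCSP responses stay valid. It must be longer than the OCSP Updater's minTimeToExpiry, presumably so a response is refreshed before it expires.` The "; It" mid-sentence capital in the current comment would go away with that rewrite. The enclosing Config struct starts and ends outside this hunk.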
@ -116,9 +119,17 @@ func NewCertificateAuthorityImpl(cadb core.CertificateAuthorityDatabase, config
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if config.LifespanOCSP == "" {
|
||||||
|
return nil, errors.New("Config must specify an OCSP lifespan period.")
|
||||||
|
}
|
||||||
|
lifespanOCSP, err := time.ParseDuration(config.LifespanOCSP)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
// Set up our OCSP signer. Note this calls for both the issuer cert and the
|
// Set up our OCSP signer. Note this calls for both the issuer cert and the
|
||||||
// OCSP signing cert, which are the same in our case.
|
// OCSP signing cert, which are the same in our case.
|
||||||
ocspSigner, err := ocsp.NewSigner(issuer, issuer, priv, time.Hour)
|
ocspSigner, err := ocsp.NewSigner(issuer, issuer, priv, lifespanOCSP)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
|
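Review bot: The added time.ParseDuration check accepts any syntactically valid duration, so a zero or negative LifespanOCSP (e.g. "0s" or "-1h") reaches ocsp.NewSigner as a non-positive validity interval, which the new guard was presumably meant to rule out; reject it next to the parse error: `if lifespanOCSP <= 0 { return nil, errors.New("Config must specify a positive OCSP lifespan period.") }`. The bare `return nil, err` after ParseDuration also drops which config field failed to parse; wrapping it with the field name would help whoever reads the startup error, if fmt is available in this file. NewCertificateAuthorityImpl starts and ends outside this hunk.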
@ -307,6 +307,7 @@ func setup(t *testing.T) (cadb core.CertificateAuthorityDatabase, storageAuthori
|
||||||
},
|
},
|
||||||
TestMode: true,
|
TestMode: true,
|
||||||
Expiry: "8760h",
|
Expiry: "8760h",
|
||||||
|
LifespanOCSP: "45m",
|
||||||
MaxNames: 2,
|
MaxNames: 2,
|
||||||
CFSSL: cfsslConfig.Config{
|
CFSSL: cfsslConfig.Config{
|
||||||
Signing: &cfsslConfig.Signing{
|
Signing: &cfsslConfig.Signing{
|
||||||
|
|
|
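Review bot: The fixture now supplies LifespanOCSP: "45m", but nothing in this hunk exercises the two new failure paths in NewCertificateAuthorityImpl (empty LifespanOCSP and an unparsable duration); a test that copies this config with LifespanOCSP cleared, and one with e.g. "bogus", asserting a non-nil error from the constructor, would pin the fix this commit describes. The setup function starts and ends outside this hunk.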
@ -184,11 +184,14 @@ func main() {
|
||||||
auditlogger.Info(app.VersionString())
|
auditlogger.Info(app.VersionString())
|
||||||
|
|
||||||
// Calculate the cut-off timestamp
|
// Calculate the cut-off timestamp
|
||||||
|
if c.OCSPUpdater.MinTimeToExpiry == "" {
|
||||||
|
panic("Config must specify a MinTimeToExpiry period.")
|
||||||
|
}
|
||||||
dur, err := time.ParseDuration(c.OCSPUpdater.MinTimeToExpiry)
|
dur, err := time.ParseDuration(c.OCSPUpdater.MinTimeToExpiry)
|
||||||
cmd.FailOnError(err, "Could not parse MinTimeToExpiry from config.")
|
cmd.FailOnError(err, "Could not parse MinTimeToExpiry from config.")
|
||||||
|
|
||||||
oldestLastUpdatedTime := time.Now().Add(-dur)
|
oldestLastUpdatedTime := time.Now().Add(-dur)
|
||||||
auditlogger.Info(fmt.Sprintf("Searching for OCSP reponses older than %s", oldestLastUpdatedTime))
|
auditlogger.Info(fmt.Sprintf("Searching for OCSP responses older than %s", oldestLastUpdatedTime))
|
||||||
|
|
||||||
count := int(math.Min(float64(ocspResponseLimit), float64(c.OCSPUpdater.ResponseLimit)))
|
count := int(math.Min(float64(ocspResponseLimit), float64(c.OCSPUpdater.ResponseLimit)))
|
||||||
|
|
||||||
|
|
|
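Review bot: The new empty-string guard uses panic while the ParseDuration failure two lines below goes through cmd.FailOnError, so the two misconfiguration cases exit differently (a raw panic trace versus the existing failure path); time.ParseDuration("") already returns an error, so the guard can be dropped, or routed through the same helper to keep one failure mode. Neither path rejects a zero or negative MinTimeToExpiry, which would make oldestLastUpdatedTime now-or-future and presumably match every response; a check such as `if dur <= 0 { cmd.FailOnError(errors.New("non-positive MinTimeToExpiry"), "MinTimeToExpiry must be positive.") }` after the parse would close that, assuming errors is imported here. main starts and ends outside this hunk.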
@ -45,6 +45,7 @@
|
||||||
"File": "test/test-ca.key"
|
"File": "test/test-ca.key"
|
||||||
},
|
},
|
||||||
"expiry": "2160h",
|
"expiry": "2160h",
|
||||||
|
"lifespanOCSP": "96h",
|
||||||
"maxNames": 1000,
|
"maxNames": 1000,
|
||||||
"cfssl": {
|
"cfssl": {
|
||||||
"signing": {
|
"signing": {
|
||||||
|
|
|
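Review bot: The new "lifespanOCSP": "96h" entry carries no hint that it must exceed the OCSP updater's minTimeToExpiry, which the Go Config comment in this commit requires, and these config files already use "_comment" keys for such notes (see the testMode comment in the next hunk); adding `"_comment": "lifespanOCSP must be longer than the OCSP updater's minTimeToExpiry",` beside the entry keeps the constraint visible where the value is set. The same applies to the two following hunks that add the identical line.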
@ -42,6 +42,7 @@
|
||||||
"testMode": true,
|
"testMode": true,
|
||||||
"_comment": "This should only be present in testMode. In prod use an HSM.",
|
"_comment": "This should only be present in testMode. In prod use an HSM.",
|
||||||
"expiry": "2160h",
|
"expiry": "2160h",
|
||||||
|
"lifespanOCSP": "96h",
|
||||||
"maxNames": 1000,
|
"maxNames": 1000,
|
||||||
"Key": {
|
"Key": {
|
||||||
"PKCS11": {
|
"PKCS11": {
|
||||||
|
|
|
@ -45,6 +45,7 @@
|
||||||
"File": "test/test-ca.key"
|
"File": "test/test-ca.key"
|
||||||
},
|
},
|
||||||
"expiry": "2160h",
|
"expiry": "2160h",
|
||||||
|
"lifespanOCSP": "96h",
|
||||||
"maxNames": 1000,
|
"maxNames": 1000,
|
||||||
"cfssl": {
|
"cfssl": {
|
||||||
"signing": {
|
"signing": {
|
||||||
|
|