Commit Graph

14 Commits

Author SHA1 Message Date
Phil Porada 4bd90ea82f
Log version string for more tools at startup (#7087)
This is a followup to https://github.com/letsencrypt/boulder/pull/7086
2023-09-19 12:46:55 -04:00
Aaron Gable cb28a001e9
Unfork crl x509 (#7078)
Delete our forked version of the x509 library, and update all call-sites
to use the version that we upstreamed and got released in go1.21. This
requires making a few changes to calling code:
- replace crl_x509.RevokedCertificate with x509.RevocationListEntry
- replace RevocationList.RevokedCertificates with
RevocationList.RevokedCertificateEntries
- make RevocationListEntry.ReasonCode a non-pointer integer

Our lints cannot yet be updated to use the new types and fields, because
those improvements have not yet been adopted by the zcrypto/x509 package
used by the linting framework.

Fixes https://github.com/letsencrypt/boulder/issues/6741
2023-09-15 20:25:13 -07:00
Aaron Gable b090ffbd2e
Use zlint to check our CRLs (#6972)
Update zlint to v3.5.0, which introduces scaffolding for running lints
over CRLs.

Convert all of our existing CRL checks to structs which match the zlint
interface, and add them to the registry. Then change our linter's
CheckCRL function, and crl-checker's Validate function, to run all lints
in the zlint registry.

Finally, update the ceremony tool to run these lints as well.

This change touches a lot of files, but involves almost no logic
changes. It's all just infrastructure, changing the way our lints and
their tests are shaped, and moving test files into new homes.

Fixes https://github.com/letsencrypt/boulder/issues/6934
Fixes https://github.com/letsencrypt/boulder/issues/6979
2023-07-11 15:39:05 -07:00
Samantha b2224eb4bc
config: Add validation tags to all configuration structs (#6674)
- Require `letsencrypt/validator` package.
- Add a framework for registering configuration structs and any custom
validators for each Boulder component at `init()` time.
- Add a `validate` subcommand which allows you to pass a `-component`
name and `-config` file path.
- Expose validation via exported utility functions
`cmd.LookupConfigValidator()`, `cmd.ValidateJSONConfig()` and
`cmd.ValidateYAMLConfig()`.
- Add unit test which validates all registered component configuration
structs against test configuration files.

Part of #6052
2023-03-21 14:08:03 -04:00
Jacob Hoffman-Andrews 12f2655878
crl/checker: remove dependency on issuance package (#6518)
The things we need in crl/checker really only need x509.Certificate.
This allows us to remove a dependency on pkcs11key from the crl checker,
and transitively on CGO.

I've confirmed that `CGO_ENABLED=0 go build ./crl/checker` succeeds on
this branch, while it fails on main.
2022-11-21 10:25:06 -08:00
Aaron Gable 3cc3b137e6
Add CRL Validate and Diff library methods (#6446)
Move Validate into a library, and add a Diff method, so that various
binaries can easily check and compare CRLs.

Fixes #6433
2022-10-21 17:06:58 -07:00
Jacob Hoffman-Andrews c7e2fe0195
crl-checker: optionally save fetched CRLs (#6431)
Add the -save flag to control this behavior.
2022-10-06 20:01:19 -07:00
Aaron Gable e7919df533
crl-checker: emit useful info upon success (#6427)
Add output listing the number of CRLs inspected, their total size in
bytes, and the total number of revocation entries seen. Also print the
oldest thisUpdate timestamp observed.
2022-10-03 16:20:19 -07:00
Aaron Gable a40d89c74b
crl-checker: allow disabling signature validation (#6432)
Allow the -issuer flag to take the special value "-", which causes no
issuer file to be loaded and no CRL signatures to be validated. Also
improve the error message if no -issuer flag is provided at all.

Fixes #6409
2022-10-03 16:18:51 -07:00
Aaron Gable f1a0be7f73
crl-checker: check for duplicate serials (#6418)
While downloading all of the CRLs in a JSON Array of Partitioned
CRLs, keep track of every serial seen so far, and report any dupes
as errors. The same serial should never appear in two different
shards of the same CRL.
2022-10-03 13:37:10 -07:00
Aaron Gable d41dc3a51e
crl-checker: add check for too-old CRLs (#6407)
Add a -ageLimit flag to crl-checker, with a default value of 7d,
which causes it to log an error if any of the fetched CRLs have
a thisUpdate timestamp older than the given value.
2022-10-03 11:55:09 -07:00
Jacob Hoffman-Andrews b99058d3fc
crl-checker: add -emit-revoked flag (#6402)
This allows easily interrogating the actual contents of the CRLs.
2022-09-28 15:59:19 -07:00
Matthew McPherrin 1b2e8fdc42
crl-updater: Check HTTP response code on CRL downloads (#6396)
I got some URLs wrong when using this tool, which resulted in confusing errors
as the error bodies tried to get parsed as a CRL. As well, the errors had
a stray \n at the end which I've also removed. The logger interface escapes
newlines, and already includes one at the end of the line.
2022-09-22 11:21:44 -07:00
Aaron Gable aed604294e
crl-checker: a simple tool to validate public CRLs (#6381)
Add crl-checker, a simple tool which downloads, parses, lints,
and validates signatures on a list of CRLs. It takes its input in
the form of a JSON Array of Sharded CRL URLs, the exact
same format as we will be disclosing in CCADB.

We can add additional checks -- such as ensuring that a set of
known-revoked serials are present, or checking that all of the
downloaded CRLs are "recent enough" -- over time.
2022-09-14 16:41:51 -07:00