Delete our forked version of the x509 library, and update all call-sites
to use the version that we upstreamed and got released in go1.21. This
requires making a few changes to calling code:
- replace crl_x509.RevokedCertificate with x509.RevocationListEntry
- replace RevocationList.RevokedCertificates with
RevocationList.RevokedCertificateEntries
- make RevocationListEntry.ReasonCode a non-pointer integer
Our lints cannot yet be updated to use the new types and fields, because
those improvements have not yet been adopted by the zcrypto/x509 package
used by the linting framework.
Fixes https://github.com/letsencrypt/boulder/issues/6741
Update zlint to v3.5.0, which introduces scaffolding for running lints
over CRLs.
Convert all of our existing CRL checks to structs which match the zlint
interface, and add them to the registry. Then change our linter's
CheckCRL function, and crl-checker's Validate function, to run all lints
in the zlint registry.
Finally, update the ceremony tool to run these lints as well.
This change touches a lot of files, but involves almost no logic
changes. It's all just infrastructure, changing the way our lints and
their tests are shaped, and moving test files into new homes.
Fixes https://github.com/letsencrypt/boulder/issues/6934
Fixes https://github.com/letsencrypt/boulder/issues/6979
- Require `letsencrypt/validator` package.
- Add a framework for registering configuration structs and any custom
validators for each Boulder component at `init()` time.
- Add a `validate` subcommand which allows you to pass a `-component`
name and `-config` file path.
- Expose validation via exported utility functions
`cmd.LookupConfigValidator()`, `cmd.ValidateJSONConfig()` and
`cmd.ValidateYAMLConfig()`.
- Add unit test which validates all registered component configuration
structs against test configuration files.
Part of #6052
The things we need in crl/checker really only need x509.Certificate.
This allows us to remove a dependency on pkcs11key from the crl checker,
and transitively on CGO.
I've confirmed that `CGO_ENABLED=0 go build ./crl/checker` succeeds on
this branch, while it fails on main.
Add output listing the number of CRLs inspected, their total size in
bytes, and the total number of revocation entries seen. Also print the
oldest thisUpdate timestamp observed.
Allow the -issuer flag to take the special value "-", which causes no
issuer file to be loaded and no CRL signatures to be validated. Also
improve the error message if no -issuer flag is provided at all.
Fixes#6409
While downloading all of the CRLs in a JSON Array of Partitioned
CRLs, keep track of every serial seen so far, and report any dupes
as errors. The same serial should never appear in two different
shards of the same CRL.
Add a -ageLimit flag to crl-checker, with a default value of 7d,
which causes it to log an error if any of the fetched CRLs have
a thisUpdate timestamp older than the given value.
I got some URLs wrong when using this tool, which resulted in confusing errors
as the error bodies tried to get parsed as a CRL. As well, the errors had
a stray \n at the end which I've also removed. The logger interface escapes
newlines, and already includes one at the end of the line.
Add crl-checker, a simple tool which downloads, parses, lints,
and validates signatures on a list of CRLs. It takes its input in
the form of a JSON Array of Sharded CRL URLs, the exact
same format as we will be disclosing in CCADB.
We can add additional checks -- such as ensuring that a set of
known-revoked serials are present, or checking that all of the
downloaded CRLs are "recent enough" -- over time.
Phil Porada
Aaron Gable
Samantha
Jacob Hoffman-Andrews
Matthew McPherrin