Commit Graph

704 Commits

Author SHA1 Message Date
Richard Barnes a39be0a85d Remove superfluous VerifyCSR method 2016-01-20 10:32:01 -05:00
Roland Shoemaker 11661bab9e Merge branch 'master' into more-revoker 2016-01-15 13:41:55 -08:00
Roland Shoemaker a77c8e3d5b Switch to single RevokeAuthorizationsByDomain SA method 2016-01-12 11:49:51 -08:00
Roland Shoemaker cbdf0444b6 review fixes 2016-01-08 16:21:12 -08:00
Hugo Landau f218e314f8 Add good key testing for ECDSA. 2016-01-07 22:48:38 +00:00
Roland Bracewell Shoemaker 21f20b1430 Merge branch 'master' into delete_ca_revokecertificate 2016-01-07 12:34:39 -08:00
Jeff Hodges f6473efcc2 delete ca.RevokeCertificate
Also, delete the unused core.CertificateAuthorityDatabase while we're
here.

Fixes #1319
2016-01-04 23:59:21 -08:00
Jeff Hodges 9913eb61ba Merge branch 'master' into more-revoker 2016-01-04 17:02:51 -08:00
Jeff Hodges a00094faa8 Merge branch 'master' into dns-meta 2016-01-04 16:16:33 -08:00
Alex Gaynor cbeffe96a6 Fixed a bunch of typos 2016-01-04 18:39:34 -05:00
Roland Shoemaker d18b8a536d Add DNS ValidationRecord metadata 2016-01-04 12:20:45 -08:00
Roland Shoemaker 6eb9c87dcb Add RPC to get all authorizations for a domain 2016-01-04 10:56:27 -08:00
Roland Shoemaker 4c47b2aa75 Add RevokeAuthorization RPC method 2015-12-31 16:13:06 +00:00
Jacob Hoffman-Andrews 70ac73ca58 Remove unneeded code in core.
B64enc and B64dec can be replaced by base64.RawURLEncoding.
Thumbprint is now implemented in go-jose, and we have the relevant version
imported already, so we can use that.
SyntaxError isn't used anywhere and can be deleted.
2015-12-17 13:36:24 -08:00
Roland Shoemaker d8110a425a Add DNS challenge integration test
Adds a dns-01 type validation to test.js and reworks dns-test-srv to allow changing TXT record values.
Also makes some changes to how integration-test.py works in order to reduce complexity now the
ct-test-srv is working again.
2015-12-16 17:57:15 -08:00
Jeff Hodges 6b0e53b8e0 use ProblemDetails inside of wfe
This uses ProblemDetails throughout the wfe. This is the last step in
allowing the backend services to pass ProblemDetails from RPCs through
to the user.

Updates #1153.

Fixes #1161.
2015-12-15 11:44:33 -08:00
Jeff Hodges b31165444f move dns code to dns pkg and rename to bdns
Moves the DNS code from core to dns and renames the dns package to bdns
to be clearer.

Fixes #1260 and will be good to have while we add retries and such.
2015-12-14 11:21:43 -08:00
Jeff Hodges 8300b06ad6 Merge branch 'master' into delete_old_challenges 2015-12-10 23:04:00 -08:00
Jacob Hoffman-Andrews c6d6a3edd8 Merge branch 'master' into google-ct 2015-12-10 18:12:55 -08:00
Jeff Hodges c9010744b4 delete old challenge code
Specifically, delete the simpleHttp and dvsni.

Hooray!

Fixes #894
2015-12-10 15:41:40 -08:00
Jeff Hodges 568dd72f00 require a valid challenge type in RecordsSane
This is a change to ValidationRecord. This case is unlikely to be
trigged by code, but was allowing tests to pass in a branch that deleted
the simpleHttp and dvsni challenge types and is a good check to have in
place.

Updates #894
2015-12-07 12:56:55 -08:00
Jeff Hodges b19ea71dbf Merge branch 'master' into google-ct 2015-12-04 16:17:27 -08:00
Jacob Hoffman-Andrews d5bb20561f Fix nil dereference in AcmeURL unmarshal and in validateContacts. 2015-12-04 09:46:46 -08:00
Roland Shoemaker 7e093c3ed4 Merge branch 'master' into google-ct 2015-11-30 12:05:17 -08:00
Roland Shoemaker 52b7effa5d Review fixes pt. 2 2015-11-25 12:56:44 -08:00
Jeff Hodges 2114f5d5cc move ProblemDetails into its own package
Part of #1161
2015-11-24 23:14:38 -08:00
Roland Bracewell Shoemaker 444c3ff8cb Merge branch 'master' into google-ct 2015-11-24 17:25:56 -08:00
Jacob Hoffman-Andrews 169a0b79e3 Export BuildID via expvars. 2015-11-24 14:24:51 -08:00
Roland Shoemaker 3ae32d4d61 Switch back to using an internal SCT representation to make life easier 2015-11-23 14:27:06 -08:00
Roland Shoemaker 01895a13d0 Switch to google, part 1 2015-11-23 12:42:50 -08:00
Jeff Hodges 2d1339f5f5 Merge branch 'master' into nonce-err 2015-11-23 12:02:49 -08:00
Jacob Hoffman-Andrews 3463d72554 Replace DialTimeout with ReadTimeout.
Generally Dial will be very fast because our resolver is local, so there's no
need to override its default of 2s. However, since our resolver recurses more or
less every time, getting the answer back is very slow. So we want to be able to
set a high ReadTimeout.
2015-11-22 14:34:23 -08:00
Roland Shoemaker 458c7e2b4a Add badNonce error as described in the specification 2015-11-20 15:57:22 -08:00
J.C. Jones 31aaef3f4e Only use TCP for DNS.
Since Boulder always requests DNSSEC records, in practice DNS responses often
exceed the IP MTU.

Boulder installations expect to have a local DNS resolver, and all modern DNS
resolvers support TCP connections. Since miekg/dns does not perform an
"attempt udp, timeout, retry via tcp" approach, it's simpler and more reliable
to always use TCP for internal DNS resolution. This makes failures more
obvious as well.

Also change the integration test DNS server to TCP.
2015-11-18 10:54:08 -07:00
Jacob Hoffman-Andrews 538df43438 Merge branch 'master' into short-nonce 2015-11-16 11:21:24 -08:00
Jacob Hoffman-Andrews 8b2c50bc65 Return pointer from NewNonceService. 2015-11-11 12:47:38 -08:00
Jacob Hoffman-Andrews c6bb0ad45b Merge branch 'master' into fix-nonce-race 2015-11-11 12:35:43 -08:00
Jacob Hoffman-Andrews dc4af5b364 Print errors and use pointer receivers. 2015-11-11 12:35:18 -08:00
Jacob Hoffman-Andrews e3669c24c7 Fix some races in nonce.go 2015-11-11 12:28:20 -08:00
Jacob Hoffman-Andrews 2b546a4306 Fix nonceLen and unexport const. 2015-11-07 11:18:44 -08:00
Jacob Hoffman-Andrews 4b42ede192 Check for short nonces. 2015-11-07 10:26:34 -08:00
Richard Barnes f61183e144 Use a map and set defaults 2015-11-07 12:39:57 -05:00
Jeff Hodges 13cab5c257 add Google Safe Browsing API calls
This allows us to call the Google Safe Browsing calls through the VA.

If the RA config's boolean UseIsSafeDomain is true, the RA will make the RPC
call to the VA during its NewAuthorization.

If the VA config's GoogleSafeBrowsingConfig struct is not nil, the VA
will check the Google Safe Browsing API in
VA.IsSafeDomain. If the GoogleSafeBrowsingConfig struct is nil, it will
always return true.

In order to actually make requests, the VA's GoogleSafeBrowsingConfig
will need to have a directory on disk it can store the local GSB hashes
it will check first and a working Google API key for the GSB API.

Fixes #1058
2015-11-06 16:37:34 -08:00
Jacob Hoffman-Andrews 65777155be Remove CNAME/DNAME logic
Fixes https://github.com/letsencrypt/boulder/issues/1048
2015-11-02 15:34:00 -08:00
Roland Shoemaker 661476f40e Backoff OCSP Updater on HSM failure
If a ServiceUnavailableError is returned from GenerateOCSP backoff before
attempting to retry the call as to not to overwhelm the CA with calls that
may instantly fail.
2015-10-26 14:06:32 -07:00
Richard Barnes 3637dfb0c1 ServiceUnavailableError 2015-10-21 16:25:43 -04:00
Roland Shoemaker 6171420108 Golint fixes to builds work 2015-10-18 18:59:05 -07:00
Jacob Hoffman-Andrews 2f75214a88 Add limit on number of pending authorizations.
Adds a new method CountPendingAuthorizations to SA.
2015-10-14 13:50:43 -07:00
Roland Shoemaker 45ec69951a Revert removal of ca.RevokeCertificate 2015-10-13 15:38:11 -07:00
Roland Shoemaker 2b604eef6e Review fixes pt. 2 2015-10-09 18:02:02 -07:00
Roland Shoemaker 1d710f91cd Merge branch 'master' into ocsp-revoke
Conflicts:
	cmd/ocsp-updater/main.go
2015-10-09 15:50:14 -07:00
Jeff Hodges 68536ac22a Merge branch 'master' into lower_domains 2015-10-09 13:04:00 -07:00
Jacob Hoffman-Andrews be36c3d71d Merge branch 'master' into test-reg-rate-limit-3 2015-10-09 12:48:13 -07:00
Jacob Hoffman-Andrews 88614a444f Merge branch 'master' into lower_domains 2015-10-09 12:10:22 -07:00
Roland Shoemaker 10b6bb5548 Refactor certificate revocation and OCSP generation workflows
* Moves revocation from the CA to the OCSP-Updater, the RA will mark certificates as
  revoked then wait for the OCSP-Updater to create a new (final) revoked response
* Merges the ocspResponses table with the certificateStatus table and only use UPDATES
  to update the OCSP response (vs INSERT-only since this happens quite often and will
  lead to an extremely large table)
2015-10-08 18:55:11 -07:00
Jeff Hodges 0df44e5d90 clean up CSRs with capitalized letters
This change lowercases domains before they are stored in the database
and makes policy.WillingToIssue reject any domains with uppercase
letters.

Fixes #927.
2015-10-08 17:04:07 -07:00
Roland Shoemaker c0f5fd1bb6 Fix AddSCTReceipt RPC transit 2015-10-08 17:00:35 -07:00
Jacob Hoffman-Andrews 487d08ec2e Add rate limiting by registration IP. 2015-10-08 15:47:08 -07:00
Jacob Hoffman-Andrews acdb1fa91b Merge branch 'master' into issued-names-limit-2
Conflicts:
	mocks/mocks.go
	rpc/rpc-wrappers.go
	sa/storage-authority.go
2015-10-07 17:20:36 -07:00
Richard Barnes b01e99ea04 Merge branch 'master' into golint 2015-10-07 10:42:36 -04:00
Richard Barnes b6469b4bba Merge branch 'master' into golint 2015-10-06 23:04:23 -04:00
Jacob Hoffman-Andrews e0cdd13bbb Merge branch 'master' into issued-names-limit-2 2015-10-06 16:10:29 -07:00
bifurcation f210ee0a9f Merge branch 'master' into sig-reuse 2015-10-06 18:01:50 -04:00
Jeff Hodges 06879cb44f remove some allocations from B64enc codepath
B64enc makes some nasty allocations through its use of strings.Replace
in unpad. This changes that strings.Replace into a simple for-loop.

B64enc gets used in many places, including the rpc library on every
request and response. While we should probably not use it in the rpc
library (#909), there are enough other places it's used (now or in the near
future) that make this valuable.

Was a performance problem found during early load-testing (#20) of the
CA. More to come.
2015-10-06 00:31:51 -07:00
Richard Barnes f064c6d5c7 Merge branch 'master' to 'sig-reuse' 2015-10-05 23:16:16 -04:00
bifurcation 90050e91f5 Merge branch 'master' into golint 2015-10-05 19:23:24 -04:00
Richard Barnes 4405bc5dbc Address @jsha comments 2015-10-05 19:23:31 -04:00
Jeff Hodges 5217af94b0 allow whitelisting by a specific reg id
Currently, the whitelisted registration ID is one that is impossible for the
database to return. Once the partner's registration is in place, we can
deploy a change to it.

Fixes #810
2015-10-05 14:11:38 -07:00
bifurcation e7f47d4f09 Merge branch 'master' into golint 2015-10-05 00:14:29 -04:00
Roland Shoemaker 5d4fccabeb Merge master 2015-10-04 21:08:51 -07:00
Roland Shoemaker 4a98145992 Review fixes 2015-10-04 21:05:44 -07:00
Jacob Hoffman-Andrews 1d91d81158 Implement rate limiting by domain name. 2015-10-04 21:04:26 -07:00
Richard Barnes 961e392521 Merge branch 'master' into sig-reuse 2015-10-04 23:25:54 -04:00
Richard Barnes f3a40ac76c Address @jcjones comments 2015-10-04 23:24:06 -04:00
Richard Barnes 0f3f766d26 Fix golint in ./core 2015-10-04 20:07:13 -04:00
Jacob Hoffman-Andrews 6906e395a4 Pass RateLimitedError properly through RPC layer. 2015-10-03 22:59:28 -07:00
Richard Barnes 9414b1a37e Address @jmhodges comments and make tests pass 2015-10-03 14:47:17 -04:00
Richard Barnes 3f7247a80d Change to KeyAuthorization in sa 2015-10-03 13:18:33 -04:00
Richard Barnes a7a0f8d235 Change to KeyAuthorization in core 2015-10-03 12:58:05 -04:00
Richard Barnes eb42a08258 Make RA check sanity and make tests pass 2015-10-03 10:41:23 -04:00
Richard Barnes b4d45321a8 Have the client provide the authorized key object 2015-10-02 13:45:32 -04:00
Richard Barnes 4c20bfe310 Merge master to sig-reuse 2015-10-01 18:58:35 -07:00
Richard Barnes 367973122e Change 'TO DELETE' comments to something more useful 2015-10-01 18:48:15 -07:00
Richard Barnes 72bbc8fd1f Move UnsafeSetToken to /test/ 2015-10-01 18:27:17 -07:00
Jeff Hodges a07e3b4e13 Merge branch 'master' into paranoid-key 2015-10-01 16:17:32 -07:00
Jeff Hodges d433062f16 Merge branch 'master' into issued-names-count 2015-10-01 14:19:14 -07:00
Jacob Hoffman-Andrews 6963811ab5 Merge remote-tracking branch 'le/master' into paranoid-key
Conflicts:
	core/util.go
2015-10-01 14:13:05 -07:00
Jacob Hoffman-Andrews 685c6e4206 Use stored key to verify JWS POSTs
instead of submitted key. This minimizes the chances of unexpected JWK fields in
the submitted key altering its interpretation without altering the lookup in the
registrations table.

In the process, fix handling of NoSuchRegistration responses.

Fixes https://github.com/letsencrypt/boulder/issues/865.
2015-09-29 23:37:16 -07:00
Richard Barnes 0f4ebae6e0 Address @bifurcation comments 2015-09-29 09:33:44 -04:00
Richard Barnes ea50be6c50 Change 00 to 01, and drop the underscore 2015-09-29 08:57:43 -04:00
Jacob Hoffman-Andrews f476432449 Store a DB of issued names.
Add counting for issued names within a given time period.

First part of https://github.com/letsencrypt/boulder/issues/864.
2015-09-28 19:37:50 -07:00
Richard Barnes f579863e0e Purge SimpleHTTP and DVSNI from VA 2015-09-28 14:34:03 -04:00
Richard Barnes c1c3d1e871 Changes to core, sa, policy 2015-09-28 10:51:55 -04:00
Richard Barnes 1a9fd9b455 Update to latest ACME spec 2015-09-28 10:10:06 -04:00
Richard Barnes 54c924b436 Merge branch 'master' into sig-reuse 2015-09-27 18:29:14 -04:00
Roland Shoemaker 96afd94e88 Review fixes
* Rewrite JSONDuration as ConfigDuration that can handle both JSON and YAML unmarshaling
* Factor out RPC certificate count request struct
* Return 429 to WFE on rate limit exceeded
* Fix wonky RateLimitPolicy comment
2015-09-25 14:39:53 -07:00
Roland Shoemaker 6e3f0e18c6 Merge branch 'master' into cert-limit 2015-09-25 14:08:09 -07:00
Roland Shoemaker 6f41cc9e39 Add issuance rate limiting based on total number of certificates issued in a window
Since the issuance count requires a full table scan a RA process local cache of the
count is kept and expired after 30 minutes.
2015-09-24 12:54:38 -07:00
Jacob Hoffman-Andrews af7f4eb32f Remove GetCertificateByShortSerial. 2015-09-22 16:59:38 -07:00
Jacob Hoffman-Andrews 73216a461d Also check length >= 32. 2015-09-22 14:27:38 -07:00
Jacob Hoffman-Andrews 668ccc2d97 Merge github.com:letsencrypt/boulder into longserial 2015-09-22 14:04:19 -07:00
Jacob Hoffman-Andrews c858b4d430 Consolidate serial number validity checking.
Also, set the requirement to be hexadecimal and <36 characters, rather than
exactly 36 characters.
2015-09-22 14:03:29 -07:00
Roland Shoemaker 7369fb89e1 Better private network blocking 2015-09-21 17:02:48 -07:00
Jacob Hoffman-Andrews 02314f4041 Implement the new 144-bit mostly-random serial.
To keep the change small, I have not yet completely removed the
GetCertificateByShortSerial method from interfaces and the RPC. I will do taht
in a follow up change.
2015-09-21 13:10:16 -07:00
Roland Shoemaker ff6eca7a29 Submit all issued certificates to configured CT logs
Adds a new service, Publisher, which exists to submit issued certificates to various Certificate Transparency logs. Once submitted the Publisher will also parse and store the returned SCT (Signed Certificate Timestamp) receipts that are used to prove inclusion in a specific log in the SA database. A SA migration adds the new SCT receipt table.

The Publisher only exposes one method, SubmitToCT, which is called in a goroutine by ca.IssueCertificate as to not block any other issuance operations. This method will iterate through all of the configured logs attempting to submit the certificate, and any required intermediate certificates, to them. If a submission to a log fails it will be retried the pre-configured number of times and will either use a back-off set in a Retry-After header or a pre-configured back-off between submission attempts.

This changeset is the first of a number of changes ending with serving SCT receipts in OCSP responses and purposefully leaves out the following pieces for follow-up PRs.

* A fake CT server for integration testing
* A external tool to search the database for certificates lacking a full set of SCT receipts
* A method to construct X.509 v3 extensions containing receipts for the OCSP responder
* Returned SCT signature verification (beyond just checking that the signature is of the correct type so we aren't just serving arbitrary binary blobs to clients)

Resolves #95.
2015-09-17 18:11:05 -07:00
Jacob Hoffman-Andrews 71c682179e Switch to authorizationLifetime 2015-09-11 16:36:56 -04:00
Richard Barnes 275b086acc Merge branch 'master' into sig-reuse 2015-09-11 15:24:43 -04:00
Richard Barnes b89b5ac980 Switch authzKeys from client- to server-provided 2015-09-11 15:23:34 -04:00
Jacob Hoffman-Andrews e3c226a84e Remove earliestExpiry from IssueCertificate call. 2015-09-11 15:09:11 -04:00
Roland Bracewell Shoemaker d55e0e0d8d Merge branch 'master' into fix-wfe-test-better 2015-09-11 11:58:28 -07:00
Jacob Hoffman-Andrews 875a71e53e Fix WFE test properly.
The WFE test relies on a pre-generated cert. Since there are some sanity checks
on the dates in certs, we were getting errors during the test.

One quick fix is to have those sanity checks rely on RA's clock object, which
can be replaced with a fake for testing. In order to do that, I had to move the
sanity check (MatchesCSR) into the registration authority package, where it
makes more sense anyhow.

I also removed a handful of equality testing functions in objects.go that were
only used by MatchesCSR and whose purpose is better served by reflect.DeepEqual.
This was to avoid having to also move those equality testing functions into the
registration authority.
2015-09-11 13:17:18 -04:00
Richard Barnes f08e824018 Val -> AuthzKeys in Challenges 2015-09-10 21:28:39 -04:00
Jeff Hodges 6945bdc86c Merge branch 'master' into fix-docker 2015-09-10 14:30:58 -07:00
Jacob Hoffman-Andrews 253d700d06 Merge branch 'master' into challenge-display-uri
Conflicts:
	cmd/boulder-ra/main.go
	ra/registration-authority.go
	ra/registration-authority_test.go
2015-09-10 15:44:21 -04:00
Jacob Hoffman-Andrews 998ffc79cb Do GoodKey checking in WFE. 2015-09-09 20:30:55 -04:00
Jacob Hoffman-Andrews ffcd1c866d Make challenge URI a display-time property.
Challenge URIs should be determined by the WFE at fetch time, rather than stored
alongside the challenge in the DB. This simplifies a lot of the logic, and
allows to to remove a code path in NewAuthorization where we create an
authorization, then immediately save it with modifications to the challenges.

This change also gives challenges their own endpoint, which contains the
challenge id rather than the challenge's offset within its parent authorization.
This is also a first step towards replacing UpdateAuthorization with
UpdateChallenge: https://github.com/letsencrypt/boulder/issues/760.
2015-09-09 16:23:45 -04:00
Jacob Hoffman-Andrews 19c68a01e0 Fix Docker setup.
Add an easy script to build and run the Docker instance.
Update some out-of-date information in the README.
Add goose to the Docker image.
Remove unnecessary go install step from Dockerfile.

Allow dns-test-srv to return a hardcoded address other than localhost. This was
preventing a Dockerized Boulder from answering requests from a letsencrypt
client on the host.

Change allowLoopbackAddresses to allowRestrictedAddresses and make it cover all
the private IPv4 ranges. The host IP in Docker is commonly in the 172.* range.

Fix a couple of references to lets-encrypt-preview.

This was inspired by investigation into https://github.com/letsencrypt/boulder/issues/756.
To try and reproduce, I tried running Boulder inside a container, and found some
broken things.
2015-09-08 23:31:04 -04:00
Roland Shoemaker e5e947ee09 Better construction 2015-09-03 21:00:51 -07:00
Roland Shoemaker 3da1081b02 Merge branch 'master' into block-more 2015-09-03 20:47:34 -07:00
Jacob Hoffman-Andrews 2a8804b792 Merge branch 'master' into test-js-content-length
Conflicts:
	wfe/web-front-end_test.go
2015-09-02 23:23:53 -04:00
Roland Shoemaker 37517052c7 Add checks for addresses in the loopback block and a bool to allow them for testing 2015-09-02 15:25:21 -07:00
Jeff Hodges be44b0bf50 drop unused status column from certificates
Also, use certificateStatus's status in the expiration-mailer join.

Fixes #694.
Fixes #713.
2015-09-01 15:53:27 -07:00
Roland Bracewell Shoemaker fe00decc92 Merge pull request #697 from letsencrypt/revoke-split
Split RA revoke method
2015-09-01 14:08:33 -07:00
Jeff Hodges dedb5f96a7 clean up some pointer type conversions
I grepped around and only found these.
2015-08-31 23:51:43 -07:00
Roland Shoemaker d11d1ed774 Rename admin-revoker RA call 2015-08-30 22:33:36 -07:00
Jacob Hoffman-Andrews 9fa1e02d7d Require content length. 2015-08-30 12:59:43 -04:00
Jacob Hoffman-Andrews 5afb1187bf Merge pull request #664 from letsencrypt/sig-misuse
Mitigate signature misuse vulnerability
2015-08-28 16:18:56 -07:00
Richard Barnes 3d540ff481 Addressing review comments 2015-08-28 11:21:13 -04:00
Roland Shoemaker 82ea4aba31 Rest of RPC layer and splitting 2015-08-28 00:00:03 -07:00
Roland Shoemaker 3df37cc3db Merge branch 'master' into cert-checker 2015-08-27 23:26:46 -07:00
Roland Shoemaker a4aa450ee6 Switch to custom revocation code type 2015-08-27 17:09:41 -07:00
Roland Shoemaker d6b09c2cf9 Clean up 2015-08-27 14:50:00 -07:00
Roland Shoemaker 0f1efe55ae Log information about revocation procedure 2015-08-27 13:00:55 -07:00
Richard Barnes c552984784 Merge master 2015-08-25 19:21:02 -04:00
Richard Barnes c7eaece4da Have RA reject update by a different account key. 2015-08-25 17:50:26 -04:00
Richard Barnes 8868ac9dad Remove explicit account key from VA calls 2015-08-25 16:32:32 -04:00
Richard Barnes fd8f8eb446 Add account key to challenge object 2015-08-25 15:27:27 -04:00
Jeff Hodges 7b6f2894f7 add goose as the migration tool
This has required some substantive changes to the tests. Where
previously the foreign key constraints did not exist in the tests, now
that we use the actual production schema, they do. This has mostly led
to having to create real Registrations in the sa, ca, and ra tests. Long
term, it would be nice to fake this out better instead of needing a real
sa in the ca and ra tests.

The "goose" being referred to is <https://bitbucket.org/liamstask/goose>.

Database migrations are stored in a _db directory inside the relevant
owner service (namely, ca/_db, and sa/_db, today).

An example of migrating up with goose:

    goose -path ./sa/_db -env test up

An example of creating a new migration with goose:

    goose -path ./sa/_db -env test create NameOfNewMigration sql

Notice the "sql" at the end. It would be easier for us to manage sql
migrations. I would like us to stick to only them. In case we do use Go
migrations in the future, the underscore at the beginning of "_db" will
at least prevent build errors when using "..." with goose-created Go
files. Goose-created Go migrations do not compile with the go tool but
only with goose.

Fixes #111
Unblocks #623
2015-08-25 12:02:31 -07:00
Roland Shoemaker 37b28a20c0 Merge master 2015-08-24 12:20:26 -07:00
Roland Shoemaker 725e0e30da Merge branch 'master' into fixed-505 2015-08-21 14:12:36 -07:00
Roland Shoemaker c40cfd4164 Process all certs from the last 90 days, still need to cleanup and write out the report 2015-08-20 13:59:40 -07:00
Roland Shoemaker 015e089b7d Review fixes pt. 2 2015-08-18 13:33:25 -07:00
Roland Shoemaker d56c99ff71 Remove db struct tags 2015-08-15 16:03:58 -07:00
Roland Shoemaker 3d5185d0db Merge branch 'master' into fixed-505 2015-08-13 22:50:13 -07:00
Roland Shoemaker f15402282c Review rework
Refactor DNS problem details use

Actually store and log resolved addresses

Less convuluted get adresses function/usage

Store redirects, reconstruct transport on redirect, add redirect + lookup tests

Add another test

Review fixes

Initial bulk of review fixes (cleanups inc)

Comment cleanup

Add some more tests

Cleanups

Give addrFilter a type and add the config wiring

Expose filters

LookupHost cleanups

Remove Resolved Addresses and Redirect chain from replies to client without breaking RPC layer

Switch address/redirect logging method, add redirect loop checking + test

Review fixes + remove IPv6

Remove AddressFilter remnant + constant-ize the VA timeout

Review fixes pt. 1

Initialize validation record

Don't blank out validation reocrds

Add validation record sanity checking

Switch to shared struct

Check port is in valid range

Review fixes
2015-08-13 22:49:33 -07:00
Roland Shoemaker 9a328b4fd1 Log IPs in a better place, by storing them in the challenge objects! 2015-08-13 22:45:19 -07:00
Roland Shoemaker 1d863fca32 Merge master 2015-08-13 20:52:18 -07:00
Roland Shoemaker 5be6e588ee Initial work 2015-08-13 20:24:25 -07:00
Jeff Hodges 24dca1a758 remove some no longer used db struct tags 2015-08-13 14:29:53 -07:00
Roland Shoemaker bcb0ecb3ba Revert "Resolve and store IP addresses for SimpleHTTP and DVSNI validation (also store redirect chains)" 2015-08-13 13:00:37 -07:00
Roland Shoemaker 71e62bce13 Merge pull request #505 from letsencrypt/store-ips
Resolve and store IP addresses for SimpleHTTP and DVSNI validation (also store redirect chains)
2015-08-13 11:13:59 -07:00
Roland Shoemaker c448c01d70 Add concat test 2015-08-12 18:47:09 -07:00
Roland Shoemaker eefa8005c4 Fix LookupTXT 2015-08-12 17:21:08 -07:00
Roland Shoemaker 4a26a515c9 Switch to shared struct 2015-08-10 16:20:11 -07:00
Jeremy Gillula d7b0b11648 Fixing more merge issues 2015-08-10 12:19:04 -07:00
Jeremy Gillula e9b24cfafd Merge remote-tracking branch 'origin/master' into existing-cert
Conflicts:
	cmd/boulder-ra/main.go
	cmd/boulder/main.go
	cmd/shell.go
	core/objects.go
	policy/policy-authority_test.go
	test/boulder-config.json
2015-08-10 12:02:01 -07:00
Roland Shoemaker 212bf67670 Add validation record sanity checking 2015-08-07 16:41:40 -07:00
Roland Shoemaker 3d540cf4b4 Merge branch 'master' into store-ips 2015-08-07 15:09:43 -07:00
Roland Shoemaker c41cda04f7 Review fixes pt. 1 2015-08-07 15:09:08 -07:00
Jeff Hodges 390464ddf4 correct unique indexing of Registrations
Fixes #579 (which blocks #132).

This changes the SA to use a unique index on the sha256 of a
Registration's JWK's public key data instead of on the full serialized
JSON of the JWK. This corrects multiple problems:

 1. MySQL/Mariadb no longer complain about key's being larger than the
 largest allowed key size in an index
 2. We no longer have to worry about large keys not being seen as unique
 3. We no longer have to worry about the JWK's JSON being serialized with its inner keys in different orders and causing incorrectly empty queries or non-unique writes.

This change also hides the details of how Registrations are stored in
the database from the other services outside of SA. This will give us
greater flexibility if we need to move them to another database, or
change their schema, etc.

Also, adds some tests for NoSuchRegistration in the SA.
2015-08-06 14:19:19 -07:00
Jeff Hodges 0f03494d56 use pointer to AcmeURL everywhere
This has the benefit of not requiring us to copy very fat url.URL
objects when we pass them to funcs or call their methods.
2015-08-05 18:23:38 -07:00
Roland Shoemaker 8d046a6e0d Review fixes + remove IPv6 2015-08-05 13:47:59 -07:00
Jeremy Gillula 1ee8a9d755 Fixing some more small code style issues--changes should only be cosmetic 2015-08-04 14:06:08 -07:00
Jeremy Gillula 70347b4f9a Fixing "go fmt" errors 2015-08-04 13:57:54 -07:00
Jeremy Gillula ec409463db Adding the schemas for the external certs and the identifiers to db_schema-main.sql, and also removing the lastUpdate timestamp from the code and the import format document (since we don't really need it for anything). 2015-08-04 13:45:07 -07:00
Roland Shoemaker 8805f7e6e9 Switch address/redirect logging method, add redirect loop checking + test 2015-08-03 20:31:32 -07:00
Roland Shoemaker aeba06dcd9 Remove Resolved Addresses and Redirect chain from replies to client without breaking RPC layer 2015-08-03 11:02:23 -07:00
Roland Shoemaker 881ce95a5e LookupHost cleanups 2015-07-31 21:42:07 -07:00
Roland Shoemaker 778c0daae5 Expose filters 2015-07-31 16:19:25 -07:00
Roland Shoemaker 5a1a3c7e0d Give addrFilter a type and add the config wiring 2015-07-31 15:47:03 -07:00
Roland Shoemaker 94095796b9 Cleanups 2015-07-31 14:40:54 -07:00
Roland Shoemaker bc4069db05 Add some more tests 2015-07-31 13:46:24 -07:00
Roland Shoemaker 0041283960 Comment cleanup 2015-07-31 11:32:53 -07:00
Roland Shoemaker e12564bb11 Initial bulk of review fixes (cleanups inc) 2015-07-30 18:09:16 -07:00
Roland Shoemaker f5acc4e260 Merge master 2015-07-30 14:07:03 -07:00
bifurcation 46573e93a2 Merge pull request #497 from letsencrypt/update-challenges
Update challenges to match the spec
2015-07-30 15:06:32 -04:00
Richard Barnes 652702bd7f Merge master 2015-07-30 13:47:10 -04:00
Roland Shoemaker 726d59cb52 Merge master 2015-07-29 16:35:37 -07:00
Richard Barnes 5ea17d980a Merge master 2015-07-29 16:37:39 -04:00
Roland Shoemaker 272fbbd480 Merge pull request #541 from r0ro/remove-authz-newcert
Remove the need for a client to send authorizations url when requesting new certificate
2015-07-29 13:10:46 -07:00
Roland Shoemaker 6777b276a7 Merge branch 'master' into store-ips 2015-07-29 12:24:20 -07:00
Richard Barnes 08c86e560e Fix test failures in core 2015-07-29 14:40:41 -04:00
Richard Barnes f506da377a Clean up Challenge.MergeResponse 2015-07-29 12:59:52 -04:00
Richard Barnes 4f95f66f98 Remove AcmeJWS and move everything over to LE fork of go-jose 2015-07-29 12:44:39 -04:00
Richard Barnes 9e87cef807 Further test fixes 2015-07-29 12:20:00 -04:00
Richard Barnes de5c50739a Mostly fixed tests 2015-07-29 12:19:12 -04:00
Richard Barnes e60df240d8 Update DVSNI and DNS challenges 2015-07-29 12:19:12 -04:00
Richard Barnes 4cac9da9fd Refactor simpleHttp challenge 2015-07-29 12:18:09 -04:00
Richard Barnes 26b140b0cc Removing unused literals and exposing more error info 2015-07-29 11:17:26 -04:00
Richard Barnes 965be920a6 Enforce 'resource' field 2015-07-29 10:19:14 -04:00
Roland Shoemaker 27708be2c3 Merge pull request #532 from tomclegg/cname-nxdomain
Fix authz always failing when CAA record is not present + fix CAA lookup algorithm per RFC
2015-07-28 20:58:17 -07:00
Tom Clegg 4f177d34af Return actual rtt for nxdomain/nxrrset responses, not 0. 2015-07-28 23:28:19 -04:00
Jeremy Gillula 289dfeabe6 Fixing go formatting issues (ran go fmt on the files below) 2015-07-28 17:07:36 -07:00
Jeremy Gillula 65c923d547 we now ignore duplicate additions and require three different command line args 2015-07-28 14:03:56 -07:00
Romain Fliedel 36cba96fb2 update tests after jwk encoding fix. 2015-07-28 16:25:30 +02:00
Tom Clegg 1993dc44c6 Allow DNS cache to follow CNAME/DNAME for us when looking up CAA.
Only if the cache returns nothing for the CNAME query do we need to
look up CNAME/DNAME explicitly, in order to check CAAs on the parent
of the CNAME target rather than the parent of the original name.
2015-07-27 22:10:44 -04:00
Roland Shoemaker abd06564ec Merge branch 'master' into mailer 2015-07-27 12:46:19 -07:00
Roland Shoemaker 145790d9c3 Review fixes 2015-07-27 12:46:09 -07:00
Romain Fliedel 2b275405c1 remove authorizations member for certificate request. 2015-07-27 20:26:56 +02:00
Romain Fliedel 4bbd0fdccd Remove the need for a client to submit authorization urls when requesting a certificate. 2015-07-27 20:26:56 +02:00
Jacob Hoffman-Andrews aef83a3d02 Change core.Certificate.DER to []byte.
Fixes https://github.com/letsencrypt/boulder/issues/519.

The previous type, JSONBuffer, was triggering a subtle bug when scanning
multiple rows from MySQL.  Since this struct is not serialized as JOSE it
doesn't need to have the JSONBuffer type.

The test for this fix is blocked on
https://github.com/letsencrypt/boulder/issues/132, so I filed a separate issue
to follow up with a test:
https://github.com/letsencrypt/boulder/issues/536
2015-07-26 01:34:02 -07:00
Tom Clegg a843772736 Follow CNAME and DNAME during CAA lookups, cf. RFC 6844. 2015-07-26 01:25:30 -04:00
Tom Clegg d30ea8a4b6 Distinguish between "lookup failed" and "CNAME does not exist" in LookupCNAME. 2015-07-25 05:47:15 -04:00
Roland Shoemaker 8a577df190 Merge master 2015-07-24 17:41:14 -07:00
Roland Shoemaker bd9286dd5b Merge branch 'master' into mailer 2015-07-24 16:36:50 -07:00
Jacob Hoffman-Andrews 9423467142 Switch to our own fork of go-jose.
This is the result of `godep save -r ./...` and
`git rm -r -f Godeps/_workspace/src/github.com/square`

Our fork is currently at the head of go-jose when Richard made the local nonce
changes, with the nonce changes added on top. In other words, the newly created
files are exactly equal to the deleted files.

In a separate commit I will bring our own go-jose fork up to the remote head,
then update our deps.

Also note: Square's go-jose repo contains a `cipher` package. Since we don't
make any changes to that package, we leave it imported as-is.
2015-07-24 14:39:00 -07:00
Jacob Hoffman-Andrews 620a012c62 Rewrite go-jose dependencies to our fork. 2015-07-24 14:16:01 -07:00
Roland Shoemaker 7f5da3b8bc Merge pull request #521 from letsencrypt/remove_v
remove incorrect uses of %v, use specific verbs
2015-07-24 13:00:29 -07:00
Roland Shoemaker a960fa0393 Store redirects, reconstruct transport on redirect, add redirect + lookup tests 2015-07-24 12:05:27 -07:00
Jeff Hodges 8975601d5e correct bodyStr->body 2015-07-23 17:41:15 -07:00
Roland Shoemaker 6c2f3ea8cc Merge branch 'master' into mailer 2015-07-23 15:33:43 -07:00
Roland Shoemaker b5f519d22d Rework how the expiration mailer looks for certificates 2015-07-23 15:33:28 -07:00
Roland Shoemaker 5face2bf08 Merge master 2015-07-23 00:13:24 -07:00
Jacob Hoffman-Andrews 941df62ad4 Switch to AuditObject for CSR logging.
This allows us to log the remote address and registration object along with the
CSR.

Also, restore part of a comment on CertificateRequest that was deleted.
2015-07-22 16:32:11 -07:00
Jacob Hoffman-Andrews 6952aebeb3 Record initial application CSR.
Fixes https://github.com/letsencrypt/boulder/issues/493.
Also, modify MockSyslogWriter so that it implements the SyslogWriter interface
(no pointer receivers).
2015-07-22 15:34:59 -07:00
Roland Shoemaker 31f0674f03 Replace net.LookupMX with core.LookupMX using defined resolver 2015-07-21 22:36:29 -07:00
Roland Shoemaker d0049adb4c Log IPs in a better place, by storing them in the challenge objects! 2015-07-21 19:45:40 -07:00
Richard Barnes d8a12d8073 Addressing @bifurcation comments 2015-07-21 16:42:23 +02:00
Jeremy Gillula 867ce685f8 First cut of command-line tool for importing certs from other external sources like the SSL Observatory, Certificate Transparency, and scans.io 2015-07-15 18:38:35 -07:00
Roland Shoemaker 0cea5dffd0 Remove dangling timeout workarounds 2015-07-08 22:11:56 +01:00
Roland Shoemaker a767daed4d Rebase on #438 and cleanup 2015-07-08 22:07:21 +01:00
Roland Shoemaker 3aa6befb0b Review fixes 2015-07-08 20:57:58 +01:00
Roland Shoemaker 34bd2a2915 Review fixes 2015-07-08 20:56:59 +01:00
Roland Shoemaker b8bc60ddfb Remove core.DNSSECProblem definition 2015-07-08 20:52:40 +01:00
Roland Shoemaker cb1ddfaf78 Add parseDNSError method and use it to provide better problem detail, also add test workaround for timeouts until #401 is fixed 2015-07-08 20:52:40 +01:00
Roland Shoemaker dfed747a99 Put LookupHost back, and re-add checks to validateSimpleHTTP and validateDvsni 2015-07-08 20:48:42 +01:00
Roland Shoemaker a4eaf65741 Clarify comments 2015-07-08 20:48:42 +01:00
Roland Shoemaker 2d339651d7 Remove LookupDNSSEC and LookupHosts methods, and their usage, log SERVFAIL from resolver and query type it came from, ignore SERVFAIL from LookupCAA 2015-07-08 20:47:46 +01:00
Roland Shoemaker 624581518d Consistent domain usage, DNSResolver comment, and empty CAA test 2015-07-07 22:31:44 +01:00
Roland Shoemaker 1fb48d1fd4 Extend DNS tests and fix miekg/dns bug 2015-07-07 22:31:44 +01:00
Roland Shoemaker 94a77b421d Remove debug statement 2015-07-07 22:31:44 +01:00
Roland Shoemaker f6248ef279 Flesh out DNS mock methods, and move them to their own sub-module instead of under test/ to avoid import loop, Add Loopback DNS resolver for core/dns_test.go 2015-07-07 22:31:44 +01:00
Richard Barnes ebaad0f727 Add nonce error propagation to nonce.go 2015-06-23 12:14:23 -07:00
Jacob Hoffman-Andrews 5e11d333d4 Add implementation of ChallengesFor ProofOfPosession.f 2015-06-22 18:01:18 -07:00
Jacob Hoffman-Andrews 70bb5e8364 Add a PA test. 2015-06-22 16:33:09 -07:00
Jacob Hoffman-Andrews c301b87e3d Merge branch 'master' into existing-cert 2015-06-22 14:54:28 -07:00
J.C. Jones d712bcc8a8 Fixes #382: Log more consistently 2015-06-20 10:48:14 -07:00
Brad Warren c092d41348 Merge remote-tracking branch 'upstream/master' into errors 2015-06-19 13:25:38 -07:00
Brad Warren cd1acd0462 Merge remote-tracking branch 'upstream/master' into errors 2015-06-19 12:51:19 -07:00
Brad Warren 9312fb7eae Allowed for more detailed error messages: 2015-06-19 12:51:09 -07:00
Roland Shoemaker 1b65434256 Merge master 2015-06-19 20:16:16 +01:00
Roland Shoemaker ccb46eb967 Fix comment typo 2015-06-19 20:10:22 +01:00
Roland Shoemaker cd10bd4726 Add DNSSEC check for A/AAAA records to validateSimpleHTTP and validateDvsni 2015-06-19 20:03:27 +01:00
Roland Shoemaker 2ed840e4c3 Add better CNAME/CAA comments 2015-06-19 19:18:18 +01:00
Roland Shoemaker 948cca7172 Consolidate CAA functions into va/validation-authority.go and core/dns.go 2015-06-19 19:06:50 +01:00
Roland Shoemaker d6ed289e05 Remove duplicate error check 2015-06-18 16:36:39 -07:00
Roland Shoemaker 7e4b52e69a Merge pull request #369 from bradmw/errors
Validation Errors
2015-06-18 16:33:30 -07:00
James 'J.C.' Jones 4e7818ac7f Merge pull request #370 from letsencrypt/dns_lookuptxt_error_nilptr
Fix null pointer panic when LookupTXT fails at the DNS Resolver
2015-06-18 16:03:39 -07:00
Jacob Hoffman-Andrews d6e64835cc Store data on existing certs. 2015-06-18 15:35:23 -07:00
J.C. Jones 1b484608f4 Fix null pointer panic when LookupTXT fails at the DNS Resolver
Seen in https://travis-ci.org/letsencrypt/boulder/builds/67439063

(Update: Don't send a nil duration)
2015-06-18 15:25:10 -07:00
Brad Warren d7968f2163 Merge remote-tracking branch 'upstream/master' into errors 2015-06-18 14:49:33 -07:00
James 'J.C.' Jones 609b534e98 Merge pull request #366 from letsencrypt/match-ip-email
Check IPAddresses and EmailAddresses in Certificate.MatchesCSR
2015-06-18 14:36:16 -07:00
Brad Warren 38b8701ae9 Merge remote-tracking branch 'upstream/master' into errors 2015-06-18 14:10:43 -07:00
Brad Warren 93ff18b365 Finished addinig validation errors 2015-06-18 14:10:24 -07:00
Brad Warren f19cad3a04 Additional cleanup of error handling 2015-06-18 10:08:59 -07:00
Roland Shoemaker f89b32b420 Check IPAddresses and EmailAddresses in Certificate.MatchesCSR 2015-06-17 18:53:02 -07:00
Roland Shoemaker 403af37a39 Hide Authorization.Expires field when uninitialized 2015-06-17 18:34:30 -07:00
Brad Warren 6fac234036 Updated error messages and internal error handling 2015-06-17 10:56:46 -07:00
J.C. Jones 41f5788c77 Correct most `go lint` warnings. (274 -> 5) 2015-06-16 22:18:28 -05:00
J.C. Jones b24f6b23fe Moved to `miekg/dns` for the VA.
- Created some helper methods to run DNSSEC and reduce code reuse
- Support multiple DNS servers, but not in the Config file (yet)
- Fix typo; r=@rolandshoemaker
2015-06-16 19:37:15 -05:00
Brad Warren b094c81371 Merge remote-tracking branch 'upstream/master' into errors 2015-06-16 10:59:16 -07:00
J.C. Jones cc97492a54 Issue #11: Basic DNS Challenge support 2015-06-16 09:03:03 -05:00
Brad Warren 3ca3d9b283 Finished adding basic errors 2015-06-15 19:30:11 -07:00
Roland Shoemaker 01c41c1bd0 Merge pull request #354 from letsencrypt/344-internal_server_errors
Resolves Issue #344: Only send InternalServerError when needed
2015-06-15 15:57:04 -07:00
Jacob Hoffman-Andrews 80d5e50e42 Enable revocation by account key.
In addition to cert private key. This required modifying the GetCertificate*
functions to return core.Certificate instead of certificate bytes.
2015-06-15 12:33:50 -07:00
J.C. Jones 1474b7f21f Resolves Issue #344: Only send InternalServerError when needed
Basically, just send InternalServerError when it indicates an internal state
was broken.
2015-06-13 00:21:44 -05:00
Roland Shoemaker f4ee29d1d3 Change all references from SimpleHTTPS -> SimpleHTTP 2015-06-12 11:22:04 -07:00
Roland Shoemaker ef3adda09b Switch TLS to pointer 2015-06-11 22:08:38 -07:00
Roland Shoemaker c301125e93 Add TLS field to core.Challenge per spec 2015-06-11 17:12:50 -07:00
J.C. Jones 2ad15a4a85 Issue #309: Produce OCSP Responses immediately upon issuance, if at all possible.
This approach performs a best-effort generation of the first OCSP response during
certificate issuance. In the event that OCSP generation fails, it logs a warning at
the Boulder-CA console, but returns successfully since the Certificate was itself
issued.
2015-06-11 11:31:04 -05:00
Roland Shoemaker b38ebe18fc Merge remote-tracking branch 'upstream/master' into better-caa 2015-06-10 15:57:05 -07:00
bifurcation 676ebf721f Merge pull request #325 from letsencrypt/anti-replay
Add an anti-replay nonce facility
2015-06-10 16:55:20 -04:00
Roland Shoemaker 0265b6f5d0 Merge upstream/master and fix conflicts 2015-06-10 12:43:11 -07:00
Richard Barnes 801810d2bd Removing extraneous printfs 2015-06-10 15:28:25 -04:00
Richard Barnes 22bff4e537 Transition from random nonces to encrypted counters (for real) 2015-06-09 17:43:04 -04:00
J.C. Jones 76f7b1c1e4 Improve build identification
New example:

2015/06/09 09:20:13 Versions: boulder=(generate_ocsp +0c101f2 Tue Jun  9 16:20:06 UTC 2015) Golang=(devel +46b4f67 Thu Apr 16 20:01:13 2015 +0000) BuildHost=(user@vm.local)
2015-06-09 09:22:29 -07:00
Roland Shoemaker 603e625758 Remove debug statement 2015-06-08 18:09:02 -07:00
Roland Shoemaker bc2c28a5ce Check Challenge.Path isn't malformed in Challenge.IsSane 2015-06-08 18:02:01 -07:00
Roland Shoemaker 370b6f9bf9 Return error from core.GoodKey 2015-06-06 17:12:16 -07:00
Roland Shoemaker 75a40e3597 Fix typo 2015-06-06 06:15:19 -07:00
Roland Shoemaker bb5c042cef Fix tests and various other cleanup 2015-06-06 02:06:35 +01:00
Roland Shoemaker d6591ada58 Speed up test 2015-06-05 19:03:45 +01:00
Roland Shoemaker 0bfc50b7e5 Add check for max key size 2015-06-05 19:02:10 +01:00
James 'J.C.' Jones 6a4aa8de3c Merge pull request #304 from letsencrypt/296-ca_tx_move
Issue #296: Fix erroneous transaction handling in CA
2015-06-03 22:10:43 -07:00
James 'J.C.' Jones a3521bcb61 Merge pull request #277 from rolandshoemaker/check-cert
Check generated certificate matches CSR
2015-06-03 22:10:35 -07:00
J.C. Jones 27f5aebbcd Updates per review 2015-06-03 21:57:01 -07:00
J.C. Jones abdc174be8 Issue #296: Fix erroneous transaction handling in CA
- Moved the transaction handling up to the `certificate-authority.go` file
- Simplified `certificate-authority-data.go`
- Created a mocks file in `test/` and reworked RA and CA to use it
- More audit logging to CA
2015-06-03 19:23:24 -07:00
Roland Shoemaker 78e621c95f further review fixes 2015-06-03 00:27:08 +01:00
bifurcation 04479eca5c Merge pull request #291 from letsencrypt/fix-revocation
Revert change to revocation from #275
2015-06-02 17:52:35 -04:00
Jacob Hoffman-Andrews 7a60d431d6 Revert "Supporess the 'expires' field in public Authorizations"
This reverts commit d47b7c12ac.

Conflicts:
	core/objects.go
	wfe/web-front-end.go
2015-06-02 12:02:05 -07:00
Jacob Hoffman-Andrews 026cb424fc Revert "Replace RevokeCertficate with something more in line with the spec"
This reverts commit b1bad40fe6.

Conflicts:
	wfe/web-front-end.go
2015-06-02 10:45:54 -07:00
Roland Shoemaker 51890a9626 Move cert-csr check to boulder/core and review fixes 2015-06-02 17:56:28 +01:00
Roland Shoemaker e5bf16711c Add generated cert checks 2015-06-01 14:00:49 +01:00
Richard Barnes bfd9e4ac20 Fixing JCJ nits 2015-06-01 02:11:10 -04:00
Richard Barnes b1bad40fe6 Replace RevokeCertficate with something more in line with the spec 2015-06-01 02:11:10 -04:00
Richard Barnes d47b7c12ac Supporess the 'expires' field in public Authorizations 2015-06-01 02:08:47 -04:00
Richard Barnes e8edbf5f21 Making capitalization consistent with Go standards 2015-06-01 02:08:47 -04:00
Richard Barnes acc6963a90 Some simplifications to good_key.go 2015-06-01 02:05:17 -04:00
Richard Barnes 9917ca17f6 Clean up TODOs 2015-06-01 02:05:17 -04:00
Richard Barnes c0bacc3fb6 Add more detailed error code reporting 2015-05-31 15:58:08 -04:00
Richard Barnes c3c52eda17 Merge branch 'master' into check-validity2 2015-05-31 13:32:44 -04:00
James 'J.C.' Jones 3e593d73c9 Merge pull request #262 from letsencrypt/ra-tests
Miscellaneous Fixes
2015-05-30 22:08:49 -07:00
Richard Barnes 9b747d08be More tests 2015-05-30 15:29:58 -04:00
Richard Barnes 7a09c78788 Issue #254 2015-05-30 13:21:36 -04:00
bifurcation 441ce328c7 Merge pull request #255 from letsencrypt/202-ocsp-responder
Issue #202: Initial OCSP Responder
2015-05-30 13:10:50 -04:00
Richard Barnes a684177a09 Issue #236 2015-05-30 11:08:18 -04:00
Jacob Hoffman-Andrews 9653974130 Remove spurious objects.go.orig. 2015-05-29 13:25:49 -07:00
Jacob Hoffman-Andrews 92967f03b6 go fmt 2015-05-29 13:11:57 -07:00
Jacob Hoffman-Andrews 6a6a8aa72d Merge branch 'master' into goodkey
Conflicts:
	ca/certificate-authority.go
	ra/registration-authority.go
	ra/registration-authority_test.go
2015-05-29 12:26:24 -07:00
Roland Shoemaker 8846fd2c90 Merge upstream/master 2015-05-29 09:36:46 +01:00
J.C. Jones 4518f0bf17 Migrate CADB to using GORP. 2015-05-28 23:11:03 -07:00
Richard Barnes 68fc8a8f4f More rebase 2015-05-28 20:35:29 -07:00
Richard Barnes 0d7555b7af Rebase on master 2015-05-28 20:34:47 -07:00
Richard Barnes b59682cb91 Add validity interval checking 2015-05-28 20:30:46 -07:00
J.C. Jones 8766edaa93 Issue #239 - Add a build ID method to WFE, and print Info on startup for all 2015-05-28 11:13:09 -07:00
J.C. Jones d1321f2d78 More RPC fixes for Issue #202
- NewPendingAuthorization now uses a core.Authorization object, so
  that foreign key constraints are followed
- core.Authorization now serializes RegistrationID to JSON, so it has to get
  blanked out in WFE before transmission to client.
- Remove ParsedCertificate from core.Certificate, as type x509.Certificate cannot
  be marshaled.
- Added AssertDeepEquals and AssertMarhsaledEquals to test-tools.go
- Caught several overloaded and misleadingly named errors in WFE
2015-05-28 11:05:55 -07:00
Roland Shoemaker 81c7466e97 add rpc-wrapper and interface code 2015-05-28 09:58:16 +01:00
J.C. Jones e4e52e7315 More work on Issue #202 for RPC functions
- Fix a bunch of typos in rpc-wrappers.go
- Unblank `id` in core.Registration JSON:
  - It's not spec, but it's not hurting anything, and we reveal it to clients anyway.
  - We need knowledge of the ID in RPC, so if we don't want to include this in the object, we need to make a transfer object to wrap it.
- Make the RPC logs much clearer as to who's talking to who
- Typo in WFE where we called a registration an authz
2015-05-27 23:37:12 -07:00
J.C. Jones af0f8446eb Issue #202, Periodic OCSP Signer Tool
- Move dbMap construction and type converter into individual files in the sa package.
- Add DB configuration for the OCSP tool to the boulder config:
  - left to the user if they want to use different boulder-config.json files
    for different purposes.
- Added updater to Makefile
- Fix trailing ',' in the Boulder config, add more panic logging
- Ignore .pem files produced by the integration test
- Change RPC to use per-instance named reply-to queues.
- Finish OCSP Updater logic
- Rework RPC for OCSP to use a transfer object (due to serialization problems of x509.Certificate)
2015-05-27 22:01:29 -07:00
J.C. Jones 343920cfe3 Fix integration test while running with MySQL
- Add SQL configuration options
- Increase the width of the authz and pending_authz tables' challenges field
- Make it configurable whether CREATE TABLE commands should run
2015-05-27 13:39:18 -07:00
J.C. Jones f15da06af7 Issue #238 - MySql column width too narrow
- Added SQL debug logging (SA option: "SQLDebug")
- Added timestamps to the log prints to stdout
- Ignore *.pem in test/js
- Modified start.sh to support environment overrides for BOULDER_CONFIG, like the AMQP mode
- Changed boulder-test-config to open the server on the loopback device, so as to not cause firewall prompts on each integration test run for those of us being restrictive
- Renamed "key" column to "jwk" in DB, to avoid keyword conflict
- Set MaxLength on "jwk" column to 512
2015-05-27 12:12:41 -07:00
Jacob Hoffman-Andrews 6c6199023d Merge pull request #231 from letsencrypt/230-unknown-key-type
Resolved Issue #230
2015-05-26 15:05:34 -07:00
J.C. Jones bc3acca096 Resolved Issue #230
- Move setting the core.Registration.Key field from RA.NewRegistration to
  WFE.NewRegistration to avoid a chicken-and-egg problem.
- Note: I kept the RPC wrapper object even though it now only has one field.
  Seems like it's a good practice to use wrapper objects, even though we don't
  everywhere.
2015-05-26 14:44:15 -07:00
Jacob Hoffman-Andrews 19fd285859 Merge pull request #223 from rolandshoemaker/revoker
admin-revoker tool
2015-05-26 14:37:33 -07:00
Roland Shoemaker e1eeebce52 Only run validations against updated challenges (instead of everything) 2015-05-26 17:08:49 +01:00
Roland Shoemaker d184862427 gofmt and move deniedCSR table creation back to SA 2015-05-25 01:17:28 +01:00
Roland Shoemaker 0ab71bed62 initial revoker work 2015-05-23 12:46:56 +01:00
James 'J.C.' Jones f63c8ec5ca Merge pull request #218 from letsencrypt/204_audit_challenges
Audit all Challenges (success/failure) in VA for Issue #204
2015-05-21 14:23:54 -07:00
J.C. Jones 1c9837ddf8 Audit all Challenges (success/failure) in VA for Issue #204
- Don't ignore entropy underruns in challenges.go
- Correct identity crisis in Policy Authority; hopefully it will remember.
- Add a method `AuditObject` in audit-logger and convert RA/VA to use it
- Fix json typo in registration-authority that caused empty audit logs
- Fix vet issue in WFE where RegID was being printed as a 32-bit int instead of 64-bit
- Unfix the issue in WFE where RegID isn't right, per PR #215
2015-05-21 13:58:40 -07:00
Roland Shoemaker 870f02917c check subscriber agreement in new/updated registrations 2015-05-18 20:56:51 -07:00
J.C. Jones 42302541bd Run `go fmt` for PR #186 2015-05-18 18:44:38 -07:00
Richard Barnes c3b312118e Add audit logging
- Auditing for general errors in executables
- Auditing for improper messages received by WFE
- Automatic audit wlogging of software errors
- Audit logging for mis-routed messages
- Audit logging for certificate requests
- Auditing for improper messages received by WFE
- Add audit events table
- Expect more details in TestRegistration in web-front-end_test.go
- Remove "extra" debug details from web-front-end.go per Issue #174
- Improve test coverage of web-front-end.go
- WFE audit updates for revocation support rebase
- Add audit messages to RPC for Improper Messages and Error Conditions
- Also note misrouted messages
2015-05-18 18:23:08 -07:00
Roland Shoemaker e1ba291019 Store registration ID with certificate 2015-05-16 13:47:51 -07:00
Roland Shoemaker faa1d5ac45 review cleanups 2015-05-16 13:25:36 -07:00
Roland Shoemaker e233fdaa61 switch authz and pending_authz to store registration ID instead of key (and update all the random stuff they touched) 2015-05-14 14:14:36 -07:00
James 'J.C.' Jones 6be5c4910e Merge pull request #185 from rolandshoemaker/deny-store
Store and check previously denied CSRs
2015-05-14 09:03:06 -07:00
Roland Shoemaker b9745cf894 check key is assosiated with existing registration in verifyPOST 2015-05-13 19:16:20 -07:00
Jacob Hoffman-Andrews aa8c20f84a Fixes in response to review feedback. 2015-05-13 17:36:39 -07:00
Jacob Hoffman-Andrews 3eed9e3f7c Move to Square's go-jose library. 2015-05-13 17:36:38 -07:00
Roland Shoemaker 5d5eea7071 switch to only store dns names 2015-05-13 12:08:50 -07:00
Roland Shoemaker 314fb5e9f6 add WFE mashaling test 2015-05-12 21:04:48 -07:00
Roland Shoemaker 07182500eb add missing rpc methods 2015-05-12 00:08:48 -07:00
Roland Shoemaker d95c552ab4 add denied csr table and AddDeniedCSR + AlreadyDeniedCSR methods for checking, added AddDeniedCSR to ra.NewCertificate 2015-05-11 23:02:39 -07:00
Roland Shoemaker 1bf93f42ec add anonymous tags to LockCol fields on core objects 2015-05-11 21:57:45 -07:00
Jacob Hoffman-Andrews 915956c779 Once, initialize small primes as big.Int 2015-05-09 11:54:34 -07:00
Jacob Hoffman-Andrews cb00816e48 Merge branch 'goodkey' of github.com:letsencrypt/boulder into goodkey
Conflicts:
	ca/certificate-authority.go
	core/good_key.go
	core/good_key_test.go
2015-05-09 11:48:32 -07:00
Jacob Hoffman-Andrews ea457f7167 Split out RSA/ECDSA functions. 2015-05-09 11:34:13 -07:00
Jacob Hoffman-Andrews 34a6e1511d Add good_key.go. 2015-05-09 11:24:47 -07:00
Jacob Hoffman-Andrews 8acae627eb Fix sanity checking for challenges.
Also add more debug logging.
2015-05-08 15:32:11 -07:00
jsha 8b1139be70 Merge pull request #149 from rolandshoemaker/gorp
Switch SQL backend to gorp
2015-05-08 09:47:46 -07:00