Commit Graph

4 Commits

Author SHA1 Message Date
James Renken 0a27cba9f4
WFE/nonce: Add NonceHMACKey field (#7793)
Add a new WFE & nonce config field, `NonceHMACKey`, which uses the new
`cmd.HMACKeyConfig` type. Deprecate the `NoncePrefixKey` config field.

Generalize the error message when validating `HMACKeyConfig` in
`config`.

Remove the deprecated `UseDerivablePrefix` config field, which is no
longer used anywhere.

Part of #7632
2024-11-13 10:31:28 -05:00
James Renken 707b734a75
Remove outdated limitation in TestNonceBalancer (#7694)
Also fix minor typos in comments.

Part of https://github.com/letsencrypt/boulder/issues/7696
2024-09-04 13:35:20 -07:00
Samantha 33109ce384
test: Fix naming of integration test config structs (#7020)
Significantly differentiate configuration struct naming in the
integration package.
2023-08-01 16:24:42 -07:00
Samantha b141fa7c78
WFE: Correct Error Handling for Nonce Redemption RPCs with Unknown Prefixes (#7004)
Fix an issue related to the custom gRPC Picker implementation introduced
in #6618. When a nonce contained a prefix not associated with a known
backend, the Picker would continuously rebuild, re-resolve DNS, and
eventually throw a 500 "Server Error" at RPC timeout. The Picker now
promptly returns a 400 "Bad Nonce" error as expected, in response the
requesting client should retry their request with a fresh nonce.

Additionally:
- WFE unit tests use derived nonces when `"BOULDER_CONFIG_DIR" ==
"test/config-next"`.
- `Balancer.Build()` in "noncebalancer" forces a rebuild until non-zero
backends are available. This matches the
[balancer/roundrobin](d524b40946/balancer/roundrobin/roundrobin.go (L49-L53))
implementation.
- Nonces with no matching backend increment "jose_errors" with label
`"type": "JWSInvalidNonce"` and "nonce_no_backend_found".
- Nonces of incorrect length are now rejected at the WFE and increment
"jose_errors" with label `"type": "JWSMalformedNonce"` instead of
`"type": "JWSInvalidNonce"`.
- Nonces not encoded as base64url are now rejected at the WFE and
increment "jose_errors" with label `"type": "JWSMalformedNonce"` instead
of `"type": "JWSInvalidNonce"`.

Fixes #6969
Part of #6974
2023-07-28 12:07:52 -04:00