Commit Graph

1793 Commits

Author SHA1 Message Date
マルコメ adf1d06d64
add `syntax` parser directive to Dockerfile (#8055)
As recommended by https://docs.docker.com/build/concepts/dockerfile/#dockerfile-syntax
2025-03-11 17:09:11 -07:00
Aaron Gable 077c3c5db1
Remove go1.23 from CI and update go.mod to go1.24 (#8052)
We have upgraded to go1.24.1 in production, and no longer need to test
go1.23.x. Updating the version in our go.mod also allows us to begin
using x509.Certificate.Policies instead of .PolicyIdentifiers.
2025-03-11 12:45:03 -07:00
Aaron Gable dc14caf907
Add MPICFullResults feature flag to turn off VA early return (#8046)
Add a new "MPICFullResults" feature flag. When this flag is enabled in
the VA, it will wait for all Remote VAs to return their results for both
Domain Control Validation and CAA checking, rather than short-circuiting
as soon as it has seen enough results to know whether corroboration will
or will not be achieved.

We make this change because waiting for these to return honestly doesn't
take that long, because we do validation (although not CAA rechecking)
asynchronously, and because it improves the quality of our MPIC quorum
summary logs (so we don't always say only 3/4 concurred because the
fourth was cancelled).

Fixes https://github.com/letsencrypt/boulder/issues/7809
2025-03-11 08:49:05 -07:00
Aaron Gable df23344dbf
Update CI to go1.23.7 and go1.24.1 (#8051)
These versions contain security fixes to the net/http package, but not
to the parts of it which we use.
2025-03-10 11:28:31 -07:00
Aaron Gable 2ac1ac0f39
WFE: Don't remove contacts on empty update-account request (#8049)
When we receive an update-account request which is not empty, but
doesn't contain the "contact" field, don't assume that they want to
remove their contacts. Only remove contacts if the "contact" field is
present, but empty.

Add a unit test and an integration test which will catch regressions in
this behavior.
2025-03-07 14:54:15 -08:00
Samantha Frank f8d1d85349
wfe: Remove SendContacts call from updateAccount (#8048)
PR #8018 integrated the email-exporter service with WFE, updating
wfe.NewAccount and wfe.updateAccount to submit valid email contacts to
the Salesforce Pardot API. However, our new_or_updated_contact metric
shows that (account) contact updates currently exceed the highest
Salesforce tier’s daily submission limit by several times.

This change can be reverted if additional filtering logic reduces
updated (+ new) account contacts below the daily submission limit.
2025-03-07 15:33:31 -05:00
Jacob Hoffman-Andrews 98b6d3f8bf
crl-updater: remove deprecated options (#8021)
Note: the issues listed in the TODOs (#6438 and #7023) are already
closed.
2025-03-07 11:27:49 -08:00
Aaron Gable 12e660874d
Reduce flakiness in crl-updater integration tests (#8044)
Remove crl-updater from the list of services run by startservers.py, so
that it isn't running at the same time as the crl-updater instances run
by specific integration tests. In return, add a new integration test
which starts crl-updater and waits for it to listen on its debug port,
just like startservers does.

Also make the existing crl-updater integration tests more robust and
more parallelizable by having them always reset the leasedUntil column
before executing the updater, instead of requiring each individual test
to perform that reset.

Fixes https://github.com/letsencrypt/boulder/issues/7590
2025-03-07 09:38:02 -08:00
Jacob Hoffman-Andrews 7aebcb1aeb
ra: deprecate UnsplitIssuance flag (#8043)
Remove some RA tests that were checking for errors specific to the split
issuance flow. Make one of the tests test GetSCTs directly, which makes
for a much nicer test!
2025-03-06 13:43:06 -08:00
Samantha Frank b1e4721d1a
cmd/email-exporter: Initial implementation and integration with WFE (#8018)
Add a new boulder service, email-exporter, which uses the Pardot API
client added in #8016 and the email.Exporter gRPC service added in
#8017.

Add pardot-test-srv, a test-only service for mocking communication with
Salesforce OAuth and Pardot APIs in non-production environments. Since
Salesforce does not provide Pardot functionality in developer sandboxes,
pardot-test-srv must run in all non-production environments (e.g.,
sre-development and staging).

Integrate the email-exporter service with the WFE and modify
WFE.NewAccount and WFE.UpdateAccount to submit valid email contacts.
Ensure integration tests verify that contacts eventually reach
pardot-test-srv.

Update configuration where necessary to:
- Build pardot-test-srv as a standalone binary.
- Bring up pardot-test-srv and cmd/email-exporter for integration
testing.
- Integrate WFE with cmd/email-exporter when running test/config-next.

Closes #7966
2025-03-06 15:20:55 -05:00
Aaron Gable a00821ada6
Scale ARI suggested window to cert lifetime (#8024)
Compute the width of the ARI suggested renewal window as 2% of the
validity period. This means that 90-day certificates have their
suggested window shrink slightly from 48 hours to 43.2 hours, and gives
six-day (160h) certs a suggested window 3.2 hours wide.

Also move the center of that window to the midpoint of the certificate
validity period for certs which are valid for less than 10 days, so that
operators have (proportionally) a little more time to respond to renewal
issues.

Fixes https://github.com/letsencrypt/boulder/issues/7996
2025-03-05 15:32:25 -08:00
Aaron Gable 28b49a82d4
SA: Improve concurrency robustness of CRL leasing transactions (#8030)
In a few places within the SA, we use explicit transactions to wrap
read-then-update style operations. Because we set the transaction
isolation level on a per-session basis, these transactions do not in
fact change their isolation level, and therefore generally remain at the
default isolation level of REPEATABLE READ.

Unfortunately, we cannot resolve this simply by converting the SELECT
statements into SELECT...FOR UPDATE statements: although this would fix
the issue by making those queries into locking statements, it also
triggers what appears to be an InnoDB bug when many transactions all
attempt to select-then-insert into a table with both a primary key and a
separate unique key, as the crlShards table has. This causes the
integration tests in GitHub Actions, which run with an empty database
and therefore use the needToInsert codepath instead of the update
codepath, to consistently flake.

Instead, resolve the issue by having the UPDATE statements specify that
the value of the leasedUntil column is still the same as was read by the
initial SELECT. Although two crl-updaters may still attempt these
transactions concurrently, the UPDATE statements will still be fully
sequenced, and the latter one will fail.

Part of https://github.com/letsencrypt/boulder/issues/8031
2025-03-03 15:29:57 -08:00
Samantha Frank e6c812a3db
va/ra: Deprecate EnforceMultiCAA and EnforceMPIC (#8025)
Replace DCV and CAA checks (PerformValidation and IsCAAValid) in
va/va.go and va/caa.go with their MPIC compliant counterparts (DoDCV and
DoCAA) in va/vampic.go. Deprecate EnforceMultiCAA and EnforceMPIC and
default code paths as though they are both true. Require that RIR and
Perspective be set for primary and remote VAs.

Fixes #7965
Fixes #7819
2025-03-03 16:33:27 -05:00
Aaron Gable a2141cb695
RA: Control MaxNames via profile (#8019)
Add MaxNames to the set of things that can be configured on a
per-profile basis. Remove all references to the RA's global maxNames,
replacing them with reference's to the current profile's maxNames. Add
code to the RA's main() to copy a globally-configured MaxNames into each
profile, for deployability.

Also remove any understanding of MaxNames from the WFE, as it is
redundant with the RA and is not configured in staging or prod. Instead,
hardcode the upper limit of 100 into the ratelimit package itself.

Fixes https://github.com/letsencrypt/boulder/issues/7993
2025-02-27 15:51:00 -06:00
Jacob Hoffman-Andrews 692bd53ae5
ca: unsplit issuance flow (#8014)
Add a new RPC to the CA: `IssueCertificate` covers issuance of both the
precertificate and the final certificate. In between, it calls out to
the RA's new method `GetSCTs`.

The RA calls the new `CA.IssueCertificate` if the `UnsplitIssuance`
feature flag is true.

The RA had a metric that counted certificates by profile name and hash.
Since the RA doesn't receive a profile hash in the new flow, simply
record the total number of issuances.

Fixes https://github.com/letsencrypt/boulder/issues/7983
2025-02-24 11:37:17 -08:00
Aaron Gable d9433fe293
Remove 'RETURNING' functionality from MultiInserter (#7740)
Deprecate the "InsertAuthzsIndividually" feature flag, which has been
set to true in both Staging and Production. Delete the code guarded
behind that flag being false, namely the ability of the MultiInserter to
return the newly-created IDs from all of the rows it has inserted. This
behavior is being removed because it is not supported in MySQL / Vitess.

Fixes https://github.com/letsencrypt/boulder/issues/7718

---

> [!WARNING]
> ~~Do not merge until IN-10737 is complete~~
2025-02-19 14:37:22 -08:00
Aaron Gable 212a66ab49
Update go versions in CI and release (#7971)
Update from go1.23.1 to go1.23.6 for our primary CI and release builds.
This brings in a few security fixes that aren't directly relevant to us.

Add go1.24.0 to our matrix of CI and release versions, to prepare for
switching to this next major version in prod.
2025-02-19 14:37:01 -08:00
Aaron Gable eab90ee2f5
Remove unused non-ACME /get/ paths for orders and authzs (#8010)
These paths receive (literally) zero traffic, and they require the WFE
to duplicate the RA's authorization lifetime configuration. Since that
configuration is now per-profile, the WFE can no longer easily replicate
it, and the resulting staleness calculations will be wrong. Remove the
duplicated configuration, remove the unused endpoints that rely on it,
and remove the staleness-checking code which supported those endpoints.

Leave the non-ACME /get/ endpoint for certificates in place, because
checking staleness for those does not require any additional
configuration, and having a non-ACME serial-based API for certificates
is a good thing.

Fixes https://github.com/letsencrypt/boulder/issues/8007
2025-02-14 10:21:00 -08:00
Jacob Hoffman-Andrews e0e5a17899
crl: add cache control headers (#8011)
The crl-storer passes along Cache-Control and Expires from the
crl-updater (because the crl-updater knows the UpdatePeriod).

The crl-updater calculates the Expires header based on when it expects
to update the CRL, plus a margin of error.

Fixes #8004
2025-02-13 14:20:29 -08:00
Jacob Hoffman-Andrews a8b2fd6960
test: increase pkilint timeout (#8008)
Increase pkilint timeout from 200ms to 2s. In #8006 I found that errors
were stemming from timeouts talking to the bpkilint container. These
probably showed up in TestRevocation particularly because that
integration test now issues for many certificates in parallel. Pkilint's
slowness, combined with the relatively small number of cores in CI,
probably resulted in some requests taking too long.
2025-02-12 10:10:02 -08:00
Aaron Gable 63a0e500ed
Create profiles integration test (#8003)
This wasn't previously possible because eggsampler/acme didn't support
profiles until late last week.
2025-02-11 15:47:41 -08:00
Aaron Gable a9e3ad1143
CA: Require RA to always provide profile name (#7991)
Deprecate the CA's DefaultCertificateProfileName config key, now that
default profile selection is being handled by the RA instead.

Part of https://github.com/letsencrypt/boulder/issues/7986
2025-02-11 13:10:29 -08:00
James Renken 64f4aabbf3
admin: Remove deprecated debugAddr (#7999)
The parameter was removed in production in IN-10874.

Followup to #7838, #7840
2025-02-10 12:26:57 -08:00
James Renken f6c748c1c3
WFE/nonce: Remove deprecated NoncePrefixKey field (#7825)
Remove the deprecated WFE & nonce config field `NoncePrefixKey`, which
has been replaced by `NonceHMACKey`.

<del>DO NOT MERGE until:</del>
- <del>#7793 (in `release-2024-11-18`) has been deployed, AND:</del>
- <del>`NoncePrefixKey` has been removed from all running configs.</del>

Fixes #7632
2025-02-06 15:32:49 -08:00
Jacob Hoffman-Andrews eda496606d
crl-updater: split temporal/explicit sharding by serial (#7990)
When we turn on explicit sharding, we'll change the CA serial prefix, so
we can know that all issuance from the new prefixes uses explicit
sharding, and all issuance from the old prefixes uses temporal sharding.
This lets us avoid putting a revoked cert in two different CRL shards
(the temporal one and the explicit one).

To achieve this, the crl-updater gets a list of temporally sharded
serial prefixes. When it queries the `certificateStatus` table by date
(`GetRevokedCerts`), it will filter out explicitly sharded certificates:
those that don't have their prefix on the list.

Part of #7094
2025-02-04 11:45:46 -05:00
Aaron Gable 2f8c6bc522
RA: Use Validation Profiles to determine order/authz lifetimes (#7989)
Add three new fields to the ra.ValidationProfile structure, representing
the profile's pending authorization lifetime (used to assign an
expiration when a new authz is created), valid authorization lifetime
(used to assign an expiration when an authz is successfully validated),
and order lifetime (used to assign an expiration when a new order is
created). Remove the prior top-level fields which controlled these
values across all orders.

Add a "defaultProfileName" field to the RA as well, to facilitate
looking up a default set of lifetimes when the order doesn't specify a
profile. If this default name is explicitly configured, always provide
it to the CA when requesting issuance, so we don't have to duplicate the
default between the two services.

Modify the RA's config struct in a corresponding way: add three new
fields to the ValidationProfiles structure, and deprecate the three old
top-level fields. Also upgrade the ra.NewValidationProfile constructor
to handle these new fields, including doing validation on their values.

Fixes https://github.com/letsencrypt/boulder/issues/7605
2025-02-04 11:44:43 -05:00
Jacob Hoffman-Andrews f11475ccc3
issuance: add CRLDistributionPoints to certs (#7974)
The CRLDP is included only when the profile's
IncludeCRLDistributionPoints field is true.

Introduce a new config field for issuers, CRLShards. If
IncludeCRLDistributionPoints is true and this is zero, issuance will
error.

The CRL shard is assigned at issuance time based on the (random) low
bits of the serial number.

Part of https://github.com/letsencrypt/boulder/issues/7094
2025-01-30 14:39:22 -08:00
Aaron Gable c5a28cd26d
WFE: Refuse to finalize orders with unrecognized profiles (#7988)
The current profiles draft
(https://datatracker.ietf.org/doc/draft-aaron-acme-profiles/00/) says:

> If a server receives a request to finalize an Order whose profile the
> CA is no longer willing to issue under, it MUST respond with a
> problem document of type "invalidProfile".  The server SHOULD attempt
> to avoid this situation, e.g. by ensuring that all Orders for a
> profile have expired before it stops issuing under that profile.

Add types and helper functions representing this new error type to the
berrors, probs, and web packages. Update the WFE code which rejects
new-order requests with unrecognized profiles to use these new types,
and add similar code to the WFE's finalize path. Update the unit and
integration tests to reflect the fact that we now configure at least one
profile in both Staging and Prod (tracked in IN-10574).
2025-01-30 14:10:02 -08:00
Jacob Hoffman-Andrews 55b8cbef6c
tests: increase wfe log level (#7982)
We've been seeing some flaky integration tests where issuance fails. The
integration test only has access to the generic user-facing error. The
real error is available as `InternalError` in the WFE logs, but we need
a higher log level to see it.
2025-01-27 11:24:08 -08:00
Jacob Hoffman-Andrews a8074d2e9d
test: add more testing for CRL revocation (#7957)
In revocation_test.go, fetch all CRLs, and look for revoked certificates
on both CRLs and OCSP.

Make s3-test-srv listen on all interfaces, so the CRL URLs in the CA
config work.

Add IssuerNameIDs to the CRL URLs in ca.json, to match how those CRLs
are uploaded to S3.

Make TestRevocation parallel. Speedup from ~60s to ~3s.

Increase ocsp-responder's allowed parallelism to account for parallel
test. Also, add "maxInflightSignings" to config/ since it's in prod.
"maxSigningWaiters" is not yet in prod, so don't move that field.

Add a mutex around running crl-updater, and decrease the log level so
errors stand out more when they happen.
2025-01-23 18:49:55 -08:00
Samantha Frank ca73500467
integration: Fix typo in TestReRevocation (#7970) 2025-01-22 13:50:48 -08:00
Aaron Gable 6b1e7f04e8
SA: Clean up pre-profile order schema and feature flag (#7953)
Deprecate the MultipleCertificateProfiles feature flag, which has been
enabled in both Staging and Prod. Delete all code protected by that flag
being false, namely the orderModelv1 type and its support code. Update
the config schema to match the config-next schema.

Fixes https://github.com/letsencrypt/boulder/issues/7324
Fixes https://github.com/letsencrypt/boulder/issues/7408
2025-01-17 17:15:01 -08:00
Aaron Gable dbe2fe24a4
Remove unused keys from CA config (#7948)
Remove the singular Profile field from the CA config, as it has been
replaced by the plural CertProfiles key. Remove the Expiry, Backdate,
LintConfig, and IgnoredLints keys from the top-level CA config, as they
are now also configured on a per-profile basis. Remove the LifespanCRL
key from the CA config, as it is now configured within the CRLProfile.
For all of the above, remove transitional fallbacks from within
//ca/main.go.

These config changes were deployed to production in IN-10568, IN-10506,
and IN-10045.

Fixes https://github.com/letsencrypt/boulder/issues/7414
Fixes https://github.com/letsencrypt/boulder/issues/7159
2025-01-17 16:30:58 -08:00
Matthew McPherrin ace233cbdc
Update admin-revoker certs to be admin (#7947)
The admin and admin-revoker tools shared certs. admin-revoker is gone,
so update the certs to use the admin name only.
2025-01-17 16:02:20 -05:00
Samantha Frank dfdf554f76
config: Use hex-encoding for HMACKey (#7950) 2025-01-15 14:28:09 -05:00
Matthew McPherrin bb9d82b85f
Remove the dead admin-revoker tool (#7941)
The admin-revoker tool is dead. Long live the admin tool.

There's a number places that still reference admin-revoker, including
Boulder's ipki and the revocation source in the database which are still
used, even if the tool is gone. But nothing actually using the tool.
2025-01-13 17:05:15 -08:00
Matthew McPherrin 8a01611b70
Switch to loglist3 package for parsing CT log list (#7930)
The schema tool used to parse log_list_schema.json doesn't work well
with the updated schema. This is going to be required to support
static-ct-api logs from current Chrome log lists.

Instead, use the loglist3 package inside the certificate-transparency-go
project, which Boulder already uses for CT submission otherwise.

As well, the Log IDs and keys returned from loglist3 have already been
base64 decoded, so this re-encodes them to minimize the impact on the
rest of the codebase and keep this change small.

The test log_list.json file needed to be made a bit more realistic for
loglist3 to parse without base64 or date parsing errors.
2025-01-10 13:29:40 -08:00
James Renken e4668b4ca7
Deprecate DisableLegacyLimitWrites & UseKvLimitsForNewOrder flags; remove code using certificatesPerName & newOrdersRL tables (#7858)
Remove code using `certificatesPerName` & `newOrdersRL` tables.

Deprecate `DisableLegacyLimitWrites` & `UseKvLimitsForNewOrder` flags.

Remove legacy `ratelimit` package.

Delete these RA test cases:

- `TestAuthzFailedRateLimitingNewOrder` (rl:
`FailedAuthorizationsPerDomainPerAccount`)
- `TestCheckCertificatesPerNameLimit` (rl: `CertificatesPerDomain`)
- `TestCheckExactCertificateLimit` (rl: `CertificatesPerFQDNSet`)
- `TestExactPublicSuffixCertLimit` (rl: `CertificatesPerDomain`)

Rate limits in NewOrder are now enforced by the WFE, starting here:
5a9b4c4b18/wfe2/wfe.go (L781)

We collect a batch of transactions to check limits, check them all at
once, go through and find which one(s) failed, and serve the failure
with the Retry-After that's furthest in the future. All this code
doesn't really need to be tested again; what needs to be tested is that
we're returning the correct failure. That code is
`NewOrderLimitTransactions`, and the `ratelimits` package's tests cover
this.

The public suffix handling behavior is tested by
`TestFQDNsToETLDsPlusOne`:
5a9b4c4b18/ratelimits/utilities_test.go (L9)

Some other RA rate limit tests were deleted earlier, in #7869.

Part of #7671.
2025-01-10 12:50:57 -08:00
Jacob Hoffman-Andrews ef6593d06b
ra, wfe: use TimestampsForWindow to check renewal (#7888)
And in the RA, log the notBefore of the previous issuance.

To make this happen, I had to hoist the "check for previous certificate"
up a level into `issueCertificateOuter`. That meant I also had to hoist
the "split off a WithoutCancel context" logic all the way up to
`FinalizeOrder`.
2025-01-06 10:16:53 -08:00
Aaron Gable 0e5e1e98d1
Upgrade zlint v3.6.4 (#7897)
This brings in several new and useful lints. It also brings in one CABF
BR lint which we have to ignore in our default profile which includes
the Subject Key Identifier extension:
"w_ext_subject_key_identifier_not_recommended_subscriber". In our modern
profile which omits several fields, we have to ignore the opposite
RFC5280 lint "w_ext_subject_key_identifier_missing_sub_cert".

Release notes: https://github.com/zmap/zlint/releases/tag/v3.6.4
Changelog: https://github.com/zmap/zlint/compare/v3.6.0...v3.6.4
Note that the majority of the ~400 file changes are merely copyright
date changes.

The corresponding production config changes tracked in IN-10466 are
complete.
2024-12-18 11:41:12 -08:00
Aaron Gable 0c658f202a
Fix error when deactivating an account (#7899)
The RA's DeactivateAccount method expects the account provided to it by
the WFE to still have status Valid. The new WFE deactivation code was
hardcoding the status to Deactivated. Fix the WFE to pass the account's
current status instead.

Add an integration test to confirm both the breakage and the fix. Also
leave behind some TODOs to simplify this codepath further, and not
require the status to be provided at all.

Part of #5554
2024-12-18 10:06:08 -08:00
Matthew McPherrin ba624ac5be
Log the flakinessrate at ct-test-srv startup (#7896)
This is useful for checking configurations via logs.
2024-12-17 16:48:03 -08:00
Matthew McPherrin 5b945107bd
Publish ct-test-srv container on releases (#7891)
This can replace the old ct-test-srv container at https://registry.hub.docker.com/r/letsencrypt/ct-test-srv
2024-12-17 15:25:11 -08:00
Jacob Hoffman-Andrews 2678e68806
test: move "make build" for webpki into generate.sh (#7885)
webpki.go was discarding stdout when "make build" failed. We can make it
print stdout in that context, but it's more straightforward to run "make
build" from the shell script that calls webpki.go, where its stdout will
naturally be emitted.

Inspired by a recent CI run where there was a straightforward build
failure in some of Boulder's code, but it was masked by an error running
webpki.go in the `bsetup` container.
2024-12-13 15:19:22 -08:00
James Renken 62f1a26ccf
wfe: Use separate UpdateRegistrationContact & UpdateRegistrationKey methods (#7827)
Fixes #7716
Part of #5554
2024-12-13 11:41:59 -05:00
Samantha Frank 1ddd4633f5
DB: Promote pausing schema from config-next to config (#7878) 2024-12-11 14:38:55 -05:00
James Renken 1b7b9a776b
cmd: Make a debug listen address optional (#7840)
Remove `debugAddr` from the `admin` tool, which doesn't use it - or need
it, now that `newStatsRegistry` via `StatsAndLogging` doesn't require
it.

Remove `debugAddr` from `config-next/sfe.json`, as we usually set it on
the CLI instead.

Fixes #7838
2024-12-10 12:25:12 -08:00
Samantha Frank dda8acc34a
RA/VA: Add MPIC compliant DCV and CAA checks (#7870)
Today, we have VA.PerformValidation, a method called by the RA at
challenge time to perform DCV and check CAA. We also have VA.IsCAAValid,
a method invoked by the RA at finalize time when a CAA re-check is
necessary. Both of these methods can be executed on remote VA
perspectives by calling the generic VA.performRemoteValidation.

This change splits VA.PerformValidation into VA.DoDCV and VA.DoCAA,
which are both called on remote VA perspectives by calling the generic
VA.doRemoteOperation. VA.DoDCV, VA.DoCAA, and VA.doRemoteOperation
fulfill the requirements of SC-067 V3: Require Multi-Perspective
Issuance Corroboration by:

- Requiring at least three distinct perspectives, as outlined in the
"Phased Implementation Timeline" in BRs section 3.2.2.9 ("Effective
March 15, 2025").
- Ensuring that the number of non-corroborating (failing) perspectives
remains below the threshold defined by the "Table: Quorum Requirements"
in BRs section 3.2.2.9.
- Ensuring that corroborating (passing) perspectives reside in at least
2 distinct Regional Internet Registries (RIRs) per the "Phased
Implementation Timeline" in BRs section 3.2.2.9 ("Effective March 15,
2026").
- Including an MPIC summary consisting of: passing perspectives, failing
perspectives, passing RIRs, and a quorum met for issuance (e.g., 2/3 or
3/3) in each validation audit log event, per BRs Section 5.4.1,
Requirement 2.8.

When the new SeparateDCVAndCAAChecks feature flag is enabled on the RA,
calls to VA.IsCAAValid (during finalization) and VA.PerformValidation
(during challenge) are replaced with calls to VA.DoCAA and a sequence of
VA.DoDCV followed by VA.DoCAA, respectively.

Fixes #7612
Fixes #7614
Fixes #7615
Fixes #7616
2024-12-10 11:26:08 -05:00
Samantha Frank 87104b0a3e
va: Check for RIR and Perspective mismatches at runtime when they're provided (#7841)
- Ensure the Perspective and RIR reported by each remoteVA in the
*vapb.ValidationResult returned by VA.PerformValidation, matches the
expected local configuration when that configuration is present.
- Correct "AfriNIC" to "AFRINIC", everywhere.


Part of https://github.com/letsencrypt/boulder/issues/7819
2024-12-06 14:27:28 -05:00
Aaron Gable 95e5f87f9e
Add feature flag to disable pending authz reuse (#7836)
Pending authz reuse is a nice-to-have feature because it allows us to
create fewer rows in the authz database table when creating new orders.
However, stats show that less than 2% of authorizations that we attach
to new orders are reused pending authzs. And as we move towards using a
more streamlined database schema to store our orders, authorizations,
and validation attempts, disabling pending authz reuse will greatly
simplify our database schema and code.

CPS Compliance Review: our CPS does not speak to whether or not we reuse
pending authorizations for new orders.
IN-10859 tracks enabling this flag in prod

Part of https://github.com/letsencrypt/boulder/issues/7715
2024-12-05 16:14:57 -08:00
Aaron Gable aac7c22946
Simplify RA pausing unit tests (#7868)
Greatly simplify the two RA unit tests covering failed validations and
account+identifier pausing. Most importantly, directly manipulate the
ratelimit backing store during test setup, to avoid having to "perform"
extra validations.

Fixes https://github.com/letsencrypt/boulder/issues/7812
2024-12-04 13:51:37 -08:00
Aaron Gable bac5602c6d
Always use INCRBY for redis rate limits (#7856)
Deprecate the IncrementRateLimits feature flag, and always use the redis
INCRBY instruction to update rate limit TATs.

Fixes https://github.com/letsencrypt/boulder/issues/7855
2024-12-02 15:25:33 -08:00
Samantha Frank d64132eebc
VA: Use performValidation for IsCAAValid remote checks (#7850)
- Remove undeployed feature flag MultiCAAFullResults
- Perform local CAA checks prior to initiating remote checks, instead of
starting remote checks and proceeding to perform local checks.
- Remove VA.IsCAAValid specific remote validation logic, use
VA.performRemoteOperation instead
- Refactor va.logRemoteResults to be easier to test and omit the RVA
problem
- Drive-by fix: Calculate logEvent.Latency with va.clk.Since() instead
of time.Since() like everything else in VA.performRemoteOperation
2024-11-28 15:24:47 -05:00
Samantha Frank 27a77142ad
VA: Make performRemoteValidation more generic (#7847)
- Make performRemoteValidation a more generic function that returns a
new remoteResult interface
- Modify the return value of IsCAAValid and PerformValidation to satisfy
the remoteResult interface
- Include compile time checks and tests that pass an arbitrary operation
2024-11-27 15:29:33 -05:00
Aaron Gable ded2e5e610
Remove logging of contact email addresses (#7833)
Fixes https://github.com/letsencrypt/boulder/issues/7801
2024-11-25 13:33:56 -08:00
Samantha Frank c3948314ff
va: Make the primary VA aware of the Perspective and RIR of each remote (#7839)
- Make the primary VA aware of the expected Perspective and RIR of each
remote VA.
- All Perspectives should be unique, have the primary VA check for
duplicate Perspectives at startup.
- Update test setup functions to ensure that each remote VA client and
corresponding inmem impl have a matching perspective and RIR.

Part of #7819
2024-11-25 13:02:03 -05:00
Samantha Frank 8bf13a90f4
VA: Make PerformValidation more like DoDCV (#7828)
- Remove Perspective and RIR from ValidationRecords
- Make ValidationResultToPB Perspective and RIR aware
- Update comment for VA.PerformValidation
- Make verificationRequestEvent more like doDCVAuditLog
- Update language used in problems created by performRemoteValidation to
be more like doRemoteDCV.
2024-11-20 14:13:55 -05:00
Samantha Frank a8cdaf8989
ratelimit: Remove legacy registrations per IP implementation (#7760)
Part of #7671
2024-11-19 18:39:21 -05:00
Jacob Hoffman-Andrews 577a1e38eb
va: prepare to require minimum of 3 RVAs (#7815)
To prepare for the MPIC requirement of having a minimum of 3
perspectives, I added code to `NewValidationAuthorityImpl` to error if
there aren't enough remote VAs configured _and_ the current VA is the
primary perspective. Then I fixed all the tests, which involved adding
some backends in the unittests, and spinning up `remoteva-c` in the
integration tests.

As a reminder, the `boulder va` command always considers itself the
primary perspective, while `boulder remoteva` gives itself a perspective
based on its config.

I wound up backing out the code in `NewValidationAuthorityImpl` because
right now our remote VAs are actually running the `boulder va` command,
so they would error out in prod, even though our actual primary
perspective does have enough backends. So this wound up as a test-only
change.
2024-11-19 10:23:32 -05:00
Jacob Hoffman-Andrews a46c388f66
va: compute maxRemoteFailures based on MPIC (#7810)
Previously this was a configuration field.

Ports `maxAllowedFailures()` from `determineMaxAllowedFailures()` in
#7794.

Test updates:
 
Remove the `maxRemoteFailures` param from `setup` in all VA tests.

Some tests were depending on setting this param directly to provoke
failures.

For example, `TestMultiVAEarlyReturn` previously relied on "zero allowed
failures". Since the number of allowed failures is now 1 for the number
of remote VAs we were testing (2), the VA wasn't returning early with an
error; it was succeeding! To fix that, make sure there are two failures.
Since two failures from two RVAs wouldn't exercise the right situation,
add a third RVA, so we get two failures from three RVAs.

Similarly, TestMultiCAARechecking had several test cases that omitted
this field, effectively setting it to zero allowed failures. I updated
the "1 RVA failure" test case to expect overall success and added a "2
RVA failures" test case to expect overall failure (we previously
expected overall failure from a single RVA failing).

In TestMultiVA I had to change a test for `len(lines) != 1` to
`len(lines) == 0`, because with more backends we were now logging more
errors, and finding e.g. `len(lines)` to be 2.
2024-11-18 15:36:09 -08:00
Jacob Hoffman-Andrews 56f0ed6419
wfe: orders link to authz IDs with acccount (#7790)
This means that most traffic will go to the authz URLs with account.
After this has been deployed for 30 days (the max lifetime of an order),
we can remove support for the old paths.

Part of #7683
2024-11-15 10:34:14 -08:00
James Renken 0a27cba9f4
WFE/nonce: Add NonceHMACKey field (#7793)
Add a new WFE & nonce config field, `NonceHMACKey`, which uses the new
`cmd.HMACKeyConfig` type. Deprecate the `NoncePrefixKey` config field.

Generalize the error message when validating `HMACKeyConfig` in
`config`.

Remove the deprecated `UseDerivablePrefix` config field, which is no
longer used anywhere.

Part of #7632
2024-11-13 10:31:28 -05:00
Jacob Hoffman-Andrews 5be3e99a4d
features: remove deprecated features (#7805)
Fixes #7802
2024-11-13 10:22:32 -05:00
Kruti Sutaria a79a830f3b
ratelimits: Auto pause zombie clients (#7763)
- Added a new key-value ratelimit
`FailedAuthorizationsForPausingPerDomainPerAccount` which is incremented
each time a client fails a validation.
- As long as capacity exists in the bucket, a successful validation
attempt will reset the bucket back to full capacity.
- Upon exhausting bucket capacity, the RA will send a gRPC to the SA to
pause the `account:identifier`. Further validation attempts will be
rejected by the [WFE](https://github.com/letsencrypt/boulder/pull/7599).
- Added a new feature flag, `AutomaticallyPauseZombieClients`, which
enables automatic pausing of zombie clients in the RA.
- Added a new RA metric `paused_pairs{"paused":[bool],
"repaused":[bool], "grace":[bool]}` to monitor use of this new
functionality.
- Updated `ra_test.go` `initAuthorities` to allow accessing the
`*ratelimits.RedisSource` for checking that the new ratelimit functions
as intended.

Co-authored-by: @pgporada 

Fixes https://github.com/letsencrypt/boulder/issues/7738

---------

Co-authored-by: Phil Porada <pporada@letsencrypt.org>
Co-authored-by: Phil Porada <philporada@gmail.com>
2024-11-08 13:51:41 -08:00
Aaron Gable 2603aa45a8
Remove weakKeyFile and blockedKeyFile support (#7783)
Goodkey has two ways to detect a key as weak: it runs a variety of
algorithmic checks (such as Fermat factorization and rocacheck), or the
key can be listed in a "weak key file". Similarly, it has two ways to
detect a key as blocked: it can call a generic function (which we use to
query our database), or the key can be listed in a "blocked key file".

This is two methods too many. Reliance on files of weak or blocked keys
introduces unnecessary complexity to both the implementation and
configuration of the goodkey package. Remove both "key file" options and
delete all code which supported them.

Also remove //test/block-a-key, as it was only used to generate these
test files.

IN-10762 tracked the removal of these files in prod.

Fixes https://github.com/letsencrypt/boulder/issues/7748
2024-11-06 10:48:39 -08:00
Aaron Gable 3b62e81999
Clean up migration to separate remoteva executable (#7787)
Fixes https://github.com/letsencrypt/boulder/issues/7733
2024-11-05 07:44:08 -08:00
Jacob Hoffman-Andrews 02685602a2
web: add feature flag PropagateCancels (#7778)
This allow client-initiated cancels to propagate through gRPC.

IN-10803 tracks the SRE-side changes to enable this flag.
2024-11-04 14:37:29 -08:00
Aaron Gable 21bc647fa5
Simplify TestTraces to reduce specificity (#7785)
TestTraces is designed to test whether our Open Telemetry tracing system
is working: that spans are being output, that they have the appropriate
parents, etc. It should not be testing whether Boulder took a specific
path through its code -- that's the domain of package-specific unit
tests. Simplify TestTraces to the point that it is asserting (nearly)
the bare minimum about the set of operations Boulder performs.
2024-11-04 12:02:57 -08:00
James Renken 4adc65fb7d
Rate limits: replace redis SET with INCRBY (#7782)
Add a new method, `BatchIncrement`, to issue `IncrBy` (instead of `Set`)
to Redis. This helps prevent the race condition that allows bursts of
near-simultaneous requests to, effectively, spend the same token.

Call this new method when incrementing an existing key. New keys still
need to use `BatchSet` because Redis doesn't have a facility to, within
a single operation, increment _or_ set a default value if none exists.

Add a new feature flag, `IncrementRateLimits`, gating the use of this
new method.

CPS Compliance Review: This feature flag does not change any behaviour
that is described or constrained by our CP/CPS. The closest relation
would just be API availability in general.

Fixes #7780
2024-11-04 11:20:44 -08:00
Samantha Frank 6c85b8d019
wfe/sa/features: Deprecate TrackReplacementCertificatesARI (#7766) 2024-10-24 13:38:33 -04:00
Samantha Frank e5edb7077f
wfe/features: Deprecate UseKvLimitsForNewOrder (#7765)
Default code paths that depended on this flag to be true.

Part of #5545
2024-10-23 18:13:24 -04:00
Samantha Frank 6692160ced
test-cli: Pass -v/--verbose flag to Go integration tests (#7754)
Also remove -o/--list-integration-tests, this flag isn't really that
useful.
2024-10-10 15:26:15 -04:00
Samantha Frank 37b85fbd38
VA/RVA: Add metadata necessary for the MPIC ballot (#7732)
- Add `Perspective` and `RIR` fields to the remote-va configuration
- Configure RVA ValidationAuthorityImpl instances with the contents of
the JSON configuration
- Configure VA ValidationAuthorityImpl instances with the constant
`va.PrimaryPerspective`
- Log `Perspective` for non-Primary Perspectives, per the MPIC
requirements in section 5.4.1 (2) vii of the BRs. Also log the RIR for
posterity.
- Introduce `ValidationResult` RPC fields `Perspective` and `Rir`, which
are not currently used but will be required for corroboration in #7616

Fixes https://github.com/letsencrypt/boulder/issues/7613
Part of https://github.com/letsencrypt/boulder/issues/7615
Part of https://github.com/letsencrypt/boulder/issues/7616
2024-10-10 09:37:55 -04:00
Samantha Frank 2e19a362ec
WFE/RA: Default codepaths to CheckRenewalExemptionAtWFE: true (#7745)
Also, remove redundant renewal checks in
`RA.checkNewOrdersPerAccountLimit()` and
`RA.checkCertificatesPerNameLimit()`.

Part of #7511
2024-10-07 15:12:30 -04:00
Phil Porada 56d392793a
Allow block-a-key to process private key files (#7737)
The CAB/F Debian weak keys (https://github.com/cabforum/Debian-weak-keys)
repository contains a bunch of DER encoded private keys that we should ensure
are blocked. I hacked up the block-a-key tool to output a base64 encoded SPKI
hash from an arbitrary PEM formatted private key file.
2024-10-07 14:56:14 -04:00
Aaron Gable 7b032a663f
Add feature flag to remove use of "INSERT RETURNING" in NewOrderAndAuthzs (#7739)
This is our only use of MariaDB's "INSERT ... RETURNING" syntax, which
does not exist in MySQL and Vitess. Add a feature flag which removes our
use of this feature, so that we can easily disable it and then re-enable
it if it turns out to be too much of a performance hit.

Also add a benchmark showing that the serial-insertion approach is
slower, but perhaps not debilitatingly so.

Part of https://github.com/letsencrypt/boulder/issues/7718
2024-10-04 14:56:44 -07:00
James Renken beddae5970
Introduce SerialPrefixHex field in CA (#7721)
Add a new SerialPrefixHex field to the CA's config, which takes a
two-character hexadecimal string to use as the serial prefix. This
matches the way that the OCSP Responder's acceptable serial prefixes are
configured, and is easier for human operators to configure than raw
integers.

At the same time, change the type of the CA's internal serial prefix
from `int` to `byte`, using the type system to enforce its 8-bit length.

Fixes #7213
2024-10-04 10:50:57 -07:00
Samantha Frank 2fa9fbcd23
SA: Add feature flag DisableLegacyLimitWrites (#7728) 2024-09-30 14:09:40 -04:00
Samantha Frank c034221f59
config: Default to checking renewal exemption at WFE (#7706)
Part of https://github.com/letsencrypt/boulder/issues/7511
2024-09-27 16:42:54 -04:00
Aaron Gable 990ad076b7
Update CI to go1.23.1, remove go1.22.5 (#7699)
https://go.dev/doc/devel/release#go1.23.1
2024-09-11 10:09:01 -04:00
James Renken 77fcc8f58a
Remove outdated integration test limitations (#7698)
Remove outdated limitations in TestIssuanceCertStorageFailed &
TestSubordinateCAChainsServedByWFE

Fixes https://github.com/letsencrypt/boulder/issues/7696
2024-09-04 17:10:58 -07:00
James Renken 707b734a75
Remove outdated limitation in TestNonceBalancer (#7694)
Also fix minor typos in comments.

Part of https://github.com/letsencrypt/boulder/issues/7696
2024-09-04 13:35:20 -07:00
Aaron Gable dad9e08606
Lay the groundwork for supporting IP identifiers (#7692)
Clean up how we handle identifiers throughout the Boulder codebase by
- moving the Identifier protobuf message definition from sa.proto to
core.proto;
- adding support for IP identifier to the "identifier" package;
- renaming the "identifier" package's exported names to be clearer; and
- ensuring we use the identifier package's helper functions everywhere
we can.

This will make future work to actually respect identifier types (such as
in Authorization and Order protobuf messages) simpler and easier to
review.

Part of https://github.com/letsencrypt/boulder/issues/7311
2024-08-30 11:40:38 -07:00
Aaron Gable da7865cb10
Add go1.23.0 to CI (#7665)
Begin testing on go1.23. To facilitate this, also update /x/net,
golangci-lint, staticcheck, and pebble-challtestsrv to versions which
support go1.23. As a result of these updates, also fix a handful of new
lint findings, mostly regarding passing non-static (i.e. potentially
user-controlled) format strings into Sprintf-style functions.

Additionally, delete one VA unittest that was duplicating the checks
performed by a different VA unittest, but with a context timeout bug
that caused it to break when go1.23 subtly changed DialContext behavior.
2024-08-23 14:56:53 -07:00
Aaron Gable cac431c661
WFE: Use RA.GetAuthorization to filter out disabled challenges (#7659)
Have the WFE ask the RA for authorizations, rather than asking the SA
directly. This extra layer of indirection allows us to filter out
challenges which have been disabled, so that clients don't think they
can attempt challenges that we have disabled.

Also shuffle the order of challenges within the authz objects rendered
by the API. We used to have code which does this at authz creation time,
but of course that was completely ineffectual once we stored the
challenges as just a bitmap in the database.

Update the WFE unit tests to mock RA.GetAuthorization instead of
SA.GetAuthorization2. This includes making the mock more accurate, so
that (e.g.) valid authorizations contain valid challenges, and the
challenges have their correct types (e.g. "http-01" instead of just
"http"). Also update the OTel tracing test to account for the new RPC.

Part of https://github.com/letsencrypt/boulder/issues/5913
2024-08-22 13:42:58 -07:00
Samantha Frank c9be034c00
ratelimits: Add a feature-flag which makes key-value implementation authoritative (#7666)
- Add feature flag `UseKvLimitsForNewOrder`
- Add feature flag `UseKvLimitsForNewAccount`
- Flush all Redis shards before running integration or unit tests, this
avoids false positives between local testing runs

Fixes #7664
Blocked by #7676
2024-08-22 15:56:30 -04:00
Samantha Frank 14c0b2c3bb
ratelimits: Check at NewOrder and SpendOnly later (#7669)
- Check `CertificatesPerDomain` at newOrder and spend at Finalize time.
- Check `CertificatesPerAccountPerDomain` at newOrder and spend at
Finalize time.
- Check `CertificatesPerFQDNSet` at newOrder and spend at Finalize time.
- Fix a bug
in`FailedAuthorizationsPerDomainPerAccountSpendOnlyTransaction()` which
results in failed authorizations being spent for the exact FQDN, not the
eTLD+1.
- Remove redundant "max names" check at transaction construction time
- Enable key-value rate limits in the RA
2024-08-15 19:08:17 -04:00
Samantha Frank 6a3e9d725b
ratelimits: Provide verbose user-facing rate limit errors (#7653)
- Instruct callers to call *Decision.Result() to check the result of
rate limit transactions
- Preserve the Transaction within the resulting *Decision
- Generate consistently formatted verbose errors using the metadata
found in the *Decision
- Fix broken key-value rate limits integration test in
TestDuplicateFQDNRateLimit

Fixes #7577
2024-08-12 16:14:15 -04:00
Aaron Gable 61b484c13b
Update to math/rand/v2 (#7657)
Replace all of Boulder's usage of the Go stdlib "math/rand" package with
the newer "math/rand/v2" package which first became available in go1.22.
This package has an improved API and faster performance across the
board.

See https://go.dev/blog/randv2 and https://go.dev/blog/chacha8rand for
details.
2024-08-12 09:17:09 -07:00
Aaron Gable c9132baa37
Delete sa.GetPendingAuthorization2 (#7648)
This method's last caller was removed in
https://github.com/letsencrypt/boulder/pull/5862, when the ACMEv1
NewAuthorization code path was deleted. It has been dead code ever
since.
2024-08-07 09:33:37 -07:00
Aaron Gable 7b6935d223
Configure lints separately for each profile (#7636)
Move the two lint-configuration keys, LintConfig and IgnoreLints, from
the top-level CA.Issuance config stanza into each individual
CA.Issuance.CertProfiles stanza. This allows us to have
differently-configured lints for different profiles, to ensure that our
linting regime is as strict as possible.

Without this change, it would be necessary for us to ignore both the
"common name included" and the "no subject key id" lints at the
top-level, when in fact each of those warnings only triggers on one of
our two profiles.

Fixes https://github.com/letsencrypt/boulder/issues/7635
2024-08-01 10:01:46 -07:00
Samantha Frank c13591ab82
SFE: Call RA.UnpauseAccount and handle result (#7638)
Call `RA.UnpauseAccount` for valid unpause form submissions.

Determine and display the appropriate outcome to the Subscriber based on
the count returned by `RA.UnpauseAccount`:
- If the count is zero, display the "Account already unpaused" message.
- If the count equals the max number of identifiers allowed in a single
request, display a page explaining the need to visit the unpause URL
again.
- Otherwise, display the "Successfully unpaused all N identifiers"
message.

Apply per-request timeout from the SFE configuration.

Part of https://github.com/letsencrypt/boulder/issues/7406
2024-07-31 14:46:46 -04:00
Aaron Gable c6c7617851
Profiles: allow for omission of KU, EKU, and SKID (#7622)
Add three new keys to the CA's ProfileConfig:
- OmitKeyEncipherment causes the keyEncipherment Key Usage to be omitted
from certificates with RSA public keys. We currently include it for
backwards compatibility with TLS 1.1 servers that don't support modern
cipher suites, but this KU is completely useless as of TLS 1.3.
- OmitClientAuth causes the tlsClientAuthentication Extended Key Usage
to be omitted from all certificates. We currently include it to support
any subscribers who may be relying on it, but Root Programs are moving
towards single-purpose hierarchies and its inclusion is being
discouraged.
- OmitSKID causes the Subject Key Identifier extension to be omitted
from all certificates. We currently include this extension because it is
recommended by RFC 5280, but it serves little to no practical purpose
and consumes a large number of bytes, so it is now NOT RECOMMENDED by
the Baseline Requirements.

Make substantive changes to issuer.requestValid and issuer.Prepare to
implement the desired behavior for each of these options. Make a very
slight change to ra.matchesCSR to generally allow for serverAuth-only
EKUs. Improve the unit tests of both the //ca and //issuance packages to
cover the new behavior.

Part of https://github.com/letsencrypt/boulder/issues/7610
2024-07-31 11:08:11 -07:00
Aaron Gable cf8e5aa1b1
Use profile to determine backdate and validity (#7621)
One of our goals with profiles is to allow different profiles to have
different validity periods. While the profiles already had the ability
to enforce different maximum backdates and validities, the CA still had
separate global configuration for what the backdate and validity period
should actually be.

Move the computation of the notBefore and notAfter timestamps into the
issuance package, so that it can be based on the profile's configured
backdate and validity durations. Deprecate the global "backdate" and
"expiry" config fields, as they are no longer used. Finally, add more
validation for the profile's backdate and validity.

Part of https://github.com/letsencrypt/boulder/issues/7610
2024-07-25 13:47:51 -07:00
Samantha Frank 986c78a2b4
WFE: Reject new orders containing paused identifiers (#7599)
Part of #7406
Fixes #7475
2024-07-25 13:46:40 -04:00
Aaron Gable ff851f7107
WFE: Include profile name in returned Order json (#7626)
Integration testing revealed that the WFE was not rendering the profile
name in the Order JSON object. Fix the one spot where it was missed.

Part of https://github.com/letsencrypt/boulder/issues/7332
2024-07-24 14:30:24 -07:00
Aaron Gable 6b484f44ba
Profiles: replace AllowCommonName with OmitCommonName (#7620)
Add a new profile config key named "OmitCommonName" which, if set to
`true`, causes the issuance package to exclude the CN from the resulting
certificate even if the initiating IssuanceRequest specified one.
Deprecate the old "AllowCommonName" config key, so that it no longer has
any effect, rather than causing the issuance package to fully reject
IssuanceRequests containing a CN.

This allows for more graceful variation between profiles, since we know
that excluding the Common Name is always safe.

Part of https://github.com/letsencrypt/boulder/issues/7610
2024-07-24 11:44:26 -07:00
Aaron Gable 48439e4532
Advertise available profiles in directory resource (#7603)
Change the way profiles are configured at the WFE to allow them to be
accompanied by descriptive strings. Augment the construction of the
directory resource's "meta" sub-object to include these profile names
and descriptions.

This config swap is safe, since no Boulder WFE instance is configured
with `CertificateProfileNames` yet.

Fixes https://github.com/letsencrypt/boulder/issues/7602
2024-07-22 15:31:08 -07:00
Aaron Gable 848a9ea696
Deprecate AllowCTPoison and AllowSCTList profile settings (#7611)
These profile variables are set to "true" everywhere, and we have no
intention of ever setting them to "false" anywhere. Deprecate them so
that they can be removed in the future, and to reduce the chances of
confusion when new profile variables are introduced in the near future.

Part of https://github.com/letsencrypt/boulder/issues/7610
2024-07-22 15:27:56 -07:00
Aaron Gable a3e99432bb
goodkey: default to 110 rounds of Fermat factorization (#7579)
This change guarantees compliance with CA/BF Ballot SC-073 "Compromised
and Weak Keys", which requires that at least 100 rounds of Fermat
Factorization be attempted:

> Section 6.1.1.3 Subscriber Key Pair Generation
> The CA SHALL reject a certificate request if... The Public Key
corresponds to an industry-demonstrated weak Private Key. For requests
submitted on or after November 15, 2024,... In the case of Close Primes
vulnerability (https://fermatattack.secvuln.info/), the CA SHALL reject
weak keys which can be factored within 100 rounds using Fermat’s
factorization method.

We choose 110 rounds to ensure a margin above and beyond the requirements.

Fixes https://github.com/letsencrypt/boulder/issues/7558
2024-07-17 16:05:30 -07:00