Commit Graph

58 Commits

Author SHA1 Message Date
Jacob Hoffman-Andrews 903f39508e Vendorize publicsuffix. 2015-10-04 21:04:29 -07:00
Roland Shoemaker 2d0dee4ce1 Daemonize the OCSP updater tool so we are constantly updating OCSP responses.
Also moves the first OCSP response generation from the CA to the OCSP updater. This patch lays the
groundwork for moving CT submission and adding CT backfill to the OCSP updater.
2015-10-01 16:36:51 -07:00
Jeff Hodges 7a3d5ebb26 Merge branch 'master' into update-cfssl 2015-10-01 15:41:27 -07:00
Jacob Hoffman-Andrews 1975e417e0 Update CFSSL.
This pulls in a few cfssl upstream fixes:

cloudflare/cfssl#347: Fix CKA_ALWAYS_AUTHENTICATE check
cloudflare/cfssl#344: Allow client to specify full serial.
cloudflare/cfssl#340: OCSP doesn't include CA when unnecessary.

This also updates boulder-ca to use the new full-serial API in CFSSL.

I have run tests for cfssl and they pass:

cd ~/go/packages/src/github.com/cloudflare/cfssl/
go test ./...
2015-10-01 13:45:59 -07:00
Jeff Hodges 51367dd231 Merge branch 'master' into cert-limit 2015-09-24 15:25:01 -07:00
Jeff Hodges f70562fcd4 cfssl/pkcs11key: handle invalid attribute well
Corrects code written in #848.
2015-09-24 14:55:52 -07:00
Roland Shoemaker 6f41cc9e39 Add issuance rate limiting based on total number of certificates issued in a window
Since the issuance count requires a full table scan, an RA-process-local cache of the
count is kept and expired after 30 minutes.
2015-09-24 12:54:38 -07:00
Jacob Hoffman-Andrews bc5d50f8f2 Don't error out on CKR_ATTRIBUTE_TYPE_INVALID.
Some HSMs return this error when trying to check for the CKA_ALWAYS_AUTHENTICATE
attribute.
2015-09-24 12:18:03 -07:00
Roland Shoemaker 91724296a8 Use Facebook's gracefully shutting down HTTP server for WFE & OCSP-Responder 2015-09-21 20:43:38 -07:00
Jacob Hoffman-Andrews d05b9b833f Update cfssl to latest master.
This pulls in the pkcs11key change from
https://github.com/cloudflare/cfssl/pull/330, and updates the Boulder code to
match.

Note: This change overwrites the local changes to our vendored CFSSL made in
https://github.com/letsencrypt/boulder/pull/784. That's intentional: The
upstream changes in https://github.com/cloudflare/cfssl/pull/330 accomplish the
same thing, more cleanly.
2015-09-20 20:44:44 -07:00
Jacob Hoffman-Andrews 43217216c7 use slot ids in the cfssl pkcs11 api
It was using TokenLabels solely to select slots, but those can have duplicates
on the same HSM. Instead, use slot IDs with them.
2015-09-11 17:02:48 -07:00
Richard Barnes 6391112f42 godep update golang.org/x/crypto/ocsp 2015-08-29 15:04:44 -04:00
Roland Shoemaker 98ac983df2 Vendor jmhodges/clock 2015-08-28 13:02:35 -07:00
Jacob Hoffman-Andrews 0e0f709cfe Update CFSSL.
This pulls in https://github.com/cloudflare/cfssl/pull/312, which fixes a bug
that was causing us to generate not-yet-valid OCSP.
2015-08-19 22:05:05 -07:00
Roland Shoemaker c3db8092eb Merge pull request #618 from letsencrypt/forgot_fuzz_test
add missed github.com/miekg/dns/fuzz_test.go
2015-08-13 23:01:18 -07:00
Jeff Hodges 75615aa60c add missed github.com/miekg/dns/fuzz_test.go
I missed this when updating github.com/miekg/dns in #615.
2015-08-13 22:39:32 -07:00
Jeff Hodges f7ebed875c update github.com/miekg/dns
This is needed for the race condition that errors in our test suite on
Go 1.5rc1, which was fixed in https://github.com/miekg/dns/pull/245
2015-08-13 14:50:58 -07:00
Richard Barnes 4aef1ad2fb godep update golang.org/x/crypto/ocsp 2015-08-12 08:52:55 -07:00
Richard Barnes 48e6f45bf5 Updating go-jose to address panics 2015-07-30 13:45:19 -04:00
Richard Barnes 76a2e15958 Godep refresh after landing changes in github.com/letsencrypt/go-jose 2015-07-29 13:56:49 -04:00
Richard Barnes e60df240d8 Update DVSNI and DNS challenges 2015-07-29 12:19:12 -04:00
Romain Fliedel d115e5cb60 Resync with latest letsencrypt/go-jose to fix jwk encoding. 2015-07-28 16:25:30 +02:00
Jacob Hoffman-Andrews 9423467142 Switch to our own fork of go-jose.
This is the result of `godep save -r ./...` and
`git rm -r -f Godeps/_workspace/src/github.com/square`

Our fork is currently at the head of go-jose when Richard made the local nonce
changes, with the nonce changes added on top. In other words, the newly created
files are exactly equal to the deleted files.

In a separate commit I will bring our own go-jose fork up to the remote head,
then update our deps.

Also note: Square's go-jose repo contains a `cipher` package. Since we don't
make any changes to that package, we leave it imported as-is.
2015-07-24 14:39:00 -07:00
Jacob Hoffman-Andrews 8092b42dd6 Merge pull request #525 from letsencrypt/update-cfssl-nopkcs11
Update cfssl to latest master.
2015-07-24 11:56:51 -07:00
Jacob Hoffman-Andrews 194658f019 Update cfssl to latest master.
This changes the default pkcs11 tag so pkcs11 is included by default.
This will let us remove -tags pkcs11 from our build scripts.
2015-07-24 10:54:16 -07:00
Roland Shoemaker 5b019f5ea8 Update miekg/dns dependency 2015-07-22 12:37:50 -07:00
Roland Shoemaker bfccd10f22 Merge pull request #474 from letsencrypt/statsd-client-license
Add go-statsd-client's LICENSE file.
2015-07-16 12:54:14 -07:00
Jacob Hoffman-Andrews 230512981d Add cfssl and go-rc2 LICENSE files.
Command used:
for n in */* ;
  do curl https://raw.githubusercontent.com/$n/master/LICENSE > $n/LICENSE;
  curl https://raw.githubusercontent.com/$n/master/LICENSE.md > $n/LICENSE.md;
done
2015-07-16 08:24:19 -07:00
Jacob Hoffman-Andrews b46ce2aaaf Add go-statsd-client's LICENSE file.
Godep doesn't automatically import these.
2015-07-16 08:08:19 -07:00
Jacob Hoffman-Andrews e2791eb085 Merge pull request #438 from letsencrypt/401-va_mock_dns
Don't use external DNS resolver in tests
2015-07-08 16:59:23 -07:00
Roland Shoemaker 1fb48d1fd4 Extend DNS tests and fix miekg/dns bug 2015-07-07 22:31:44 +01:00
Jacob Hoffman-Andrews dd19f0a529 Update cfssl to latest master.
Picks up fix for specifying User Notice policy qualifier.
Specify user notice in test configs.
2015-07-02 19:36:50 -07:00
Roland Shoemaker d462d0af43 Purge CAA parsing code, update miekg/dns dep 2015-06-19 18:53:00 +01:00
Jacob Hoffman-Andrews 05f04709e9 Update cfssl dependency to latest master
Also, remove dependency on cfssl CLI binary, and transitive dependency cf-tls.
These are no longer necessary now that we use the local signer. And the cf-tls
dependency had drifted out of date, causing build issues when I updated cfssl to
master.
2015-06-17 09:26:52 -07:00
Roland Shoemaker b38ebe18fc Merge remote-tracking branch 'upstream/master' into better-caa 2015-06-10 15:57:05 -07:00
Roland Shoemaker 0265b6f5d0 Merge upstream/master and fix conflicts 2015-06-10 12:43:11 -07:00
Richard Barnes 8289a6d2fa Make tests pass 2015-06-09 17:43:16 -04:00
Richard Barnes d653f97cb8 Transition from random nonces to encrypted counters 2015-06-09 12:30:49 -04:00
Richard Barnes a620fe4583 Initial anti-replay mechanism 2015-06-08 15:02:39 -04:00
Jacob Hoffman-Andrews d80d301447 Update latest CFSSL to pick up OCSP config. 2015-06-03 16:51:23 -07:00
Richard Barnes c433da1a6f Properly updating this time 2015-05-30 12:09:06 -04:00
Richard Barnes db27ecf232 Patching OCSP library 2015-05-30 11:51:21 -04:00
Roland Shoemaker b2f1dd82b6 vendor miekg/dns dependency 2015-05-27 20:49:58 +01:00
Richard Barnes c4931286a5 First pass 2015-05-22 19:11:13 -04:00
Jacob Hoffman-Andrews 3eed9e3f7c Move to Square's go-jose library. 2015-05-13 17:36:38 -07:00
Roland Shoemaker 31d0b92f26 actually add the files 2015-05-02 16:01:40 -07:00
Roland Shoemaker 8a6748182e add gorp dep 2015-05-02 16:00:35 -07:00
Jacob Hoffman-Andrews 757d8616cc Update latest CFSSL to pick up whitelisting. 2015-04-17 11:42:38 -04:00
Jacob Hoffman-Andrews d609656e0f Clarify config loading errors. 2015-04-16 14:26:02 -04:00
Jacob Hoffman-Andrews 43877197b0 Whitelist certificate fields rather than Subject
in cfssl.
2015-04-15 18:33:25 -04:00