Commit Graph

337 Commits

Author SHA1 Message Date
Jacob Hoffman-Andrews 7fab32a000
Add rocsp-tool to manually store OCSP responses in Redis (#5758)
This is a sort of proof of concept of the Redis interaction, which will
evolve into a tool for inspection and manual repair of missing entries,
if we find ourselves needing to do that.

The important bits here are rocsp/rocsp.go and
cmd/rocsp-tool/main.go. Also, the newly-vendored Redis client.
2021-11-02 11:04:03 -07:00
alexzorin 9d07942c9d
Upgrade dependency weppos/publicsuffix-go (#5769)
37 additions and 22 removals
2021-11-02 00:21:32 -06:00
Jacob Hoffman-Andrews e249267fe5
Update protobuf and golang.org/x/net (#5767) 2021-11-01 15:28:01 -07:00
Aaron Gable 011e453df6
Update zlint to check for reserved IDNs (#5743)
Update zlint from v3.2.0 to just past v3.3.0, pulling in both an update
to the zlint interface and a number of new and improved checks. In
particular, pull in `lint_dnsname_contains_prohibited_reserved_label`,
which checks that DNSNames do not begin with any two characters followed
by two dashes, unless those two leading characters are "xn".

Also, update our few custom lints to match the new zlint v3.3.0
interface.

Fixes #5720
2021-10-22 12:37:09 -07:00
Samantha e276347170
Upgrade dependency weppos/publicsuffix-go (#5660) 2021-09-17 14:22:03 -06:00
Samantha c672f14edd
Revert "Temporarily upgrade go-sql-driver/mysql for cherry pick (#5539)" (#5540)
This reverts commit 4dc2df6a1f.
2021-07-15 13:07:18 -07:00
Samantha 4dc2df6a1f
Temporarily upgrade go-sql-driver/mysql for cherry pick (#5539)
This commit will be reverted once it's been cherry picked to branch
`release-2021-07-12-sql`
- Upgrade `go-sql-driver/mysql` from `v1.5.0` to `v1.6.0`
2021-07-15 11:37:38 -07:00
Aaron Gable 5586909446
Update public suffix list (#5508) 2021-07-09 09:58:29 -07:00
Aaron Gable ff8c3c40f0
Update zlint to v3.2.0 (#5442)
Update zlint from v3.1.0 to v3.2.0:
https://github.com/zmap/zlint/compare/v3.1.0...v3.2.0
This update contains no breaking changes, and has no effect
on our issuance.

This transitively updates the zcrypto and publicsuffix-go libraries
as well:
9cf5beac...ea3fdbd5
d67cf1da...f2f762ef

Fixes #5430
2021-06-08 13:02:09 -07:00
Aaron Gable 8be32d3312
Use google.protobuf.Empty instead of core.Empty (#5454)
Replace `core.Empty` with `google.protobuf.Empty` in all of our gRPC
methods which consume or return an empty protobuf. The golang core
proto libraries provide an empty message type, so there is no need
for us to reinvent the wheel.

This change is backwards-compatible and does not require a special
deploy. The protobuf message descriptions of `core.Empty` and
`google.protobuf.Empty` are identical, so their wire-formats are
indistinguishable and therefore interoperable / cross-compatible.

Fixes #5443
2021-06-03 14:17:41 -07:00
Aaron Gable 229377aabc
Simplify gRPC interceptors (#5435)
Use the built-in grpc-go client and server interceptor chaining
utilities, instead of the ones provided by go-grpc-middleware.
Simplify our interceptors to call their handlers/invokers directly,
instead of delegating to the metrics interceptor, and add the
metrics interceptor to the chains instead.
2021-05-26 10:19:11 -07:00
Aaron Gable 38a1a1beb0
Update goque and simplify go.mod (#5441)
Update goque to its latest commit, which is an actual go module:
4044bc29...d6185101
Unfortunately, it still requires a commit hash (rather than just
a version number) due to issue https://github.com/beeker1121/goque/issues/21.

This removes the need for multiple indirect dependencies to be included
in our go.mod file. It also transitively updates goleveldb:
https://github.com/syndtr/goleveldb/compare/714f901b...v1.0.0
2021-05-26 10:15:37 -07:00
Aaron Gable 9abb39d4d6
Honeycomb integration proof-of-concept (#5408)
Add Honeycomb tracing to all Boulder components which act as
HTTP servers, gRPC servers, or gRPC clients. Add many values
which we currently emit to logs to the trace spans. Add a way to
configure the Honeycomb integration to our config files, and by
default configure all of our tests to "mute" (send nothing).

Followup changes will refine the configuration, attempt to reduce
the new dependency load, and introduce better sampling.

Part of https://github.com/letsencrypt/dev-misc-tickets/issues/218
2021-05-24 16:13:08 -07:00
Jacob Hoffman-Andrews b8f2edafb5
Roll back go-sql-driver to 1.5.0. (#5428)
This caused performance problems in production. We haven't yet bisected
to figure out exactly what commits in 1.6.0 cause the problem.
2021-05-21 16:19:54 -07:00
Jacob Hoffman-Andrews 1bc10f6f42
Update go-sql-driver and yaml.v2. (#5411)
go-sql-driver: v1.5.0 --> v1.6.0
yaml.v2: v2.2.4 --> v2.4.0

These updates are required by other upcoming changes,
so landing them separately first.
2021-05-17 08:17:55 -07:00
Jacob Hoffman-Andrews 7194624191
Update grpc and protobuf to latest. (#5369)
protoc now generates grpc code in a separate file from protobuf code.
Also, grpc servers are now required to embed an "unimplemented"
interface from the generated .pb.go file, which provides forward
compatibility.

Update the generate.go files since the invocation for protoc has changed
with the split into .pb.go and _grpc.pb.go.

Fixes #5368
2021-04-01 17:18:15 -07:00
Aaron Gable 8e3c5325c6
Update zlint to v3.1.0 (#5373)
Update the pinned version of zlint from v2.2.1 to v3.1.0.
Also update the relevant path from v2 to v3 in both go.mod
and in individual imports. Update the vendored files to match.

No changes from v2.2.1 to v3.1.0 appear to affect the lints
we directly care about (e.g. those that we explicitly ignore).

Fixes #5206
2021-03-31 11:42:01 -07:00
Aaron Gable 54b697d51b
Remove CFSSL helpers and dependency (#5349)
Replace the few instances where we were relying on CFSSL utilities: for
OIDs and "helper" methods (parsing private keys and parsing SCT lists)
with our own code. Then delete all vendored CFSSL code.

Based on #5347
Fixes #5115
2021-03-18 17:28:00 -07:00
Aaron Gable bfd3f83717
Remove CFSSL issuance path (#5347)
Make the `NonCFSSLSigner` code path the only code path through the CA.
Remove all code related to the old, CFSSL-based code path. Update tests
to supply (or mock) issuers of the new kind. Remove or simplify a few
tests that were testing for behavior only exhibited by the old code
path, such as incrementing certain metrics. Remove code from `//cmd/`
for initializing the CFSSL library. Finally, mark the `NonCFSSLSigner`
feature flag itself as deprecated.

Delete the portions of the vendored CFSSL code which were only used
by these deleted code paths. This does not remove the CFSSL library
entirely, the rest of the cleanup will follow shortly.

Part of #5115
2021-03-18 16:39:52 -07:00
Aaron Gable 34d2de4f7e
Remove additional mocking infrastructure (#5332)
Remove mock-vendor, which ensured that mockgen was
available, because we no longer use mockgen. As a result,
remove mockgen from our docker build script. Finally, make
the mock package an indirect dependency since we are no
longer using it directly.
2021-03-11 15:28:51 -08:00
Aaron Gable 1f776ba768
Remove publisher gRPC wrapper (#5327)
Delete the PublisherClientWrapper and PublisherServerWrapper. Update
various structs and functions to expect a pubpb.PublisherClient instead
of a core.Publisher; these two interfaces differ only in that the
auto-generated PublisherClient takes a variadic CallOptions parameter.
Update all mock publishers in tests to match the new interface. Finally,
delete the now-unused core.Publisher interface and some already-unused
mock-generating code.

This deletes a single sanity check (for a nil SCT even when there is a
nil error), but that check was redundant with an identical check in the
only extant client code in ctpolicy.go.

Fixes #5323
2021-03-11 10:50:29 -08:00
Andrew Gabbitas a1df5bd35b
Update weppos/publicsuffix-go (#5304)
Update weppos/publicsuffix-go dependency with:
- 4 commits
- Add 19 suffixes
- Remove 0 suffixes

5fd7361...d67cf1d

Fix: #5293
2021-02-24 13:23:25 -07:00
alexzorin dbf7144ef6
deps: update publicsuffix-go (#5250)
This brings in 1 new commit, adding 15 suffixes and removing 3.

cb9948bdd7..5fd7361351
2021-01-25 11:40:34 -08:00
Andrew Gabbitas aab9f38718
Update publicsuffix-go (#5213) (#5221)
This brings in 16 commits, adds 184 new public
suffixes and removes 22.

2c0d957a74...cb9948bdd7

Fixes #5213
2021-01-06 17:23:58 -08:00
Samantha ffbc54f343
Updating golang.org/x/crypto/ due to CVE-2020-29652 (#5207) 2020-12-21 14:02:22 -08:00
Jacob Hoffman-Andrews 88c7b10625
Update to zlint 2.2.1 (#5128)
Successfully ran tests:

```
$ go test github.com/zmap/zlint/v2/...
$ go test golang.org/x/text/...
```
2020-10-16 14:41:34 -07:00
Aaron Gable 2d14cfb8d1
Add gRPC Health service to all Boulder services (#5093)
This health service implements the gRPC Health Checking
Protocol, as defined in 
https://github.com/grpc/grpc/blob/master/doc/health-checking.md
and as implemented by the gRPC authors in
https://pkg.go.dev/google.golang.org/grpc/health@v1.29.0

It simply instantiates a health service, and attaches it to the same
gRPC server that is handling requests to the primary (e.g. CA) service.
When the main service would be shut down (e.g. because it caught a
signal), it also sets the status of the service to NOT_SERVING.

This change also imports the health client into our grpc client,
ensuring that all of our grpc clients use the health service to inform
their load-balancing behavior.

This will be used to replace our current usage of polling the debug
port to determine whether a given service is up and running. It may
also be useful for more comprehensive checks and blackbox probing
in the future.

Part of #5074
2020-10-06 12:14:02 -07:00
Aaron Gable 91898e51a0
Update zlint to include changes from SC31 (#5064)
This brings in the following changes to zlint:
https://github.com/zmap/zlint/compare/v2.1.0...9ab0643

Importantly, this prevents the cert lifetime lint from triggering on
CA certs, and removes the OCSP url requirement lint entirely.
2020-08-31 11:53:23 -07:00
milgradesec 20b08365be
Update github.com/letsencrypt/challtestsrv to v1.2.0 (#5000)
This pull request updates github.com/letsencrypt/challtestsrv dependency
2020-08-13 10:32:47 -07:00
milgradesec 09c060f3de
Update prometheus/client libs (#4993)
This pull request updates prometheus/client_golang and
prometheus/client_model dependencies. Also updates
golang/protobuf as indirect.
2020-07-29 12:38:06 -07:00
milgradesec 11d5ed4443
Update github.com/miekg/dns from v1.1.8 to v1.1.30 (#4984)
Includes 16 months of updates and security fixes.
2020-07-28 10:18:18 -07:00
Aaron Gable ffe71f967e
Update publicsuffix-go (#4975)
This brings in 14 commits, adds approximately 45
new public suffixes, and removes about 15:
983d101bec...2c0d957a74
2020-07-22 10:15:34 -07:00
Aaron Gable e600b9e79f
Upgrade golang.org/x/text dependency to v0.3.3 (#4891)
This version contains
go.googlesource.com/text/+/23ae387dee1f90d29a23c0e87ee0b46038fbed0e
which fixes CVE-2020-14040. All tests pass at tag v0.3.3 in the upstream repo.

Fixes #4877.
2020-06-24 11:39:45 -07:00
Jacob Hoffman-Andrews 06ffb57221
Update go-gorp and run go mod tidy. (#4860)
gorp now uses go modules.

```
$ cd ~/go/src/github.com/go-gorp/gorp/
$ git checkout v3.0.1
$ go test ./...
ok      github.com/go-gorp/gorp/v3      0.002s
```
2020-06-10 16:18:37 -07:00
Jacob Hoffman-Andrews b1d6da7504
Upgrade mysql driver to 1.5.0. (#4859)
Test output:

```
$ cd go/src/github.com/go-sql-driver/mysql/
$ git checkout v1.5.0
...
$ go test ./...
ok      github.com/go-sql-driver/mysql  0.253s
```
2020-06-10 11:20:51 -07:00
Jacob Hoffman-Andrews 8f7a6eb8d2
Upgrade to zlint 2.1. (#4854) 2020-06-09 14:03:40 -07:00
Roland Bracewell Shoemaker 1b5387360d
deps: update github.com/weppos/publicsuffix-go (#4822)
Updates publicsuffix-go to master (983d101) since it doesn't regularly
tag releases. This also pulls in a related update to x/net. All tests
pass.

Fixes #4818
2020-05-27 13:58:12 -07:00
Jacob Hoffman-Andrews b1347fb3b3
Upgrade to latest protoc and protoc-gen-go (#4794)
There are some changes to the code generated in the latest version, so
this modifies every .pb.go file.

Also, the way protoc-gen-go decides where to put files has changed, so
each generate.go gets the --go_opt=paths=source_relative flag to
tell protoc to continue placing output next to the input.

Remove staticcheck from build.sh; we get it via golangci-lint now.

Pass --no-document to gem install fpm; this is recommended in the fpm docs.
2020-04-23 18:54:44 -07:00
Jacob Hoffman-Andrews d2ae471026
Upgrade gRPC to v1.29.0 (#4790)
Incidentally upgrade golang/protobuf.
2020-04-22 18:33:16 -07:00
Jacob Hoffman-Andrews f3e48d6931
Move cert-checker to zlint v2. (#4779)
And run go mod tidy, which removes v1 of zlint from our go.mod.
2020-04-15 17:35:15 -07:00
Jacob Hoffman-Andrews 9e2e08ece6
Update cfssl to latest. (#4719)
This pulls in an upgrade to zlint 2.0.0.
2020-03-26 10:11:05 -07:00
Daniel McCarney c658b5cd77
deps: update weppos/publicsuffix-go to 8a37cc7 (#4663)
This commit updates the `github.com/weppos/publicsuffix-go` dependency
to 8a37cc7, the tip of master at the time of writing, to pull in new PSL
data.

Upstream unit tests are confirmed to pass:
```
~/go/src/github.com/weppos/publicsuffix-go$ git log --pretty=format:'%h' -n 1
a723c5d

~/go/src/github.com/weppos/publicsuffix-go$ go test ./...
?   	github.com/weppos/publicsuffix-go/cmd/load	[no test files]
ok  	github.com/weppos/publicsuffix-go/net/publicsuffix	0.008s
ok  	github.com/weppos/publicsuffix-go/publicsuffix	0.005s
?   	github.com/weppos/publicsuffix-go/publicsuffix/generator	[no test files]
```
2020-02-03 13:44:21 -05:00
Daniel McCarney 3263fb0a32
deps: downgrade go-sql-driver to v1.4.1 (#4630)
In 0804e97 we updated `github.com/go-sql-driver/mysql` to a pinned
commit (b4242bab7dc5) newer than the latest tagged release (v1.4.1) to
avoid needing to pull in an extra dep. that was removed since v1.4.1.

Unfortunately, for reasons that are not perfectly clear, updating
`github.com/google/certificate-transparency-go` is preferring v1.4.1
over the pseudo-version made from the commit newer than v1.4.1 that we
previously pinned.

Since there is movement on making a v1.5.0 go-sql-driver mysql release
tag and we can likely get ct-go to use that we'll temporarily accept
this downgrade to update ct-go.

Unit tests are confirmed to pass:
```
~/go/src/github.com/go-sql-driver/mysql$ git log --pretty=format:'%h' -n 1
72cd26f

~/go/src/github.com/go-sql-driver/mysql$ go test ./...
ok      github.com/go-sql-driver/mysql  0.081s
```
2020-01-06 16:30:53 -05:00
Daniel McCarney 77a9330eeb
deps: update google.golang.org/grpc 1.20.0->1.25.1 (#4629)
Note: This dep bump introduces a harmless, but annoying, error log
to our service startup output of the form:

> E203318 boulder-ra 2PvBvwg [AUDIT] ccResolverWrapper: error parsing service config: no JSON service config provided

We previously addressed this with the upstream project
(30f4150eec)
but the problem has returned. Filed https://github.com/letsencrypt/boulder/issues/4628
as a follow-up to chase this down.

Unit tests are confirmed to pass:

```
~/go/src/google.golang.org/grpc$ git log --pretty=format:'%h' -n 1
1a3960e

~/go/src/google.golang.org/grpc$ go test ./...
ok  	google.golang.org/grpc	18.163s
?   	google.golang.org/grpc/backoff	[no test files]
?   	google.golang.org/grpc/balancer	[no test files]
?   	google.golang.org/grpc/balancer/base	[no test files]
ok  	google.golang.org/grpc/balancer/grpclb	15.491s
?   	google.golang.org/grpc/balancer/grpclb/grpc_lb_v1	[no test files]
ok  	google.golang.org/grpc/balancer/roundrobin	0.349s
?   	google.golang.org/grpc/balancer/weightedroundrobin	[no test files]
?   	google.golang.org/grpc/benchmark	[no test files]
?   	google.golang.org/grpc/benchmark/benchmain	[no test files]
?   	google.golang.org/grpc/benchmark/benchresult	[no test files]
?   	google.golang.org/grpc/benchmark/client	[no test files]
ok  	google.golang.org/grpc/benchmark/flags	0.001s
?   	google.golang.org/grpc/benchmark/grpc_testing	[no test files]
ok  	google.golang.org/grpc/benchmark/latency	1.005s
ok  	google.golang.org/grpc/benchmark/primitives	0.001s [no tests to run]
?   	google.golang.org/grpc/benchmark/server	[no test files]
?   	google.golang.org/grpc/benchmark/stats	[no test files]
?   	google.golang.org/grpc/benchmark/worker	[no test files]
?   	google.golang.org/grpc/binarylog/grpc_binarylog_v1	[no test files]
?   	google.golang.org/grpc/channelz/grpc_channelz_v1	[no test files]
ok  	google.golang.org/grpc/channelz/service	0.009s
ok  	google.golang.org/grpc/codes	0.002s
?   	google.golang.org/grpc/connectivity	[no test files]
ok  	google.golang.org/grpc/credentials	0.017s
ok  	google.golang.org/grpc/credentials/alts	0.003s
?   	google.golang.org/grpc/credentials/alts/internal	[no test files]
ok  	google.golang.org/grpc/credentials/alts/internal/authinfo	0.003s
ok  	google.golang.org/grpc/credentials/alts/internal/conn	0.079s
ok  	google.golang.org/grpc/credentials/alts/internal/handshaker	0.039s
ok  	google.golang.org/grpc/credentials/alts/internal/handshaker/service	0.007s
?   	google.golang.org/grpc/credentials/alts/internal/proto/grpc_gcp	[no test files]
?   	google.golang.org/grpc/credentials/alts/internal/testutil	[no test files]
?   	google.golang.org/grpc/credentials/google	[no test files]
ok  	google.golang.org/grpc/credentials/internal	0.005s
?   	google.golang.org/grpc/credentials/oauth	[no test files]
?   	google.golang.org/grpc/encoding	[no test files]
?   	google.golang.org/grpc/encoding/gzip	[no test files]
ok  	google.golang.org/grpc/encoding/proto	0.025s
?   	google.golang.org/grpc/examples/features/authentication/client	[no test files]
?   	google.golang.org/grpc/examples/features/authentication/server	[no test files]
?   	google.golang.org/grpc/examples/features/cancellation/client	[no test files]
?   	google.golang.org/grpc/examples/features/cancellation/server	[no test files]
?   	google.golang.org/grpc/examples/features/compression/client	[no test files]
?   	google.golang.org/grpc/examples/features/compression/server	[no test files]
?   	google.golang.org/grpc/examples/features/deadline/client	[no test files]
?   	google.golang.org/grpc/examples/features/deadline/server	[no test files]
?   	google.golang.org/grpc/examples/features/debugging/client	[no test files]
?   	google.golang.org/grpc/examples/features/debugging/server	[no test files]
?   	google.golang.org/grpc/examples/features/encryption/ALTS/client	[no test files]
?   	google.golang.org/grpc/examples/features/encryption/ALTS/server	[no test files]
?   	google.golang.org/grpc/examples/features/encryption/TLS/client	[no test files]
?   	google.golang.org/grpc/examples/features/encryption/TLS/server	[no test files]
?   	google.golang.org/grpc/examples/features/errors/client	[no test files]
?   	google.golang.org/grpc/examples/features/errors/server	[no test files]
?   	google.golang.org/grpc/examples/features/interceptor/client	[no test files]
?   	google.golang.org/grpc/examples/features/interceptor/server	[no test files]
?   	google.golang.org/grpc/examples/features/keepalive/client	[no test files]
?   	google.golang.org/grpc/examples/features/keepalive/server	[no test files]
?   	google.golang.org/grpc/examples/features/load_balancing/client	[no test files]
?   	google.golang.org/grpc/examples/features/load_balancing/server	[no test files]
?   	google.golang.org/grpc/examples/features/metadata/client	[no test files]
?   	google.golang.org/grpc/examples/features/metadata/server	[no test files]
?   	google.golang.org/grpc/examples/features/multiplex/client	[no test files]
?   	google.golang.org/grpc/examples/features/multiplex/server	[no test files]
?   	google.golang.org/grpc/examples/features/name_resolving/client	[no test files]
?   	google.golang.org/grpc/examples/features/name_resolving/server	[no test files]
?   	google.golang.org/grpc/examples/features/proto	[no test files]
?   	google.golang.org/grpc/examples/features/proto/echo	[no test files]
?   	google.golang.org/grpc/examples/features/reflection/server	[no test files]
?   	google.golang.org/grpc/examples/features/retry/client	[no test files]
?   	google.golang.org/grpc/examples/features/retry/server	[no test files]
?   	google.golang.org/grpc/examples/features/wait_for_ready	[no test files]
?   	google.golang.org/grpc/examples/helloworld/greeter_client	[no test files]
?   	google.golang.org/grpc/examples/helloworld/greeter_server	[no test files]
?   	google.golang.org/grpc/examples/helloworld/helloworld	[no test files]
ok  	google.golang.org/grpc/examples/helloworld/mock_helloworld	0.003s
?   	google.golang.org/grpc/examples/route_guide/client	[no test files]
ok  	google.golang.org/grpc/examples/route_guide/mock_routeguide	0.005s
?   	google.golang.org/grpc/examples/route_guide/routeguide	[no test files]
?   	google.golang.org/grpc/examples/route_guide/server	[no test files]
ok  	google.golang.org/grpc/grpclog	0.003s
?   	google.golang.org/grpc/grpclog/glogger	[no test files]
ok  	google.golang.org/grpc/health	0.063s
?   	google.golang.org/grpc/health/grpc_health_v1	[no test files]
?   	google.golang.org/grpc/internal	[no test files]
?   	google.golang.org/grpc/internal/backoff	[no test files]
?   	google.golang.org/grpc/internal/balancerload	[no test files]
ok  	google.golang.org/grpc/internal/binarylog	0.026s
ok  	google.golang.org/grpc/internal/buffer	0.002s
ok  	google.golang.org/grpc/internal/cache	0.653s
ok  	google.golang.org/grpc/internal/channelz	0.005s
?   	google.golang.org/grpc/internal/envconfig	[no test files]
?   	google.golang.org/grpc/internal/grpcrand	[no test files]
ok  	google.golang.org/grpc/internal/grpcsync	0.002s
ok  	google.golang.org/grpc/internal/grpctest	0.002s
ok  	google.golang.org/grpc/internal/leakcheck	4.083s
ok  	google.golang.org/grpc/internal/proto/grpc_service_config	0.002s
ok  	google.golang.org/grpc/internal/resolver/dns	1.620s
?   	google.golang.org/grpc/internal/resolver/passthrough	[no test files]
?   	google.golang.org/grpc/internal/syscall	[no test files]
ok  	google.golang.org/grpc/internal/testutils	0.002s
ok  	google.golang.org/grpc/internal/transport	81.078s
ok  	google.golang.org/grpc/internal/wrr	0.008s
?   	google.golang.org/grpc/interop	[no test files]
?   	google.golang.org/grpc/interop/alts/client	[no test files]
?   	google.golang.org/grpc/interop/alts/server	[no test files]
?   	google.golang.org/grpc/interop/client	[no test files]
?   	google.golang.org/grpc/interop/fake_grpclb	[no test files]
?   	google.golang.org/grpc/interop/grpc_testing	[no test files]
?   	google.golang.org/grpc/interop/http2	[no test files]
?   	google.golang.org/grpc/interop/server	[no test files]
?   	google.golang.org/grpc/keepalive	[no test files]
ok  	google.golang.org/grpc/metadata	0.004s
ok  	google.golang.org/grpc/naming	0.156s
?   	google.golang.org/grpc/peer	[no test files]
ok  	google.golang.org/grpc/reflection	0.010s
?   	google.golang.org/grpc/reflection/grpc_reflection_v1alpha	[no test files]
?   	google.golang.org/grpc/reflection/grpc_testing	[no test files]
?   	google.golang.org/grpc/reflection/grpc_testingv3	[no test files]
?   	google.golang.org/grpc/resolver	[no test files]
?   	google.golang.org/grpc/resolver/dns	[no test files]
?   	google.golang.org/grpc/resolver/manual	[no test files]
?   	google.golang.org/grpc/resolver/passthrough	[no test files]
?   	google.golang.org/grpc/serviceconfig	[no test files]
ok  	google.golang.org/grpc/stats	0.046s
?   	google.golang.org/grpc/stats/grpc_testing	[no test files]
ok  	google.golang.org/grpc/status	0.008s
?   	google.golang.org/grpc/stress/client	[no test files]
?   	google.golang.org/grpc/stress/grpc_testing	[no test files]
?   	google.golang.org/grpc/stress/metrics_client	[no test files]
?   	google.golang.org/grpc/tap	[no test files]
ok  	google.golang.org/grpc/test	30.190s
ok  	google.golang.org/grpc/test/bufconn	0.204s
?   	google.golang.org/grpc/test/codec_perf	[no test files]
?   	google.golang.org/grpc/test/go_vet	[no test files]
?   	google.golang.org/grpc/test/grpc_testing	[no test files]
?   	google.golang.org/grpc/xds/experimental	[no test files]
ok  	google.golang.org/grpc/xds/internal	0.003s
ok  	google.golang.org/grpc/xds/internal/balancer	5.113s
ok  	google.golang.org/grpc/xds/internal/balancer/edsbalancer	1.264s
ok  	google.golang.org/grpc/xds/internal/balancer/lrs	0.246s
ok  	google.golang.org/grpc/xds/internal/balancer/orca	0.002s
ok  	google.golang.org/grpc/xds/internal/client	0.004s
?   	google.golang.org/grpc/xds/internal/proto	[no test files]
?   	google.golang.org/grpc/xds/internal/proto/udpa/data/orca/v1	[no test files]
?   	google.golang.org/grpc/xds/internal/proto/udpa/service/orca/v1	[no test files]
?   	google.golang.org/grpc/xds/internal/proto/udpa/type/v1	[no test files]
ok  	google.golang.org/grpc/xds/internal/resolver	0.004s
```

Updates https://github.com/letsencrypt/boulder/issues/4548
2020-01-06 11:03:28 -08:00
Daniel McCarney 418ef26b78
deps: update go-grpc-prometheus 0dafe0d496ea->v1.2.0 (#4626) 2020-01-03 14:16:50 -08:00
Daniel McCarney e3c60d4f8c
deps: update miekg/pkcs11 v1.0.2 -> v1.0.3 (#4627)
Unit tests are confirmed to pass:
```
~/go/src/github.com/miekg/pkcs11$ git log --pretty=format:'%h' -n 1
210dc1e

~/go/src/github.com/miekg/pkcs11$ go test ./...
ok      github.com/miekg/pkcs11 0.645s
?       github.com/miekg/pkcs11/p11     [no test files]

```
2020-01-03 14:14:32 -08:00
Daniel McCarney 76c4125e06
deps: update golang.org/x/crypto 4def268fd1a4->e1110fd1c708 (#4624)
Unit tests are confirmed to pass:
```
~/go/src/golang.org/x/crypto$ git log --pretty=format:'%h' -n 1
e1110fd

~/go/src/golang.org/x/crypto$ go test ./...
ok      golang.org/x/crypto/acme        6.879s
ok      golang.org/x/crypto/acme/autocert       1.213s
?       golang.org/x/crypto/acme/autocert/internal/acmetest     [no test files]
?       golang.org/x/crypto/acme/internal/acmeprobe     [no test files]
ok      golang.org/x/crypto/argon2      0.084s
ok      golang.org/x/crypto/bcrypt      2.224s
ok      golang.org/x/crypto/blake2b     0.049s
ok      golang.org/x/crypto/blake2s     0.034s
ok      golang.org/x/crypto/blowfish    0.005s
ok      golang.org/x/crypto/bn256       0.311s
ok      golang.org/x/crypto/cast5       2.527s
ok      golang.org/x/crypto/chacha20    0.013s
ok      golang.org/x/crypto/chacha20poly1305    0.423s
ok      golang.org/x/crypto/cryptobyte  0.002s
?       golang.org/x/crypto/cryptobyte/asn1     [no test files]
ok      golang.org/x/crypto/curve25519  0.017s
ok      golang.org/x/crypto/ed25519     0.047s
?       golang.org/x/crypto/ed25519/internal/edwards25519       [no test files]
ok      golang.org/x/crypto/hkdf        0.009s
ok      golang.org/x/crypto/internal/subtle     0.011s
ok      golang.org/x/crypto/md4 0.001s
ok      golang.org/x/crypto/nacl/auth   4.920s
ok      golang.org/x/crypto/nacl/box    0.019s
ok      golang.org/x/crypto/nacl/secretbox      0.002s
ok      golang.org/x/crypto/nacl/sign   0.002s
ok      golang.org/x/crypto/ocsp        0.020s
ok      golang.org/x/crypto/openpgp     3.302s
ok      golang.org/x/crypto/openpgp/armor       0.001s
ok      golang.org/x/crypto/openpgp/clearsign   13.182s
ok      golang.org/x/crypto/openpgp/elgamal     0.008s
?       golang.org/x/crypto/openpgp/errors      [no test files]
ok      golang.org/x/crypto/openpgp/packet      0.115s
ok      golang.org/x/crypto/openpgp/s2k 5.114s
ok      golang.org/x/crypto/otr 0.163s
ok      golang.org/x/crypto/pbkdf2      0.025s
ok      golang.org/x/crypto/pkcs12      0.036s
ok      golang.org/x/crypto/pkcs12/internal/rc2 0.001s
ok      golang.org/x/crypto/poly1305    0.025s
ok      golang.org/x/crypto/ripemd160   0.018s
ok      golang.org/x/crypto/salsa20     0.029s
ok      golang.org/x/crypto/salsa20/salsa       0.009s
ok      golang.org/x/crypto/scrypt      0.384s
ok      golang.org/x/crypto/sha3        0.121s
ok      golang.org/x/crypto/ssh 2.779s
ok      golang.org/x/crypto/ssh/agent   0.460s
ok      golang.org/x/crypto/ssh/knownhosts      0.018s
ok      golang.org/x/crypto/ssh/terminal        0.006s
ok      golang.org/x/crypto/ssh/test    2.059s
ok      golang.org/x/crypto/tea 0.003s
ok      golang.org/x/crypto/twofish     0.013s
ok      golang.org/x/crypto/xtea        0.009s
ok      golang.org/x/crypto/xts 0.001s
```
2020-01-03 14:25:16 -05:00
Daniel McCarney 1bf07bc2ab
deps: update golang.org/x/net d28f0bde5980 -> 2180aed22343 (#4623)
Unit tests are confirmed to pass:
```
~/go/src/golang.org/x/net$ git log --pretty=format:'%h' -n 1
2180aed

~/go/src/golang.org/x/net$ go test ./...
ok      golang.org/x/net/bpf    0.494s
ok      golang.org/x/net/context        0.058s
ok      golang.org/x/net/context/ctxhttp        0.104s
?       golang.org/x/net/dict   [no test files]
ok      golang.org/x/net/dns/dnsmessage 0.074s
ok      golang.org/x/net/html   0.097s
ok      golang.org/x/net/html/atom      0.002s
ok      golang.org/x/net/html/charset   0.020s
ok      golang.org/x/net/http/httpguts  0.028s
ok      golang.org/x/net/http/httpproxy 0.003s
ok      golang.org/x/net/http2  125.352s
ok      golang.org/x/net/http2/h2c      0.015s
?       golang.org/x/net/http2/h2i      [no test files]
ok      golang.org/x/net/http2/hpack    0.042s
ok      golang.org/x/net/icmp   0.002s
ok      golang.org/x/net/idna   0.012s
?       golang.org/x/net/internal/iana  [no test files]
ok      golang.org/x/net/internal/socket        4.560s
ok      golang.org/x/net/internal/socks 0.222s
ok      golang.org/x/net/internal/sockstest     0.015s
ok      golang.org/x/net/internal/timeseries    0.020s
ok      golang.org/x/net/ipv4   0.053s
ok      golang.org/x/net/ipv6   0.043s
ok      golang.org/x/net/nettest        1.057s
ok      golang.org/x/net/netutil        0.819s
ok      golang.org/x/net/proxy  0.039s
ok      golang.org/x/net/publicsuffix   0.146s
ok      golang.org/x/net/trace  0.007s
ok      golang.org/x/net/webdav 0.091s
ok      golang.org/x/net/webdav/internal/xml    0.010s
ok      golang.org/x/net/websocket      0.026s
ok      golang.org/x/net/xsrftoken      0.019s
```
2020-01-03 10:34:10 -08:00
Daniel McCarney 84b2101f1d
deps: update gopkg.in/yaml.v2 v2.2.2 -> v2.2.5 (#4622)
Unit tests are confirmed to pass:

```
~/go/src/gopkg.in/yaml.v2$ git log --pretty=format:'%h' -n 1
f90ceb4

~/go/src/gopkg.in/yaml.v2$ go test ./...
ok      gopkg.in/yaml.v2        2.873s
```
2020-01-03 10:32:00 -08:00
Daniel McCarney aad6614586
deps: update golang/mock v1.2.0 -> v1.3.1 (#4621)
Unit tests confirmed to pass:
```
~/go/src/github.com/golang/mock$ git log --pretty=format:'%h' -n 1
d74b935

~/go/src/github.com/golang/mock$ go test ./...
go: downloading golang.org/x/tools v0.0.0-20190425150028-36563e24a262
go: extracting golang.org/x/tools v0.0.0-20190425150028-36563e24a262
go: finding golang.org/x/tools v0.0.0-20190425150028-36563e24a262
ok    github.com/golang/mock/gomock 0.003s
?     github.com/golang/mock/gomock/internal/mock_gomock  [no test files]
ok    github.com/golang/mock/mockgen  0.008s
ok    github.com/golang/mock/mockgen/internal/tests/aux_imports_embedded_interface  0.002s
?     github.com/golang/mock/mockgen/internal/tests/aux_imports_embedded_interface/faux [no test files]
?     github.com/golang/mock/mockgen/internal/tests/copyright_file  [no test files]
?     github.com/golang/mock/mockgen/internal/tests/custom_package_name/client/v1 [no test files]
ok    github.com/golang/mock/mockgen/internal/tests/custom_package_name/greeter 0.003s
?     github.com/golang/mock/mockgen/internal/tests/custom_package_name/validator [no test files]
?     github.com/golang/mock/mockgen/internal/tests/dot_imports [no test files]
?     github.com/golang/mock/mockgen/internal/tests/empty_interface [no test files]
ok    github.com/golang/mock/mockgen/internal/tests/generated_identifier_conflict 0.006s
?     github.com/golang/mock/mockgen/internal/tests/import_source [no test files]
?     github.com/golang/mock/mockgen/internal/tests/import_source/definition  [no test files]
?     github.com/golang/mock/mockgen/internal/tests/internal_pkg  [no test files]
?     github.com/golang/mock/mockgen/internal/tests/internal_pkg/subdir/internal/pkg  [no test files]
?     github.com/golang/mock/mockgen/internal/tests/internal_pkg/subdir/internal/pkg/reflect_output [no test files]
?     github.com/golang/mock/mockgen/internal/tests/internal_pkg/subdir/internal/pkg/source_output  [no test files]
ok    github.com/golang/mock/mockgen/internal/tests/mock_in_test_package  0.045s [no tests to run]
ok    github.com/golang/mock/mockgen/internal/tests/test_package  0.002s [no tests to run]
ok    github.com/golang/mock/mockgen/internal/tests/unexported_method 0.002s
?     github.com/golang/mock/mockgen/internal/tests/vendor_dep  [no test files]
?     github.com/golang/mock/mockgen/internal/tests/vendor_dep/source_mock_package  [no test files]
?     github.com/golang/mock/mockgen/internal/tests/vendor_pkg  [no test files]
ok    github.com/golang/mock/mockgen/model  0.007s
ok    github.com/golang/mock/sample 0.003s
ok    github.com/golang/mock/sample/concurrent  0.002s
?     github.com/golang/mock/sample/concurrent/mock [no test files]
?     github.com/golang/mock/sample/imp1  [no test files]
?     github.com/golang/mock/sample/imp2  [no test files]
?     github.com/golang/mock/sample/imp3  [no test files]
?     github.com/golang/mock/sample/imp4  [no test files]
?     github.com/golang/mock/sample/mock_user [no test files]
```
2020-01-03 10:31:26 -08:00
Jacob Hoffman-Andrews 390103674f
Upgrade go-jose to v2.4.1 (#4611)
Incorporates square/go-jose#282.

$ go test gopkg.in/square/go-jose.v2
go: finding gopkg.in/square/go-jose.v2 v2.4.1
ok gopkg.in/square/go-jose.v2 46.790s
2019-12-16 14:10:12 -08:00
Daniel McCarney 10863e8e05
deps: update weppos/publicsuffix-go and zmap/zlint to latest. (#4604)
* deps: update publicsuffix-go to 342bab7

This updates `github.com/weppos/publicsuffix-go` to 342bab7, the tip of
master at the time of writing.

Unit tests are confirmed to pass:
```
~/go/src/github.com/weppos/publicsuffix-go$ git log --pretty=format:'%h' -n 1
342bab7

~/go/src/github.com/weppos/publicsuffix-go$ go test ./...
?       github.com/weppos/publicsuffix-go/cmd/load      [no test files]
ok      github.com/weppos/publicsuffix-go/net/publicsuffix      0.023s
ok      github.com/weppos/publicsuffix-go/publicsuffix  0.015s
?       github.com/weppos/publicsuffix-go/publicsuffix/generator [no test files]
```

* deps: update zmap/zlint to 71201e7

This updates `github.com/zmap/zlint` to 71201e7, the tip of master at
the time of writing.

Unit tests are confirmed to pass:
```
~/go/src/github.com/zmap/zlint$  git log --pretty=format:'%h' -n 1
71201e7

~/go/src/github.com/zmap/zlint$ go test ./...
ok  	github.com/zmap/zlint	0.205s
?   	github.com/zmap/zlint/cmd/zlint	[no test files]
?   	github.com/zmap/zlint/cmd/zlint-gtld-update	[no test files]
ok  	github.com/zmap/zlint/lints	0.214s
ok  	github.com/zmap/zlint/util	0.014s
```
2019-12-09 15:46:34 -05:00
Jacob Hoffman-Andrews f9a8e744b7 Update pkcs11key to v4 (#4602)
This is a breaking API change: pkcs11key now takes as input a public key rather than
a private key label. In order to find the private key, it first finds the public key's CKA_ID
in the token, then looks for a private key with the same CKA_ID. From ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-30/pkcs-11v2-30b-d6.pdf:

> The CKA_ID field is intended to distinguish among multiple keys. In
the case of public and private keys, this field assists in handling
multiple keys held by the same subject; the key identifier for a
public key and its corresponding private key should be the same.

This does require that both the public key and private key are present and have
appropriate CKA_IDs set. I've verified this is the case in prod. In our integration
testing environment it was not the case, so I've tweaked entrypoint.sh to load
public keys into SoftHSM and set their CKA_ID.

The initial part of this change was written by @cpu. I've reviewed and approved
those commits.
2019-12-09 10:03:33 -08:00
Daniel McCarney e9e15c9a83
deps: update to prometheus/client_golang 1.2.1 (#4601)
* cmd: update prometheus.NewProcessCollector args.

There's a new struct `prometheus.ProcessCollectorOpts` that is expected
to be used as the sole argument to `prometheus.NewProcessCollector`. We
don't need to specify `os.Getpid` as the `PidFn` of the struct because
the default is to assume `os.Getpid`. Similarly we don't need to set the
namespace to `""` explicitly, it is the default.

* SA: reimplement db metrics as custom collector.

The modern Prometheus golang API supports translating between legacy
metric sources on the fly with a custom collector. We can use this
approach to collect the metrics from `gorp.DbMap`'s via the `sql.DB`
type's `Stats` function and the returned `sql.DbStats` struct.

This is a cleaner solution overall (we can lose the DB metrics updating
go routine) and it avoids the need to use the now-removed `Set` method
of the `prometheus.Counter` type.

* test: Update CountHistogramSamples.

The `With` function of `prometheus.HistogramVec` types we tend to use as
the argument to `test.CountHistogramSamples` changed to return
a `prometheus.Observer`. Since we only use this function in test
contexts, and only with things that cast back to
a `prometheus.Histogram` we take that approach to fix the problem
without updating call-sites.
2019-12-06 16:14:50 -05:00
Daniel McCarney 4e9ab5f04e
deps: update to eggsampler/acme/v3, run tidy, re-enable parallel tests (#4568)
This updates the `github.com/eggsampler/acme` dependency used in our Go-based
integration tests to v3. Notably this fixes a data race we encountered in CI.
With the data race fixed this branch can also revert
54a798b7f6 and resolve
https://github.com/letsencrypt/boulder/issues/4542

I ran a `go mod tidy` to cleanup the old `v2` copy of the dep and it also
removed a few stale cfssl/mysql items from the `go.mod`.

Upstream library's tests are confirmed to pass:
```
~/go/src/github.com/eggsampler/acme$ git log --pretty=format:'%h' -n 1
b581dc6

~/go/src/github.com/eggsampler/acme$ make pebble
mkdir -p /home/daniel/go/src/github.com/letsencrypt/pebble
git clone --depth 1 https://github.com/letsencrypt/pebble.git /home/daniel/go/src/github.com/letsencrypt/pebble \
	|| (cd /home/daniel/go/src/github.com/letsencrypt/pebble; git checkout -f master && git reset --hard HEAD && git pull -q)
fatal: destination path '/home/daniel/go/src/github.com/letsencrypt/pebble' already exists and is not an empty directory.
Already on 'master'
Your branch is up-to-date with 'le/master'.
HEAD is now at 6c2d514 wfe: compare Identifier.Type with acme.IndentifierIP (#287)
docker-compose -f /home/daniel/go/src/github.com/letsencrypt/pebble/docker-compose.yml up -d
Creating network "pebble_acmenet" with driver "bridge"
Creating pebble_challtestsrv_1 ... done
Creating pebble_pebble_1       ... done
while ! wget --delete-after -q --no-check-certificate "https://localhost:14000/dir" ; do sleep 1 ; done
go clean -testcache
go test -race -coverprofile=coverage_18.txt -covermode=atomic github.com/eggsampler/acme/v3
ok  	github.com/eggsampler/acme/v3	24.292s	coverage: 83.0% of statements
docker-compose -f /home/daniel/go/src/github.com/letsencrypt/pebble/docker-compose.yml down
Stopping pebble_pebble_1       ... done
Stopping pebble_challtestsrv_1 ... done
Removing pebble_pebble_1       ... done
Removing pebble_challtestsrv_1 ... done
Removing network pebble_acmenet
```
2019-11-21 09:23:12 -05:00
Daniel McCarney 4c2613a8e5 deps: update weppos/publicsuffix-go and zmap/zlint. (#4563)
Updates `github.com/weppos/publicsuffix-go` to 3dd5f42, and
`github.com/zmap/zlint` to eea5fe8. Both hashes are the tip of master at
the time of writing.

Unit tests are confirmed to pass:
```
~/go/src/github.com/weppos/publicsuffix-go$ git log --pretty=format:'%h' -n 1
3dd5f42

~/go/src/github.com/weppos/publicsuffix-go$ go test ./...
?   	github.com/weppos/publicsuffix-go/cmd/load	[no test files]
ok  	github.com/weppos/publicsuffix-go/net/publicsuffix	0.008s
ok  	github.com/weppos/publicsuffix-go/publicsuffix	0.005s
?   	github.com/weppos/publicsuffix-go/publicsuffix/generator	[no test files]

~/go/src/github.com/zmap/zlint$ git log --pretty=format:'%h' -n 1
eea5fe8

~/go/src/github.com/zmap/zlint$ go test ./...
ok  	github.com/zmap/zlint	0.240s
?   	github.com/zmap/zlint/cmd/zlint	[no test files]
?   	github.com/zmap/zlint/cmd/zlint-gtld-update	[no test files]
ok  	github.com/zmap/zlint/lints	0.156s
ok  	github.com/zmap/zlint/util	0.020s
```
2019-11-20 19:31:22 -08:00
Jacob Hoffman-Andrews 0804e97d88 Update mysql to b4242ba (latest). (#4552)
The most recent tagged release of mysql is v1.4.1, from a year ago. It
also happens to pull in an unwanted dependency (appengine) that the
latest commit does not.

Tests pass:

$ go test -count=1 github.com/go-sql-driver/mysql
ok github.com/go-sql-driver/mysql 0.068s

Fixes #4530
2019-11-15 12:29:14 -08:00
Daniel McCarney 32ad79a0df deps: rerun the gopkg.in/go-gorp/gorp.v2 go get. (#4531)
Newer Go versions seem to give a different pseudoversion for this
dependency at the same commit than when we initially switched to Go
modules for Boulder. Fixing the pseudoversion now so it won't trip up
future updates unexpectedly.
2019-11-07 10:21:28 -08:00
Daniel McCarney 6da5e18a1e deps: update CFSSL to v1.4.0 (#4529)
This keeps us on a tagged release and includes only small bugfixes/doc
updates.
2019-11-06 14:23:22 -08:00
Daniel McCarney e448e81dc4 deps: update square/go-jose to v2.4.0 (#4518)
This branch also updates the WFE2 parseJWS function to match the error string fixed in the upstream project for the case where a JWS EC public key fails to unmarshal due to an incorrect length.

Resolves #4300
2019-10-30 10:59:41 -07:00
Roland Bracewell Shoemaker 308960cbdd log-validator: add cmd/daemon for verifying log integrity (#4482)
In f32fdc4 the Boulder logging framework was updated to emit a CRC32-IEEE
checksum in log lines. The `log-validator` command verifies these checksums in
one of two ways:

1. By running as a daemon process, tailing logs and verifying checksums as they
arrive.
2. By running as a one-off command, verifying checksums of every line in a log
file on disk.
2019-10-21 10:12:55 -04:00
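The one-off mode described in the commit message above, as an added Go example (not Boulder's log-validator code). The line layout (8 hex digits of CRC32-IEEE, a space, then the message) and all function names are assumptions made for the example; the sample log is constructed.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"hash/crc32"
	"io"
	"strings"
)

// Assumed layout for this example only (not Boulder's real log format):
//   <8 hex digits: CRC32-IEEE of the message> <space> <message>
const sumLen = 8

var (
	errMalformed = errors.New("line has no checksum prefix")
	errMismatch  = errors.New("checksum does not match message")
)

// checksum returns the CRC32-IEEE of msg as 8 lowercase hex digits.
func checksum(msg string) string {
	return fmt.Sprintf("%08x", crc32.ChecksumIEEE([]byte(msg)))
}

// formatLine is the writer side: prefix the message with its checksum.
func formatLine(msg string) string {
	return checksum(msg) + " " + msg
}

// verifyLine is the validator side for one line. It distinguishes a line
// that never carried a checksum from one whose checksum no longer matches.
func verifyLine(line string) error {
	i := strings.IndexByte(line, ' ')
	if i != sumLen {
		return errMalformed
	}
	if checksum(line[i+1:]) != line[:i] {
		return errMismatch
	}
	return nil
}

// verifyStream checks every line read from r and returns how many lines
// were checked plus the 1-based numbers of the lines that failed.
func verifyStream(r io.Reader) (checked int, bad []int, err error) {
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		checked++
		if verifyLine(sc.Text()) != nil {
			bad = append(bad, checked)
		}
	}
	return checked, bad, sc.Err()
}

// sampleLog builds a constructed four-line log: line 2 was edited after
// being written, line 3 was written without any checksum.
func sampleLog() string {
	good1 := formatLine("issued certificate serial=01")
	altered := strings.Replace(
		formatLine("issued certificate serial=02"), "serial=02", "serial=03", 1)
	noPrefix := "revoked certificate serial=01"
	good2 := formatLine("shutdown complete")
	return strings.Join([]string{good1, altered, noPrefix, good2}, "\n") + "\n"
}

// verifySample runs the validator over the constructed log.
func verifySample() (int, []int, error) {
	return verifyStream(strings.NewReader(sampleLog()))
}

func main() {
	checked, bad, err := verifySample()
	fmt.Printf("checked=%d bad=%v err=%v\n", checked, bad, err)
}
```

CRC32 is unkeyed, so a check like this catches corruption, truncation and careless edits, but not a writer who recomputes the checksum after changing the message.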
Roland Bracewell Shoemaker 3359ec349b ocsp-responder: Integrate CFSSL OCSP responder code (#4461)
Integrates the cfssl/ocsp responder code directly into boulder. I've tried to
pare down the existing code to only the bits we actually use and have removed
some generic interfaces in places in favor of directly using our boulder
specific interfaces.

Fixes #4427.
2019-10-07 14:05:37 -04:00
Daniel McCarney 424247f5ea
deps: update publicsuffix-go to latest. (#4450)
Notably this adds the new `.ss` ccTLD.
2019-09-27 16:48:43 -04:00
Daniel McCarney 92839da2e7
deps: update zlint to latest. (#4449) 2019-09-27 16:48:21 -04:00
Daniel McCarney 93902965e5 Add Go 1.13 support, temporarily disable TLS 1.3 default. (#4435)
A unit test is included to verify that a TLS-ALPN-01 challenge to
a TLS 1.3 only server doesn't succeed when the `GODEBUG` value to
disable TLS 1.3 in `docker-compose.yml` is set. Without this env var
the test fails on the Go 1.13 build because of the new default:

```
=== RUN   TestTLSALPN01TLS13
--- FAIL: TestTLSALPN01TLS13 (0.04s)
    tlsalpn_test.go:531: expected problem validating TLS-ALPN-01 challenge against a TLS 1.3 only server, got nil
    FAIL
    FAIL        github.com/letsencrypt/boulder/va       0.065s
```

With the env var set the test passes, getting the expected connection
problem reporting a tls error:

```
=== RUN   TestTLSALPN01TLS13
2019/09/13 18:59:00 http: TLS handshake error from 127.0.0.1:51240: tls: client offered only unsupported versions: [303 302 301]
--- PASS: TestTLSALPN01TLS13 (0.03s)
PASS
ok      github.com/letsencrypt/boulder/va       1.054s
```

Since we plan to eventually enable TLS 1.3 support and the `GODEBUG`
mechanism tested in the above test is platform-wide vs package
specific I decided it wasn't worth the time investment to write a
similar HTTP-01 unit test that verifies the TLS 1.3 behaviour on a
HTTP-01 HTTP->HTTPS redirect.

Resolves https://github.com/letsencrypt/boulder/issues/4415
2019-09-17 11:00:58 -07:00
Jacob Hoffman-Andrews 9906c93217
Generate and store OCSP at precertificate signing time (#4420)
This change adds two tables and two methods in the SA, to store precertificates
and serial numbers.

In the CA, when the feature flag is turned on, we generate a serial number, store it,
sign a precertificate and OCSP, store them, and then return the precertificate. Storing
the serial as an additional step before signing the certificate adds an extra layer of
insurance against duplicate serials, and also serves as a check on database availability.
Since an error storing the serial prevents going on to sign the precertificate, this decreases
the chance of signing something while the database is down.

Right now, neither table has read operations available in the SA.

To make this work, I needed to remove the check for duplicate certificateStatus entry
when inserting a final certificate and its OCSP response. I also needed to remove
an error that can occur when expiration-mailer processes a precertificate that lacks
a final certificate. That error would otherwise have prevented further processing of
expiration warnings.

Fixes #4412

This change builds on #4417, please review that first for ease of review.
2019-09-09 12:21:20 -07:00
Jacob Hoffman-Andrews a8586d05cd
Add integration test for precertificate OCSP. (#4417)
This test adds support in ct-test-srv for rejecting precertificates by
hostname, in order to artificially generate a condition where a
precertificate is issued but no final certificate can be issued. Right
now the final check in the test is temporarily disabled until the
feature is fixed.

Also, as our first Go-based integration test, this pulls in the
eggsampler/acme Go client, and adds some support in integration-test.py.

This also refactors ct-test-srv slightly to use a ServeMux, and fixes
a couple of cases of not returning immediately on error.
2019-09-06 13:35:08 -07:00
Daniel McCarney a5936522d7
deps: update github.com/zmap/zlint to latest. (#4399)
* deps: update github.com/zmap/zlint to latest.

This captures a new lint (`e_subject_printable_string_badalpha`) that
addresses a historic Let's Encrypt incident related to the allowed
PrintableString character set. It also pulls in minor housekeeping
related to consistently prefixing lint names with their respective lint
result level.

* review: fix expected lint name in TestIgnoredLint.

The upstream `zlint` project added a missing `w_` prefix on the
`ct_sct_policy_count_unsatisifed` lint that needed to be reflected in
expected test output.
2019-08-13 13:05:29 -04:00
Daniel McCarney 8b518451b4 deps: update github.com/zmap/zlint to latest. (#4384)
* deps: update github.com/zmap/zlint to latest.

Update the `github.com/zmap/zlint` dependency to b126a9b. This captures
a small fix to the `ct_sct_policy_count_unsatisfied` lint that ensures
it isn't run for precertificates.

* config: remove ct_sct_policy_count_unsatisfied from ignored_lints.

With the latest `zlint` the `ct_sct_policy_count_unsatisfied` lint won't
flag precertificates as having an info-level lint result for missing
SCTs. With that fix in place we no longer have to ignore this lint in
the config-next CA configs that enable preissuance linting.
2019-08-01 10:22:30 -07:00
Daniel McCarney 17cf6fde8d
deps: bump github.com/weppos/publicsuffix-go to latest. (#4383) 2019-07-31 17:46:51 -04:00
Daniel McCarney 17b74cfb55
deps: update github.com/cloudflare/cfssl to v1.3.4 (#4377)
This will unblock pre-issuance linting support by updating the
`github.com/cloudflare/cfssl` dependency to the `1.3.4` tag which
notably includes the zlint integration developed in
cloudflare/cfssl#1015
2019-07-31 14:06:02 -04:00
Daniel McCarney 75dcac2272
deps: update github.com/zmap/zlint to latest. (#4375)
Notably this brings in:
* A mild perf. boost from an updated transitive zcrypto dep and a reworked util func.
* A new KeyUsage lint for ECDSA keys.
* Updated gTLD data.
* A required `LintStatus` deserialization fix that will unblock a CFSSL update.

The `TestIgnoredLint` unit test is updated to no longer expect a warning from the
`w_serial_number_low_entropy` lint. This lint was removed in the upstream project.
2019-07-31 13:10:44 -04:00
Daniel McCarney c7344170df
mod: update github.com/weppos/publicsuffix-go. (#4320)
Update `github.com/weppos/publicsuffix-go` to 5363748, the tip of master
at the time of writing.
2019-07-02 13:37:03 -04:00
Roland Bracewell Shoemaker 14d34e9075
Update square/go-jose to v2.3.1 (#4299)
Also excises the existing bad padding metrics code, adds a special error for when we encounter badly padded keys, and adds a test for the new special error.

Fixes #4070 and fixes #3964.
2019-06-26 16:27:50 -07:00
Roland Bracewell Shoemaker d99c008c07
Update cloudflare/cfssl (#4283)
Fixes #4004.
2019-06-21 12:47:32 -07:00
Daniel McCarney 3de2831c32
deps: update github.com/zmap/zlint to tip of master. (#4254)
* tld data updates
* new lints:
  * .arpa reverse DNS subjects lint
  * QcStatements lint
  * Onion subject linting
  * Informational embedded SCT policy lint
  * RFC 4055 RSA algorithm identifier parameter linting
2019-06-10 12:58:11 -04:00
Roland Bracewell Shoemaker 6f93942a04 Consistently used stdlib context package (#4229) 2019-05-28 14:36:16 -04:00
Jacob Hoffman-Andrews 1014a81606 Switch to modules (#4211)
Because the package versions in go.mod match what we use in Godeps.json,
there are no substantive code diffs. However, there are some tiny
differences resulting from how go mod vendors things differently than
godep:

* go mod does not preserve executable permissions on shell scripts
* Some packages have import lines like:
  `package ocsp // import "golang.org/x/crypto/ocsp"`

  godep used to remove the comment from these lines, but go mod vendor does not.

This introduces several indirect dependencies that we didn't have
before. This is because godep used to operate at a package level, but
go mod operates at a module (~= repository) level. So if we used a
given repository, but didn't use all of its packages, we wouldn't
previously care about the transitive dependencies of the packages we
weren't using. However, in the go mod world, once we care about the
repository, we care about all of that repository's transitive
dependencies. AFAICT this doesn't affect vendoring.

Fixes #4116
2019-05-23 14:14:00 -07:00
Daniel McCarney ecc111c34d
deps: bump weppos/publicsuffix-go to 7c1d5dc. (#4220)
Update `github.com/weppos/publicsuffix-go` dependency to
7c1d5dc, the tip of master at the time of writing.

Unit tests are confirmed to pass:

```
$> git log --pretty=format:%h -n 1
7c1d5dc

$> go test ./...
?     github.com/weppos/publicsuffix-go/cmd/load  [no test files]
ok    github.com/weppos/publicsuffix-go/net/publicsuffix  0.004s
ok    github.com/weppos/publicsuffix-go/publicsuffix  0.005s
```

Fingers-crossed this is the last Godeps.json update before the modules
switch.
2019-05-21 14:08:17 -04:00
Jacob Hoffman-Andrews 22b01faf85 Update yaml.v2 to latest. (#4163)
Part of #4116

$ go test gopkg.in/yaml.v2
ok      gopkg.in/yaml.v2        0.014s
2019-04-18 11:15:09 -07:00
Jacob Hoffman-Andrews 221eedcd33 Update github.com/cloudflare/cfssl to 1.3.3. (#4162)
This removes a dependency on gogo/protobuf.

```
$ go test -count=1 github.com/cloudflare/cfssl/{auth,certdb,certdb/dbconf,certdb/sql,config,crypto/pkcs7,csr,errors,helpers,helpers/derhelpers,info,log,ocsp,ocsp/config,signer,signer/local}
ok      github.com/cloudflare/cfssl/auth        0.032s
?       github.com/cloudflare/cfssl/certdb      [no test files]
ok      github.com/cloudflare/cfssl/certdb/dbconf       0.005s
ok      github.com/cloudflare/cfssl/certdb/sql  0.430s
ok      github.com/cloudflare/cfssl/config      0.018s
?       github.com/cloudflare/cfssl/crypto/pkcs7        [no test files]
ok      github.com/cloudflare/cfssl/csr 8.343s
ok      github.com/cloudflare/cfssl/errors      0.012s
ok      github.com/cloudflare/cfssl/helpers     0.125s
ok      github.com/cloudflare/cfssl/helpers/derhelpers  0.007s
?       github.com/cloudflare/cfssl/info        [no test files]
ok      github.com/cloudflare/cfssl/log 0.018s
ok      github.com/cloudflare/cfssl/ocsp        0.093s
?       github.com/cloudflare/cfssl/ocsp/config [no test files]
ok      github.com/cloudflare/cfssl/signer      0.016s
ok      github.com/cloudflare/cfssl/signer/local        0.621s
```
2019-04-18 08:31:03 -04:00
Jacob Hoffman-Andrews 2e6ed805ed Update golang.org/x/... to latest. (#4159)
$ go test -count=1 golang.org/x/net/{bpf,context,context/ctxhttp,http/httpguts,http2,http2/hpack,idna,internal/iana,internal/socket,internal/timeseries,ipv4,ipv6,trace} golang.org/x/sys/unix golang.org/x/crypto/...
ok      golang.org/x/net/bpf    0.464s
ok      golang.org/x/net/context        0.064s
ok      golang.org/x/net/context/ctxhttp        0.109s
ok      golang.org/x/net/http/httpguts  0.008s
ok      golang.org/x/net/http2  83.376s
ok      golang.org/x/net/http2/hpack    0.049s
ok      golang.org/x/net/idna   0.003s
?       golang.org/x/net/internal/iana  [no test files]
ok      golang.org/x/net/internal/socket        0.003s
ok      golang.org/x/net/internal/timeseries    0.017s
ok      golang.org/x/net/ipv4   0.022s
ok      golang.org/x/net/ipv6   0.015s
ok      golang.org/x/net/trace  0.010s
ok      golang.org/x/sys/unix   0.576s
ok      golang.org/x/crypto/acme        4.417s
ok      golang.org/x/crypto/acme/autocert       0.222s
?       golang.org/x/crypto/acme/autocert/internal/acmetest     [no test files]
ok      golang.org/x/crypto/argon2      0.072s
ok      golang.org/x/crypto/bcrypt      2.331s
ok      golang.org/x/crypto/blake2b     0.041s
ok      golang.org/x/crypto/blake2s     0.068s
ok      golang.org/x/crypto/blowfish    0.007s
ok      golang.org/x/crypto/bn256       0.355s
ok      golang.org/x/crypto/cast5       3.829s
ok      golang.org/x/crypto/chacha20poly1305    0.047s
ok      golang.org/x/crypto/cryptobyte  0.003s
?       golang.org/x/crypto/cryptobyte/asn1     [no test files]
ok      golang.org/x/crypto/curve25519  0.026s
ok      golang.org/x/crypto/ed25519     0.121s
?       golang.org/x/crypto/ed25519/internal/edwards25519       [no test files]
ok      golang.org/x/crypto/hkdf        0.030s
ok      golang.org/x/crypto/internal/chacha20   0.091s
ok      golang.org/x/crypto/internal/subtle     0.013s
ok      golang.org/x/crypto/md4 0.001s
ok      golang.org/x/crypto/nacl/auth   1.805s
ok      golang.org/x/crypto/nacl/box    0.017s
ok      golang.org/x/crypto/nacl/secretbox      0.016s
ok      golang.org/x/crypto/nacl/sign   0.022s
ok      golang.org/x/crypto/ocsp        0.029s
ok      golang.org/x/crypto/openpgp     7.507s
ok      golang.org/x/crypto/openpgp/armor       0.022s
ok      golang.org/x/crypto/openpgp/clearsign   21.458s
ok      golang.org/x/crypto/openpgp/elgamal     0.009s
?       golang.org/x/crypto/openpgp/errors      [no test files]
ok      golang.org/x/crypto/openpgp/packet      0.227s
ok      golang.org/x/crypto/openpgp/s2k 8.758s
ok      golang.org/x/crypto/otr 0.396s
ok      golang.org/x/crypto/pbkdf2      0.060s
ok      golang.org/x/crypto/pkcs12      0.069s
ok      golang.org/x/crypto/pkcs12/internal/rc2 0.003s
ok      golang.org/x/crypto/poly1305    0.012s
ok      golang.org/x/crypto/ripemd160   0.043s
ok      golang.org/x/crypto/salsa20     0.006s
ok      golang.org/x/crypto/salsa20/salsa       0.002s
ok      golang.org/x/crypto/scrypt      0.626s
ok      golang.org/x/crypto/sha3        0.168s
ok      golang.org/x/crypto/ssh 1.290s
ok      golang.org/x/crypto/ssh/agent   0.597s
ok      golang.org/x/crypto/ssh/knownhosts      0.004s
ok      golang.org/x/crypto/ssh/terminal        0.008s
ok      golang.org/x/crypto/ssh/test    0.081s
ok      golang.org/x/crypto/tea 0.002s
ok      golang.org/x/crypto/twofish     0.023s
ok      golang.org/x/crypto/xtea        0.009s
ok      golang.org/x/crypto/xts 0.001s
2019-04-17 13:35:57 -04:00
Jacob Hoffman-Andrews 44c0b11981 Update x/text, grpc, and genproto. (#4158)
This is part of #4116 since the modules system wants higher versions of these.

golang.org/x/text -> v0.3.0
google.golang.org/grpc -> v1.20.0
google.golang.org/genproto -> master

$ go test google.golang.org/genproto/googleapis/rpc/status
?       google.golang.org/genproto/googleapis/rpc/status        [no test
files]

$ go test golang.org/x/text/{secure/bidirule,transform,unicode/bidi,unicode/norm}
-count=1
ok      golang.org/x/text/secure/bidirule       0.016s
ok      golang.org/x/text/transform     0.041s
ok      golang.org/x/text/unicode/bidi  0.007s
ok      golang.org/x/text/unicode/norm  1.800s

$ go test google.golang.org/grpc/{,balancer{,/base,/roundrobin},codes,connectivity,credentials,encoding,encoding/proto,grpclog,internal{,/backoff,/channelz,/envconfig,/grpcrand,/transport},keepalive,metadata,naming,peer,resolver{,/dns,/passthrough},stats,status,tap}
ok      google.golang.org/grpc  22.494s
?       google.golang.org/grpc/balancer [no test files]
?       google.golang.org/grpc/balancer/base    [no test files]
ok      google.golang.org/grpc/balancer/roundrobin      (cached)
ok      google.golang.org/grpc/codes    (cached)
?       google.golang.org/grpc/connectivity     [no test files]
ok      google.golang.org/grpc/credentials      0.015s
?       google.golang.org/grpc/encoding [no test files]
ok      google.golang.org/grpc/encoding/proto   0.056s
ok      google.golang.org/grpc/grpclog  0.001s
?       google.golang.org/grpc/internal [no test files]
?       google.golang.org/grpc/internal/backoff [no test files]
ok      google.golang.org/grpc/internal/channelz        0.034s
?       google.golang.org/grpc/internal/envconfig       [no test files]
?       google.golang.org/grpc/internal/grpcrand        [no test files]
ok      google.golang.org/grpc/internal/transport       81.123s
?       google.golang.org/grpc/keepalive        [no test files]
ok      google.golang.org/grpc/metadata 0.005s
ok      google.golang.org/grpc/naming   0.187s
?       google.golang.org/grpc/peer     [no test files]
?       google.golang.org/grpc/resolver [no test files]
ok      google.golang.org/grpc/resolver/dns     1.594s
?       google.golang.org/grpc/resolver/passthrough     [no test files]
ok      google.golang.org/grpc/stats    0.036s
ok      google.golang.org/grpc/status   0.002s
?       google.golang.org/grpc/tap      [no test files]
2019-04-16 14:25:19 -07:00
Jacob Hoffman-Andrews d2d5f0a328 Update miekg/dns and golang/protobuf. (#4150)
Precursor to #4116. Since some of our dependencies impose a minimum
version on these two packages higher than what we have in Godeps, we'll
have to bump them anyhow. Bumping them independently of the modules
update should keep things a little simpler.

In order to get protobuf tests to pass, I had to update protoc-gen-go in
boulder-tools. Now we download a prebuilt binary instead of using the
Ubuntu package, which is stuck on 3.0.0. This also meant I needed to
re-generate our pb.go files, since the new version generates somewhat
different output.

This happens to change the tag for pbutil, but it's not a substantive change - they just added a tagged version where there was none.

$ go test github.com/miekg/dns/...
ok      github.com/miekg/dns    4.675s
ok      github.com/miekg/dns/dnsutil    0.003s

ok      github.com/golang/protobuf/descriptor   (cached)
ok      github.com/golang/protobuf/jsonpb       (cached)
?       github.com/golang/protobuf/jsonpb/jsonpb_test_proto     [no test files]
ok      github.com/golang/protobuf/proto        (cached)
?       github.com/golang/protobuf/proto/proto3_proto   [no test files]
?       github.com/golang/protobuf/proto/test_proto     [no test files]
ok      github.com/golang/protobuf/protoc-gen-go        (cached)
?       github.com/golang/protobuf/protoc-gen-go/descriptor     [no test files]
ok      github.com/golang/protobuf/protoc-gen-go/generator      (cached)
ok      github.com/golang/protobuf/protoc-gen-go/generator/internal/remap       (cached)
?       github.com/golang/protobuf/protoc-gen-go/grpc   [no test files]
?       github.com/golang/protobuf/protoc-gen-go/plugin [no test files]
ok      github.com/golang/protobuf/ptypes       (cached)
?       github.com/golang/protobuf/ptypes/any   [no test files]
?       github.com/golang/protobuf/ptypes/duration      [no test files]
?       github.com/golang/protobuf/ptypes/empty [no test files]
?       github.com/golang/protobuf/ptypes/struct        [no test files]
?       github.com/golang/protobuf/ptypes/timestamp     [no test files]
?       github.com/golang/protobuf/ptypes/wrappers      [no test files]
2019-04-09 09:27:28 -07:00
Daniel McCarney e44a2f8749
Godeps: bump publicsuffix-go to 34e9f38 (#4135)
This commit updates the `github.com/weppos/publicsuffix-go` dependency
to 34e9f38 - the tip of master at the time of writing.

Unit tests are confirmed to pass:
```
~/go/src/github.com/weppos/publicsuffix-go$ git log --pretty=format:'%h' -n 1
34e9f38

~/go/src/github.com/weppos/publicsuffix-go$ go test ./...
?     github.com/weppos/publicsuffix-go/cmd/load  [no test files]
ok    github.com/weppos/publicsuffix-go/net/publicsuffix  0.005s
ok    github.com/weppos/publicsuffix-go/publicsuffix  0.006s

```
2019-03-29 12:59:58 -04:00
Jacob Hoffman-Andrews 677b9b88ad Remove GSB support. (#4115)
This is no longer enabled in prod; cleaning up the code.

https://community.letsencrypt.org/t/let-s-encrypt-no-longer-checking-google-safe-browsing/82168
2019-03-15 10:24:44 -07:00
Daniel McCarney 77bccd6f1d Godeps: update weppos/publicsuffix-go to 26bf87f. (#4083)
Update the `github.com/weppos/publicsuffix-go` dependency to 26bf87f,
the tip of master at the time of writing.

Unit tests are confirmed to pass:

```
~/go/src/github.com/weppos/publicsuffix-go$ git log --pretty=format:'%h' -n 1
26bf87f

~/go/src/github.com/weppos/publicsuffix-go$ go test ./...
?     github.com/weppos/publicsuffix-go/cmd/load  [no test files]
ok    github.com/weppos/publicsuffix-go/net/publicsuffix  0.005s
ok    github.com/weppos/publicsuffix-go/publicsuffix  0.005s
```
2019-02-22 10:00:03 -08:00
Daniel McCarney b88681737a Godeps: Bump zlint to f38bd22. (#4063) (#4065)
The vendored copy of `github.com/zmap/zlint` is updated to
f38bd22 - the tip of master at the time of writing.

This pulls in a new deprecated gTLD: `.active`.

Unit tests are confirmed to pass:

```
~/go/src/github.com/zmap/zlint$ git log --pretty=format:'%h' -n 1
f38bd22

~/go/src/github.com/zmap/zlint$ go test ./...
ok    github.com/zmap/zlint 0.220s
?     github.com/zmap/zlint/cmd/zlint [no test files]
?     github.com/zmap/zlint/cmd/zlint-gtld-update [no test files]
ok    github.com/zmap/zlint/lints 0.270s
ok    github.com/zmap/zlint/util  0.015s
```
2019-02-19 11:19:31 -08:00
Daniel McCarney 41adb1cef9 Godeps: Bump zlint to b2aa746. (#4063)
The vendored copy of `github.com/zmap/zlint` is updated to b2aa746 - the
tip of master at the time of writing.

This pulls in two deprecated gTLDs (`.zippo`, `.epost`).

```
~/go/src/github.com/zmap/zlint$ git log --pretty=format:'%h' -n 1
b2aa746

~/go/src/github.com/zmap/zlint$ go test ./...
ok    github.com/zmap/zlint 0.212s
?     github.com/zmap/zlint/cmd/zlint [no test files]
?     github.com/zmap/zlint/cmd/zlint-gtld-update [no test files]
ok    github.com/zmap/zlint/lints 0.210s
ok    github.com/zmap/zlint/util  0.006s
```
2019-02-15 14:16:22 -08:00
Daniel McCarney 2b65b61c7c Godeps: Bump zlint to fbc0b69. (#4057)
The vendored copy of `github.com/zmap/zlint` is updated to fbc0b69 - the
tip of master at the time of writing.

This pulls in a deprecated gTLD (`.blanco`).

Unit tests are confirmed to pass:
```
~/go/src/github.com/zmap/zlint$ git log --pretty=format:'%h' -n 1
fbc0b69

~/go/src/github.com/zmap/zlint$ go test ./...
ok    github.com/zmap/zlint 0.215s
?     github.com/zmap/zlint/cmd/zlint [no test files]
?     github.com/zmap/zlint/cmd/zlint-gtld-update [no test files]
ok    github.com/zmap/zlint/lints 0.270s
ok    github.com/zmap/zlint/util  0.007s
```
2019-02-14 12:43:33 -08:00
Daniel McCarney 29a7f96d18 Godeps: Bump zlint to bb32118 (#4045)
The vendored copy of `github.com/zmap/zlint` is updated to bb32118 - the
tip of master at the time of writing.

This pulls in an updated `gtld_map.go` and a few new lints.

Unit tests are confirmed to pass:
```
$ go test ./...
ok    github.com/zmap/zlint (cached)
?     github.com/zmap/zlint/cmd/zlint [no test files]
?     github.com/zmap/zlint/cmd/zlint-gtld-update [no test files]
ok    github.com/zmap/zlint/lints (cached)
ok    github.com/zmap/zlint/util  (cached)
```
2019-02-11 10:47:29 -08:00
Daniel McCarney b29c762167 CI/Dev: Update Go 1.11.3 -> 1.11.4, update challtestsrv. (#3996)
1. Updates both boulder tools images to use an updated `pebble-challtestsrv`
2. Updates the Go 1.11.3 boulder tools image to Go 1.11.4
3. Updates the vendored `challtestsrv` dep to 1.0.2

This fixes a panic in the `challtestsrv` library and prepares us to move directly 
to 1.11.4 after we've resolved the outstanding issues keeping us on the 1.10.x 
stream in prod/staging.

There are no unit tests to run for item 3.
2019-01-09 11:27:43 -08:00
Daniel McCarney 893e8459d6
Use pebble-challtestsrv cmd, letsencrypt/challtestsrv package. (#3980)
Now that Pebble has a `pebble-challtestsrv` we can remove the `challtestsrv`
package and associated command from Boulder. I switched CI to use
`pebble-challtestsrv`. Notably this means that we have to add our expected mock
data using the HTTP management interface. The Boulder-tools images are
regenerated to include the `pebble-challtestsrv` command.

Using this approach also allows separating the TLS-ALPN-01 and HTTPS HTTP-01
challenges by binding each challenge type in the `pebble-challtestsrv` to
different interfaces both using the same VA HTTPS port. Mock DNS directs the VA
to the correct interface.

The load-generator command that was previously using the `challtestsrv` package
from Boulder is updated to use a vendored copy of the new
`github.org/letsencrypt/challtestsrv` package.

Vendored dependencies change in two ways:
1) Gomock is updated to the latest release (matching what the Bouldertools image
   provides)
2) A couple of new subpackages in `golang.org/x/net/` are added by way of
   transitive dependency through the challtestsrv package.

Unit tests are confirmed to pass for `gomock`:
```
~/go/src/github.com/golang/mock/gomock$ git log --pretty=format:'%h' -n 1
51421b9
~/go/src/github.com/golang/mock/gomock$ go test ./...
ok    github.com/golang/mock/gomock 0.002s
?     github.com/golang/mock/gomock/internal/mock_matcher [no test files]
```
For `/x/net` all tests pass except two `/x/net/icmp` `TestDiag.go` test cases
that we have agreed are OK to ignore.

Resolves https://github.com/letsencrypt/boulder/issues/3962 and
https://github.com/letsencrypt/boulder/issues/3951
2018-12-12 14:32:56 -05:00
Daniel McCarney c06503319c Godeps: Update google/certificate-transparency-go to c25855a. (#3948)
This updates Boulder's vendored dependency for `github.com/google/certificate-transparency-go` to c25855a, the tip of master at the time of writing.

Unit tests are confirmed to pass:

```
$ git log --pretty=format:'%h' -n 1
c25855a

$ go test ./...
ok    github.com/google/certificate-transparency-go (cached)
ok    github.com/google/certificate-transparency-go/asn1  (cached)
ok    github.com/google/certificate-transparency-go/client  22.985s
?     github.com/google/certificate-transparency-go/client/configpb [no test files]
?     github.com/google/certificate-transparency-go/client/ctclient [no test files]
ok    github.com/google/certificate-transparency-go/ctpolicy  (cached)
ok    github.com/google/certificate-transparency-go/ctutil  (cached)
?     github.com/google/certificate-transparency-go/ctutil/sctcheck [no test files]
?     github.com/google/certificate-transparency-go/ctutil/sctscan  [no test files]
ok    github.com/google/certificate-transparency-go/dnsclient (cached)
ok    github.com/google/certificate-transparency-go/fixchain  0.091s
?     github.com/google/certificate-transparency-go/fixchain/chainfix [no test files]
ok    github.com/google/certificate-transparency-go/fixchain/ratelimiter  (cached)
ok    github.com/google/certificate-transparency-go/gossip  (cached)
?     github.com/google/certificate-transparency-go/gossip/gossip_server  [no test files]
ok    github.com/google/certificate-transparency-go/gossip/minimal  0.028s
?     github.com/google/certificate-transparency-go/gossip/minimal/configpb [no test files]
?     github.com/google/certificate-transparency-go/gossip/minimal/goshawk  [no test files]
?     github.com/google/certificate-transparency-go/gossip/minimal/gosmin [no test files]
ok    github.com/google/certificate-transparency-go/gossip/minimal/x509ext  (cached)
ok    github.com/google/certificate-transparency-go/ingestor/ranges (cached)
ok    github.com/google/certificate-transparency-go/jsonclient  0.007s
ok    github.com/google/certificate-transparency-go/logid (cached)
ok    github.com/google/certificate-transparency-go/loglist (cached)
?     github.com/google/certificate-transparency-go/loglist/findlog [no test files]
ok    github.com/google/certificate-transparency-go/loglist2  (cached)
?     github.com/google/certificate-transparency-go/preload [no test files]
?     github.com/google/certificate-transparency-go/preload/dumpscts  [no test files]
?     github.com/google/certificate-transparency-go/preload/preloader [no test files]
ok    github.com/google/certificate-transparency-go/scanner 0.009s
?     github.com/google/certificate-transparency-go/scanner/scanlog [no test files]
ok    github.com/google/certificate-transparency-go/tls (cached)
ok    github.com/google/certificate-transparency-go/trillian/ctfe (cached)
?     github.com/google/certificate-transparency-go/trillian/ctfe/configpb  [no test files]
?     github.com/google/certificate-transparency-go/trillian/ctfe/ct_server [no test files]
?     github.com/google/certificate-transparency-go/trillian/ctfe/testonly  [no test files]
ok    github.com/google/certificate-transparency-go/trillian/integration  0.023s
?     github.com/google/certificate-transparency-go/trillian/integration/ct_hammer  [no test files]
?     github.com/google/certificate-transparency-go/trillian/migrillian [no test files]
?     github.com/google/certificate-transparency-go/trillian/migrillian/configpb  [no test files]
ok    github.com/google/certificate-transparency-go/trillian/migrillian/core  (cached)
?     github.com/google/certificate-transparency-go/trillian/mockclient [no test files]
ok    github.com/google/certificate-transparency-go/trillian/util (cached)
ok    github.com/google/certificate-transparency-go/x509  (cached)
?     github.com/google/certificate-transparency-go/x509/pkix [no test files]
?     github.com/google/certificate-transparency-go/x509util  [no test files]
?     github.com/google/certificate-transparency-go/x509util/certcheck  [no test files]
?     github.com/google/certificate-transparency-go/x509util/crlcheck [no test files]
```
2018-11-28 16:11:57 -08:00
Daniel McCarney 37c54a956d Godeps: Update publicsuffix-go to 928ba98. (#3924)
928ba98 is the tip of master at the time of writing. Notably this pulls in the removal of the `.statoil` gTLD [revoked by IANA](https://www.iana.org/reports/tld-transfer/20181003-statoil).

Unit tests are confirmed to pass:

```
$> git log --pretty=format:'%h' -n 1
928ba98

$> go test ./...
?     github.com/weppos/publicsuffix-go/cmd/load  [no test files]
ok    github.com/weppos/publicsuffix-go/net/publicsuffix  0.006s
ok    github.com/weppos/publicsuffix-go/publicsuffix  0.005s
```
2018-11-09 15:12:23 -08:00
Daniel McCarney 3bb0657175 Godeps: Update publicsuffix-go to 84b6b91 (#3912)
84b6b91 is the tip of master at the time of writing. Unit tests are
confirmed to pass:
```
$> git log --pretty=format:'%h' -n 1
84b6b91

$> go test ./...
?     github.com/weppos/publicsuffix-go/cmd/load  [no test files]
ok    github.com/weppos/publicsuffix-go/net/publicsuffix  0.004s
ok    github.com/weppos/publicsuffix-go/publicsuffix  0.005s
```
2018-10-29 11:01:04 -07:00
Jacob Hoffman-Andrews 6354cccd03 Update gRPC to v1.16.0. (#3901)
Fixes #3837

```
$ go test google.golang.org/grpc/...
ok      google.golang.org/grpc  24.275s
?       google.golang.org/grpc/balancer [no test files]
?       google.golang.org/grpc/balancer/base    [no test files]
ok      google.golang.org/grpc/balancer/grpclb  7.271s
?       google.golang.org/grpc/balancer/grpclb/grpc_lb_v1       [no test files]
ok      google.golang.org/grpc/balancer/roundrobin      0.427s
ok      google.golang.org/grpc/benchmark        0.006s [no tests to run]
?       google.golang.org/grpc/benchmark/benchmain      [no test files]
?       google.golang.org/grpc/benchmark/benchresult    [no test files]
?       google.golang.org/grpc/benchmark/client [no test files]
?       google.golang.org/grpc/benchmark/grpc_testing   [no test files]
ok      google.golang.org/grpc/benchmark/latency        1.012s
ok      google.golang.org/grpc/benchmark/primitives     0.036s [no tests to run]
?       google.golang.org/grpc/benchmark/server [no test files]
?       google.golang.org/grpc/benchmark/stats  [no test files]
?       google.golang.org/grpc/benchmark/worker [no test files]
?       google.golang.org/grpc/binarylog/grpc_binarylog_v1      [no test files]
?       google.golang.org/grpc/channelz/grpc_channelz_v1        [no test files]
ok      google.golang.org/grpc/channelz/service 0.024s
ok      google.golang.org/grpc/codes    0.006s
?       google.golang.org/grpc/connectivity     [no test files]
ok      google.golang.org/grpc/credentials      0.014s
ok      google.golang.org/grpc/credentials/alts 0.009s
?       google.golang.org/grpc/credentials/alts/internal        [no test files]
ok      google.golang.org/grpc/credentials/alts/internal/authinfo       0.006s
ok      google.golang.org/grpc/credentials/alts/internal/conn   0.133s
ok      google.golang.org/grpc/credentials/alts/internal/handshaker     0.045s
ok      google.golang.org/grpc/credentials/alts/internal/handshaker/service     0.013s
?       google.golang.org/grpc/credentials/alts/internal/proto/grpc_gcp [no test files]
?       google.golang.org/grpc/credentials/alts/internal/testutil       [no test files]
?       google.golang.org/grpc/credentials/google       [no test files]
?       google.golang.org/grpc/credentials/oauth        [no test files]
?       google.golang.org/grpc/encoding [no test files]
?       google.golang.org/grpc/encoding/gzip    [no test files]
ok      google.golang.org/grpc/encoding/proto   0.075s
?       google.golang.org/grpc/examples/helloworld/greeter_client       [no test files]
?       google.golang.org/grpc/examples/helloworld/greeter_server       [no test files]
?       google.golang.org/grpc/examples/helloworld/helloworld   [no test files]
ok      google.golang.org/grpc/examples/helloworld/mock_helloworld      0.011s
?       google.golang.org/grpc/examples/oauth/client    [no test files]
?       google.golang.org/grpc/examples/oauth/server    [no test files]
?       google.golang.org/grpc/examples/route_guide/client      [no test files]
ok      google.golang.org/grpc/examples/route_guide/mock_routeguide     0.039s
?       google.golang.org/grpc/examples/route_guide/routeguide  [no test files]
?       google.golang.org/grpc/examples/route_guide/server      [no test files]
?       google.golang.org/grpc/examples/rpc_errors/client       [no test files]
?       google.golang.org/grpc/examples/rpc_errors/server       [no test files]
ok      google.golang.org/grpc/grpclog  0.007s
?       google.golang.org/grpc/grpclog/glogger  [no test files]
ok      google.golang.org/grpc/health   0.005s
?       google.golang.org/grpc/health/grpc_health_v1    [no test files]
?       google.golang.org/grpc/internal [no test files]
?       google.golang.org/grpc/internal/backoff [no test files]
ok      google.golang.org/grpc/internal/binarylog       0.006s
ok      google.golang.org/grpc/internal/channelz        0.012s
?       google.golang.org/grpc/internal/envconfig       [no test files]
?       google.golang.org/grpc/internal/grpcrand        [no test files]
ok      google.golang.org/grpc/internal/grpcsync        0.013s
ok      google.golang.org/grpc/internal/leakcheck       4.052s
?       google.golang.org/grpc/internal/syscall [no test files]
ok      google.golang.org/grpc/internal/testutils       0.002s
ok      google.golang.org/grpc/internal/transport       81.968s
?       google.golang.org/grpc/interop  [no test files]
?       google.golang.org/grpc/interop/alts/client      [no test files]
?       google.golang.org/grpc/interop/alts/server      [no test files]
?       google.golang.org/grpc/interop/client   [no test files]
?       google.golang.org/grpc/interop/fake_grpclb      [no test files]
?       google.golang.org/grpc/interop/grpc_testing     [no test files]
?       google.golang.org/grpc/interop/http2    [no test files]
?       google.golang.org/grpc/interop/server   [no test files]
?       google.golang.org/grpc/keepalive        [no test files]
ok      google.golang.org/grpc/metadata 0.006s
ok      google.golang.org/grpc/naming   0.159s
?       google.golang.org/grpc/peer     [no test files]
ok      google.golang.org/grpc/reflection       0.016s
?       google.golang.org/grpc/reflection/grpc_reflection_v1alpha       [no test files]
?       google.golang.org/grpc/reflection/grpc_testing  [no test files]
?       google.golang.org/grpc/reflection/grpc_testingv3        [no test files]
?       google.golang.org/grpc/resolver [no test files]
ok      google.golang.org/grpc/resolver/dns     1.370s
?       google.golang.org/grpc/resolver/manual  [no test files]
?       google.golang.org/grpc/resolver/passthrough     [no test files]
ok      google.golang.org/grpc/stats    0.104s
?       google.golang.org/grpc/stats/grpc_testing       [no test files]
ok      google.golang.org/grpc/status   0.017s
?       google.golang.org/grpc/stress/client    [no test files]
?       google.golang.org/grpc/stress/grpc_testing      [no test files]
?       google.golang.org/grpc/stress/metrics_client    [no test files]
?       google.golang.org/grpc/tap      [no test files]
ok      google.golang.org/grpc/test     33.866s
ok      google.golang.org/grpc/test/bufconn     0.005s
?       google.golang.org/grpc/test/codec_perf  [no test files]
?       google.golang.org/grpc/test/go_vet      [no test files]
?       google.golang.org/grpc/test/grpc_testing        [no test files]
```
2018-10-25 12:19:40 -07:00
Jacob Hoffman-Andrews 3e1dc2e0bc Update gorp.v2 to latest. (#3891)
```
$ GORP_TEST_DIALECT=gomysql \
  GORP_TEST_DSN="root@tcp(10.77.77.2:3306)/boulder_sa_integration" \
  go test gopkg.in/go-gorp/gorp.v2
ok      gopkg.in/go-gorp/gorp.v2        24.283s
```

Fixes #3890 
Fixes #3488 
Part of #2819
2018-10-19 11:26:56 -07:00
Daniel McCarney 0bfbab3bb4 This updates our zlint dependency to 34b7be2e59 - the tip of master at the time of writing. Notably this brings in a gTLD map update that marks several TLDs as removed. (#3866)
Unit tests are confirmed to pass:
```
$> git rev-parse HEAD
34b7be2e59081f4bbe6970785e021e6bf0741f2a

$> go test ./...
ok    github.com/zmap/zlint 0.224s
?     github.com/zmap/zlint/cmd/zlint [no test files]
?     github.com/zmap/zlint/cmd/zlint-gtld-update [no test files]
ok    github.com/zmap/zlint/lints 0.121s
ok    github.com/zmap/zlint/util  0.008s
```
2018-09-21 10:35:43 -07:00
Daniel McCarney 134dc68d14 Godeps: Update vendored zlint to 8093f21. (#3852)
This updates our zlint dependency to 8093f211c4 - the tip of master at the time of writing. Notably this brings in a gTLD map that has effective periods so cert-checker can catch issuance for removed gTLDs after their removal date. 

Unit tests are confirmed to pass:
```
$> git rev-parse HEAD
8093f211c43679b1ade744d238a02ba1f0c07371

$> go test ./...
ok      github.com/zmap/zlint   0.284s
?       github.com/zmap/zlint/cmd/zlint [no test files]
?       github.com/zmap/zlint/cmd/zlint-gtld-update     [no test files]
ok      github.com/zmap/zlint/lints     0.165s
ok      github.com/zmap/zlint/util      0.005s
```
2018-09-11 18:43:26 -07:00
Roland Bracewell Shoemaker 9b94d4fdfe Add an orphan queue to the CA (#3832)
Retains the existing logging of orphaned certs until we are confident that this
solution can fully replace it (even then we may want to keep it just for auditing etc).

Fixes #3636.
2018-09-05 11:12:07 -07:00
Roland Bracewell Shoemaker 00be0627bd Add a stats shim to ocsp-responder (#3841)
Fixes #3836.

```
$ ./test.sh
ok  	github.com/cloudflare/cfssl/api	1.023s	coverage: 81.1% of statements
ok  	github.com/cloudflare/cfssl/api/bundle	1.464s	coverage: 87.2% of statements
ok  	github.com/cloudflare/cfssl/api/certadd	16.766s	coverage: 86.8% of statements
ok  	github.com/cloudflare/cfssl/api/client	1.062s	coverage: 51.9% of statements
ok  	github.com/cloudflare/cfssl/api/crl	1.075s	coverage: 75.0% of statements
ok  	github.com/cloudflare/cfssl/api/gencrl	1.038s	coverage: 72.5% of statements
ok  	github.com/cloudflare/cfssl/api/generator	1.478s	coverage: 33.3% of statements
ok  	github.com/cloudflare/cfssl/api/info	1.085s	coverage: 84.1% of statements
ok  	github.com/cloudflare/cfssl/api/initca	1.050s	coverage: 90.5% of statements
ok  	github.com/cloudflare/cfssl/api/ocsp	1.114s	coverage: 93.8% of statements
ok  	github.com/cloudflare/cfssl/api/revoke	3.063s	coverage: 75.0% of statements
ok  	github.com/cloudflare/cfssl/api/scan	2.988s	coverage: 62.1% of statements
ok  	github.com/cloudflare/cfssl/api/sign	2.680s	coverage: 83.3% of statements
ok  	github.com/cloudflare/cfssl/api/signhandler	1.114s	coverage: 26.3% of statements
ok  	github.com/cloudflare/cfssl/auth	1.010s	coverage: 68.2% of statements
ok  	github.com/cloudflare/cfssl/bundler	22.078s	coverage: 84.5% of statements
ok  	github.com/cloudflare/cfssl/certdb/dbconf	1.013s	coverage: 84.2% of statements
ok  	github.com/cloudflare/cfssl/certdb/ocspstapling	1.302s	coverage: 69.2% of statements
ok  	github.com/cloudflare/cfssl/certdb/sql	1.223s	coverage: 70.5% of statements
ok  	github.com/cloudflare/cfssl/cli	1.014s	coverage: 62.5% of statements
ok  	github.com/cloudflare/cfssl/cli/bundle	1.011s	coverage: 0.0% of statements [no tests to run]
ok  	github.com/cloudflare/cfssl/cli/crl	1.086s	coverage: 57.8% of statements
ok  	github.com/cloudflare/cfssl/cli/gencert	7.927s	coverage: 83.6% of statements
ok  	github.com/cloudflare/cfssl/cli/gencrl	1.064s	coverage: 73.3% of statements
ok  	github.com/cloudflare/cfssl/cli/gencsr	1.058s	coverage: 70.3% of statements
ok  	github.com/cloudflare/cfssl/cli/genkey	2.718s	coverage: 70.0% of statements
ok  	github.com/cloudflare/cfssl/cli/ocsprefresh	1.077s	coverage: 64.3% of statements
ok  	github.com/cloudflare/cfssl/cli/revoke	1.033s	coverage: 88.2% of statements
ok  	github.com/cloudflare/cfssl/cli/scan	1.014s	coverage: 36.0% of statements
ok  	github.com/cloudflare/cfssl/cli/selfsign	2.342s	coverage: 73.2% of statements
ok  	github.com/cloudflare/cfssl/cli/serve	1.076s	coverage: 38.2% of statements
ok  	github.com/cloudflare/cfssl/cli/sign	1.070s	coverage: 54.8% of statements
ok  	github.com/cloudflare/cfssl/cli/version	1.011s	coverage: 100.0% of statements
ok  	github.com/cloudflare/cfssl/cmd/cfssl	1.028s	coverage: 0.0% of statements [no tests to run]
ok  	github.com/cloudflare/cfssl/cmd/cfssljson	1.012s	coverage: 3.4% of statements
ok  	github.com/cloudflare/cfssl/cmd/mkbundle	1.011s	coverage: 0.0% of statements [no tests to run]
ok  	github.com/cloudflare/cfssl/config	1.023s	coverage: 67.7% of statements
ok  	github.com/cloudflare/cfssl/crl	1.054s	coverage: 68.3% of statements
ok  	github.com/cloudflare/cfssl/csr	8.473s	coverage: 89.6% of statements
ok  	github.com/cloudflare/cfssl/errors	1.014s	coverage: 79.6% of statements
ok  	github.com/cloudflare/cfssl/helpers	1.216s	coverage: 80.6% of statements
ok  	github.com/cloudflare/cfssl/helpers/derhelpers	1.017s	coverage: 48.0% of statements
ok  	github.com/cloudflare/cfssl/helpers/testsuite	7.826s	coverage: 65.8% of statements
ok  	github.com/cloudflare/cfssl/initca	151.314s	coverage: 73.2% of statements
ok  	github.com/cloudflare/cfssl/log	1.013s	coverage: 59.3% of statements
ok  	github.com/cloudflare/cfssl/multiroot/config	1.258s	coverage: 77.4% of statements
ok  	github.com/cloudflare/cfssl/ocsp	1.353s	coverage: 75.1% of statements
ok  	github.com/cloudflare/cfssl/revoke	1.149s	coverage: 75.0% of statements
ok  	github.com/cloudflare/cfssl/scan	1.023s	coverage: 1.1% of statements
skipped github.com/cloudflare/cfssl/scan/crypto/md5
skipped github.com/cloudflare/cfssl/scan/crypto/rsa
skipped github.com/cloudflare/cfssl/scan/crypto/sha1
skipped github.com/cloudflare/cfssl/scan/crypto/sha256
skipped github.com/cloudflare/cfssl/scan/crypto/sha512
skipped github.com/cloudflare/cfssl/scan/crypto/tls
ok  	github.com/cloudflare/cfssl/selfsign	1.098s	coverage: 70.0% of statements
ok  	github.com/cloudflare/cfssl/signer	1.020s	coverage: 19.4% of statements
ok  	github.com/cloudflare/cfssl/signer/local	4.886s	coverage: 77.9% of statements
ok  	github.com/cloudflare/cfssl/signer/remote	2.500s	coverage: 70.0% of statements
ok  	github.com/cloudflare/cfssl/signer/universal	2.228s	coverage: 67.7% of statements
ok  	github.com/cloudflare/cfssl/transport	1.012s
ok  	github.com/cloudflare/cfssl/transport/ca/localca	1.046s	coverage: 94.9% of statements
ok  	github.com/cloudflare/cfssl/transport/kp	1.050s	coverage: 37.1% of statements
ok  	github.com/cloudflare/cfssl/ubiquity	1.037s	coverage: 88.3% of statements
ok  	github.com/cloudflare/cfssl/whitelist	3.519s	coverage: 100.0% of statements
...

$ go test ./...                                                                                                                         (master✱)
ok  	golang.org/x/crypto/acme	2.782s
ok  	golang.org/x/crypto/acme/autocert	2.963s
?   	golang.org/x/crypto/acme/autocert/internal/acmetest	[no test files]
ok  	golang.org/x/crypto/argon2	0.047s
ok  	golang.org/x/crypto/bcrypt	4.694s
ok  	golang.org/x/crypto/blake2b	0.056s
ok  	golang.org/x/crypto/blake2s	0.050s
ok  	golang.org/x/crypto/blowfish	0.015s
ok  	golang.org/x/crypto/bn256	0.460s
ok  	golang.org/x/crypto/cast5	4.204s
ok  	golang.org/x/crypto/chacha20poly1305	0.560s
ok  	golang.org/x/crypto/cryptobyte	0.014s
?   	golang.org/x/crypto/cryptobyte/asn1	[no test files]
ok  	golang.org/x/crypto/curve25519	0.025s
ok  	golang.org/x/crypto/ed25519	0.073s
?   	golang.org/x/crypto/ed25519/internal/edwards25519	[no test files]
ok  	golang.org/x/crypto/hkdf	0.012s
ok  	golang.org/x/crypto/internal/chacha20	0.047s
ok  	golang.org/x/crypto/internal/subtle	0.011s
ok  	golang.org/x/crypto/md4	0.013s
ok  	golang.org/x/crypto/nacl/auth	9.226s
ok  	golang.org/x/crypto/nacl/box	0.016s
ok  	golang.org/x/crypto/nacl/secretbox	0.012s
ok  	golang.org/x/crypto/nacl/sign	0.012s
ok  	golang.org/x/crypto/ocsp	0.047s
ok  	golang.org/x/crypto/openpgp	8.872s
ok  	golang.org/x/crypto/openpgp/armor	0.012s
ok  	golang.org/x/crypto/openpgp/clearsign	16.984s
ok  	golang.org/x/crypto/openpgp/elgamal	0.013s
?   	golang.org/x/crypto/openpgp/errors	[no test files]
ok  	golang.org/x/crypto/openpgp/packet	0.159s
ok  	golang.org/x/crypto/openpgp/s2k	7.597s
ok  	golang.org/x/crypto/otr	0.612s
ok  	golang.org/x/crypto/pbkdf2	0.045s
ok  	golang.org/x/crypto/pkcs12	0.073s
ok  	golang.org/x/crypto/pkcs12/internal/rc2	0.013s
ok  	golang.org/x/crypto/poly1305	0.016s
ok  	golang.org/x/crypto/ripemd160	0.034s
ok  	golang.org/x/crypto/salsa20	0.013s
ok  	golang.org/x/crypto/salsa20/salsa	0.013s
ok  	golang.org/x/crypto/scrypt	0.942s
ok  	golang.org/x/crypto/sha3	0.140s
ok  	golang.org/x/crypto/ssh	0.939s
ok  	golang.org/x/crypto/ssh/agent	0.529s
ok  	golang.org/x/crypto/ssh/knownhosts	0.027s
ok  	golang.org/x/crypto/ssh/terminal	0.016s
ok  	golang.org/x/crypto/tea	0.010s
ok  	golang.org/x/crypto/twofish	0.019s
ok  	golang.org/x/crypto/xtea	0.012s
ok  	golang.org/x/crypto/xts	0.016s
```
2018-09-04 16:10:03 -07:00
Simone Carletti 36a1ded4a6 Update publicsuffix-go to 6f3c5059 (#3826)
Incorporates performance improvements.
2018-08-24 09:05:24 -04:00
Daniel McCarney 4ed1ddb30e Godeps: Update zlint dependency to 02fe9a2 (tip of master) (#3822)
Notably this brings an [updated gTLD list](https://github.com/zmap/zlint/pull/233).

Tests are confirmed to pass:
```
go test ./...
ok    github.com/zmap/zlint 0.157s
?     github.com/zmap/zlint/cmd/zlint [no test files]
ok    github.com/zmap/zlint/lints 0.130s
ok    github.com/zmap/zlint/util  0.005s
```
2018-08-22 10:46:00 -07:00
Roland Bracewell Shoemaker 876c727b6f Update gRPC (#3817)
Fixes #3474.
2018-08-20 10:55:42 -04:00
Simone Carletti 77c2071392 Update publicsuffix-go to cbbcd04 (#3814)
The previous update was just [9 days ago](https://github.com/letsencrypt/boulder/pull/3808). However, since we merged some changes into the PSL that are related to IANA TLDs I thought about providing an immediate patch.

Tests are passing:

```
➜  ~ cd ~/go/src/github.com/weppos/publicsuffix-go
➜  publicsuffix-go git:(master) GOCACHE=off  go test ./...
?   	github.com/weppos/publicsuffix-go/cmd/load	[no test files]
ok  	github.com/weppos/publicsuffix-go/net/publicsuffix	0.021s
ok  	github.com/weppos/publicsuffix-go/publicsuffix	0.034s
```
2018-08-09 13:03:09 -07:00
Daniel McCarney 139276b171 Godeps: Update publicsuffix-go to b8c0530. (#3808)
This commit updates the vendored `publicsuffix-go` dependency to [b8c0530](b8c0530c1a), the tip of master at the time of writing.

Unit tests confirmed to pass:
```
~/go/src/github.com/weppos/publicsuffix-go/publicsuffix$ go test ./...
?   	github.com/weppos/publicsuffix-go/cmd/load	[no test files]
ok  	github.com/weppos/publicsuffix-go/net/publicsuffix	0.007s
ok  	github.com/weppos/publicsuffix-go/publicsuffix	0.024s
```

Resolves #3807
2018-07-31 13:23:13 -07:00
Roland Bracewell Shoemaker 72949d5915
Switch from globalsign/certlint to zmap/zlint (#3745)
Switch linting library to zmap/zlint.

```
github.com/zmap/zlint$ go test ./...
ok  	github.com/zmap/zlint	0.190s
?   	github.com/zmap/zlint/cmd/zlint	[no test files]
ok  	github.com/zmap/zlint/lints	0.216s
ok  	github.com/zmap/zlint/util	(cached)
```
2018-06-04 17:47:06 -07:00
Daniel McCarney 4aacecc318 Godeps: Update `weppos/publicsuffix-go` to 67ec7c1. (#3717)
This commit updates the `github.com/weppos/publicsuffix-go` dependency to
67ec7c1, the tip of master at the time of writing.

Unit tests are verified to pass:

```
$ go test ./...
?   	github.com/weppos/publicsuffix-go/cmd/load	[no test files]
ok  	github.com/weppos/publicsuffix-go/net/publicsuffix	(cached)
ok  	github.com/weppos/publicsuffix-go/publicsuffix	(cached)
```
2018-05-16 10:45:39 -07:00
Roland Bracewell Shoemaker e3eb3019b2 Update golang.org/x/net (#3695)
Updates `golang.org/x/net` to master (d11bb6cd).

```
$ go test ./...
ok  	golang.org/x/net/bpf	(cached)
ok  	golang.org/x/net/context	(cached)
ok  	golang.org/x/net/context/ctxhttp	(cached)
?   	golang.org/x/net/dict	[no test files]
ok  	golang.org/x/net/dns/dnsmessage	(cached)
ok  	golang.org/x/net/html	(cached)
ok  	golang.org/x/net/html/atom	(cached)
ok  	golang.org/x/net/html/charset	(cached)
ok  	golang.org/x/net/http/httpguts	(cached)
ok  	golang.org/x/net/http/httpproxy	(cached)
ok  	golang.org/x/net/http2	(cached)
?   	golang.org/x/net/http2/h2i	[no test files]
ok  	golang.org/x/net/http2/hpack	(cached)
ok  	golang.org/x/net/icmp	0.199s
ok  	golang.org/x/net/idna	(cached)
?   	golang.org/x/net/internal/iana	[no test files]
?   	golang.org/x/net/internal/nettest	[no test files]
ok  	golang.org/x/net/internal/socket	(cached)
ok  	golang.org/x/net/internal/socks	(cached)
ok  	golang.org/x/net/internal/sockstest	(cached)
ok  	golang.org/x/net/internal/timeseries	(cached)
ok  	golang.org/x/net/ipv4	(cached)
ok  	golang.org/x/net/ipv6	(cached)
ok  	golang.org/x/net/nettest	(cached)
ok  	golang.org/x/net/netutil	(cached)
ok  	golang.org/x/net/proxy	(cached)
ok  	golang.org/x/net/publicsuffix	(cached)
ok  	golang.org/x/net/trace	(cached)
ok  	golang.org/x/net/webdav	(cached)
ok  	golang.org/x/net/webdav/internal/xml	(cached)
ok  	golang.org/x/net/websocket	(cached)
ok  	golang.org/x/net/xsrftoken	(cached)
```

Fixes #3692.
2018-05-08 10:38:32 -07:00
Daniel McCarney cb548e32f0 Godeps: Update publicsuffix-go to tip of master. (#3655)
This PR updates the Boulder github.com/weppos/publicsuffix-go dependency to
weppos/publicsuffix-go@542377b - the tip of master at the time of writing.

Unit tests are confirmed to pass:

```
$ go test ./...
?     github.com/weppos/publicsuffix-go/cmd/load  [no test files]
ok    github.com/weppos/publicsuffix-go/net/publicsuffix  0.005s
ok    github.com/weppos/publicsuffix-go/publicsuffix  0.022s
```

Notably this update adds the .sport TLD and we've had some requests to support issuance for domains under this newly created TLD.
2018-04-19 10:24:12 -07:00
Daniel McCarney 590dca0fe1
Cert-checker: Update certlint, add CN/SAN==PSL err ignore. (#3600)
* Update `globalsign/certlint` to d4a45be.

This commit updates the `github.com/globalsign/certlint` dependency to
the latest tip of master (d4a45be06892f3e664f69892aca79a48df510be0).

Unit tests are confirmed to pass:
```
$ go test ./...
ok    github.com/globalsign/certlint  3.816s
ok    github.com/globalsign/certlint/asn1 (cached)
?     github.com/globalsign/certlint/certdata [no test files]
?     github.com/globalsign/certlint/checks [no test files]
?     github.com/globalsign/certlint/checks/certificate/aiaissuers  [no
test files]
?     github.com/globalsign/certlint/checks/certificate/all [no test
files]
?     github.com/globalsign/certlint/checks/certificate/basicconstraints
[no test files]
?     github.com/globalsign/certlint/checks/certificate/extensions  [no
test files]
?     github.com/globalsign/certlint/checks/certificate/extkeyusage [no
test files]
ok    github.com/globalsign/certlint/checks/certificate/internal
(cached)
?     github.com/globalsign/certlint/checks/certificate/issuerdn  [no
test files]
?     github.com/globalsign/certlint/checks/certificate/keyusage  [no
test files]
?     github.com/globalsign/certlint/checks/certificate/publickey [no
test files]
?     github.com/globalsign/certlint/checks/certificate/publickey/goodkey
[no test files]
ok    github.com/globalsign/certlint/checks/certificate/publicsuffix
(cached)
?     github.com/globalsign/certlint/checks/certificate/revocation  [no
test files]
?     github.com/globalsign/certlint/checks/certificate/serialnumber
[no test files]
?     github.com/globalsign/certlint/checks/certificate/signaturealgorithm
[no test files]
ok    github.com/globalsign/certlint/checks/certificate/subject (cached)
ok    github.com/globalsign/certlint/checks/certificate/subjectaltname
(cached)
?     github.com/globalsign/certlint/checks/certificate/validity  [no
test files]
?     github.com/globalsign/certlint/checks/certificate/version [no test
files]
?     github.com/globalsign/certlint/checks/certificate/wildcard  [no
test files]
?     github.com/globalsign/certlint/checks/extensions/adobetimestamp
[no test files]
?     github.com/globalsign/certlint/checks/extensions/all  [no test
files]
?     github.com/globalsign/certlint/checks/extensions/authorityinfoaccess
[no test files]
?     github.com/globalsign/certlint/checks/extensions/authoritykeyid
[no test files]
?     github.com/globalsign/certlint/checks/extensions/basicconstraints
[no test files]
?     github.com/globalsign/certlint/checks/extensions/crldistributionpoints
[no test files]
?     github.com/globalsign/certlint/checks/extensions/ct [no test
files]
?     github.com/globalsign/certlint/checks/extensions/extkeyusage  [no
test files]
?     github.com/globalsign/certlint/checks/extensions/keyusage [no test
files]
?     github.com/globalsign/certlint/checks/extensions/nameconstraints
[no test files]
ok    github.com/globalsign/certlint/checks/extensions/ocspmuststaple
(cached)
?     github.com/globalsign/certlint/checks/extensions/ocspnocheck  [no
test files]
?     github.com/globalsign/certlint/checks/extensions/pdfrevocation
[no test files]
?     github.com/globalsign/certlint/checks/extensions/policyidentifiers
[no test files]
?     github.com/globalsign/certlint/checks/extensions/smimecapabilities
[no test files]
?     github.com/globalsign/certlint/checks/extensions/subjectaltname
[no test files]
?     github.com/globalsign/certlint/checks/extensions/subjectkeyid [no
test files]
ok    github.com/globalsign/certlint/errors (cached)
?     github.com/globalsign/certlint/examples/ct  [no test files]
?     github.com/globalsign/certlint/examples/specificchecks  [no test
files]
```

* Certchecker: Remove OCSP Must Staple err ignore, fix typos.

This commit removes the explicit ignore for OCSP Must Staple errors that
was added when the upstream `certlint` package didn't understand that
PKIX extension. That problem was resolved and so we can remove the
ignore from `cert-checker`.

This commit also fixes two typos that were fixed upstream and needed to
be reflected in expected error messages in the `certlint` unit test.

* Certchecker: Ignore Certlint CN/SAN == PSL errors.

`globalsign/certlint`, used by `cmd/cert-checker` to vet certs,
improperly flags certificates that have subj CN/SANs equal to a private
entry in the public suffix list as faulty.

This commit adds a regex that will skip errors that match the certlint
PSL error string. Prior to this workaround the addition of a private PSL
entry as a SAN in the `TestCheckCert` test cert fails the test:

```
--- FAIL: TestCheckCert (1.72s)
  main_test.go:221: Found unexpected problem 'Certificate subjectAltName
  "dev-myqnapcloud.com" equals "dev-myqnapcloud.com" from the public
  suffix list'.
```

With the workaround in place, the test passes again.
2018-04-04 12:20:43 -04:00
Jacob Hoffman-Andrews 65b88a8dbc Run certlint in cert-checker (#3550)
This pulls in the certlint dependency, which in turn pulls in publicsuffix as a dependency.

Fixes #3549
2018-03-15 17:42:58 +00:00
Roland Bracewell Shoemaker 76be5d70e7 Update github.com/cloudflare/cfssl (#3536)
Pulls in SCT list serialization fix, unblocks #3521.

```
ok  	github.com/cloudflare/cfssl/api/client	1.137s	coverage: 52.2% of statements
ok  	github.com/cloudflare/cfssl/api/crl	1.110s	coverage: 75.0% of statements
ok  	github.com/cloudflare/cfssl/api/gencrl	1.062s	coverage: 72.5% of statements
ok  	github.com/cloudflare/cfssl/api/generator	1.304s	coverage: 33.3% of statements
ok  	github.com/cloudflare/cfssl/api/info	1.133s	coverage: 84.1% of statements
ok  	github.com/cloudflare/cfssl/api/initca	1.068s	coverage: 90.5% of statements
ok  	github.com/cloudflare/cfssl/api/ocsp	1.152s	coverage: 93.8% of statements
ok  	github.com/cloudflare/cfssl/api/revoke	2.574s	coverage: 75.0% of statements
ok  	github.com/cloudflare/cfssl/api/scan	2.885s	coverage: 62.1% of statements
ok  	github.com/cloudflare/cfssl/api/sign	3.188s	coverage: 83.3% of statements
ok  	github.com/cloudflare/cfssl/api/signhandler	1.179s	coverage: 26.3% of statements
ok  	github.com/cloudflare/cfssl/auth	1.012s	coverage: 68.2% of statements
ok  	github.com/cloudflare/cfssl/bundler	15.700s	coverage: 84.5% of statements
ok  	github.com/cloudflare/cfssl/certdb/dbconf	1.016s	coverage: 84.2% of statements
ok  	github.com/cloudflare/cfssl/certdb/ocspstapling	1.415s	coverage: 69.2% of statements
ok  	github.com/cloudflare/cfssl/certdb/sql	1.248s	coverage: 70.5% of statements
ok  	github.com/cloudflare/cfssl/cli	1.013s	coverage: 61.9% of statements
ok  	github.com/cloudflare/cfssl/cli/bundle	1.012s	coverage: 0.0% of statements [no tests to run]
ok  	github.com/cloudflare/cfssl/cli/crl	1.091s	coverage: 57.8% of statements
ok  	github.com/cloudflare/cfssl/cli/gencert	11.960s	coverage: 83.6% of statements
ok  	github.com/cloudflare/cfssl/cli/gencrl	1.089s	coverage: 73.3% of statements
ok  	github.com/cloudflare/cfssl/cli/gencsr	1.064s	coverage: 70.3% of statements
ok  	github.com/cloudflare/cfssl/cli/genkey	6.415s	coverage: 70.0% of statements
ok  	github.com/cloudflare/cfssl/cli/ocsprefresh	1.060s	coverage: 64.3% of statements
ok  	github.com/cloudflare/cfssl/cli/revoke	1.033s	coverage: 88.2% of statements
ok  	github.com/cloudflare/cfssl/cli/scan	1.013s	coverage: 36.0% of statements
ok  	github.com/cloudflare/cfssl/cli/selfsign	2.029s	coverage: 73.2% of statements
ok  	github.com/cloudflare/cfssl/cli/serve	1.073s	coverage: 39.0% of statements
ok  	github.com/cloudflare/cfssl/cli/sign	1.054s	coverage: 54.8% of statements
ok  	github.com/cloudflare/cfssl/cli/version	1.012s	coverage: 100.0% of statements
ok  	github.com/cloudflare/cfssl/cmd/cfssl	1.036s	coverage: 0.0% of statements [no tests to run]
ok  	github.com/cloudflare/cfssl/cmd/cfssljson	1.018s	coverage: 3.4% of statements
ok  	github.com/cloudflare/cfssl/cmd/mkbundle	1.012s	coverage: 0.0% of statements [no tests to run]
ok  	github.com/cloudflare/cfssl/config	1.029s	coverage: 67.7% of statements
ok  	github.com/cloudflare/cfssl/crl	1.056s	coverage: 68.3% of statements
ok  	github.com/cloudflare/cfssl/csr	31.882s	coverage: 89.6% of statements
ok  	github.com/cloudflare/cfssl/errors	1.016s	coverage: 79.6% of statements
ok  	github.com/cloudflare/cfssl/helpers	1.251s	coverage: 82.8% of statements
ok  	github.com/cloudflare/cfssl/helpers/testsuite	6.974s	coverage: 65.8% of statements
ok  	github.com/cloudflare/cfssl/initca	207.580s	coverage: 73.2% of statements
ok  	github.com/cloudflare/cfssl/log	1.010s	coverage: 59.3% of statements
ok  	github.com/cloudflare/cfssl/multiroot/config	1.161s	coverage: 77.4% of statements
ok  	github.com/cloudflare/cfssl/ocsp	1.230s	coverage: 77.4% of statements
ok  	github.com/cloudflare/cfssl/revoke	1.336s	coverage: 77.9% of statements
ok  	github.com/cloudflare/cfssl/scan	1.016s	coverage: 1.1% of statements
ok  	github.com/cloudflare/cfssl/selfsign	1.059s	coverage: 70.0% of statements
ok  	github.com/cloudflare/cfssl/signer	1.014s	coverage: 19.4% of statements
ok  	github.com/cloudflare/cfssl/signer/local	3.355s	coverage: 77.9% of statements
ok  	github.com/cloudflare/cfssl/signer/remote	2.371s	coverage: 70.0% of statements
ok  	github.com/cloudflare/cfssl/signer/universal	2.163s	coverage: 67.7% of statements
ok  	github.com/cloudflare/cfssl/transport	1.012s
ok  	github.com/cloudflare/cfssl/transport/ca/localca	1.043s	coverage: 94.9% of statements
ok  	github.com/cloudflare/cfssl/transport/core	1.030s	coverage: 90.9% of statements
ok  	github.com/cloudflare/cfssl/transport/kp	1.032s	coverage: 37.1% of statements
ok  	github.com/cloudflare/cfssl/ubiquity	1.034s	coverage: 88.3% of statements
ok  	github.com/cloudflare/cfssl/whitelist	2.879s	coverage: 100.0% of statements
```
2018-03-08 14:31:42 -05:00
Jacob Hoffman-Andrews b82c06d874 Update go-jose to 2.1.4 (#3531)
This pulls in an upstream change that allows us to reference the Protected
header separately from the unprotected one (confusingly just called Header).

$ go test gopkg.in/square/go-jose.v2/...
ok      gopkg.in/square/go-jose.v2      16.625s
ok      gopkg.in/square/go-jose.v2/cipher       0.004s
?       gopkg.in/square/go-jose.v2/jose-util    [no test files]
ok      gopkg.in/square/go-jose.v2/json 2.080s
?       gopkg.in/square/go-jose.v2/jwk-keygen   [no test files]
ok      gopkg.in/square/go-jose.v2/jwt  0.128s
2018-03-07 17:41:17 +00:00
Roland Bracewell Shoemaker 66695c0727 Update github.com/cloudflare/cfssl (#3528)
```
 roland@catbus  ~/code/go/src/github.com/cloudflare/cfssl   master  ./test.sh
BUILDING.md		Gopkg.toml		certdb			crl			helpers			revoke			test.sh
CHANGELOG		LICENSE			certinfo		crypto			info			scan			testdata
Dockerfile		README.md		cli			csr			initca			script			transport
Dockerfile.build	api			cmd			doc			log			selfsign		ubiquity
Dockerfile.minimal	auth			config			errors			multiroot		signer			vendor
Gopkg.lock		bundler			coverprofile.txt	gopath			ocsp			test.prof		whitelist
ok  	github.com/cloudflare/cfssl/api	1.043s	coverage: 81.1% of statements
ok  	github.com/cloudflare/cfssl/api/bundle	1.570s	coverage: 87.2% of statements
ok  	github.com/cloudflare/cfssl/api/certadd	12.607s	coverage: 86.8% of statements
ok  	github.com/cloudflare/cfssl/api/client	1.070s	coverage: 52.2% of statements
ok  	github.com/cloudflare/cfssl/api/crl	1.107s	coverage: 75.0% of statements
ok  	github.com/cloudflare/cfssl/api/gencrl	1.057s	coverage: 72.5% of statements
ok  	github.com/cloudflare/cfssl/api/generator	1.262s	coverage: 33.3% of statements
ok  	github.com/cloudflare/cfssl/api/info	1.102s	coverage: 84.1% of statements
ok  	github.com/cloudflare/cfssl/api/initca	1.073s	coverage: 90.5% of statements
ok  	github.com/cloudflare/cfssl/api/ocsp	1.116s	coverage: 93.8% of statements
ok  	github.com/cloudflare/cfssl/api/revoke	2.923s	coverage: 75.0% of statements
ok  	github.com/cloudflare/cfssl/api/scan	17.178s	coverage: 62.1% of statements
ok  	github.com/cloudflare/cfssl/api/sign	2.221s	coverage: 83.3% of statements
ok  	github.com/cloudflare/cfssl/api/signhandler	1.145s	coverage: 26.3% of statements
ok  	github.com/cloudflare/cfssl/auth	1.022s	coverage: 68.2% of statements
ok  	github.com/cloudflare/cfssl/bundler	14.899s	coverage: 84.5% of statements
ok  	github.com/cloudflare/cfssl/certdb/dbconf	1.040s	coverage: 84.2% of statements
ok  	github.com/cloudflare/cfssl/certdb/ocspstapling	1.283s	coverage: 69.2% of statements
ok  	github.com/cloudflare/cfssl/certdb/sql	1.092s	coverage: 70.5% of statements
ok  	github.com/cloudflare/cfssl/cli	1.036s	coverage: 61.9% of statements
ok  	github.com/cloudflare/cfssl/cli/bundle	1.034s	coverage: 0.0% of statements [no tests to run]
ok  	github.com/cloudflare/cfssl/cli/crl	1.106s	coverage: 57.8% of statements
ok  	github.com/cloudflare/cfssl/cli/gencert	6.106s	coverage: 83.6% of statements
ok  	github.com/cloudflare/cfssl/cli/gencrl	1.081s	coverage: 73.3% of statements
ok  	github.com/cloudflare/cfssl/cli/gencsr	1.075s	coverage: 70.3% of statements
ok  	github.com/cloudflare/cfssl/cli/genkey	2.903s	coverage: 70.0% of statements
ok  	github.com/cloudflare/cfssl/cli/ocsprefresh	1.074s	coverage: 64.3% of statements
ok  	github.com/cloudflare/cfssl/cli/revoke	1.054s	coverage: 88.2% of statements
ok  	github.com/cloudflare/cfssl/cli/scan	1.032s	coverage: 36.0% of statements
ok  	github.com/cloudflare/cfssl/cli/selfsign	2.429s	coverage: 73.2% of statements
ok  	github.com/cloudflare/cfssl/cli/serve	1.172s	coverage: 39.0% of statements
ok  	github.com/cloudflare/cfssl/cli/sign	1.058s	coverage: 54.8% of statements
ok  	github.com/cloudflare/cfssl/cli/version	1.028s	coverage: 100.0% of statements
ok  	github.com/cloudflare/cfssl/cmd/cfssl	1.196s	coverage: 0.0% of statements [no tests to run]
ok  	github.com/cloudflare/cfssl/cmd/cfssljson	1.031s	coverage: 3.4% of statements
ok  	github.com/cloudflare/cfssl/cmd/mkbundle	1.032s	coverage: 0.0% of statements [no tests to run]
ok  	github.com/cloudflare/cfssl/config	1.054s	coverage: 67.7% of statements
ok  	github.com/cloudflare/cfssl/crl	1.072s	coverage: 68.3% of statements
ok  	github.com/cloudflare/cfssl/csr	20.657s	coverage: 89.6% of statements
ok  	github.com/cloudflare/cfssl/errors	1.029s	coverage: 79.6% of statements
ok  	github.com/cloudflare/cfssl/helpers	1.225s	coverage: 82.8% of statements
ok  	github.com/cloudflare/cfssl/helpers/testsuite	6.558s	coverage: 65.8% of statements
ok  	github.com/cloudflare/cfssl/initca	81.870s	coverage: 73.2% of statements
ok  	github.com/cloudflare/cfssl/log	1.019s	coverage: 59.3% of statements
ok  	github.com/cloudflare/cfssl/multiroot/config	1.190s	coverage: 77.4% of statements
ok  	github.com/cloudflare/cfssl/ocsp	1.226s	coverage: 77.4% of statements
ok  	github.com/cloudflare/cfssl/revoke	1.832s	coverage: 77.9% of statements
ok  	github.com/cloudflare/cfssl/scan	1.042s	coverage: 1.1% of statements
ok  	github.com/cloudflare/cfssl/selfsign	1.073s	coverage: 70.0% of statements
ok  	github.com/cloudflare/cfssl/signer	1.030s	coverage: 19.4% of statements
ok  	github.com/cloudflare/cfssl/signer/local	3.171s	coverage: 78.1% of statements
ok  	github.com/cloudflare/cfssl/signer/remote	2.197s	coverage: 70.0% of statements
ok  	github.com/cloudflare/cfssl/signer/universal	2.061s	coverage: 67.7% of statements
ok  	github.com/cloudflare/cfssl/transport	1.031s
ok  	github.com/cloudflare/cfssl/transport/ca/localca	1.062s	coverage: 94.9% of statements
ok  	github.com/cloudflare/cfssl/transport/core	1.054s	coverage: 90.9% of statements
ok  	github.com/cloudflare/cfssl/transport/kp	1.059s	coverage: 37.1% of statements
ok  	github.com/cloudflare/cfssl/transport/roots/system	1.384s	coverage: 77.1% of statements
ok  	github.com/cloudflare/cfssl/ubiquity	1.057s	coverage: 88.3% of statements
ok  	github.com/cloudflare/cfssl/whitelist	2.060s	coverage: 100.0% of statements
```
2018-03-06 12:44:57 -08:00
Jacob Hoffman-Andrews 8945f0ffae Re-vendor certificate-transparency-go to latest. (#3473)
* Re-vendor certificate-transparency-go to latest.

$ go test github.com/google/certificate-transparency-go{,/asn1,/client,/client/configpb,/jsonclient,/tls,/x509/pkix} golang.org/x/crypto/cryptobyte{,/asn1}
ok      github.com/google/certificate-transparency-go   0.722s
ok      github.com/google/certificate-transparency-go/asn1      0.011s
ok      github.com/google/certificate-transparency-go/client    22.995s
?       github.com/google/certificate-transparency-go/client/configpb   [no test files]
ok      github.com/google/certificate-transparency-go/jsonclient        0.020s
ok      github.com/google/certificate-transparency-go/tls       0.096s
?       github.com/google/certificate-transparency-go/x509/pkix [no test files]
ok      golang.org/x/crypto/cryptobyte  0.013s
?       golang.org/x/crypto/cryptobyte/asn1     [no test files]

* Bring in latest ct-go master.
2018-02-23 11:18:20 -05:00
Jacob Hoffman-Andrews f3fb418fb1 Re-vendor golang.org/x/crypto/... (#3457)
In #3454, I tried to update certificate-transparency-go, but that pulled in a bunch of extra package updates, making for a complicated PR. This PR breaks out one of the packages that needed an update, to allow us to bring things up to date in a simpler, more piecemeal fashion.

$ go test golang.org/x/crypto/...
ok      golang.org/x/crypto/acme        2.564s
ok      golang.org/x/crypto/acme/autocert       0.634s
ok      golang.org/x/crypto/argon2      0.118s
ok      golang.org/x/crypto/bcrypt      2.282s
ok      golang.org/x/crypto/blake2b     0.103s
ok      golang.org/x/crypto/blake2s     0.072s
ok      golang.org/x/crypto/blowfish    0.006s
ok      golang.org/x/crypto/bn256       0.462s
ok      golang.org/x/crypto/cast5       4.288s
ok      golang.org/x/crypto/chacha20poly1305    0.037s
ok      golang.org/x/crypto/cryptobyte  0.012s
?       golang.org/x/crypto/cryptobyte/asn1     [no test files]
ok      golang.org/x/crypto/curve25519  0.029s
ok      golang.org/x/crypto/ed25519     0.082s
?       golang.org/x/crypto/ed25519/internal/edwards25519       [no test files]
ok      golang.org/x/crypto/hkdf        0.003s
ok      golang.org/x/crypto/internal/chacha20   0.002s
ok      golang.org/x/crypto/md4 0.002s
ok      golang.org/x/crypto/nacl/auth   1.473s
ok      golang.org/x/crypto/nacl/box    0.007s
ok      golang.org/x/crypto/nacl/secretbox      0.004s
ok      golang.org/x/crypto/ocsp        0.034s
ok      golang.org/x/crypto/openpgp     7.275s
ok      golang.org/x/crypto/openpgp/armor       0.015s
ok      golang.org/x/crypto/openpgp/clearsign   0.028s
ok      golang.org/x/crypto/openpgp/elgamal     0.015s
?       golang.org/x/crypto/openpgp/errors      [no test files]
ok      golang.org/x/crypto/openpgp/packet      0.170s
ok      golang.org/x/crypto/openpgp/s2k 9.401s
ok      golang.org/x/crypto/otr 0.321s
ok      golang.org/x/crypto/pbkdf2      0.046s
ok      golang.org/x/crypto/pkcs12      0.065s
ok      golang.org/x/crypto/pkcs12/internal/rc2 0.014s
ok      golang.org/x/crypto/poly1305    0.023s
ok      golang.org/x/crypto/ripemd160   0.061s
ok      golang.org/x/crypto/salsa20     0.029s
ok      golang.org/x/crypto/salsa20/salsa       0.043s
ok      golang.org/x/crypto/scrypt      0.815s
ok      golang.org/x/crypto/sha3        0.263s
ok      golang.org/x/crypto/ssh 1.175s
ok      golang.org/x/crypto/ssh/agent   0.827s
ok      golang.org/x/crypto/ssh/knownhosts      0.038s
ok      golang.org/x/crypto/ssh/terminal        0.029s
ok      golang.org/x/crypto/ssh/test    0.148s
ok      golang.org/x/crypto/tea 0.012s
ok      golang.org/x/crypto/twofish     0.013s
ok      golang.org/x/crypto/xtea        0.002s
ok      golang.org/x/crypto/xts 0.016s
2018-02-20 14:32:11 -08:00
Jacob Hoffman-Andrews 28e1f6c7ef Re-vendor golang/protobuf. (#3456)
In #3454, I tried to update certificate-transparency-go, but that pulled in a bunch of extra package updates, making for a complicated PR. This PR breaks out one of the packages that needed an update, to allow us to bring things up to date in a simpler, more piecemeal fashion.

$ go test github.com/golang/protobuf/...
ok      github.com/golang/protobuf/descriptor   0.004s
ok      github.com/golang/protobuf/jsonpb       0.012s
?       github.com/golang/protobuf/jsonpb/jsonpb_test_proto     [no test
files]
ok      github.com/golang/protobuf/proto        0.062s
?       github.com/golang/protobuf/proto/proto3_proto   [no test files]
?       github.com/golang/protobuf/protoc-gen-go        [no test files]
?       github.com/golang/protobuf/protoc-gen-go/descriptor     [no test
files]
ok      github.com/golang/protobuf/protoc-gen-go/generator      0.002s
?       github.com/golang/protobuf/protoc-gen-go/grpc   [no test files]
?       github.com/golang/protobuf/protoc-gen-go/plugin [no test files]
ok      github.com/golang/protobuf/ptypes       0.014s
?       github.com/golang/protobuf/ptypes/any   [no test files]
?       github.com/golang/protobuf/ptypes/duration      [no test files]
?       github.com/golang/protobuf/ptypes/empty [no test files]
?       github.com/golang/protobuf/ptypes/struct        [no test files]
?       github.com/golang/protobuf/ptypes/timestamp     [no test files]
?       github.com/golang/protobuf/ptypes/wrappers      [no test files]
2018-02-20 14:31:43 -08:00
Daniel McCarney ff10453144 Update miekg/pkcs11 dep to tip of master. (#3445)
This commit updates the github.com/miekg/pkcs11 dependency to
88ac7c418f89b164432a00c46ec7b7612d686b57, the tip of master at the time
of writing.

This incorporates a fix for Golang 1.9.4.

Confirmed upstream unit tests pass:

$> git rev-parse HEAD
88ac7c418f89b164432a00c46ec7b7612d686b57

$> go test ./...
ok      github.com/miekg/pkcs11 0.676s

Resolves #3442
2018-02-14 12:11:40 -08:00
Daniel McCarney 200e31b9d5 Update CFSSL to tip of master (ed5223a). (#3408)
Update CFSSL to get upstream ocsp changes required to minimize log
volume.

Confirmed that unit tests pass:

```
$ git rev-parse HEAD
ed5223a490ece4d66899bbb292e3e46c0677cb86

$> go test ./...
ok      github.com/cloudflare/cfssl/api 0.009s
ok      github.com/cloudflare/cfssl/api/bundle  0.811s
ok      github.com/cloudflare/cfssl/api/certadd 6.735s
?       github.com/cloudflare/cfssl/api/certinfo        [no test files]
ok      github.com/cloudflare/cfssl/api/client  0.069s
ok      github.com/cloudflare/cfssl/api/crl     0.103s
ok      github.com/cloudflare/cfssl/api/gencrl  0.008s
ok      github.com/cloudflare/cfssl/api/generator       0.051s
ok      github.com/cloudflare/cfssl/api/info    0.027s
ok      github.com/cloudflare/cfssl/api/initca  0.022s
ok      github.com/cloudflare/cfssl/api/ocsp    0.026s
ok      github.com/cloudflare/cfssl/api/revoke  0.614s
ok      github.com/cloudflare/cfssl/api/scan    51.888s
ok      github.com/cloudflare/cfssl/api/sign    0.329s
ok      github.com/cloudflare/cfssl/api/signhandler     0.056s
ok      github.com/cloudflare/cfssl/auth        0.002s
ok      github.com/cloudflare/cfssl/bundler     7.864s
?       github.com/cloudflare/cfssl/certdb      [no test files]
ok      github.com/cloudflare/cfssl/certdb/dbconf       0.003s
ok      github.com/cloudflare/cfssl/certdb/ocspstapling 1.103s
ok      github.com/cloudflare/cfssl/certdb/sql  0.369s
?       github.com/cloudflare/cfssl/certdb/testdb       [no test files]
?       github.com/cloudflare/cfssl/certinfo    [no test files]
ok      github.com/cloudflare/cfssl/cli 0.003s
ok      github.com/cloudflare/cfssl/cli/bundle  0.003s [no tests to run]
?       github.com/cloudflare/cfssl/cli/certinfo        [no test files]
ok      github.com/cloudflare/cfssl/cli/crl     0.061s
ok      github.com/cloudflare/cfssl/cli/gencert 1.518s
ok      github.com/cloudflare/cfssl/cli/gencrl  0.011s
ok      github.com/cloudflare/cfssl/cli/gencsr  0.010s
ok      github.com/cloudflare/cfssl/cli/genkey  0.583s
?       github.com/cloudflare/cfssl/cli/info    [no test files]
?       github.com/cloudflare/cfssl/cli/ocspdump        [no test files]
ok      github.com/cloudflare/cfssl/cli/ocsprefresh     0.068s
?       github.com/cloudflare/cfssl/cli/ocspserve       [no test files]
?       github.com/cloudflare/cfssl/cli/ocspsign        [no test files]
?       github.com/cloudflare/cfssl/cli/printdefault    [no test files]
ok      github.com/cloudflare/cfssl/cli/revoke  0.092s
ok      github.com/cloudflare/cfssl/cli/scan    0.003s
ok      github.com/cloudflare/cfssl/cli/selfsign        0.648s
ok      github.com/cloudflare/cfssl/cli/serve   0.016s
ok      github.com/cloudflare/cfssl/cli/sign    0.041s
ok      github.com/cloudflare/cfssl/cli/version 0.003s
ok      github.com/cloudflare/cfssl/cmd/cfssl   0.005s [no tests to run]
?       github.com/cloudflare/cfssl/cmd/cfssl-bundle    [no test files]
?       github.com/cloudflare/cfssl/cmd/cfssl-certinfo  [no test files]
?       github.com/cloudflare/cfssl/cmd/cfssl-newkey    [no test files]
?       github.com/cloudflare/cfssl/cmd/cfssl-scan      [no test files]
ok      github.com/cloudflare/cfssl/cmd/cfssljson       0.012s
ok      github.com/cloudflare/cfssl/cmd/mkbundle        0.011s [no tests
to run]
?       github.com/cloudflare/cfssl/cmd/multirootca     [no test files]
ok      github.com/cloudflare/cfssl/config      0.004s
ok      github.com/cloudflare/cfssl/crl 0.013s
?       github.com/cloudflare/cfssl/crypto      [no test files]
?       github.com/cloudflare/cfssl/crypto/pkcs7        [no test files]
ok      github.com/cloudflare/cfssl/csr 4.836s
ok      github.com/cloudflare/cfssl/errors      0.004s
ok      github.com/cloudflare/cfssl/helpers     0.037s
?       github.com/cloudflare/cfssl/helpers/derhelpers  [no test files]
ok      github.com/cloudflare/cfssl/helpers/testsuite   4.830s
?       github.com/cloudflare/cfssl/info        [no test files]
ok      github.com/cloudflare/cfssl/initca      17.794s
ok      github.com/cloudflare/cfssl/log 0.002s
ok      github.com/cloudflare/cfssl/multiroot/config    0.022s
ok      github.com/cloudflare/cfssl/ocsp        0.119s
?       github.com/cloudflare/cfssl/ocsp/config [no test files]
?       github.com/cloudflare/cfssl/ocsp/universal      [no test files]
ok      github.com/cloudflare/cfssl/revoke      2.172s
ok      github.com/cloudflare/cfssl/scan        0.003s
?       github.com/cloudflare/cfssl/scan/vendor/crypto  [no test files]
?       github.com/cloudflare/cfssl/scan/vendor/crypto/md5      [no test
files]
?       github.com/cloudflare/cfssl/scan/vendor/crypto/rsa      [no test
files]
?       github.com/cloudflare/cfssl/scan/vendor/crypto/sha1     [no test
files]
?       github.com/cloudflare/cfssl/scan/vendor/crypto/sha256   [no test
files]
?       github.com/cloudflare/cfssl/scan/vendor/crypto/sha512   [no test
files]
?       github.com/cloudflare/cfssl/scan/vendor/crypto/tls      [no test
files]
ok      github.com/cloudflare/cfssl/selfsign    0.011s
ok      github.com/cloudflare/cfssl/signer      0.003s
ok      github.com/cloudflare/cfssl/signer/local        0.419s
ok      github.com/cloudflare/cfssl/signer/remote       0.341s
ok      github.com/cloudflare/cfssl/signer/universal    0.262s
ok      github.com/cloudflare/cfssl/transport   0.017s
?       github.com/cloudflare/cfssl/transport/ca        [no test files]
ok      github.com/cloudflare/cfssl/transport/ca/localca        0.020s
ok      github.com/cloudflare/cfssl/transport/core      0.021s
?       github.com/cloudflare/cfssl/transport/example/exlib     [no test
files]
?       github.com/cloudflare/cfssl/transport/example/maclient  [no test
files]
?       github.com/cloudflare/cfssl/transport/example/maserver  [no test
files]
ok      github.com/cloudflare/cfssl/transport/kp        0.021s
?       github.com/cloudflare/cfssl/transport/roots     [no test files]
?       github.com/cloudflare/cfssl/transport/roots/system      [no test
files]
ok      github.com/cloudflare/cfssl/ubiquity    0.012s
ok      github.com/cloudflare/cfssl/whitelist   0.086s
?       github.com/cloudflare/cfssl/whitelist/example   [no test files]

```
2018-01-31 12:50:33 -08:00
Bouke van der Bijl 308a4f4d45 Upgrade publicsuffix-go to 7881288 (#3391)
HEAD is now at 7881288 autopull: 2018-01-24T06:00:45Z (#102)
?     github.com/weppos/publicsuffix-go/cmd/load  [no test files]
=== RUN   TestPublicSuffix
--- PASS: TestPublicSuffix (0.00s)
=== RUN   TestEffectiveTLDPlusOne
--- PASS: TestEffectiveTLDPlusOne (0.00s)
PASS
ok    github.com/weppos/publicsuffix-go/net/publicsuffix  0.020s
=== RUN   TestValid
--- PASS: TestValid (0.00s)
=== RUN   TestIncludePrivate
--- PASS: TestIncludePrivate (0.00s)
=== RUN   TestIDNA
--- PASS: TestIDNA (0.00s)
=== RUN   TestPsl
--- PASS: TestPsl (0.01s)
=== RUN   TestNewListFromString
--- PASS: TestNewListFromString (0.00s)
=== RUN   TestNewListFromString_IDNAInputIsUnicode
--- PASS: TestNewListFromString_IDNAInputIsUnicode (0.00s)
=== RUN   TestNewListFromString_IDNAInputIsAscii
--- PASS: TestNewListFromString_IDNAInputIsAscii (0.00s)
=== RUN   TestNewListFromFile
--- PASS: TestNewListFromFile (0.00s)
=== RUN   TestListAddRule
--- PASS: TestListAddRule (0.00s)
=== RUN   TestListFind
--- PASS: TestListFind (0.00s)
=== RUN   TestNewRule_Normal
--- PASS: TestNewRule_Normal (0.00s)
=== RUN   TestNewRule_Wildcard
--- PASS: TestNewRule_Wildcard (0.00s)
=== RUN   TestNewRule_Exception
--- PASS: TestNewRule_Exception (0.00s)
=== RUN   TestNewRule_FromASCII
--- PASS: TestNewRule_FromASCII (0.00s)
=== RUN   TestNewRule_FromUnicode
--- PASS: TestNewRule_FromUnicode (0.00s)
=== RUN   TestNewRuleUnicode_FromASCII
--- PASS: TestNewRuleUnicode_FromASCII (0.00s)
=== RUN   TestNewRuleUnicode_FromUnicode
--- PASS: TestNewRuleUnicode_FromUnicode (0.00s)
=== RUN   TestRuleMatch
--- PASS: TestRuleMatch (0.00s)
=== RUN   TestRuleDecompose
--- PASS: TestRuleDecompose (0.00s)
=== RUN   TestLabels
--- PASS: TestLabels (0.00s)
=== RUN   TestToASCII
--- PASS: TestToASCII (0.00s)
=== RUN   TestCookieJarList
--- PASS: TestCookieJarList (0.00s)
PASS
ok    github.com/weppos/publicsuffix-go/publicsuffix  0.039s
2018-01-24 15:09:56 -08:00
Jacob Hoffman-Andrews bdad6ddc4e Update gomock to latest version (#3299)
This change is pulled out of #3294 in hopes of simplifying that change.

Tests run:

```
$ go test github.com/golang/mock/gomock/...
ok      github.com/golang/mock/gomock   0.002s
?       github.com/golang/mock/gomock/mock_matcher      [no test files]
```
2017-12-21 12:31:39 -05:00
Jacob Hoffman-Andrews 68d5cc3331
Restore gRPC metrics (#3265)
The go-grpc-prometheus package by default registers its metrics with Prometheus' global registry. In #3167, when we stopped using the global registry, we accidentally lost our gRPC metrics. This change adds them back.

Specifically, it adds two convenience functions, one for clients and one for servers, that make the necessary metrics object and register it. We run these in the main function of each server.

I considered adding these as part of StatsAndLogging, but the corresponding ClientMetrics and ServerMetrics objects (defined by go-grpc-prometheus) need to be subsequently made available during construction of the gRPC clients and servers. We could add them as fields on Scope, but this seemed like a little too much tight coupling.

Also, update go-grpc-prometheus to get the necessary methods.

```
$ go test github.com/grpc-ecosystem/go-grpc-prometheus/...
ok      github.com/grpc-ecosystem/go-grpc-prometheus    0.069s
?       github.com/grpc-ecosystem/go-grpc-prometheus/examples/testproto [no test files]
```
2017-12-07 15:44:55 -08:00
Jacob Hoffman-Andrews 6af3f4e315 Update to latest certificate-transparency-go. (#3207)
This pulls in multilog support (logs sharded by date). As a result,
it also pulls in new dependencies gogo/protobuf (for UnmarshalText) and
golang/protobuf/ptypes (for Timestamp).

Replaces #3202, adding a smaller set of dependencies. See also #3205.

Tests run:

```
$ go test github.com/gogo/protobuf/proto github.com/golang/protobuf/ptypes/... github.com/google/certificate-transparency-go/... 
ok      github.com/gogo/protobuf/proto  0.063s
ok      github.com/golang/protobuf/ptypes       0.009s
?       github.com/golang/protobuf/ptypes/any   [no test files]
?       github.com/golang/protobuf/ptypes/duration      [no test files]
?       github.com/golang/protobuf/ptypes/empty [no test files]
?       github.com/golang/protobuf/ptypes/struct        [no test files]
?       github.com/golang/protobuf/ptypes/timestamp     [no test files]
?       github.com/golang/protobuf/ptypes/wrappers      [no test files]
ok      github.com/google/certificate-transparency-go   1.005s
ok      github.com/google/certificate-transparency-go/asn1      0.021s
ok      github.com/google/certificate-transparency-go/client    22.034s
?       github.com/google/certificate-transparency-go/client/ctclient   [no test files]
ok      github.com/google/certificate-transparency-go/fixchain  0.145s
?       github.com/google/certificate-transparency-go/fixchain/main     [no test files]
ok      github.com/google/certificate-transparency-go/fixchain/ratelimiter      27.745s
ok      github.com/google/certificate-transparency-go/gossip    0.772s
?       github.com/google/certificate-transparency-go/gossip/main       [no test files]
ok      github.com/google/certificate-transparency-go/jsonclient        25.523s
ok      github.com/google/certificate-transparency-go/merkletree        0.004s
?       github.com/google/certificate-transparency-go/preload   [no test files]
?       github.com/google/certificate-transparency-go/preload/dumpscts/main     [no test files]
?       github.com/google/certificate-transparency-go/preload/main      [no test files]
ok      github.com/google/certificate-transparency-go/scanner   0.010s
?       github.com/google/certificate-transparency-go/scanner/main      [no test files]
ok      github.com/google/certificate-transparency-go/tls       0.026s
ok      github.com/google/certificate-transparency-go/x509      0.417s
?       github.com/google/certificate-transparency-go/x509/pkix [no test files]
?       github.com/google/certificate-transparency-go/x509util  [no test files]
```
2017-11-07 07:59:46 -05:00
Jacob Hoffman-Andrews 5f0cbddd9d Check for unnecessary godeps (#3206)
Fixes https://github.com/letsencrypt/boulder/issues/3205.

Previously, we would only move aside Godeps.json before running `godep save ./...`. However, in order to get a true picture of what is needed, we must also remove the existing `vendor/` directory.

This change also removes some unnecessary dependencies that have piled up over the years, generally test dependencies. Godep used to vendor such dependencies but no longer does.
2017-11-03 14:30:07 -04:00
Jacob Hoffman-Andrews 5df083a57e Add ROCA weak key checking (#3189)
Thanks to @titanous for the library!
2017-11-02 08:42:59 -04:00
Jacob Hoffman-Andrews bf9ce64aca Update GSB library (#3192)
This pulls in google/safebrowsing#74, which introduces a new LookupURLsContext that allows us to pass through timeout information nicely.

Also, update calling code to use LookupURLsContext instead of LookupURLs.
2017-10-24 08:33:03 -04:00
Jacob Hoffman-Andrews 071fc0120f Remove facebookgo/httpdown. (#3168)
Its purpose is now served by net/http's Shutdown().
2017-10-17 08:55:43 -04:00
Daniel McCarney 3d84bd9b99 Update `publicsuffix-go` to 02da67. (#3131)
Unit tests confirmed to pass:
```
HEAD is now at 02da67f... autopull: 2017-09-11T06:00:45Z (#92)
?   	github.com/weppos/publicsuffix-go/cmd/load	[no test files]
=== RUN   TestPublicSuffix
--- PASS: TestPublicSuffix (0.00s)
=== RUN   TestEffectiveTLDPlusOne
--- PASS: TestEffectiveTLDPlusOne (0.00s)
PASS
ok  	github.com/weppos/publicsuffix-go/net/publicsuffix	0.006s
=== RUN   TestValid
--- PASS: TestValid (0.00s)
=== RUN   TestIncludePrivate
--- PASS: TestIncludePrivate (0.00s)
=== RUN   TestIDNA
--- PASS: TestIDNA (0.00s)
=== RUN   TestPsl
--- PASS: TestPsl (0.01s)
=== RUN   TestNewListFromString
--- PASS: TestNewListFromString (0.00s)
=== RUN   TestNewListFromString_IDNAInputIsUnicode
--- PASS: TestNewListFromString_IDNAInputIsUnicode (0.00s)
=== RUN   TestNewListFromString_IDNAInputIsAscii
--- PASS: TestNewListFromString_IDNAInputIsAscii (0.00s)
=== RUN   TestNewListFromFile
--- PASS: TestNewListFromFile (0.00s)
=== RUN   TestListAddRule
--- PASS: TestListAddRule (0.00s)
=== RUN   TestListFind
--- PASS: TestListFind (0.00s)
=== RUN   TestNewRule_Normal
--- PASS: TestNewRule_Normal (0.00s)
=== RUN   TestNewRule_Wildcard
--- PASS: TestNewRule_Wildcard (0.00s)
=== RUN   TestNewRule_Exception
--- PASS: TestNewRule_Exception (0.00s)
=== RUN   TestNewRule_FromASCII
--- PASS: TestNewRule_FromASCII (0.00s)
=== RUN   TestNewRule_FromUnicode
--- PASS: TestNewRule_FromUnicode (0.00s)
=== RUN   TestNewRuleUnicode_FromASCII
--- PASS: TestNewRuleUnicode_FromASCII (0.00s)
=== RUN   TestNewRuleUnicode_FromUnicode
--- PASS: TestNewRuleUnicode_FromUnicode (0.00s)
=== RUN   TestRuleMatch
--- PASS: TestRuleMatch (0.00s)
=== RUN   TestRuleDecompose
--- PASS: TestRuleDecompose (0.00s)
=== RUN   TestLabels
--- PASS: TestLabels (0.00s)
=== RUN   TestToASCII
--- PASS: TestToASCII (0.00s)
=== RUN   TestCookieJarList
--- PASS: TestCookieJarList (0.00s)
PASS
ok  	github.com/weppos/publicsuffix-go/publicsuffix	0.024s
```
2017-10-02 10:28:58 -07:00
Daniel McCarney 0e4466bb30 Update gopkg.in/go-jose.v2 to v2.1.3. (#3087)
The 2.1.3 release of go-jose.v2 contains a bug fix for a nil panic
encountering null values in JWS headers that affects Boulder. This
commit updates Boulder to use the 2.1.3 release.

Unit tests were confirmed to pass:
```
$ go test ./...
ok      gopkg.in/square/go-jose.v2      13.648s
ok      gopkg.in/square/go-jose.v2/cipher       0.003s
?       gopkg.in/square/go-jose.v2/jose-util    [no test files]
ok      gopkg.in/square/go-jose.v2/json 1.199s
ok      gopkg.in/square/go-jose.v2/jwt  0.064s
```
2017-09-14 14:29:26 -07:00
Roland Bracewell Shoemaker c03d96212b Update vendored github.com/cloudflare/cfssl (#3078) 2017-09-13 15:23:38 -04:00
Roland Bracewell Shoemaker e91349217e Switch to using go 1.9 (#3047)
* Switch to using go 1.9

* Regenerate with 1.9

* Manually fix import path...

* Upgrade mockgen and regenerate

* Update github.com/golang/mock
2017-09-06 16:30:13 -04:00
Daniel McCarney 387209dfb5 Update `google/safebrowsing` lib to tip of master. (#3006)
This commit updates the `github.com/google/safebrowsing` dependency to
commit f387af, the tip of master at the time of writing.

Unit tests were confirmed to pass per CONTRIBUTING.md:
```
$ go test ./...
ok    github.com/google/safebrowsing  2.500s
?     github.com/google/safebrowsing/cmd/sblookup [no test files]
?     github.com/google/safebrowsing/cmd/sbserver [no test files]
?     github.com/google/safebrowsing/cmd/sbserver/statik  [no test files]
?     github.com/google/safebrowsing/internal/safebrowsing_proto  [no test files]
```
2017-08-24 12:58:31 -07:00
Daniel McCarney 210548f9eb Update publicsuffix-go to 6787c (#2960)
This commit updates the publicsuffix-go dependency to
6787cd3b348b18fab6371264ae5392cd8eca1723 the tip of master at the time
of writing.

The unit tests were verified to pass:
```
?       github.com/weppos/publicsuffix-go/cmd/load      [no test files]
ok      github.com/weppos/publicsuffix-go/net/publicsuffix      0.006s
ok      github.com/weppos/publicsuffix-go/publicsuffix  0.024s
```
2017-08-11 10:50:47 -07:00
Roland Bracewell Shoemaker 09c4c1e24e Properly validate punycode (#2964)
Godep apparently breaks when trying to parse code that specifies build tags for versions of golang above that with which it was built (which it shouldn't be parsing in the first place). This breaks the travis tests since `golang.org/x/net/context` now contains golang 1.9 specific code. In order to get around this we temporarily disable the error check for `godep save ./...` in test.sh. Opened #2965 to revert this once Godep is fixed or we move to golang 1.9.

Requires an update to `golang.org/x/net` and adding `golang.org/x/text`.

```
[roland@niya:~/gopath/src/golang.org/x/net]$ go test ./...
ok  	golang.org/x/net/bpf	0.472s
ok  	golang.org/x/net/context	0.090s
ok  	golang.org/x/net/context/ctxhttp	0.161s
?   	golang.org/x/net/dict	[no test files]
ok  	golang.org/x/net/dns/dnsmessage	0.044s
ok  	golang.org/x/net/html	0.094s
ok  	golang.org/x/net/html/atom	0.003s
ok  	golang.org/x/net/html/charset	0.027s
ok  	golang.org/x/net/http2	80.253s
?   	golang.org/x/net/http2/h2i	[no test files]
ok  	golang.org/x/net/http2/hpack	0.064s
ok	golang.org/x/net/icmp	0.026s
ok  	golang.org/x/net/idna	0.035s
?   	golang.org/x/net/internal/iana	[no test files]
?   	golang.org/x/net/internal/nettest	[no test files]
ok  	golang.org/x/net/internal/socket	0.005s
ok  	golang.org/x/net/internal/timeseries	0.024s
ok  	golang.org/x/net/ipv4	0.013s
ok  	golang.org/x/net/ipv6	0.036s
ok  	golang.org/x/net/lex/httplex	0.004s
ok  	golang.org/x/net/nettest	1.164s
ok  	golang.org/x/net/netutil	0.898s
ok  	golang.org/x/net/proxy	0.004s
ok  	golang.org/x/net/publicsuffix	0.202s
ok  	golang.org/x/net/trace	0.018s
ok  	golang.org/x/net/webdav	0.061s
ok  	golang.org/x/net/webdav/internal/xml	0.014s
ok  	golang.org/x/net/websocket	0.022s
ok  	golang.org/x/net/xsrftoken	0.025s

[roland@niya:~/gopath/src/golang.org/x/text]$ go test ./...
?   	golang.org/x/text	[no test files]
ok  	golang.org/x/text/cases	0.439s
?   	golang.org/x/text/cmd/gotext	[no test files]
ok  	golang.org/x/text/collate	0.038s
ok  	golang.org/x/text/collate/build	0.024s
?   	golang.org/x/text/collate/tools/colcmp	[no test files]
ok  	golang.org/x/text/currency	2.961s
ok  	golang.org/x/text/encoding	0.005s
ok  	golang.org/x/text/encoding/charmap	0.060s
ok  	golang.org/x/text/encoding/htmlindex	0.005s
ok  	golang.org/x/text/encoding/ianaindex	0.030s
?   	golang.org/x/text/encoding/internal	[no test files]
?   	golang.org/x/text/encoding/internal/enctest	[no test files]
?   	golang.org/x/text/encoding/internal/identifier	[no test files]
ok  	golang.org/x/text/encoding/japanese	0.098s
ok  	golang.org/x/text/encoding/korean	0.032s
ok  	golang.org/x/text/encoding/simplifiedchinese	0.100s
ok  	golang.org/x/text/encoding/traditionalchinese	0.012s
ok  	golang.org/x/text/encoding/unicode	0.013s
ok  	golang.org/x/text/encoding/unicode/utf32	0.071s
ok  	golang.org/x/text/feature/plural	0.352s
ok  	golang.org/x/text/internal	0.009s
ok  	golang.org/x/text/internal/catmsg	0.034s
ok  	golang.org/x/text/internal/colltab	1.817s
ok  	golang.org/x/text/internal/export/idna	0.040s
?   	golang.org/x/text/internal/format	[no test files]
?   	golang.org/x/text/internal/gen	[no test files]
ok  	golang.org/x/text/internal/number	0.028s
ok  	golang.org/x/text/internal/stringset	0.021s
ok  	golang.org/x/text/internal/tag	0.044s
?   	golang.org/x/text/internal/testtext	[no test files]
ok  	golang.org/x/text/internal/triegen	0.357s
ok  	golang.org/x/text/internal/ucd	0.023s
?   	golang.org/x/text/internal/utf8internal	[no test files]
ok  	golang.org/x/text/language	0.033s
ok  	golang.org/x/text/language/display	3.917s
ok  	golang.org/x/text/message	0.033s
ok  	golang.org/x/text/message/catalog	0.069s
ok  	golang.org/x/text/runes	0.039s
ok  	golang.org/x/text/search	0.019s
?   	golang.org/x/text/secure	[no test files]
ok  	golang.org/x/text/secure/bidirule	0.032s
ok  	golang.org/x/text/secure/precis	0.066s
ok  	golang.org/x/text/transform	0.106s
?   	golang.org/x/text/unicode	[no test files]
ok  	golang.org/x/text/unicode/bidi	0.026s
ok  	golang.org/x/text/unicode/cldr	0.114s
ok  	golang.org/x/text/unicode/norm	4.009s
ok  	golang.org/x/text/unicode/rangetable	1.516s
ok  	golang.org/x/text/unicode/runenames	0.011s
ok  	golang.org/x/text/width	0.310s
```

Fixes #2963.
2017-08-10 16:22:11 -04:00
Daniel McCarney 57252c3b07 Remove letsencrypt/go-safe-browsing-api dependency. (#2905)
We have migrated from our fork of `go-safe-browsing-api` to Google's
safebrowsing v4 library. This commit removes the legacy safe browsing
code.
2017-07-26 13:57:57 -07:00
Daniel McCarney 2a84bc2495 Replace go-jose v1 with go-jose v2. (#2899)
This commit replaces the Boulder dependency on
gopkg.in/square/go-jose.v1 with gopkg.in/square/go-jose.v2. This is
necessary both to stay in front of bitrot and because the ACME v2 work
will require a feature from go-jose.v2 for JWS validation.

The largest part of this diff is cosmetic changes:

- Changing import paths
- jose.JsonWebKey -> jose.JSONWebKey
- jose.JsonWebSignature -> jose.JSONWebSignature
- jose.JoseHeader -> jose.Header

Some more significant changes were caused by updates in the API for
creating new jose.Signer instances. Previously we constructed
these with jose.NewSigner(algorithm, key). Now these are created with
jose.NewSigner(jose.SigningKey{},jose.SignerOptions{}). At present all
signers specify EmbedJWK: true but this will likely change with
follow-up ACME V2 work.

Another change was the removal of the jose.LoadPrivateKey function
that the wfe tests relied on. The jose v2 API removed these functions,
moving them to a cmd's main package where we can't easily import them.
This function was reimplemented in the WFE's test code & updated to fail
fast rather than return errors.

Per CONTRIBUTING.md I have verified the go-jose.v2 tests at the imported
commit pass:

```
ok      gopkg.in/square/go-jose.v2      14.771s
ok      gopkg.in/square/go-jose.v2/cipher       0.025s
?       gopkg.in/square/go-jose.v2/jose-util    [no test files]
ok      gopkg.in/square/go-jose.v2/json 1.230s
ok      gopkg.in/square/go-jose.v2/jwt  0.073s
```

Resolves #2880
2017-07-26 10:55:14 -07:00
Jeff Hodges b88750ede0 remove prefixdb and replace with mysql driver params (#2871)
This uses the mysql driver library's capability to use `SET` to set the system
variables that prefixdb previously was.

Unfortunately, the library doesn't sort the params when making the string, so we
have to do a little munging to TestNewDbMap.

Ran it in a checkout of the repo since godeps now doesn't include the test files (which is great!).

```
MYSQL_TEST_ADDR=127.0.0.1:3306 go test .
ok  	github.com/go-sql-driver/mysql	46.099s
```
2017-07-17 16:40:56 -07:00
Daniel McCarney a268de2347 Update publicsuffix-go to e91dbc7. (#2864)
This commit updates the
`github.com/weppos/publicsuffix-go/publicsuffix` dependency to commit
e91dbc7, the tip of master at the time of writing.

Unit tests are confirmed to pass:
```
:~/go/src/github.com/weppos/publicsuffix-go$ go test ./...
?     github.com/weppos/publicsuffix-go/cmd/load  [no test files]
ok    github.com/weppos/publicsuffix-go/net/publicsuffix  0.006s
ok    github.com/weppos/publicsuffix-go/publicsuffix  0.025s

```
2017-07-12 14:34:49 -04:00
Roland Bracewell Shoemaker f5bc9e892a Update github.com/google/safebrowsing and block on database health (#2837)
Update github.com/google/safebrowsing and block on database health before starting `boulder-va`.

```
$ go test .
ok  	github.com/google/safebrowsing	4.510s

$ go test .
ok  	github.com/golang/protobuf/ptypes	0.002s
```

Fixes #2742.
2017-06-28 09:44:58 -04:00
Daniel McCarney 6310d62e73 Update `publicsuffix-go` dep to f5c9a8. (#2814)
This commit updates the `publicsuffix-go` dependency to f5c9a8, the tip
of master at the time of writing.

Per CONTRIBUTING.md, the unit tests were run:
```
~/go/src/github.com/weppos/publicsuffix-go$ go test ./...
?     github.com/weppos/publicsuffix-go/cmd/load  [no test files]
ok    github.com/weppos/publicsuffix-go/net/publicsuffix  0.006s
ok    github.com/weppos/publicsuffix-go/publicsuffix  0.025s
```
2017-06-16 13:52:53 -04:00
Roland Bracewell Shoemaker c78ef51f38 Force godep to vendor github.com/golang/mock/mockgen/model (#2792)
When running `gomock` to generate mocks in the boulder-tools image there is a requirement on `github.com/golang/mock/mockgen/model` but only during runtime (it is not required to build `gomock`). So that we don't require users to `go get` this package so that it exists in their GOPATH we need to vendor it so that it is always in the GOPATH of the boulder-tools image. In order to vendor this package (since it isn't actually used anywhere) we need to add a special file that imports this package and uses it for a variable that isn't actually used anywhere so that we can satisfy `godep`, this is done in the `test` package.

Fixes #2751.
2017-05-31 16:09:44 -07:00
Daniel McCarney f8022fb3f4 Updates CFSSL dep to c9a961e. (#2778)
Per review policy, running tests in updated dependencies yields:

```
$ go test ./vendor/github.com/cloudflare/cfssl/ocsp/
?       github.com/letsencrypt/boulder/vendor/github.com/cloudflare/cfssl/ocsp  [no test files]
```
2017-05-22 15:14:59 -07:00
Roland Bracewell Shoemaker d28f9b877b Switch CT import path (#2769)
Switches imports from `github.com/google/certificate-transparency` to `github.com/google/certificate-transparency-go` and vendors the new code. Also fixes a number of small breakages caused by API changes since the last time we vendored the code. Also updates `github.com/cloudflare/cfssl` since you can't vendor both `github.com/google/certificate-transparency` and `github.com/google/certificate-transparency-go`.

Side note: while doing this `godep` tried to pull in a number of imports under the `golang.org/x/text` repo that I couldn't find actually being used anywhere so I just dropped the changes to `Godeps/Godeps.json` and didn't add the vendored dir to the tree, let's see if this breaks any tests...

All tests pass

```
$ go test ./...
ok  	github.com/google/certificate-transparency-go	0.640s
ok  	github.com/google/certificate-transparency-go/asn1	0.005s
ok  	github.com/google/certificate-transparency-go/client	22.054s
?   	github.com/google/certificate-transparency-go/client/ctclient	[no test files]
ok  	github.com/google/certificate-transparency-go/fixchain	0.133s
?   	github.com/google/certificate-transparency-go/fixchain/main	[no test files]
ok  	github.com/google/certificate-transparency-go/fixchain/ratelimiter	27.752s
ok  	github.com/google/certificate-transparency-go/gossip	0.322s
?   	github.com/google/certificate-transparency-go/gossip/main	[no test files]
ok  	github.com/google/certificate-transparency-go/jsonclient	25.701s
ok  	github.com/google/certificate-transparency-go/merkletree	0.006s
?   	github.com/google/certificate-transparency-go/preload	[no test files]
?   	github.com/google/certificate-transparency-go/preload/dumpscts/main	[no test files]
?   	github.com/google/certificate-transparency-go/preload/main	[no test files]
ok  	github.com/google/certificate-transparency-go/scanner	0.013s
?   	github.com/google/certificate-transparency-go/scanner/main	[no test files]
ok  	github.com/google/certificate-transparency-go/tls	0.033s
ok  	github.com/google/certificate-transparency-go/x509	1.071s
?   	github.com/google/certificate-transparency-go/x509/pkix	[no test files]
?   	github.com/google/certificate-transparency-go/x509util	[no test files]
```
```
$ ./test.sh
...
ok  	github.com/cloudflare/cfssl/api	1.089s	coverage: 81.1% of statements
ok  	github.com/cloudflare/cfssl/api/bundle	1.548s	coverage: 87.2% of statements
ok  	github.com/cloudflare/cfssl/api/certadd	13.681s	coverage: 86.8% of statements
ok  	github.com/cloudflare/cfssl/api/client	1.314s	coverage: 55.2% of statements
ok  	github.com/cloudflare/cfssl/api/crl	1.124s	coverage: 75.0% of statements
ok  	github.com/cloudflare/cfssl/api/gencrl	1.067s	coverage: 72.5% of statements
ok  	github.com/cloudflare/cfssl/api/generator	2.809s	coverage: 33.3% of statements
ok  	github.com/cloudflare/cfssl/api/info	1.112s	coverage: 84.1% of statements
ok  	github.com/cloudflare/cfssl/api/initca	1.059s	coverage: 90.5% of statements
ok  	github.com/cloudflare/cfssl/api/ocsp	1.178s	coverage: 93.8% of statements
ok  	github.com/cloudflare/cfssl/api/revoke	2.282s	coverage: 75.0% of statements
ok  	github.com/cloudflare/cfssl/api/scan	2.729s	coverage: 62.1% of statements
ok  	github.com/cloudflare/cfssl/api/sign	2.483s	coverage: 83.3% of statements
ok  	github.com/cloudflare/cfssl/api/signhandler	1.137s	coverage: 26.3% of statements
ok  	github.com/cloudflare/cfssl/auth	1.030s	coverage: 68.2% of statements
ok  	github.com/cloudflare/cfssl/bundler	15.014s	coverage: 85.1% of statements
ok  	github.com/cloudflare/cfssl/certdb/dbconf	1.042s	coverage: 78.9% of statements
ok  	github.com/cloudflare/cfssl/certdb/ocspstapling	1.919s	coverage: 69.2% of statements
ok  	github.com/cloudflare/cfssl/certdb/sql	1.265s	coverage: 65.7% of statements
ok  	github.com/cloudflare/cfssl/cli	1.050s	coverage: 61.9% of statements
ok  	github.com/cloudflare/cfssl/cli/bundle	1.023s	coverage: 0.0% of statements
ok  	github.com/cloudflare/cfssl/cli/crl	1.669s	coverage: 57.8% of statements
ok  	github.com/cloudflare/cfssl/cli/gencert	9.278s	coverage: 83.6% of statements
ok  	github.com/cloudflare/cfssl/cli/gencrl	1.310s	coverage: 73.3% of statements
ok  	github.com/cloudflare/cfssl/cli/genkey	3.028s	coverage: 70.0% of statements
ok  	github.com/cloudflare/cfssl/cli/ocsprefresh	1.106s	coverage: 64.3% of statements
ok  	github.com/cloudflare/cfssl/cli/revoke	1.081s	coverage: 88.2% of statements
ok  	github.com/cloudflare/cfssl/cli/scan	1.217s	coverage: 36.0% of statements
ok  	github.com/cloudflare/cfssl/cli/selfsign	2.201s	coverage: 73.2% of statements
ok  	github.com/cloudflare/cfssl/cli/serve	1.133s	coverage: 39.0% of statements
ok  	github.com/cloudflare/cfssl/cli/sign	1.210s	coverage: 54.8% of statements
ok  	github.com/cloudflare/cfssl/cli/version	2.475s	coverage: 100.0% of statements
ok  	github.com/cloudflare/cfssl/cmd/cfssl	1.082s	coverage: 0.0% of statements
ok  	github.com/cloudflare/cfssl/cmd/cfssljson	1.016s	coverage: 4.0% of statements
ok  	github.com/cloudflare/cfssl/cmd/mkbundle	1.024s	coverage: 0.0% of statements
ok  	github.com/cloudflare/cfssl/config	2.754s	coverage: 67.7% of statements
ok  	github.com/cloudflare/cfssl/crl	1.063s	coverage: 68.3% of statements
ok  	github.com/cloudflare/cfssl/csr	27.016s	coverage: 89.6% of statements
ok  	github.com/cloudflare/cfssl/errors	1.081s	coverage: 81.2% of statements
ok  	github.com/cloudflare/cfssl/helpers	1.217s	coverage: 80.4% of statements
ok  	github.com/cloudflare/cfssl/helpers/testsuite	7.658s	coverage: 65.8% of statements
ok  	github.com/cloudflare/cfssl/initca	205.809s	coverage: 74.2% of statements
ok  	github.com/cloudflare/cfssl/log	1.016s	coverage: 59.3% of statements
ok  	github.com/cloudflare/cfssl/multiroot/config	1.107s	coverage: 77.4% of statements
ok  	github.com/cloudflare/cfssl/ocsp	1.524s	coverage: 77.7% of statements
ok  	github.com/cloudflare/cfssl/revoke	1.775s	coverage: 79.6% of statements
ok  	github.com/cloudflare/cfssl/scan	1.022s	coverage: 1.1% of statements
ok  	github.com/cloudflare/cfssl/selfsign	1.119s	coverage: 70.0% of statements
ok  	github.com/cloudflare/cfssl/signer	1.019s	coverage: 20.0% of statements
ok  	github.com/cloudflare/cfssl/signer/local	3.146s	coverage: 81.2% of statements
ok  	github.com/cloudflare/cfssl/signer/remote	2.328s	coverage: 71.8% of statements
ok  	github.com/cloudflare/cfssl/signer/universal	2.280s	coverage: 67.7% of statements
ok  	github.com/cloudflare/cfssl/transport	1.028s
ok  	github.com/cloudflare/cfssl/transport/ca/localca	1.056s	coverage: 94.9% of statements
ok  	github.com/cloudflare/cfssl/transport/core	1.538s	coverage: 90.9% of statements
ok  	github.com/cloudflare/cfssl/transport/kp	1.054s	coverage: 37.1% of statements
ok  	github.com/cloudflare/cfssl/ubiquity	1.042s	coverage: 88.3% of statements
ok  	github.com/cloudflare/cfssl/whitelist	2.304s	coverage: 100.0% of statements
```

Fixes #2746.
2017-05-17 13:41:33 -07:00
Jacob Hoffman-Andrews b17b5c72a6 Remove statsd from Boulder (#2752)
This removes the config and code to output to statsd.

- Change `cmd.StatsAndLogging` to output a `Scope`, not a `Statter`.
- Remove the prefixing of component name (e.g. "VA") in front of stats; this was stripped by `autoProm` but now no longer needs to be.
- Delete vendored statsd client.
- Delete `MockStatter` (generated by gomock) and `mocks.Statter` (hand generated) in favor of mocking `metrics.Scope`, which is the interface we now use everywhere.
- Remove a few unused methods on `metrics.Scope`, and update its generated mock.
- Refactor `autoProm` and add `autoRegisterer`, which can be included in a `metrics.Scope`, avoiding global state. `autoProm` now registers everything with the `prometheus.Registerer` it is given.
- Change va_test.go's `setup()` to not return a stats object; instead the individual tests that care about stats override `va.stats` directly.

Fixes #2639, #2733.
2017-05-15 10:19:54 -04:00
Daniel McCarney 101da45d04 Updates publicsuffix-go to 908fd3b. (#2727)
This commit updates the `publicsuffix-go` dependency to 908fd3b. Per
CONTRIBUTING.md the upstream unit tests were verified to pass:

```
daniel@XXXX:~/go/src/github.com/weppos/publicsuffix-go$ git log --oneline | head -n1
908fd3b autopull: 2017-04-25T06:00:35Z (#75)

daniel@XXXX:~/go/src/github.com/weppos/publicsuffix-go$ go test ./...
?     github.com/weppos/publicsuffix-go/cmd/load  [no test files]
ok    github.com/weppos/publicsuffix-go/net/publicsuffix  0.014s
ok    github.com/weppos/publicsuffix-go/publicsuffix  0.027s
```
2017-05-08 10:38:04 -07:00
Roland Bracewell Shoemaker a46d30945c Purge remaining AMQP code (#2648)
Deletes github.com/streadway/amqp and the various RabbitMQ setup tools etc. Changes how listenbuddy is used to proxy all of the gRPC client -> server connections so we test reconnection logic.

+49 -8,221 😁

Fixes #2640 and #2562.
2017-04-04 15:02:22 -07:00
Daniel McCarney ca3a2e0e3c Update publicsuffix-go to `fb1fc94` (#2642)
This PR updates the `publicsuffix-go` dependency to `fb1fc94`, the
latest autopull and the HEAD of master at the time of writing.

Per CONTRIBUTING.md the tests were verified to pass:
```
?       github.com/weppos/publicsuffix-go/cmd/load      [no test files]
ok      github.com/weppos/publicsuffix-go/net/publicsuffix      0.007s
ok      github.com/weppos/publicsuffix-go/publicsuffix  0.027s

```
2017-04-03 12:23:29 -07:00
Roland Bracewell Shoemaker 08f4dda038 Update github.com/grpc-ecosystem/go-grpc-prometheus and google.golang.org/grpc (#2637)
Updates the various gRPC/protobuf libs (google.golang.org/grpc/... and github.com/golang/protobuf/proto) and the boulder-tools image so that we can update to the newest github.com/grpc-ecosystem/go-grpc-prometheus. Also regenerates all of the protobuf definition files.

Tests run on updated packages all pass.

Unblocks #2633 fixes #2636.
2017-04-03 11:13:48 -07:00
Roland Bracewell Shoemaker 8a1adbdc9a Switch to gorp.v2 (#2598)
Switch from `gorp.v1` to `gorp.v2`. Removes `vendor/gopkg.in/gorp.v1` and vendors `vendor/gopkg/go-gorp/gorp.v2`, all tests pass.

Changes between `v1.7.1` and `v2.0.0`: c87af80f3c...4deece6103

Fixes #2490.
2017-03-08 12:20:22 -05:00
Daniel McCarney 1170f77680 Updates publicsuffix-go to 0.3.2. (#2596)
This commit updates the `publicsuffix-go` dependency to version 0.3.2,
the latest autopull.

Per CONTRIBUTING.md the tests are verified to pass:

```
 HEAD position was 5ebfcac... Fix outdated version number
 HEAD is now at c12e7e9... autopull: 2017-03-04T06:00:47Z (#62)
 ?      github.com/weppos/publicsuffix-go/cmd/load      [no test files]
 === RUN   TestPublicSuffix
 --- PASS: TestPublicSuffix (0.00s)
 === RUN   TestEffectiveTLDPlusOne
 --- PASS: TestEffectiveTLDPlusOne (0.00s)
 PASS
 ok     github.com/weppos/publicsuffix-go/net/publicsuffix      0.007s
 === RUN   TestValid
 --- PASS: TestValid (0.00s)
 === RUN   TestIncludePrivate
 --- PASS: TestIncludePrivate (0.00s)
 === RUN   TestIDNA
 --- PASS: TestIDNA (0.00s)
 === RUN   TestPsl
 --- PASS: TestPsl (0.01s)
 === RUN   TestNewListFromString
 --- PASS: TestNewListFromString (0.00s)
 === RUN   TestNewListFromString_IDNAInputIsUnicode
 --- PASS: TestNewListFromString_IDNAInputIsUnicode (0.00s)
 === RUN   TestNewListFromString_IDNAInputIsAscii
 --- PASS: TestNewListFromString_IDNAInputIsAscii (0.00s)
 === RUN   TestNewListFromFile
 --- PASS: TestNewListFromFile (0.00s)
 === RUN   TestListAddRule
 --- PASS: TestListAddRule (0.00s)
 === RUN   TestListFind
 --- PASS: TestListFind (0.00s)
 === RUN   TestNewRule_Normal
 --- PASS: TestNewRule_Normal (0.00s)
 === RUN   TestNewRule_Wildcard
 --- PASS: TestNewRule_Wildcard (0.00s)
 === RUN   TestNewRule_Exception
 --- PASS: TestNewRule_Exception (0.00s)
 === RUN   TestNewRule_FromASCII
 --- PASS: TestNewRule_FromASCII (0.00s)
 === RUN   TestNewRule_FromUnicode
 --- PASS: TestNewRule_FromUnicode (0.00s)
 === RUN   TestNewRuleUnicode_FromASCII
 --- PASS: TestNewRuleUnicode_FromASCII (0.00s)
 === RUN   TestNewRuleUnicode_FromUnicode
 --- PASS: TestNewRuleUnicode_FromUnicode (0.00s)
 === RUN   TestRuleMatch
 --- PASS: TestRuleMatch (0.00s)
 === RUN   TestRuleDecompose
 --- PASS: TestRuleDecompose (0.00s)
 === RUN   TestLabels
 --- PASS: TestLabels (0.00s)
 === RUN   TestCookieJarList
 --- PASS: TestCookieJarList (0.00s)
 PASS
 ok     github.com/weppos/publicsuffix-go/publicsuffix  0.027s
```
2017-03-06 12:47:00 -08:00
Simone Carletti affa0e92cd Upgrade the PSL (and publicsuffix-go to v0.3.2) (#2553)
In the last weeks we made some large changes to the list of .RU and .SU domains in the PSL, due to some very old policy changes at the registry (2009) and more recent follow up.

Given the amount of pressure about these changes from certain users, most certainly because of LE limits, I figured you'll soon have people asking you to merge the changes. I've packaged a new release of publicsuffix-go, and updated the dependency in this PR.

```
$ git show master

commit c5490f26d8f43b84857ac54e23387b8ed9b100dd
Author: Simone Carletti <weppos@weppos.net>
Date:   Tue Feb 7 23:26:14 2017 +0100

    Release 0.3.2
```

```
➜  publicsuffix-go git:(master) go test ./...
?   	github.com/weppos/publicsuffix-go/cmd/load	[no test files]
ok  	github.com/weppos/publicsuffix-go/net/publicsuffix	0.023s
ok  	github.com/weppos/publicsuffix-go/publicsuffix	0.039s
```

Please note this release also includes the .ONION as per publicsuffix/list#374
2017-02-07 14:59:48 -08:00
Jacob Hoffman-Andrews 373ff015a2 Update cfssl, CT, and OCSP dependencies (#2170)
Pulls in logging improvements in OCSP Responder and the CT client, plus a handful of API changes. Also, the CT client verifies responses by default now.

This change includes some Boulder diffs to accommodate the API changes.
2017-01-12 16:01:14 -08:00
Simone Carletti b5bac90efd Update the publicsuffix dep to v0.3.1 (#2462)
We recently made changes to the IANA suffixes, and you may want to pull them into the latest Boulder version.

```
➜  publicsuffix-go git:(master) git show -s

commit 3ea542729b4d7056a9d1356c9baf27bcad2bda7f
Author: Simone Carletti <weppos@weppos.net>
Date:   Mon Jan 2 18:28:57 2017 +0100

    Release 0.3.1
```

```
➜  publicsuffix-go git:(master) go test ./...
?   	github.com/weppos/publicsuffix-go/cmd/gen	[no test files]
?   	github.com/weppos/publicsuffix-go/cmd/load	[no test files]
ok  	github.com/weppos/publicsuffix-go/net/publicsuffix	0.045s
ok  	github.com/weppos/publicsuffix-go/publicsuffix	0.091s
```

v0.3.1 is tagged and signed with my PGP key.
https://github.com/weppos/publicsuffix-go/releases/tag/v0.3.1
2017-01-02 11:05:19 -08:00
Daniel McCarney 74e281c1ce Switch to Google's v4 safebrowsing library. (#2446)
Right now we are using a third-party client for the Google Safe Browsing API, but Google has recently released their own [Golang library](https://github.com/google/safebrowsing) which also supports the newer v4 API. Using this library will let us avoid fixing some lingering race conditions & unpleasantness in our fork of `go-safebrowsing-api`.

This PR adds support for using the Google library & the v4 API in place of our existing fork when the `GoogleSafeBrowsingV4` feature flag is enabled in the VA "features" configuration.

Resolves https://github.com/letsencrypt/boulder/issues/1863

Per `CONTRIBUTING.md` I also ran the unit tests for the new dependency:
```
daniel@XXXXXXXXXX:~/go/src/github.com/google/safebrowsing$ go test ./...
ok  	github.com/google/safebrowsing	3.274s
?   	github.com/google/safebrowsing/cmd/sblookup	[no test files]
?   	github.com/google/safebrowsing/cmd/sbserver	[no test files]
?   	github.com/google/safebrowsing/cmd/sbserver/statik	[no test files]
?   	github.com/google/safebrowsing/internal/safebrowsing_proto	[no test files]
ok  	github.com/google/safebrowsing/vendor/github.com/golang/protobuf/jsonpb	0.012s
?   	github.com/google/safebrowsing/vendor/github.com/golang/protobuf/jsonpb/jsonpb_test_proto	[no test files]
ok  	github.com/google/safebrowsing/vendor/github.com/golang/protobuf/proto	0.062s
?   	github.com/google/safebrowsing/vendor/github.com/golang/protobuf/proto/proto3_proto	[no test files]
?   	github.com/google/safebrowsing/vendor/github.com/golang/protobuf/protoc-gen-go	[no test files]
?   	github.com/google/safebrowsing/vendor/github.com/golang/protobuf/protoc-gen-go/descriptor	[no test files]
ok  	github.com/google/safebrowsing/vendor/github.com/golang/protobuf/protoc-gen-go/generator	0.017s
?   	github.com/google/safebrowsing/vendor/github.com/golang/protobuf/protoc-gen-go/grpc	[no test files]
?   	github.com/google/safebrowsing/vendor/github.com/golang/protobuf/protoc-gen-go/plugin	[no test files]
ok  	github.com/google/safebrowsing/vendor/github.com/golang/protobuf/ptypes	0.009s
?   	github.com/google/safebrowsing/vendor/github.com/golang/protobuf/ptypes/any	[no test files]
?   	github.com/google/safebrowsing/vendor/github.com/golang/protobuf/ptypes/duration	[no test files]
?   	github.com/google/safebrowsing/vendor/github.com/golang/protobuf/ptypes/empty	[no test files]
?   	github.com/google/safebrowsing/vendor/github.com/golang/protobuf/ptypes/struct	[no test files]
?   	github.com/google/safebrowsing/vendor/github.com/golang/protobuf/ptypes/timestamp	[no test files]
?   	github.com/google/safebrowsing/vendor/github.com/golang/protobuf/ptypes/wrappers	[no test files]
?   	github.com/google/safebrowsing/vendor/github.com/rakyll/statik	[no test files]
?   	github.com/google/safebrowsing/vendor/github.com/rakyll/statik/fs	[no test files]
ok  	github.com/google/safebrowsing/vendor/golang.org/x/net/idna	0.003s
```
2016-12-27 11:18:11 -05:00
Jacob Hoffman-Andrews b8a237ffb3 Use grpc-go-prometheus for RPC stats. (#2391)
There's an off-the-shelf package that provides most of the stats we care about
for gRPC using interceptors. This change vendors go-grpc-prometheus and its
dependencies, and calls out to the interceptors provided by that package from
our own interceptors.

This will allow us to get metrics like latency histograms by call, status codes
by call, and so on.

Fixes #2390.

This change vendors go-grpc-prometheus and its dependencies. Per contributing guidelines, I've run the tests on these dependencies, and they pass:

```
go test github.com/davecgh/go-spew/spew github.com/grpc-ecosystem/go-grpc-prometheus github.com/grpc-ecosystem/go-grpc-prometheus/examples/testproto github.com/pmezard/go-difflib/difflib github.com/stretchr/testify/assert github.com/stretchr/testify/require github.com/stretchr/testify/suite
ok      github.com/davecgh/go-spew/spew 0.022s
ok      github.com/grpc-ecosystem/go-grpc-prometheus    0.120s
?       github.com/grpc-ecosystem/go-grpc-prometheus/examples/testproto [no test files]
ok      github.com/pmezard/go-difflib/difflib   0.042s
ok      github.com/stretchr/testify/assert      0.021s
ok      github.com/stretchr/testify/require     0.017s
ok      github.com/stretchr/testify/suite       0.012s
```
2016-12-05 14:31:22 -08:00
Daniel McCarney 9128a64d13 Updates pkcs11key dep to v1.0.0 (#2369)
This PR updates the github.com/letsencrypt/pkcs11key dependency to v1.0.0.

Per CONTRIBUTING.md I checked the unit tests pass:

```
daniel@XXXXX:~/go/src/github.com/letsencrypt/pkcs11key$ git show -s
commit c47dab18ddd8c4d4267661870d3ba331cddc57c9
Author: Jacob Hoffman-Andrews <github@hoffman-andrews.com>
Date:   Fri Sep 9 15:23:00 2016 -0400

    Echo path when failing to load module. (#6)

daniel@XXXXX:~/go/src/github.com/letsencrypt/pkcs11key$ go test ./...
ok  	github.com/letsencrypt/pkcs11key	0.002s
ok  	github.com/letsencrypt/pkcs11key/uri	0.002s
```
2016-11-29 12:57:33 -08:00
Daniel McCarney d8c10149dd Updates `google.golang.org/grpc` to v1.0.3. (#2359)
This PR updates our GRPC library dep. to v1.0.3. It's likely we can update to v1.0.4 without much effort but on a first attempt it seems that the SupportPackageIsVersion3 to SupportPackageIsVersion4 change might cause some headaches so I started with 1.0.3.

The grpc/creds.go serverTransportCredentials and clientTransportCredentials needed two new funcs (Clone and OverrideServerName) to conform to the updated credentials.TransportCredentials interface.

It's tempting to remove grpc/creds.go clientTransportCredentials entirely now that the TLSCredentials from upstream has an OverrideServerName function we can use, but unfortunately it only supports one hostname and must be called ahead of ClientHandshake that we still need clientTransportCredentials for our use-case. I tried this and failed, so clientTransportCredentials remains in bgrpc/creds/creds.go.

Per CONTRIBUTING.md I've verified the unit tests pass:

```
daniel@XXXXXX:~/go/src/google.golang.org/grpc$ git show -s
commit b7f1379d3cbbbeb2ca3405852012e237aa05459e
Merge: 33731fd bac9e1d
Author: Qi Zhao <toqizhao@gmail.com>
Date:   Mon Oct 17 16:02:05 2016 -0700

    Merge pull request #903 from improbable-io/blocking-graceful-shutdown-fix

    Make concurrent Server.GracefulStop calls all behave equivalently.

daniel@XXXXXX:~/go/src/google.golang.org/grpc$ go test ./...
ok  	google.golang.org/grpc	0.215s
ok  	google.golang.org/grpc/benchmark	0.017s
?   	google.golang.org/grpc/benchmark/client	[no test files]
?   	google.golang.org/grpc/benchmark/grpc_testing	[no test files]
?   	google.golang.org/grpc/benchmark/server	[no test files]
?   	google.golang.org/grpc/benchmark/stats	[no test files]
?   	google.golang.org/grpc/benchmark/worker	[no test files]
?   	google.golang.org/grpc/codes	[no test files]
ok  	google.golang.org/grpc/credentials	0.041s
?   	google.golang.org/grpc/credentials/oauth	[no test files]
?   	google.golang.org/grpc/examples/helloworld/greeter_client	[no test files]
?   	google.golang.org/grpc/examples/helloworld/greeter_server	[no test files]
?   	google.golang.org/grpc/examples/helloworld/helloworld	[no test files]
?   	google.golang.org/grpc/examples/route_guide/client	[no test files]
?   	google.golang.org/grpc/examples/route_guide/routeguide	[no test files]
?   	google.golang.org/grpc/examples/route_guide/server	[no test files]
ok  	google.golang.org/grpc/grpclb	0.047s
?   	google.golang.org/grpc/grpclb/grpc_lb_v1	[no test files]
?   	google.golang.org/grpc/grpclog	[no test files]
?   	google.golang.org/grpc/grpclog/glogger	[no test files]
?   	google.golang.org/grpc/health	[no test files]
?   	google.golang.org/grpc/health/grpc_health_v1	[no test files]
?   	google.golang.org/grpc/internal	[no test files]
?   	google.golang.org/grpc/interop	[no test files]
?   	google.golang.org/grpc/interop/client	[no test files]
?   	google.golang.org/grpc/interop/grpc_testing	[no test files]
?   	google.golang.org/grpc/interop/server	[no test files]
ok  	google.golang.org/grpc/metadata	0.004s
?   	google.golang.org/grpc/naming	[no test files]
?   	google.golang.org/grpc/peer	[no test files]
ok  	google.golang.org/grpc/reflection	0.029s
?   	google.golang.org/grpc/reflection/grpc_reflection_v1alpha	[no test files]
?   	google.golang.org/grpc/reflection/grpc_testing	[no test files]
?   	google.golang.org/grpc/stress/client	[no test files]
?   	google.golang.org/grpc/stress/grpc_testing	[no test files]
?   	google.golang.org/grpc/stress/metrics_client	[no test files]
ok  	google.golang.org/grpc/test	94.693s
?   	google.golang.org/grpc/test/codec_perf	[no test files]
?   	google.golang.org/grpc/test/grpc_testing	[no test files]
ok  	google.golang.org/grpc/transport	12.574s
```
2016-11-29 11:07:10 -08:00
Daniel McCarney b2b492fce9 Updates prometheus client_golang dep to 0.8.0 (#2358)
This PR updates the `github.com/prometheus/client_golang` dependency to the v0.8.0 release tag.

For future note, `godep update github.com/prometheus/client_golang/prometheus/promhttp` doesn't work correctly for this package due to the nesting structure (See https://github.com/tools/godep/issues/164). This can be worked around by using `godep update github.com/prometheus/client_golang/...` instead ¯\\\_(ツ)\_/¯

Per `CONTRIBUTING.md` I verified the unit tests pass:

```
daniel@XXXXXX:~/go/src/github.com/prometheus/client_golang$ git show -s
commit c5b7fccd204277076155f10851dad72b76a49317
Merge: a4d14b3 1b26087
Author: Björn Rabenstein <bjoern@rabenste.in>
Date:   Wed Aug 17 17:48:24 2016 +0200

    Merge pull request #226 from prometheus/beorn7/alloc
    
    Bring back zero-alloc label-value access for metric vecs
daniel@XXXXXX:~/go/src/github.com/prometheus/client_golang$ go test ./...
ok  	github.com/prometheus/client_golang/api/prometheus	0.003s
?   	github.com/prometheus/client_golang/examples/random	[no test files]
?   	github.com/prometheus/client_golang/examples/simple	[no test files]
ok  	github.com/prometheus/client_golang/prometheus	28.661s
ok  	github.com/prometheus/client_golang/prometheus/promhttp	0.013s
ok  	github.com/prometheus/client_golang/prometheus/push	0.007s
```
2016-11-28 13:25:28 -08:00
Daniel McCarney 38c2ea3382 Updates `go-sql-driver` dep to latest master. (#2344)
This commit updates the `go-sql-driver` dependency to the tip of master
(665b83488b90b902ce0a305ef6652e599771cdf9).

A v1.3 release and a commitment to semantic versioning[0] will soon
allow us to switch this from master to a well defined tag.

[0] - https://github.com/go-sql-driver/mysql/issues/476#issuecomment-256004996
2016-11-22 16:06:31 -08:00
Daniel McCarney b110974f46 Updates `go-statsd-client` to 2.0.2. (#2343)
This commit updates the cactus `go-statsd-client` to the 2.0.2 release
tag.

Note: the most recent release is 3.1.0 but the introduction of
substatter support in 3.0.0 changes the `Statter` interface we rely on
in the boulder metrics package. We should consider follow-up work to
refactor our metrics code to be compatible with the 3.x releases.

Relates to #2315.
2016-11-22 16:04:41 -08:00
Daniel McCarney 8b7a6b39fd Updates PSL to support IDN TLDs (#2339)
This pull request updates the publicsuffix-go dependency to version 0.3.0, most notably including weppos/publicsuffix-go#40 and support for IDN TLDs.

The PA's TestWillingToIssue unit test is updated to confirm that Boulder is WillingToIssue a well formed IDN domain with an IDN TLD. Prior to c5cc328 this causes the PA unit tests to fail as expected with urn:acme:error:malformed :: Name does not end in a public suffix. After c5cc328 everything is 💯

Per CONTRIBUTING.md the unit tests are confirmed to pass:

```
daniel@XXXXXX:~/go/src/github.com/weppos/publicsuffix-go$ git show -s
commit 49fe4b0e8276b314e6703300ac26940d9c090a06
Author: Simone Carletti <weppos@weppos.net>
Date:   Mon Nov 21 19:26:37 2016 +0100

    Release 0.3.0

daniel@XXXXXX:~/go/src/github.com/weppos/publicsuffix-go$ go test ./...
?   	github.com/weppos/publicsuffix-go/cmd/gen	[no test files]
?   	github.com/weppos/publicsuffix-go/cmd/load	[no test files]
ok  	github.com/weppos/publicsuffix-go/net/publicsuffix	0.007s
ok  	github.com/weppos/publicsuffix-go/publicsuffix	0.042s
```
❤️ 🍺 and 🎉's to @weppos for the upstream work required for this fix. We truly appreciate your volunteer work on the PSL and the publicsuffix-go library. You're the best!

This resolves #2277.
2016-11-21 11:06:17 -08:00
Daniel McCarney a6f2b0fafb Updates `go-jose` dep to v1.1.0 (#2314)
This commit updates the `go-jose` dependency to [v1.1.0](https://github.com/square/go-jose/releases/tag/v1.1.0) (Commit: aa2e30fdd1fe9dd3394119af66451ae790d50e0d). Since the import path changed from `github.com/square/...` to `gopkg.in/square/go-jose.v1/` this means removing the old dep and adding the new one.

The upstream go-jose library added a `[]*x509.Certificate` member to the `JsonWebKey` struct that prevents us from using a direct equality test against two `JsonWebKey` instances. Instead we now must compare the inner `Key` members.

The `TestRegistrationContactUpdate` function from `ra_test.go` was updated to populate the `Key` members used in testing instead of only using KeyID's to allow the updated comparisons to work as intended.

The `Key` field of the `Registration` object was switched from `jose.JsonWebKey` to `*jose.JsonWebKey` to make it easier to represent a registration w/o a Key versus using a value with a nil `JsonWebKey.Key`.

I verified the upstream unit tests pass per contributing.md:
```
daniel@XXXXX:~/go/src/gopkg.in/square/go-jose.v1$ git show
commit aa2e30fdd1fe9dd3394119af66451ae790d50e0d
Merge: 139276c e18a743
Author: Cedric Staub <cs@squareup.com>
Date:   Thu Sep 22 17:08:11 2016 -0700

    Merge branch 'master' into v1
    
    * master:
      Better docs explaining embedded JWKs
      Reject invalid embedded public keys
      Improve multi-recipient/multi-sig handling

daniel@XXXXX:~/go/src/gopkg.in/square/go-jose.v1$ go test ./...
ok  	gopkg.in/square/go-jose.v1	17.599s
ok  	gopkg.in/square/go-jose.v1/cipher	0.007s
?   	gopkg.in/square/go-jose.v1/jose-util	[no test files]
ok  	gopkg.in/square/go-jose.v1/json	1.238s
```
2016-11-08 13:56:50 -05:00
Jacob Hoffman-Andrews 9b8b877e42 Add prometheus client. (#2293)
This vendors the Prometheus client code, and exports metrics on the debug port, under `/metrics`.

This will currently export just the default metrics, like `go_goroutines`, `process_cpu_seconds_total`, `process_open_fds`, and `process_resident_memory_bytes`. Later work will start exporting Boulder-specific metrics, but this will allow Ops to start configuring scraping of Prometheus metrics in production.

Tests pass:

```
$ git diff master Godeps/ | sed -ne 's/^+.*ImportPath": "//p' | tr -d '",' | xargs go test
ok      github.com/beorn7/perks/quantile        0.562s
ok      github.com/matttproud/golang_protobuf_extensions/pbutil 0.003s
ok      github.com/prometheus/client_golang/prometheus  34.418s
ok      github.com/prometheus/client_golang/prometheus/promhttp 0.003s
?       github.com/prometheus/client_model/go   [no test files]
ok      github.com/prometheus/common/expfmt     0.019s
ok      github.com/prometheus/common/internal/bitbucket.org/ww/goautoneg        0.002s
ok      github.com/prometheus/common/model      0.003s
ok      github.com/prometheus/procfs    0.008s
```

Part of #2284
2016-10-28 16:13:41 -07:00
Jacob Hoffman-Andrews b37766c3cb Revert "Update google/certificate-transparency dependency. (#2242)"
This reverts commit 277cdf1638.
2016-10-17 15:20:08 -07:00
Jacob Hoffman-Andrews 277cdf1638 Update google/certificate-transparency dependency. (#2242)
Mostly this pulls in
https://github.com/google/certificate-transparency/pull/1275, which means we
don't log as much garbage when CT is having trouble. It also pulls in various
other updates.
2016-10-12 13:49:13 -04:00
Daniel 652d61538b Updates publicsuffix-go to +cd40c0.
This PR updates the `publicsuffix-go` dependency to upstream HEAD
(commit `3316aa3feceb68fa73009112eddd387500cd40c0`).

Per CONTRIBUTING.md I verified the project unit tests:

```
daniel@XXXXXXX:~/go/src/github.com/weppos/publicsuffix-go/publicsuffix$ git show -s
commit 3316aa3feceb68fa73009112eddd387500cd40c0
Author: Simone Carletti <weppos@weppos.net>
Date:   Wed Oct 12 10:05:18 2016 +0200

    autopull: 2016-10-12T06:00:21Z (#25)

daniel@XXXXXXX:~/go/src/github.com/weppos/publicsuffix-go/publicsuffix$ go test -v ../...
?     github.com/weppos/publicsuffix-go/cmd/gen [no test files]
?     github.com/weppos/publicsuffix-go/cmd/load  [no test files]
=== RUN   TestPublicSuffix
--- PASS: TestPublicSuffix (0.00s)
=== RUN   TestEffectiveTLDPlusOne
--- PASS: TestEffectiveTLDPlusOne (0.00s)
PASS
ok    github.com/weppos/publicsuffix-go/net/publicsuffix  0.007s
=== RUN   TestValid
--- PASS: TestValid (0.00s)
=== RUN   TestIncludePrivate
--- PASS: TestIncludePrivate (0.00s)
=== RUN   TestPsl
--- PASS: TestPsl (0.02s)
=== RUN   TestNewListFromString
--- PASS: TestNewListFromString (0.00s)
=== RUN   TestNewListFromFile
--- PASS: TestNewListFromFile (0.00s)
=== RUN   TestListAddRule
--- PASS: TestListAddRule (0.00s)
=== RUN   TestListFind
--- PASS: TestListFind (0.00s)
=== RUN   TestNewRule_Normal
--- PASS: TestNewRule_Normal (0.00s)
=== RUN   TestNewRule_Wildcard
--- PASS: TestNewRule_Wildcard (0.00s)
=== RUN   TestNewRule_Exception
--- PASS: TestNewRule_Exception (0.00s)
=== RUN   TestRuleMatch
--- PASS: TestRuleMatch (0.00s)
=== RUN   TestRuleDecompose
--- PASS: TestRuleDecompose (0.00s)
=== RUN   TestLabels
--- PASS: TestLabels (0.00s)
=== RUN   TestCookieJarList
--- PASS: TestCookieJarList (0.00s)
PASS
ok    github.com/weppos/publicsuffix-go/publicsuffix  0.026s
```
2016-10-12 13:07:03 -04:00
Roland Bracewell Shoemaker 5fabc90a16 Add IDN support (#2215)
Add feature flagged support for issuing for IDNs, fixes #597.

This patch expects that clients have performed valid IDN2008 encoding on any label that includes unicode characters. Invalid encodings (including non-compatible IDN2003 encoding) will be rejected. No script-mixing or script exclusion checks are performed as we assume that if a name is resolvable that it conforms to the registrar's policies on these matters and if it uses non-standard scripts in sub-domains etc that browsers should be the ones choosing how to display those names.

Required a full update of the golang.org/x/net tree to pull in golang.org/x/net/idna, all test suites pass.
2016-10-06 13:05:37 -04:00
Daniel McCarney d2d5326d2b Updates publicsuffix-go to +81e759 (#2209)
This commit bumps the `publicsuffix-go` dependency to revision
c1cd939ff293bbb87df3691068165868f081e759.
2016-09-26 18:11:27 -07:00
Roland Bracewell Shoemaker e187c92715 Add gRPC client side metrics (#2151)
Fixes #1880.

Updates google.golang.org/grpc and github.com/jmhodges/clock, both test suites pass. A few of the gRPC interfaces changed so this also fixes those breakages.
2016-09-09 15:17:36 -04:00
Roland Bracewell Shoemaker 91bfd05127 Revert #2088 (#2137)
* Remove oldx509 usage

* Un-vendor old crypto/x509, crypto/x509/pkix, and encoding/asn1
2016-08-23 14:01:37 -04:00
Daniel McCarney 95db733f57 Update publicsuffix-go to +2605b7 (#2123)
This commit updates the publicsuffix-go dependency to upstream HEAD (commit
088a5b7b1f746fca57b9440f8e94f9b3302605b7 (there are no tags or releases
for this project)).

Per CONTRIBUTING.md I ran the project unit tests:

```
daniel@xxxxxxxxx:~/go/src/github.com/weppos/publicsuffix-go$ git show -s
commit 088a5b7b1f746fca57b9440f8e94f9b3302605b7
Author: Simone Carletti <weppos@weppos.net>
Date:   Wed Aug 10 10:52:20 2016 +0200

    autopull: 2016-08-10T06:00:16Z (#20)

daniel@xxxxxxxxx:~/go/src/github.com/weppos/publicsuffix-go$ go test ./...
    ?     github.com/weppos/publicsuffix-go/cmd/gen [no test files]
    ?     github.com/weppos/publicsuffix-go/cmd/load  [no test files]
    ok    github.com/weppos/publicsuffix-go/net/publicsuffix  0.008s
    ok    github.com/weppos/publicsuffix-go/publicsuffix  0.029s
```
2016-08-15 10:10:20 -07:00
Jacob Hoffman-Andrews 474b76ad95 Import forked x509 for parsing of CSRs with empty integers (#2088)
Part of #2080.

This change vendors `crypto/x509`, `crypto/x509/pkix`, and `encoding/asn1` from  1d5f6a765d. That commit is a direct child of the Go 1.5.4 release tag, so it contains the same code as the current Go version we are using. In that commit I rewrote imports in those packages so they depend on each other internally rather than calling out to the standard library, which would cause type disagreements.

I changed the imports in each place where we're parsing CSRs, and imported under a different name `oldx509`, both to avoid collisions and make it clear what's going on. Places that only use `x509` to parse certificates are not changed, and will use the current standard library.

This will unblock us from moving to Go 1.6, and subsequently Go 1.7.
2016-07-28 10:38:33 -04:00
Ben Irving 159aeca64e Split up boulder-config.json (Single OCSP) + Cleanup (#2069)
This PR removes the use of the global configuration variable BOULDER_CONFIG. It also removes the global configuration struct cmd.Config. Furthermore, it removes the dependency codegangsta/cli and the last bit of code that was using it cmd/single-ocsp/main.go.

This is the final (hopefully) pull request in the work to remove the reliance on a global configuration structure. Included below is a history of all other pull requests relevant in accomplishing this:

 WFE (#1973)
 RA (#1974)
 SA (#1975)
 CA (#1978)
 VA (#1979)
 Publisher (#2008)
 OCSP Updater (#2013)
 OCSP Responder (#2017)
 Admin Revoker (#2053)
 Expiration Mailer (#2036)
 Cert Checker (#2058)
 Orphan Finder (#2059)
 Single OCSP (this PR)

Closes #1962
2016-07-22 12:39:29 -07:00
Jacob Hoffman-Andrews fb7317e092 Update pkcs11key and miekg/pkcs11 (#2052)
This pulls in two changes that fix the case where pkcs11 failed to load the module. One where the return value was nil, and one where an empty string could be passed to libtool-ltdl.

Tests pass for both packages.
2016-07-20 10:41:32 -04:00
Roland Bracewell Shoemaker 887618effc Update github.com/cloudflare/cfssl and github.com/google/certificate-transparency (#2032)
Updates `github.com/cloudflare/cfssl` and `github.com/google/certificate-transparency/go` to current master. CFSSL has re-structured some of the `signer/local` code which should be given a once-over. Otherwise everything seems mostly benign and/or doesn't affect our usage.

Vendored tests pass.
2016-07-12 13:59:50 -07:00
Jacob Hoffman-Andrews d1ff0779c9 Update golang.org/x/crypto/... to latest. (#2040)
Pulls in https://go-review.googlesource.com/#/c/24841/, which fixes
https://github.com/golang/go/issues/16321.
2016-07-12 09:28:30 -04:00
Simone Carletti 7172e49650 Replace x/net/publicsuffix with weppos/publicsuffix-go (#1969)
This PR replaces the `x/net/publicsuffix` package with `weppos/publicsuffix-go`.

The conversations that led to this decision are #1479 and #1374. To summarize the discussion, the main issue with `x/net/publicsuffix` is that the package compiles the list into the Go source code and doesn't provide a way to easily pull updates (e.g. by re-parsing the original PSL) unless the entire package is recompiled.

The PSL update frequency is almost daily, which makes it very hard to recompile the official Golang package to stay up-to-date with all the changes. Moreover, Golang maintainers expressed some concerns about rebuilding and committing changes with a frequency that would keep the package in sync with the original PSL. See https://github.com/letsencrypt/boulder/issues/1374#issuecomment-182429297

`weppos/publicsuffix-go` contains a compiled version of the list that is updated weekly (or more frequently). Moreover, the package can read and parse a PSL from a String or a File which will effectively decouple the Boulder source code from the list itself. The main benefit is that it will be possible to update the definition by simply downloading the latest list and restarting the application (assuming the list is persisted in memory).
2016-06-30 15:03:14 -07:00
Jacob Hoffman-Andrews fd095b8881 Fix Docker test builds: latest certbot and grpc (#1991)
The `letsencrypt/boulder-tools` image was recently updated, pulling in version
0.8.0 of certbot. That version stores the output of `certonly` requests in a
different path. In test.sh, we check out a specific tagged release of certbot in
order to get its integration tests. Prior to this commit, we were using
certbot 0.8.0 with the integration tests from version 0.6.0 of certbot,
which looked for `certonly` output in the wrong place, and failed.

This commit changes test.sh to checkout the 0.8.0 branch, and also removes a
temporary shim we used to make the `certbot` command call out to the
`letsencrypt` command.

Also, since the latest version of `letsencrypt/boulder-tools` includes an updated
`protoc-gen-go`, this change also updates the support packages to match.
2016-06-29 10:54:03 -07:00
Roland Bracewell Shoemaker 7b29dba75d Add gRPC server-side interceptor (#1933)
Adds a server side unary RPC interceptor which includes basic stats. We could also use this to add a server request ID to the context.Context to identify the call through the system, but really I'd rather do that on the client side before the RPC is sent which requires the client interceptor implementation upstream. Also updates google.golang.org/grpc.

Updates #1880.
2016-06-20 11:27:32 -04:00
Roland Bracewell Shoemaker 92e0704b1b Allow gRPC clients to connect to multiple backends (#1918)
Fixes #1917 and #1755, also updates google.golang.org/grpc to b60d3e9e.
2016-06-15 16:50:56 -07:00
Roland Bracewell Shoemaker 35b6e83e81 Implement CAA quorum checking after failure (#1763)
When a CAA request to Unbound times out, fall back to checking CAA via Google Public DNS' HTTPS API, through multiple proxies so as to hit geographically distributed paths. All successful multipath responses must be identical in order to succeed, and at most one can fail.

Fixes #1618
2016-05-05 11:16:58 -07:00
Roland Bracewell Shoemaker 8ee578c3b7 Check JWK is valid before sending to SA (#1782)
Update vendored github.com/square/go-jose
Check key is valid before sending to SA
2016-05-03 14:26:52 -07:00
Jacob Hoffman-Andrews 26de87dfa2 Update grpc dep and regenerate caa-checker. (#1761)
* Update grpc dep and regenerate caa-checker.

The latest version generates a different format. This is a precursor to running
go generate in Travis.
2016-04-21 11:05:17 -07:00
Kane York b7cf618f5d context.Context as the first parameter of all RPC calls (#1741)
Change core/interfaces to put context.Context as the first parameter of all RPC calls in preparation for gRPC.
2016-04-19 11:34:36 -07:00
Jacob Hoffman-Andrews e6c17e1717 Switch to new vendor style (#1747)
* Switch to new vendor style.

* Fix metrics generate command.

* Fix miekg/dns types_generate.

* Use generated copies of files.

* Update miekg to latest.

Fixes a problem with `go generate`.

* Set GO15VENDOREXPERIMENT.

* Build in letsencrypt/boulder.

* fix travis more.

* Exclude vendor instead of godeps.

* Replace some ...

* Fix unformatted cmd

* Fix errcheck for vendorexp

* Add GO15VENDOREXPERIMENT to Makefile.

* Temp disable errcheck.

* Restore master fetch.

* Restore errcheck.

* Build with 1.6 also.

* Match statsd.*"

* Skip errcheck unless Go1.6.

* Add other ignorepkg.

* Fix errcheck.

* move errcheck

* Remove go1.6 requirement.

* Put godep-restore with errcheck.

* Remove go1.6 dep.

* Revert master fetch revert.

* Remove -r flag from godep save.

* Set GO15VENDOREXPERIMENT in Dockerfile and remove _workspace.

* Fix Godep version.
2016-04-18 12:51:36 -07:00