Updates #1699.
Adds a new package, `features`, which exposes methods to set and check if various internal features are enabled. The implementation uses global state to store the features so that services embedded in another service do not each require their own features map in order to check if something is enabled.
Requires a `boulder-tools` image update to include `golang.org/x/tools/cmd/stringer`.
Previously, the CA would log the full PEM encoded certificate signing request and the signed certificate. This PR, removes that, and logs a base64 encoded version of the request and the certificate.
Due to the fact that cfssl returns the certificate in PEM format regardless, we decode the certificate into DER and log the base64 version. If there is any failure in the decoding from PEM to DER, the CA will log the PEM encoded version of the certificate (this is the only case).
Furthermore, the Signing Success message was moved after the certificate is checked for 0 length and decoded into DER, which seems to make logical sense to me.
Fixes#1968
Part of #2080.
This change vendors `crypto/x509`, `crypto/x509/pkix`, and `encoding/asn1` from 1d5f6a765d. That commit is a direct child of the Go 1.5.4 release tag, so it contains the same code as the current Go version we are using. In that commit I rewrote imports in those packages so they depend on each other internally rather than calling out to the standard library, which would cause type disagreements.
I changed the imports in each place where we're parsing CSRs, and imported under a different name `oldx509`, both to avoid collisions and make it clear what's going on. Places that only use `x509` to parse certificates are not changed, and will use the current standard library.
This will unblock us from moving to Go 1.6, and subsequently Go 1.7.
In this PR, logger is passed to the following callers:
NewWebFrontEndImpl
NewCertificateAuthorityImpl
NewValidationAuthorityImpl
NewAmqpRPCServer
newUpdater
NewRegistrationAuthorityServer
This reduces the usage of a global singleton logger and allows tests to consistently use a mock logger.
Fixes#1642
* remove blog.Get() in wfe
* remove blog.Get() from va
* remove Blog.Get() from ca
* remove blog.Get() from oscp updater, ampq rpc server, registration authority server
* removed some pointless logging code
* remove one added newline
* fix format issue
* fix setup function to return *blog.Mock instead of being passed in
* remove useless blog.NewMock() call
* Split CSR testing and name hoisting into own functions, verify CSR in RA & CA
* Move tests around and various other fixes
* 1.5.3 doesn't have the needed stringer
* Move functions to their own lib
* Remove unused imports
* Move MaxCNLength and BadSignatureAlgorithms to csr package
* Always normalizeCSR in VerifyCSR and de-export it
* Update comments
* Delete Policy DB.
This is no longer needed now that we have a JSON policy file.
* Fix tests.
* Revert Dockerfile.
* Fix create_db
* Simplify user addition.
* Fix tests.
* Fix tests
* Review fixes.
https://github.com/letsencrypt/boulder/pull/1773
* Fix newVARPC sanity check logic error
* Redo style of sanity check in RA to match VA
* Switch to ServerInternal(), readd log.Info
* Add tests to make sure correct metric measured
* comments on exported symbols
* review fixes
* build an array instead of storing last
* Fix all errcheck errors
* Add errcheck to test.sh
* Add a new sa.Rollback method to make handling errors in rollbacks easier.
This also causes a behavior change in the VA. If a HTTP connection is
abruptly closed after serving the headers for a non-200 response, the
reported error will be the read failure instead of the non-200.
- Remove error signatures from log methods. This means fewer places where errcheck will show ignored errors.
- Pull in latest cfssl to be compatible with errorless log messages.
- Reduce the number of message priorities we support to just those we actually use.
- AuditNotice -> AuditInfo
- Remove InfoObject (only one use, switched to Info)
- Remove EmergencyExit and related functions in favor of panic
- Remove SyslogWriter / AuditLogger separate types in favor of a single interface, Logger, that has all the logging methods on it.
- Merge mock log into logger. This allows us to unexport the internals but still override them in the mock.
- Shorten names to be compatible with Go style: New, Set, Get, Logger, NewMock, etc.
- Use a shorter log format for stdout logs.
- Remove "... Starting" log messages. We have better information in the "Versions" message logged at startup.
Motivation: The AuditLogger / SyslogWriter distinction was confusing and exposed internals only necessary for tests. Some components accepted one type and some accepted the other. This made it hard to consistently use mock loggers in tests. Also, the unnecessarily fat interface for AuditLogger made it hard to meaningfully mock out.
Pass log as an argument to SA. This allows us to mock it out.
Use a mockSA in CA test.
Use mockSA in orphan-finder test.
Improve logging from assert functions: Use our own printing style plus FailNow() so that each failure message isn't prefixed by "test-tools.go:60"
Remove duplicate TraceOn.
Part of #1642.
https://github.com/letsencrypt/boulder/pull/1683
It's behind a new temporary config flag.
Also, check if the CN is over 64 bytes.
This also makes sure the certificate's Subject is not empty if the CN is
empty by always setting the SerialNumber in Subject.
While I was here, I also corrected the logged hex encoding of
SerialNumber so that its prefixed by zeroes correctly. See the use of
core.SerialToString in IssueCertificate.
I also added a test for the no CommonName and no SANs case.
Fixes#40
Also in ra tests.
This fixes the spurious ca and ra test failure where the serials are the
wrong size. CFSSL makes ones that are larger than we expect.
Allows multiple CFSSL profiles to be defined. A profile is selected by
key type. ECDSA keys get one profile, RSA keys get another.
Either the "profile" config option or the "rsaProfile" and
"ecdsaProfile" config options must be specified. Both cannot be
specified. Specifying "profile" uses the same profile for RSA and ECDSA.
Fixes#1384
Roland Bracewell Shoemaker