The ocsp-updater no longer makes RPCs to the SA, but accesses the DB
directly (sometimes with help from SA functions to keep the DB
consistent).
This removes the SA connection config from config-next/. We'll remove it
from config/ once the corresponding config has been removed from prod.
The `KeyPolicy.GoodKey` method is used to validate both public keys
used to sign JWK messages, and public keys contained inside CSR
messages.
According to RFC8555 section 6.7, validation failure in the former
case should result in `badPublicKey`, while validation failure in
the latter case should result in `badCSR`. In either case, a failure
due to reasons other than the key itself should result in
`serverInternal`.
However, the GoodKey method returns a variety of different errors
which are not all applicable depending on the context in which it is
called. In addition, the `csr.VerifyCSR` method passes these errors
through verbatim, resulting in ACME clients receiving confusing and
incorrect error message types.
This change causes the GoodKey method to always return either a
generic error or a KeyError. Calling methods should treat a `KeyError`
as either a `badPublicKey` or a `badCSR` depending on their context,
and may treat a generic error however they choose (though likely as a
serverInternal error).
Fixes #4930
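The caller-side mapping described in this commit message, as an added Go example that is not Boulder's code: `goodKey`, `problemType`, the `lookupDown` switch and the 1024-bit sample key are hypothetical stand-ins.

```go
package main

import (
	"crypto/rsa"
	"errors"
	"fmt"
	"math/big"
)

// KeyError marks a failure caused by the key itself (local stand-in type).
type KeyError struct{ msg string }

func (e KeyError) Error() string { return e.msg }

// goodKey (hypothetical) returns a KeyError for a bad key and a plain error
// for failures unrelated to the key, simulated here by lookupDown.
func goodKey(pub *rsa.PublicKey, lookupDown bool) error {
	if lookupDown {
		return errors.New("blocked-key lookup unavailable")
	}
	if bits := pub.N.BitLen(); bits < 2048 {
		return KeyError{fmt.Sprintf("key too small: %d bits", bits)}
	}
	return nil
}

// problemType maps a goodKey result to an ACME error type. keyContext is
// "badPublicKey" for a JWK signing key and "badCSR" for a key inside a CSR.
func problemType(err error, keyContext string) string {
	var ke KeyError
	switch {
	case err == nil:
		return ""
	case errors.As(err, &ke): // also matches a KeyError wrapped with %w
		return keyContext
	default:
		return "serverInternal"
	}
}

// constructedWeakKey returns a 1024-bit value used only as sample input.
func constructedWeakKey() *rsa.PublicKey {
	return &rsa.PublicKey{N: new(big.Int).Lsh(big.NewInt(1), 1023), E: 65537}
}

func main() {
	k := constructedWeakKey()
	fmt.Println(problemType(goodKey(k, false), "badPublicKey"), problemType(goodKey(k, true), "badCSR"))
}
```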
The StoreKeyHashes feature flag controls whether rows are added to the
keyHashToSerial table. This feature is now enabled everywhere, so the
flag-protected code can be turned on unconditionally and the flag
removed from configs.
Related to #4895
Previously, if ocspchecker encountered a cert whose OCSP response
it didn't like, it would print the first reason it didn't like it and then
move on to the next cert provided on the command line. This
behavior both obscures the cert in question (by not printing
details of its OCSP response) and the error in question (by only
printing the first encountered error, instead of all errors).
This change causes ocspchecker to both print the details of the
OCSP response whether it likes the response or not, and to
accumulate all errors it encounters while validating that response.
This should increase interactive usability, as requested in #4901.
This changes the default behavior of the `-expectStatus` flag of
the ocspchecker and ocsp_forever binaries (as well as any other
consumer of the ocsp/helper.go library).
Previously, the flag had a default value of 0, meaning that all
OCSP responses were expected to have a status of "Good" (i.e. not
"Revoked"); having any other status is an error which would cause
the tool to print different information and have a non-zero exit code.
This flag now has a default value of -1, meaning that no enforcement
of the OCSP status should happen. All OCSP responses, whether Good,
Revoked, or otherwise, will simply be logged for informational
purposes and the tool will exit successfully.
This is a backwards-incompatible change, and users who rely on
the default behavior of this flag should update themselves.
The key-hash-backfill cmd was used to fill the keyHashToSerial table
when it was first created. Now that the table is up and running, the
backfill utility can be removed.
Fixes #4895
Previously this was logging a map of emails to unrevokedCertificates.
Since unrevokedCertificates includes DER, which is a []byte, this was
getting printed as a series of decimal numbers, one for each byte.
This adds a Stringer implementation for unrevokedCertificates that
omits the DER.
Fixes #4921.
This copies over a number of feature flags and other settings from
test/config-next that have been applied in prod.
Also, remove the config-next gate on various tests.
And use it in ocsp-updater. This was cleaned up in #4546 because it was
unused, but it should have been in use in ocsp-updater now that we can
make a straightforward query here instead of a JOIN.
This makes the SA the single source of truth for what columns are in the
certificateStatus table.
Adds a new -expect-reason flag to the checkocsp binary to allow for
verifying the revocation reason of the certificate(s) in question.
This flag has a default value of -1, meaning that no particular
revocation reason will be expected or enforced.
Also updates the -expect-status flag to have the same default (-1) and
behavior, so that when the tool is run interactively it can simply
print the revocation status of each certificate.
Finally, refactors the way the ocsp/helper library declares flags and
accesses their values. This unifies the interface and makes it easy to
extend to allow tests to modify parameters other than expectStatus when
desired.
Fixes #4885
The OCSPStaleMaxAge config value was added in #2419 as part of an
effort to ensure that ocsp-updater's queries of the certificateStatus
table were efficient. It was never intended as a long-term fix:
in #2431 and #2432 the query was updated to index on the much more
efficient isExpired and notAfter columns if a feature flag was set,
and in #2561 that code path was made the default and the flag removed.
However, the `WHERE ocspLastUpdate > ocspStaleMaxAge` clause has
remained in the query. This is redundant, as the ocspStaleMaxAge has
always been set to 5040 hours, or 210 days, significantly longer than
the 90-day expiration of Let's Encrypt certs.
This change removes that clause from the query, and removes the config
scaffolding around it. In addition, it updates the tests to remove
workarounds necessitated by this column, and simplifies and documents
them for future readers.
Fixes #4884
The spec specifies (https://tools.ietf.org/html/rfc8555#section-7.2)
that a `no-store` Cache-Control header is required in response to
getting a new nonce. This PR makes that change specifically but does
not modify other uses of the `no-cache` directive.
Fixes #4727
The existing checkSmallPrimes function maintains a table of primes,
converts them to an array of *big.Int and uses the resulting values
for comparing against a RSA modulus as follows:
    for _, prime := range smallPrimes {
        // A modulus divisible by any small prime is rejected.
        if modulus % prime == 0 {
            return invalid
        }
    }
    return valid
This incurs substantial overhead as each prime is checked individually,
invoking QuoRem(...) each time. By multiplying the primes together into
a single *big.Int, we can utilize a single library call, GCD(...), and
check all the values at once. While a single GCD invocation is slower
than a single QuoRem, 133 such invocations of QuoRem are together
slower than the single GCD.
    BenchmarkSmallPrimeGCD
    BenchmarkSmallPrimeGCD-4                72759    16240 ns/op
    BenchmarkSmallPrimeIndividualMods
    BenchmarkSmallPrimeIndividualMods-4      8866   165265 ns/op
This gives us room to later increase the number of smallPrimes, if
desired, while keeping the same timing profile. Currently the product
of the 133 primes in smallPrimes fits within 1040 bits.
Signed-off-by: Alexander Scheel <alexander.m.scheel@gmail.com>
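The equivalence behind this change, as an added Go example rather than the commit's code: the per-prime loop and the single GCD against the product give the same answer. The table is assumed to be the first 133 primes, and the sample values are constructed toy numbers, not RSA moduli.

```go
package main

import (
	"fmt"
	"math/big"
)

// Assumption: the table is the first 133 primes; its product is built once.
var smallPrimes, smallPrimesProduct = buildTable(133)

func buildTable(n int) ([]int64, *big.Int) {
	ps, prod := []int64{}, big.NewInt(1)
	for c := int64(2); len(ps) < n; c++ {
		// c is prime iff it shares no factor with the product of smaller primes.
		if new(big.Int).GCD(nil, nil, big.NewInt(c), prod).Int64() == 1 {
			ps = append(ps, c)
			prod.Mul(prod, big.NewInt(c))
		}
	}
	return ps, prod
}

// divisibleByMods is the old shape: one modular reduction per prime.
func divisibleByMods(n *big.Int) bool {
	for _, p := range smallPrimes {
		if new(big.Int).Mod(n, big.NewInt(p)).Sign() == 0 {
			return true
		}
	}
	return false
}

// divisibleByGCD is the new shape: gcd(n, product) != 1 iff a table prime divides n.
func divisibleByGCD(n *big.Int) bool {
	return new(big.Int).GCD(nil, nil, n, smallPrimesProduct).Cmp(big.NewInt(1)) != 0
}

// constructedModuli: a product of two Mersenne primes, and that product times 751.
func constructedModuli() (*big.Int, *big.Int) {
	one := big.NewInt(1)
	m61 := new(big.Int).Sub(new(big.Int).Lsh(one, 61), one)
	m89 := new(big.Int).Sub(new(big.Int).Lsh(one, 89), one)
	clean := new(big.Int).Mul(m61, m89)
	return clean, new(big.Int).Mul(clean, big.NewInt(751))
}

func main() {
	clean, weak := constructedModuli()
	fmt.Println(divisibleByGCD(clean), divisibleByMods(clean), divisibleByGCD(weak), divisibleByMods(weak))
}
```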
This version contains
go.googlesource.com/text/+/23ae387dee1f90d29a23c0e87ee0b46038fbed0e
which fixes CVE-2020-14040. All tests pass at tag v0.3.3 in the upstream repo.
Fixes #4877.
Join on the precertificates table to handle the case when a
precertificate was issued but no certificate.
Treat NoRows as a regular error.
Use named constants to specify revoked/expired arguments
to insertCert helper.
Remove the config gate on the bad-key-revoker unittest.
This change brings the three top-level markdown documents (README,
CONTRIBUTING, and CODE_OF_CONDUCT) in line with standard markdown
formatting and styling, as informed by
markdownlint/markdownlint:docs/RULES.md@master
Primarily, it:
- Hard-wraps long lines to be 80 characters or less, except for
  long URLs and code blocks;
- Uniformly wraps all code blocks in triple-backticks, and supplies
  language information for syntax highlighting; and
- Makes a few other small tweaks.
This commit consists of three classes of changes:
1) Changing various command main.go files to always behave as they
would have when features.BlockedKeyTable was true. Also changing
one test in the same manner.
2) Removing the BlockedKeyTable flag from configuration in config-next,
because the flag is already live.
3) Moving the BlockedKeyTable flag to the "deprecated" section of
features.go, and regenerating featureflag_strings.go.
A future change will remove the BlockedKeyTable flag (and other
similarly deprecated flags) from features.go entirely.
Fixes #4873
This reverts commit 6454513ded.
We actually need to wait 90 days to ensure the issuerID field of the
certificateStatus table is non-nil for all extant certificates.
Normally we do this with a reverse proxy in front of Boulder, but it's
nice to have an additional layer of protection in case someone deploys
Boulder without a reverse proxy.
Fixes #4730.
Now that the migration has been applied, we can reference the issuerID
field unconditionally. Also remove the migration file. It had already
been copied to sa/_db/migrations, but not removed from _db-next.
Part of a multi-PR changeset removing the StoreIssuerInfo flag.
Previously, we logged both the precertificate and the final certificate
when the final certificate was signed. However, we already log the
precertificate body at precertificate issuance time, and we can connect
the two log lines by serial, so this was making the final certificate
log line unnecessarily long.
As part of that, add support for issuer IDs in orphan-finder's
and RA's calls to GenerateOCSP.
This factors out the idForIssuer logic from ca/ca.go into a new
issuercerts package.
orphan-finder refactors:
- Add a list of issuers in config.
- Create an orphanFinder struct to hold relevant fields, including the
  newly added issuers field.
- Factor out a storeDER function to reduce duplication between the
  parse-der and parse-ca-log cases.
- Use test certificates generated specifically for orphan-finder tests.
  This was necessary because the issuers of these test certificates have
  to be configured for the orphan finder.
Currently 99.99% of RSA keys we see in certificates at Let's Encrypt are
either 2048, 3072, or 4096 bits, but we support every 8 bit increment
between 2048 and 4096. Supporting these uncommon key sizes opens us up to
having to block much larger ranges of keys when dealing with something
like the Debian weak keys incident. Instead we should just reduce the
set of key sizes we support down to what people actually use.
Fixes #4835.