package cmd import ( "encoding/json" "errors" "fmt" "io/ioutil" "strings" "time" cfsslConfig "github.com/cloudflare/cfssl/config" "github.com/letsencrypt/pkcs11key" "github.com/letsencrypt/boulder/core" "github.com/letsencrypt/boulder/goodkey" ) // Config stores configuration parameters that applications // will need. For simplicity, we just lump them all into // one struct, and use encoding/json to read it from a file. // // Note: NO DEFAULTS are provided. type Config struct { // Default AMQPConfig for services that don't specify one. // TODO(jsha): Delete this after a deploy. AMQP *AMQPConfig CA CAConfig SA struct { ServiceConfig DBConfig MaxConcurrentRPCServerRequests int64 } VA struct { ServiceConfig UserAgent string IssuerDomain string PortConfig PortConfig MaxConcurrentRPCServerRequests int64 LookupIPv6 bool GoogleSafeBrowsing *GoogleSafeBrowsingConfig CAAService *GRPCClientConfig CAADistributedResolver *CAADistributedResolverConfig // The number of times to try a DNS query (that has a temporary error) // before giving up. May be short-circuited by deadlines. A zero value // will be turned into 1. DNSTries int // Feature flag to enable enforcement of CAA SERVFAILs. CAASERVFAILExceptions string } Statsd StatsdConfig Syslog SyslogConfig Revoker struct { DBConfig // The revoker isn't a long running service, so doesn't get a full // ServiceConfig, just an AMQPConfig. AMQP *AMQPConfig } Mailer struct { ServiceConfig DBConfig SMTPConfig From string Subject string CertLimit int NagTimes []string // How much earlier (than configured nag intervals) to // send reminders, to account for the expected delay // before the next expiration-mailer invocation. NagCheckInterval string // Path to a text/template email template EmailTemplate string } OCSPResponder struct { ServiceConfig DBConfig // Source indicates the source of pre-signed OCSP responses to be used. It // can be a DBConnect string or a file URL. The file URL style is used // when responding from a static file for intermediates and roots. // If DBConfig has non-empty fields, it takes precedence over this. Source string Path string ListenAddress string // MaxAge is the max-age to set in the Cache-Control response // header. It is a time.Duration formatted string. MaxAge ConfigDuration ShutdownStopTimeout string ShutdownKillTimeout string } OCSPUpdater OCSPUpdaterConfig Publisher struct { ServiceConfig SubmissionTimeout ConfigDuration MaxConcurrentRPCServerRequests int64 } PA PAConfig Common struct { BaseURL string // Path to a PEM-encoded copy of the issuer certificate. IssuerCert string DNSResolver string DNSTimeout string DNSAllowLoopbackAddresses bool CT struct { Logs []LogDescription IntermediateBundleFilename string } } CertChecker struct { DBConfig HostnamePolicyConfig Workers int ReportDirectoryPath string UnexpiredOnly bool BadResultsOnly bool CheckPeriod ConfigDuration } AllowedSigningAlgos *AllowedSigningAlgos // TODO: remove after production configs use SubscriberAgreementURL in the wfe section SubscriberAgreementURL string } // AllowedSigningAlgos defines which algorithms be used for keys that we will // sign. type AllowedSigningAlgos struct { RSA bool ECDSANISTP256 bool ECDSANISTP384 bool ECDSANISTP521 bool } // KeyPolicy returns a KeyPolicy reflecting the Boulder configuration. func (asa *AllowedSigningAlgos) KeyPolicy() goodkey.KeyPolicy { if asa != nil { return goodkey.KeyPolicy{ AllowRSA: asa.RSA, AllowECDSANISTP256: asa.ECDSANISTP256, AllowECDSANISTP384: asa.ECDSANISTP384, AllowECDSANISTP521: asa.ECDSANISTP521, } } return goodkey.KeyPolicy{ AllowRSA: true, } } // KeyPolicy returns a KeyPolicy reflecting the Boulder configuration. // TODO: remove once WFE, RA and CA all use KeyPolicy belonging to the type AllowedSigningAlgos func (config *Config) KeyPolicy() goodkey.KeyPolicy { if config.AllowedSigningAlgos != nil { return goodkey.KeyPolicy{ AllowRSA: config.AllowedSigningAlgos.RSA, AllowECDSANISTP256: config.AllowedSigningAlgos.ECDSANISTP256, AllowECDSANISTP384: config.AllowedSigningAlgos.ECDSANISTP384, AllowECDSANISTP521: config.AllowedSigningAlgos.ECDSANISTP521, } } return goodkey.KeyPolicy{ AllowRSA: true, } } // PasswordConfig either contains a password or the path to a file // containing a password type PasswordConfig struct { Password string PasswordFile string } // Pass returns a password, either directly from the configuration // struct or by reading from a specified file func (pc *PasswordConfig) Pass() (string, error) { if pc.PasswordFile != "" { contents, err := ioutil.ReadFile(pc.PasswordFile) if err != nil { return "", err } return strings.TrimRight(string(contents), "\n"), nil } return pc.Password, nil } // ServiceConfig contains config items that are common to all our services, to // be embedded in other config structs. type ServiceConfig struct { // DebugAddr is the address to run the /debug handlers on. DebugAddr string AMQP *AMQPConfig GRPC *GRPCServerConfig } // DBConfig defines how to connect to a database. The connect string may be // stored in a file separate from the config, because it can contain a password, // which we want to keep out of configs. type DBConfig struct { DBConnect string // A file containing a connect URL for the DB. DBConnectFile string MaxDBConns int } // URL returns the DBConnect URL represented by this DBConfig object, either // loading it from disk or returning a default value. func (d *DBConfig) URL() (string, error) { if d.DBConnectFile != "" { url, err := ioutil.ReadFile(d.DBConnectFile) return string(url), err } return d.DBConnect, nil } type SMTPConfig struct { PasswordConfig Server string Port string Username string } // AMQPConfig describes how to connect to AMQP, and how to speak to each of the // RPC services we offer via AMQP. type AMQPConfig struct { // A file from which the AMQP Server URL will be read. This allows secret // values (like the password) to be stored separately from the main config. ServerURLFile string // AMQP server URL, including username and password. Server string Insecure bool RA *RPCServerConfig VA *RPCServerConfig SA *RPCServerConfig CA *RPCServerConfig Publisher *RPCServerConfig TLS *TLSConfig // Queue name on which to listen, if this is an RPC service (vs acting only as // an RPC client). ServiceQueue string ReconnectTimeouts struct { Base ConfigDuration Max ConfigDuration } } // ServerURL returns the appropriate server URL for this object, which may // involve reading from a file. func (a *AMQPConfig) ServerURL() (string, error) { if a.ServerURLFile != "" { url, err := ioutil.ReadFile(a.ServerURLFile) return strings.TrimRight(string(url), "\n"), err } if a.Server == "" { return "", fmt.Errorf("Missing AMQP server URL") } return a.Server, nil } // CAConfig structs have configuration information for the certificate // authority, including database parameters as well as controls for // issued certificates. type CAConfig struct { ServiceConfig DBConfig HostnamePolicyConfig RSAProfile string ECDSAProfile string TestMode bool SerialPrefix int // TODO(jsha): Remove Key field once we've migrated to Issuers Key *IssuerConfig // Issuers contains configuration information for each issuer cert and key // this CA knows about. The first in the list is used as the default. Issuers []IssuerConfig // LifespanOCSP is how long OCSP responses are valid for; It should be longer // than the minTimeToExpiry field for the OCSP Updater. LifespanOCSP ConfigDuration // How long issued certificates are valid for, should match expiry field // in cfssl config. Expiry string // The maximum number of subjectAltNames in a single certificate MaxNames int CFSSL cfsslConfig.Config MaxConcurrentRPCServerRequests int64 // DoNotForceCN is a temporary config setting. It controls whether // to add a certificate's serial to its Subject, and whether to // not pull a SAN entry to be the CN if no CN was given in a CSR. DoNotForceCN bool // EnableMustStaple governs whether the Must Staple extension in CSRs // triggers issuance of certificates with Must Staple. EnableMustStaple bool PublisherService *GRPCClientConfig } // PAConfig specifies how a policy authority should connect to its // database, what policies it should enforce, and what challenges // it should offer. type PAConfig struct { DBConfig EnforcePolicyWhitelist bool Challenges map[string]bool } // HostnamePolicyConfig specifies a file from which to load a policy regarding // what hostnames to issue for. type HostnamePolicyConfig struct { HostnamePolicyFile string } // CheckChallenges checks whether the list of challenges in the PA config // actually contains valid challenge names func (pc PAConfig) CheckChallenges() error { if len(pc.Challenges) == 0 { return errors.New("empty challenges map in the Policy Authority config is not allowed") } for name := range pc.Challenges { if !core.ValidChallenge(name) { return fmt.Errorf("Invalid challenge in PA config: %s", name) } } return nil } // IssuerConfig contains info about an issuer: private key and issuer cert. // It should contain either a File path to a PEM-format private key, // or a PKCS11Config defining how to load a module for an HSM. type IssuerConfig struct { // A file from which a pkcs11key.Config will be read and parsed, if present ConfigFile string File string PKCS11 *pkcs11key.Config CertFile string } // TLSConfig reprents certificates and a key for authenticated TLS. type TLSConfig struct { CertFile *string KeyFile *string CACertFile *string } // RPCServerConfig contains configuration particular to a specific RPC server // type (e.g. RA, SA, etc) type RPCServerConfig struct { Server string // Queue name where the server receives requests RPCTimeout ConfigDuration } // OCSPUpdaterConfig provides the various window tick times and batch sizes needed // for the OCSP (and SCT) updater type OCSPUpdaterConfig struct { ServiceConfig DBConfig NewCertificateWindow ConfigDuration OldOCSPWindow ConfigDuration MissingSCTWindow ConfigDuration RevokedCertificateWindow ConfigDuration NewCertificateBatchSize int OldOCSPBatchSize int MissingSCTBatchSize int RevokedCertificateBatchSize int OCSPMinTimeToExpiry ConfigDuration OldestIssuedSCT ConfigDuration AkamaiBaseURL string AkamaiClientToken string AkamaiClientSecret string AkamaiAccessToken string AkamaiPurgeRetries int AkamaiPurgeRetryBackoff ConfigDuration SignFailureBackoffFactor float64 SignFailureBackoffMax ConfigDuration Publisher *GRPCClientConfig } // GoogleSafeBrowsingConfig is the JSON config struct for the VA's use of the // Google Safe Browsing API. type GoogleSafeBrowsingConfig struct { APIKey string DataDir string } // SyslogConfig defines the config for syslogging. type SyslogConfig struct { StdoutLevel int SyslogLevel int } // StatsdConfig defines the config for Statsd. type StatsdConfig struct { Server string Prefix string } // ConfigDuration is just an alias for time.Duration that allows // serialization to YAML as well as JSON. type ConfigDuration struct { time.Duration } // ErrDurationMustBeString is returned when a non-string value is // presented to be deserialized as a ConfigDuration var ErrDurationMustBeString = errors.New("cannot JSON unmarshal something other than a string into a ConfigDuration") // UnmarshalJSON parses a string into a ConfigDuration using // time.ParseDuration. If the input does not unmarshal as a // string, then UnmarshalJSON returns ErrDurationMustBeString. func (d *ConfigDuration) UnmarshalJSON(b []byte) error { s := "" err := json.Unmarshal(b, &s) if err != nil { if _, ok := err.(*json.UnmarshalTypeError); ok { return ErrDurationMustBeString } return err } dd, err := time.ParseDuration(s) d.Duration = dd return err } // MarshalJSON returns the string form of the duration, as a byte array. func (d ConfigDuration) MarshalJSON() ([]byte, error) { return []byte(d.Duration.String()), nil } // UnmarshalYAML uses the same frmat as JSON, but is called by the YAML // parser (vs. the JSON parser). func (d *ConfigDuration) UnmarshalYAML(unmarshal func(interface{}) error) error { var s string if err := unmarshal(&s); err != nil { return err } dur, err := time.ParseDuration(s) if err != nil { return err } d.Duration = dur return nil } // LogDescription contains the information needed to submit certificates // to a CT log and verify returned receipts type LogDescription struct { URI string Key string } // GRPCClientConfig contains the information needed to talk to the gRPC service type GRPCClientConfig struct { ServerAddresses []string ServerIssuerPath string ClientCertificatePath string ClientKeyPath string Timeout ConfigDuration } // GRPCServerConfig contains the information needed to run a gRPC service type GRPCServerConfig struct { Address string `json:"address" yaml:"address"` ServerCertificatePath string `json:"serverCertificatePath" yaml:"server-certificate-path"` ServerKeyPath string `json:"serverKeyPath" yaml:"server-key-path"` ClientIssuerPath string `json:"clientIssuerPath" yaml:"client-issuer-path"` } // PortConfig specifies what ports the VA should call to on the remote // host when performing its checks. type PortConfig struct { HTTPPort int HTTPSPort int TLSPort int } // CAADistributedResolverConfig specifies the HTTP client setup and interfaces // needed to resolve CAA addresses over multiple paths type CAADistributedResolverConfig struct { Timeout ConfigDuration MaxFailures int Proxies []string }