boulder/test
Aaron Gable 09195e6804
ocsp-responder: get minimal status info from SA (#6293)
Add a new `GetRevocationStatus` gRPC method to the SA which retrieves
only the subset of the certificate status metadata relevant to
revocation, namely whether the certificate has been revoked, when it was
revoked, and the revocation reason. Notably, this method is our first
use of the `goog.protobuf.Timestamp` type in a message, which is more
ergonomic and less prone to errors than using unix nanoseconds.

Use this new method in ocsp-responder's checked_redis_source, to avoid
having to send many other pieces of metadata and the full ocsp response
bytes over the network. It provides all the information necessary to
determine if the response from Redis is up-to-date.

Within the checked_redis_source, use this new method in two different
ways: if only a database connection is configured (as is the case today)
then get this information directly from the db; if a gRPC connection to
the SA is available then prefer that instead. This may make requests
slower, but will allow us to remove database access from the hosts which
run the ocsp-responder today, simplifying our network.

The new behavior consists of two pieces, each locked behind a config
gate:
- Performing the smaller database query is only enabled if the
  ocsp-responder has the `ROCSPStage3` feature flag enabled.
- Talking to the SA rather than the database directly is only enabled if
  the ocsp-responder has an `saService` gRPC stanza in its config.

Fixes #6274
2022-08-16 16:37:24 -07:00
akamai-test-srv Use io and os instead of deprecated ioutil (#6286) 2022-08-10 13:30:17 -07:00
block-a-key Block keys using hex(sha256(spki)). (#4745) 2020-04-09 09:41:33 -07:00
boulder-tools Stop rsyslog from de-duplicating log lines (#6291) 2022-08-11 12:37:16 -07:00
cert-ceremonies Use io and os instead of deprecated ioutil (#6286) 2022-08-10 13:30:17 -07:00
config Create new crl-storer service (#6264) 2022-08-08 16:22:48 -07:00
config-next ocsp-responder: get minimal status info from SA (#6293) 2022-08-16 16:37:24 -07:00
ct-test-srv Start testing on go1.19 (#6227) 2022-08-10 15:30:43 -07:00
grafana Python upgrade os upgrades and travis config cleanup (#5186) 2020-11-23 18:12:04 -08:00
grpc-creds Create new crl-storer service (#6264) 2022-08-08 16:22:48 -07:00
health-checker Add health-checker tool and use it from startservers.py (#5095) 2020-10-06 15:01:35 -07:00
hierarchy Add CRL linting framework and first few lints (#6205) 2022-07-08 12:22:44 -07:00
inmem Remove RA NewAuthorization and NewCertificate (#5900) 2022-01-20 14:47:21 -08:00
integration Use io and os instead of deprecated ioutil (#6286) 2022-08-10 13:30:17 -07:00
load-generator Start testing on go1.19 (#6227) 2022-08-10 15:30:43 -07:00
mail-test-srv Fix race condition in revocation integration tests (#6253) 2022-07-29 09:23:50 -07:00
ocsp Use io and os instead of deprecated ioutil (#6286) 2022-08-10 13:30:17 -07:00
prometheus boulder-observer (#5315) 2021-03-29 12:56:54 -07:00
redis-tls Add Redis to Boulder's docker-compose (#5747) 2021-10-28 10:36:11 -07:00
s3-test-srv Create new crl-storer service (#6264) 2022-08-08 16:22:48 -07:00
sd-test-srv Update config from config-next (#6051) 2022-04-19 12:10:26 -07:00
secrets Create new crl-storer service (#6264) 2022-08-08 16:22:48 -07:00
vars Remove dead code (#5893) 2022-01-19 12:23:06 -08:00
wfe-tls Add Redis to Boulder's docker-compose (#5747) 2021-10-28 10:36:11 -07:00
PKI.md grpc: Implement a static multiple IP address gRPC resolver (#6270) 2022-08-05 10:20:57 -07:00
asserts.go Support new Google CT Policy (#6082) 2022-05-25 15:14:57 -07:00
certs.go Use io and os instead of deprecated ioutil (#6286) 2022-08-10 13:30:17 -07:00
challtestsrv.py challtestsrv.py: change address of target (#6234) 2022-07-18 11:10:00 -07:00
chisel2.py Remove chisel.py (#5986) 2022-03-11 08:39:06 -08:00
create_db.sh Test: merge db-common.sh into db-create.sh (#5410) 2021-05-11 11:26:19 -07:00
db.go Improve error checking paradigm (#5920) 2022-02-01 14:42:43 -07:00
entrypoint-netaccess.sh Add rocsp-tool to manually store OCSP responses in Redis (#5758) 2021-11-02 11:04:03 -07:00
entrypoint.sh entrypoint: fix quoting (#6178) 2022-06-17 15:52:49 -07:00
example-bad-key-revoker-template Add bad-key-revoker daemon (#4788) 2020-04-23 11:51:59 -07:00
example-blocked-keys.yaml Block keys using hex(sha256(spki)). (#4745) 2020-04-09 09:41:33 -07:00
example-weak-keys.json Basic RSA known weak key checking (#2765) 2017-05-25 09:33:58 -07:00
helpers.py Use new RA methods from WFE revocation path (#5983) 2022-03-28 14:14:11 -07:00
hostname-policy.yaml PA: Support YAML for hostname policy. (#4180) 2019-04-26 14:35:28 -04:00
integration-test.py Remove chisel.py (#5986) 2022-03-11 08:39:06 -08:00
issuer-ocsp-responder.json integration: save hierarchy across runs (#5729) 2021-10-20 17:06:33 -07:00
rate-limit-policies-b.yml Add lower, faster duplicate certificate rate limit (#5401) 2021-05-17 14:50:29 -07:00
rate-limit-policies.yml RA: Implement leaky bucket for duplicate certificate limit (#6262) 2022-07-29 17:39:31 -07:00
redis-cli.sh Add doc and debugging tool for Redis (#5885) 2022-01-18 18:32:37 -08:00
redis-create.sh redis-create.sh: run `exec` on the last line (#6254) 2022-07-26 13:19:50 -07:00
redis.config Support writing initial OCSP response to redis (#5958) 2022-03-21 20:33:12 -06:00
sa_db_users.sql Remove fqdnsets_old workaround (#6054) 2022-04-21 16:39:35 -07:00
startservers.py Create new crl-storer service (#6264) 2022-08-08 16:22:48 -07:00
test-ca-cross.pem wfe: implement alternate certificate chains (#4714) 2020-03-24 12:43:26 -07:00
test-ca.der Unflake OCSP integration test 2015-10-21 14:38:15 -07:00
test-ca.key Make it easier to start a test config. 2015-04-09 18:26:40 -07:00
test-ca.key-pkcs11.json Switch to OS-provided SoftHSM2. (#5365) 2021-03-30 17:37:58 -07:00
test-ca.key.der Add DER form of test-ca key in-tree. (#2041) 2016-07-12 09:06:59 -07:00
test-ca.pem Unflake OCSP integration test 2015-10-21 14:38:15 -07:00
test-ca.pubkey.pem Fix test pubkey files. (#4826) 2020-05-27 12:30:47 -07:00
test-ca2-cross.pem wfe: implement alternate certificate chains (#4714) 2020-03-24 12:43:26 -07:00
test-ca2.pem Add multi-issuer support to the CA. 2016-03-21 20:56:58 -07:00
test-ee.key WFE: Always use precert revocation path (#5227) 2021-01-20 16:00:11 -08:00
test-ee.pem WFE: Always use precert revocation path (#5227) 2021-01-20 16:00:11 -08:00
test-example.key Implement TLS-ALPN-01 and integration test for it (#3654) 2018-06-06 13:04:09 -04:00
test-example.pem Implement TLS-ALPN-01 and integration test for it (#3654) 2018-06-06 13:04:09 -04:00
test-key-5.der Fix wfe2 key rollover (#3373) 2018-01-18 14:31:48 -08:00
test-root.der Update pkcs11key to v4 (#4602) 2019-12-09 10:03:33 -08:00
test-root.key Unflake OCSP integration test 2015-10-21 14:38:15 -07:00
test-root.key-pkcs11.json Switch to OS-provided SoftHSM2. (#5365) 2021-03-30 17:37:58 -07:00
test-root.key.der Improve single-ocsp command (#2181) 2016-09-15 15:28:54 -07:00
test-root.pem Unflake OCSP integration test 2015-10-21 14:38:15 -07:00
test-root.pubkey.pem Fix test pubkey files. (#4826) 2020-05-27 12:30:47 -07:00
test-root2.key wfe: implement alternate certificate chains (#4714) 2020-03-24 12:43:26 -07:00
test-root2.pem wfe: implement alternate certificate chains (#4714) 2020-03-24 12:43:26 -07:00
v2_integration.py Disallow affiliationChanged revocation reason (#6217) 2022-07-07 10:45:36 -07:00
wait-for-it.sh Quiet the output of wait-for-it (#5775) 2021-11-05 11:38:20 -07:00