Publisher currently loads a PEM formatted certificate bundle from file using LoadCertBundle, a utility function in the core package. LoadCertBundle parses the PEM file to a slice of x509.Certificates and returns them to boulder-publisher (without checking validity). Using these x509 Certificates, boulder-publisher constructs an ASN1Cert bundle. This bundle is passed to each new publisher instance. When publisher receives a request it unconditionally appends this bundle to each end-entity precertificate for submission to CT logs.

This change augments this process to add support for multiple issuers using the IssuerNameID concept in the Issuance package. Config field Common.CT.CertificateBundleFilename has been replaced with the Chains field. LoadChain, a utility function added in PR #5271, loads and validates the chain (which nets us some added deploy-time safety) before returning it to boulder-publisher. Using these x509 Certificates, boulder-publisher constructs a mapping of IssuerNameID to ASN1Cert bundle and passes this to each new publisher instance. When publisher receives a request it determines the IssuerNameID of the precertificate to select and append the correct ASN1Cert bundle for a given Issuer.

A followup issue #5269 has been created to address removal of the Common field from the publisher configuration, and code has been commented with TODOs where code will need to be removed or refactored. Fixes #1669
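The issuer-keyed selection described in the commit message, as an added example rather than code from this Boulder change: the map is keyed by an ID derived from each issuer's DER Subject and looked up with the precertificate's RawIssuer, and a precertificate from an issuer with no configured chain is refused instead of being submitted with the wrong bundle. IssuerNameID is computed here as an assumed truncated hash of the DER name (standing in for the issuance package's own identifier), newCert/buildChains/chainFor are hypothetical names, and the certificates are constructed fixtures.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type IssuerNameID int64 // keys the chain map; assumption: first 7 bytes of SHA-256 over the DER issuer name
func nameID(rawName []byte) IssuerNameID {
	h := sha256.Sum256(rawName)
	return IssuerNameID(new(big.Int).SetBytes(h[:7]).Int64())
}

// buildChains keys each issuer's bundle by its own Subject; a precert's RawIssuer is that same DER name.
func buildChains(issuers ...*x509.Certificate) map[IssuerNameID][][]byte {
	chains := make(map[IssuerNameID][][]byte, len(issuers))
	for _, iss := range issuers {
		chains[nameID(iss.RawSubject)] = [][]byte{iss.Raw} // real bundles also carry intermediates
	}
	return chains
}

// chainFor selects the bundle for the precert's issuer, refusing submission when none is configured.
func chainFor(chains map[IssuerNameID][][]byte, precert *x509.Certificate) ([][]byte, error) {
	if chain, ok := chains[nameID(precert.RawIssuer)]; ok {
		return chain, nil
	}
	return nil, fmt.Errorf("no chain configured for issuer %q", precert.Issuer.CommonName)
}

// Constructed fixtures: one key signs everything, since selection only looks at names.
var fixturePub, fixtureKey, _ = ed25519.GenerateKey(rand.Reader)
// newCert builds a fixture signed by parent (self-signed when parent is nil); not a real CA.
func newCert(cn string, parent *x509.Certificate) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, fixturePub, fixtureKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```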