boulder/test
Aaron Gable 94d14689bf
Implement unpredictable issuance from similar intermediates (#7418)
Replace the CA's "useForRSA" and "useForECDSA" config keys with a single
"active" boolean. When the CA starts up, all active RSA issuers will be
used to issue precerts with RSA pubkeys, and all ECDSA issuers will be
used to issue precerts with ECDSA pubkeys (if the ECDSAForAll flag is
true; otherwise just those that are on the allow-list). All "inactive"
issuers can still issue OCSP responses, CRLs, and (notably) final
certificates.

Instead of using the "useForRSA" and "useForECDSA" flags, plus implicit
config ordering, to determine which issuer to use to handle a given
issuance, simply use the issuer's public key algorithm to determine
which issuances it should be handling. All implicit ordering
considerations are removed, because the "active" certificates now just
form a pool that is sampled from randomly.

To facilitate this, update some unit and integration tests to be more
flexible and try multiple potential issuing intermediates, particularly
when constructing OCSP requests.

For this change to be safe to deploy with no user-visible behavior
changes, the CA configs must contain:
- Exactly one RSA-keyed intermediate with "useForRSALeaves" set to true; and
- Exactly one ECDSA-keyed intermediate with "useForECDSALeaves" set to true.

If the configs contain more than one intermediate meeting one of the
bullets above, then randomized issuance will begin immediately.

Fixes https://github.com/letsencrypt/boulder/issues/7291
Fixes https://github.com/letsencrypt/boulder/issues/7290
2024-04-18 10:00:38 -07:00
aia-test-srv Update integration test hierarchy for the modern era (#7411) 2024-04-08 14:06:00 -07:00
akamai-test-srv Appease errcheck (#6821) 2023-04-14 22:32:24 -04:00
block-a-key Block keys using hex(sha256(spki)). (#4745) 2020-04-09 09:41:33 -07:00
boulder-tools Re-enable lints on go1.22 (#7412) 2024-04-04 08:14:29 -07:00
cert-ceremonies Update integration test hierarchy for the modern era (#7411) 2024-04-08 14:06:00 -07:00
config Update integration test hierarchy for the modern era (#7411) 2024-04-08 14:06:00 -07:00
config-next Implement unpredictable issuance from similar intermediates (#7418) 2024-04-18 10:00:38 -07:00
consul test: remove use of 10.88.88.88 in most places (#7270) 2024-01-30 11:34:13 -08:00
ct-test-srv Update integration test hierarchy for the modern era (#7411) 2024-04-08 14:06:00 -07:00
grafana Python upgrade os upgrades and travis config cleanup (#5186) 2020-11-23 18:12:04 -08:00
grpc-creds Implement DoH for validation queries (#7178) 2023-12-11 10:49:00 -08:00
health-checker Remove `service1` / `service2` names in consul (#7266) 2024-01-22 09:34:20 -08:00
hierarchy CRLs: include IssuingDistributionPoint extension (#6412) 2022-10-24 11:21:55 -07:00
inmem Upgrade go-jose from v2.6.1 to v.4.0.1 (#7345) 2024-04-02 17:49:51 -04:00
integration Implement unpredictable issuance from similar intermediates (#7418) 2024-04-18 10:00:38 -07:00
list-features Add GitHub Action to prompt CP/CPS review when new flags are added (#7425) 2024-04-12 12:04:48 -07:00
load-generator Upgrade go-jose from v2.6.1 to v.4.0.1 (#7345) 2024-04-02 17:49:51 -04:00
mail-test-srv Fix non-gRPC process cleanup and exit (#6808) 2023-04-14 16:22:56 -04:00
ocsp Update integration test hierarchy for the modern era (#7411) 2024-04-08 14:06:00 -07:00
prometheus Remove ocsp-updater from Boulder (#6769) 2023-03-31 14:39:04 -07:00
proxysql Remove ocsp-updater from Boulder (#6769) 2023-03-31 14:39:04 -07:00
redis-tls set permissions for generated certs and keys (#7193) 2023-12-07 20:03:35 -08:00
s3-test-srv Update integration test hierarchy for the modern era (#7411) 2024-04-08 14:06:00 -07:00
secrets WFE: Add new key-value ratelimits implementation (#7089) 2023-10-04 14:12:38 -04:00
vars Improve cert_storage_failed_test (#6849) 2023-05-02 15:43:07 -07:00
wfe-tls Add Redis to Boulder's docker-compose (#5747) 2021-10-28 10:36:11 -07:00
PKI.md ceremony: Distinguish between intermediate and cross-sign ceremonies (#7005) 2023-08-23 14:01:19 -04:00
asserts.go test: better message for different empty slices (#6920) 2023-05-26 09:41:23 -07:00
certs.go Further simplifications to test.ThrowAwayCert (#7129) 2023-11-02 09:45:56 -07:00
challtestsrv.py challtestsrv.py: change address of target (#6234) 2022-07-18 11:10:00 -07:00
chisel2.py VA: Use default PortConfig during testing (#6609) 2023-01-25 16:16:08 -05:00
create_db.sh Clean up database schema (#6832) 2023-04-21 10:37:05 -07:00
db.go It's borpin' time! (#6982) 2023-07-17 14:38:29 -07:00
entrypoint.sh grpc/sa: Implement deep health checks (#6928) 2023-06-12 13:58:53 -04:00
example-bad-key-revoker-template Add bad-key-revoker daemon (#4788) 2020-04-23 11:51:59 -07:00
example-blocked-keys.yaml test: Use more //test/hierarchy/ key material in tests (#7318) 2024-02-09 14:39:07 -05:00
example-weak-keys.json Remove executable bit from JSON file (#6764) 2023-03-21 08:59:41 -07:00
format-configs.py Check if JSON configs are properly formatted instead of relying on git --diff (#7375) 2024-03-08 14:39:00 -08:00
helpers.py Implement unpredictable issuance from similar intermediates (#7418) 2024-04-18 10:00:38 -07:00
hostname-policy.yaml PA: Support YAML for hostname policy. (#4180) 2019-04-26 14:35:28 -04:00
integration-test.py Remove `service1` / `service2` names in consul (#7266) 2024-01-22 09:34:20 -08:00
rate-limit-policies.yml RA: Implement leaky bucket for duplicate certificate limit (#6262) 2022-07-29 17:39:31 -07:00
redis-cli.sh ratelimits: Add Redis source (#7016) 2023-08-10 11:45:04 -04:00
redis-ocsp.config ratelimits: Add Redis source (#7016) 2023-08-10 11:45:04 -04:00
redis-ratelimits.config ratelimits: Add Redis source (#7016) 2023-08-10 11:45:04 -04:00
startservers.py Update integration test hierarchy for the modern era (#7411) 2024-04-08 14:06:00 -07:00
test-ca-cross.pem wfe: implement alternate certificate chains (#4714) 2020-03-24 12:43:26 -07:00
test-ca.der Unflake OCSP integration test 2015-10-21 14:38:15 -07:00
test-ca.key.der Add DER form of test-ca key in-tree. (#2041) 2016-07-12 09:06:59 -07:00
test-ca.pubkey.pem Fix test pubkey files. (#4826) 2020-05-27 12:30:47 -07:00
test-ca2-cross.pem wfe: implement alternate certificate chains (#4714) 2020-03-24 12:43:26 -07:00
test-caa-log-checker.sh Add support for subcommands to "boulder" command (#6426) 2022-10-06 11:21:47 -07:00
test-ee.key WFE: Always use precert revocation path (#5227) 2021-01-20 16:00:11 -08:00
test-ee.pem WFE: Always use precert revocation path (#5227) 2021-01-20 16:00:11 -08:00
test-example.key Implement TLS-ALPN-01 and integration test for it (#3654) 2018-06-06 13:04:09 -04:00
test-example.pem Implement TLS-ALPN-01 and integration test for it (#3654) 2018-06-06 13:04:09 -04:00
test-key-5.der Fix wfe2 key rollover (#3373) 2018-01-18 14:31:48 -08:00
test-root.der Update pkcs11key to v4 (#4602) 2019-12-09 10:03:33 -08:00
test-root.key Unflake OCSP integration test 2015-10-21 14:38:15 -07:00
test-root.key.der Improve single-ocsp command (#2181) 2016-09-15 15:28:54 -07:00
test-root.pem Unflake OCSP integration test 2015-10-21 14:38:15 -07:00
test-root.pubkey.pem Fix test pubkey files. (#4826) 2020-05-27 12:30:47 -07:00
test-root2.key wfe: implement alternate certificate chains (#4714) 2020-03-24 12:43:26 -07:00
test-root2.pem wfe: implement alternate certificate chains (#4714) 2020-03-24 12:43:26 -07:00
v2_integration.py Implement unpredictable issuance from similar intermediates (#7418) 2024-04-18 10:00:38 -07:00
wait-for-it.sh Quiet the output of wait-for-it (#5775) 2021-11-05 11:38:20 -07:00