boulder/test/ocsp
Aaron Gable dab8a71b0e
Use new RA methods from WFE revocation path (#5983)
Simplify the WFE `RevokeCertificate` API method in three ways:
- Remove most of the logic checking if the requester is authorized to
  revoke the certificate in question (based on who is making the
  request, what authorizations they have, and what reason they're
  requesting). That checking is now done by the RA. Instead, simply
  verify that the JWS is authenticated.
- Remove the hard-to-read `authorizedToRevoke` callbacks, and make the
  `revokeCertBySubscriberKey` (nee `revokeCertByKeyID`) and
  `revokeCertByCertKey` (nee `revokeCertByJWK`) helpers much more
  straight-line in their execution logic.
- Call the RA's new `RevokeCertByApplicant` and `RevokeCertByKey` gRPC
  methods, rather than the deprecated `RevokeCertificateWithReg`.

This change, without any flag flips, should be invisible to the
end-user. It will slightly change some of our log message formats.
However, by now relying on the new RA gRPC revocation methods, this
change allows us to change our revocation policies by enabling the
`AllowDoubleRevocation` and `MozRevocationReasons` feature flags, which
affect the behavior of those new helpers.

Fixes #5936
2022-03-28 14:14:11 -07:00
checkocsp Add multi-issuer support to ocsp-responder (#5154) 2020-11-10 09:21:09 -08:00
helper Use new RA methods from WFE revocation path (#5983) 2022-03-28 14:14:11 -07:00
ocsp_forever Fix shadowing assignments inside closures (#5944) 2022-02-16 14:33:17 -08:00
README.md Add checkocsp and ocsp_forever. (#2632) 2017-04-05 12:05:06 -07:00

README.md

This directory contains two utilities for checking OCSP.

"checkocsp" is a command-line tool to check the OCSP response for a certificate or a list of certificates.

"ocsp_forever" is a similar tool that runs as a daemon and continually checks OCSP for a list of certificates, and exports Prometheus stats.

Both of these are useful for monitoring a Boulder instance. "checkocsp" is also useful for debugging.