The `test/config-next` CA configs are both updated to use `zlint` to lint TBS pre-certificates with a throw-away key and treat any lint findings >= `lints.Pass` as an error, blocking the CA from signing the TBS pre-cert with its private key. The CA `issuePrecertificateInner` function is updated to specifically catch linting related errors from CFSSL to marshal the linting findings to the audit log. A small unit test for this change is included. The CA `IssueCertificateForPrecertificate` function remains unchanged: the CFSSL interface that defines `SignFromPrecert` doesn't facilitate linting. We still lint final certificates post-issuance with `cert-checker` and accept the possibility there may be some compliance issues that could occur between the precertificate passing linting and the final certificate being signed. Resolves https://github.com/letsencrypt/boulder/issues/4255
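The lint-before-sign flow the commit describes, as an added Go example that is not Boulder's code: a small constructed lint (CT poison extension present and critical) stands in for the zlint lint set, the TBS is signed with a throw-away P-256 key so it can be parsed and linted, and the real issuer key is only used once no finding is above Pass. `LintThenSign`, `Demo`, `Status` and `Result` are names assumed for this example; the issuer and leaf templates are constructed.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"math/big"
	"time"
)
type Status int // constructed stand-in for zlint's ordered result levels
const (Pass Status = iota; Notice; Warn; Error)
type Result struct{ Name string; Status Status } // one lint finding
var ctPoisonOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 3} // RFC 6962 CT poison
// lintPrecert is a constructed check standing in for zlint: a precertificate
// TBS must carry the CT poison extension and it must be marked critical.
func lintPrecert(c *x509.Certificate) []Result {
	poison := Error
	for _, e := range c.Extensions {
		if e.Id.Equal(ctPoisonOID) && e.Critical { poison = Pass }
	}
	return []Result{{"e_ct_poison_critical", poison}}
}
// LintThenSign signs tmpl with a throw-away key, lints the parsed result, and only
// when no finding is above Pass signs the same TBS with the real issuer key.
func LintThenSign(tmpl, issuer *x509.Certificate, subjectPub interface{}, realKey *ecdsa.PrivateKey) ([]byte, []Result, error) {
	throwaway, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	lintIssuer := *issuer
	lintIssuer.PublicKey = &throwaway.PublicKey // CreateCertificate requires parent key == signing key
	der, err := x509.CreateCertificate(rand.Reader, tmpl, &lintIssuer, subjectPub, throwaway)
	if err != nil { return nil, nil, err }
	parsed, err := x509.ParseCertificate(der) // unknown critical extensions parse fine, Verify would not
	if err != nil { return nil, nil, err }
	results := lintPrecert(parsed)
	for _, r := range results {
		if r.Status > Pass { return nil, results, errors.New("lint failed, refusing to sign: " + r.Name) }
	}
	der, err = x509.CreateCertificate(rand.Reader, tmpl, issuer, subjectPub, realKey)
	return der, results, err
}
// Demo runs a constructed issuer and leaf template (optionally without CT poison) through LintThenSign.
func Demo(withPoison bool) ([]Result, error) {
	realKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	issuer := &x509.Certificate{Subject: pkix.Name{CommonName: "Constructed Intermediate"}, PublicKey: &realKey.PublicKey}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1001), DNSNames: []string{"example.test"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(90 * 24 * time.Hour)}
	if withPoison { tmpl.ExtraExtensions = []pkix.Extension{{Id: ctPoisonOID, Critical: true, Value: []byte{0x05, 0x00}}} }
	_, results, err := LintThenSign(tmpl, issuer, &leafKey.PublicKey, realKey)
	return results, err
}
```

In the real CA the findings returned alongside the error are what gets marshalled to the audit log; here they are simply returned to the caller.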