If a certificate has a CRLDistributionPoint, it will be stored in the
database in a new "DP" column.
At check time, each CRL must have exactly one IssuingDistributionPoint.
When a certificate is seen, its CRLDistributionPoint (if any) will be
compared to the IssuingDistributionPoint of the CRL it was seen on. If
they differ, error.
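As an added illustration of the two checks described above, in Go (this is example code, not code from crl-monitor, Boulder or the commit's author): the CRL's IssuingDistributionPoint extension must appear exactly once, and a certificate's CRLDistributionPoint that differs from it is an error. It reads "differ" as "the CRLDP URI is not one of the URIs in the IDP's fullName", which is this example's assumption. The IDPURIs, CheckCRLDP and BuildFixtures names, the crl.example.test URLs and the throwaway CA and leaves are all constructed here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

var OIDIDP = asn1.ObjectIdentifier{2, 5, 29, 28} // id-ce-issuingDistributionPoint, RFC 5280 section 5.2.5
// Minimal ASN.1 models: only the IDP's fullName URIs matter here. GeneralName is a CHOICE, which
// encoding/asn1 cannot map to a struct, so each name stays a RawValue ([6] IA5String for a URI).
type distributionPointName struct {
	FullName []asn1.RawValue `asn1:"optional,tag:0"`
}
type issuingDistributionPoint struct {
	DistributionPoint distributionPointName `asn1:"optional,tag:0"`
}

// IDPURIs returns the IDP URIs from exts, failing unless the IDP extension appears exactly once and yields a URI.
func IDPURIs(exts []pkix.Extension) ([]string, error) {
	var idpExts []pkix.Extension
	for _, ext := range exts {
		if ext.Id.Equal(OIDIDP) {
			idpExts = append(idpExts, ext)
		}
	}
	if len(idpExts) != 1 {
		return nil, fmt.Errorf("CRL has %d IssuingDistributionPoint extensions, want exactly 1", len(idpExts))
	}
	var idp issuingDistributionPoint
	if rest, err := asn1.Unmarshal(idpExts[0].Value, &idp); err != nil || len(rest) != 0 {
		return nil, fmt.Errorf("parsing IssuingDistributionPoint: %v (%d trailing bytes)", err, len(rest))
	}
	var uris []string
	for _, gn := range idp.DistributionPoint.FullName {
		if gn.Class == asn1.ClassContextSpecific && gn.Tag == 6 {
			uris = append(uris, string(gn.Bytes))
		}
	}
	if len(uris) == 0 {
		return nil, fmt.Errorf("IssuingDistributionPoint carries no URI")
	}
	return uris, nil
}

// CheckCRLDP errors if cert names a CRLDP that is not one of the CRL's IDP URIs; a cert without a CRLDP passes.
func CheckCRLDP(cert *x509.Certificate, idpURIs []string) error {
	allowed := map[string]bool{}
	for _, u := range idpURIs {
		allowed[u] = true
	}
	for _, dp := range cert.CRLDistributionPoints {
		if !allowed[dp] {
			return fmt.Errorf("serial %s: CRLDP %q is not in the CRL's IDP %v", cert.SerialNumber, dp, idpURIs)
		}
	}
	return nil
}

func must[T any](v T, err error) T { // fixture-only shortcut, not a pattern for production code
	if err != nil {
		panic(err)
	}
	return v
}

// BuildFixtures constructs a throwaway CA, a CRL whose IDP is idpURL, and three leaves, in order:
// CRLDP equal to idpURL, CRLDP equal to otherURL, and no CRLDP extension at all.
func BuildFixtures(idpURL, otherURL string) (*x509.RevocationList, []*x509.Certificate) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) // reused for the leaves, for brevity
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "IDP example CA"},
		NotBefore: now, NotAfter: now.Add(time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, SubjectKeyId: []byte{1, 2, 3, 4}}
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &key.PublicKey, key))))
	leaf := func(serial int64, dps []string) *x509.Certificate {
		tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), NotBefore: now, NotAfter: now.Add(time.Hour), CRLDistributionPoints: dps}
		return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, key))))
	}
	idpVal := must(asn1.Marshal(issuingDistributionPoint{DistributionPoint: distributionPointName{
		FullName: []asn1.RawValue{{Class: asn1.ClassContextSpecific, Tag: 6, Bytes: []byte(idpURL)}}}}))
	crlTmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(time.Hour),
		ExtraExtensions: []pkix.Extension{{Id: OIDIDP, Critical: true, Value: idpVal}}}
	crl := must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, crlTmpl, ca, key))))
	return crl, []*x509.Certificate{leaf(2, []string{idpURL}), leaf(3, []string{otherURL}), leaf(4, nil)}
}

func main() {
	crl, leaves := BuildFixtures("http://crl.example.test/1.crl", "http://crl.example.test/2.crl")
	uris, err := IDPURIs(crl.Extensions)
	fmt.Println("IDP URIs:", uris, err)
	for _, c := range leaves {
		fmt.Println("serial", c.SerialNumber, "->", CheckCRLDP(c, uris))
	}
}
```

Running it reports an error for serial 3 (CRLDP points at 2.crl while the IDP says 1.crl) and nil for serials 2 and 4. One caveat the message does not spell out: this compares URIs only, so a checker must have verified the CRL's signature against its issuer before trusting anything in the IDP.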
Because we need to call an API per serial number, this is causing slow
execution time. Instead, randomly sample up to a maximum number of
certificates per CRL. The count is loaded from the BOULDER_MAX_FETCH
environment variable if set, and is unlimited otherwise.
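An added example (not the project's code) of the sampling step just described, in Go: it reads BOULDER_MAX_FETCH (the variable the message names; an unset or empty value meaning unlimited is from the message, while rejecting a negative or non-numeric value instead of falling back to unlimited is this example's choice) and draws at most that many serials per CRL without replacement, using a partial Fisher-Yates shuffle so the input order is never trusted and the input is not modified. ParseMaxFetch, MaxFetchFromEnv, SeededRNG, SampleSerials and the serial strings are this example's own, not crl-monitor identifiers.

```go
package main

import (
	"fmt"
	"math/rand"
	"os"
	"strconv"
)

// ParseMaxFetch interprets the BOULDER_MAX_FETCH value. Unset or empty means no cap (returned
// as 0). Anything that is not a non-negative integer is rejected instead of silently becoming
// "unlimited", which would defeat the point of the cap.
func ParseMaxFetch(raw string) (int, error) {
	if raw == "" {
		return 0, nil
	}
	n, err := strconv.Atoi(raw)
	if err != nil || n < 0 {
		return 0, fmt.Errorf("BOULDER_MAX_FETCH=%q: want a non-negative integer", raw)
	}
	return n, nil
}

// MaxFetchFromEnv reads the cap from the process environment.
func MaxFetchFromEnv() (int, error) {
	return ParseMaxFetch(os.Getenv("BOULDER_MAX_FETCH"))
}

// SeededRNG returns a math/rand generator; a fixed seed is only for reproducible demos and
// tests. Sampling needs no cryptographic randomness: the aim is an unbiased subset.
func SeededRNG(seed int64) *rand.Rand {
	return rand.New(rand.NewSource(seed))
}

// SampleSerials returns up to limit serials drawn uniformly without replacement; limit == 0
// means no cap and every serial is returned. The input slice is left unmodified. After copying,
// a partial Fisher-Yates shuffle fills only the first limit positions, so only limit swaps run.
func SampleSerials(rng *rand.Rand, serials []string, limit int) []string {
	out := make([]string, len(serials))
	copy(out, serials)
	if limit == 0 || limit >= len(out) {
		return out
	}
	for i := 0; i < limit; i++ {
		j := i + rng.Intn(len(out)-i) // uniform over the not-yet-chosen tail out[i:]
		out[i], out[j] = out[j], out[i]
	}
	return out[:limit]
}

func main() {
	limit, err := MaxFetchFromEnv()
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	// Constructed input standing in for one CRL's revoked serial numbers.
	serials := []string{"0a", "0b", "0c", "0d", "0e", "0f", "10", "11"}
	fmt.Printf("BOULDER_MAX_FETCH=%d -> fetching %v\n", limit, SampleSerials(SeededRNG(1), serials, limit))
}
```

Try it with BOULDER_MAX_FETCH unset, set to 3, and set to a junk value such as "lots": the first returns all eight serials, the second three distinct ones, the third exits with an error rather than quietly fetching everything.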
We want to build lambdas without CGO, but the `issuance` package requires it.
We only need the NameID() method, so we can extract it as a free function here instead.
This updates Boulder to incorporate the changes there to crl/checker: https://github.com/letsencrypt/boulder/pull/6518
Co-authored-by: Jacob Hoffman-Andrews <github@hoffman-andrews.com>
This adds the core of the CRL checker. The checker is what actually
examines CRLs.
The command-line program is nearly what will drive this as a lambda once
s3 event handling code is added, but is suitable for use in dev right
now. It successfully lints current CRLs and alerts on early removal from
our old CRLs during the previous incident.
Some fixups to other parts of code to make this work:
- Return aws.EndpointNotFound error in resolver so the sdk handles it
properly
- Don't make any API request to delete 0 certs
- Log every 100 certs fetched