Bump boulder version to release-2022-10-25

2026-01-27 10:19:34 +00:00 · 2022-10-26 20:38:34 +02:00
parent 584accf056
commit 780c10daeb
10 changed files with 140 additions and 23 deletions
--- a/gui/apply-boulder
+++ b/gui/apply-boulder
@@ -64,14 +64,16 @@ if [ "$PKI_DOMAIN_MODE" == "lockdown" ] || [ "$PKI_DOMAIN_MODE" == "whitelist" ]
    cat rate-limit-policies.yml | tr '\n' '\r' | sed -e "s|\(certificatesPerFQDNSet:.*must-staple.le.wtf: 10000\).*\(certificatesPerFQDNSetFast:.*\)|\1\n${REPLACEMENT}rateLimitsURL: http://$PKI_FQDN/rate-limits\n\2|" | tr '\r' '\n' > rate-limit-policies.yml.bak && mv rate-limit-policies.yml.bak rate-limit-policies.yml
 fi

-perl -i -p0e "s/(\"maxNames\": [^\n]*).*?(\s+)(\"lifespanOCSP\":)/\1\2\"lifespanCRL\": \"96h\",\2\3/igs" config/ca-a.json
-perl -i -p0e "s/(\"maxNames\": [^\n]*).*?(\s+)(\"lifespanOCSP\":)/\1\2\"lifespanCRL\": \"96h\",\2\3/igs" config/ca-b.json
+sed -i -e "s/\"lifespanCRL\": \".*\"/\"lifespanCRL\": \"96h\"/" config/ca-a.json
+sed -i -e "s/\"lifespanCRL\": \".*\"/\"lifespanCRL\": \"96h\"/" config/ca-b.json
 sed -i -e "s/\"ocspMinTimeToExpiry\": \".*\"/\"ocspMinTimeToExpiry\": \"48h\"/" config/ocsp-updater.json

 sed -i -e "s|\"issuerURL\": \".*\"|\"issuerURL\": \"http://$PKI_FQDN/aia/issuer/$PKI_ISSUER_NAME_ID\"|" config/ca-a.json
 sed -i -e "s|\"issuerURL\": \".*\"|\"issuerURL\": \"http://$PKI_FQDN/aia/issuer/$PKI_ISSUER_NAME_ID\"|" config/ca-b.json
 sed -i -e "s|\"crlURL\": \".*\"|\"crlURL\": \"http://$PKI_FQDN/crl/$PKI_ISSUER_NAME_ID.crl\"|" config/ca-a.json
 sed -i -e "s|\"crlURL\": \".*\"|\"crlURL\": \"http://$PKI_FQDN/crl/$PKI_ISSUER_NAME_ID.crl\"|" config/ca-b.json
+sed -i -e "s|\"crldpBase\": \".*\"|\"crldpBase\": \"http://$PKI_FQDN/crl\"|" config/ca-a.json
+sed -i -e "s|\"crldpBase\": \".*\"|\"crldpBase\": \"http://$PKI_FQDN/crl\"|" config/ca-b.json

 if [ "$PKI_EXTENDED_TIMEOUT" == "1" ]; then
    sed -i -e "s/\"timeout\": \"15s\"/\"timeout\": \"30s\"/" config/ca-a.json
--- a/2
+++ b/2
@@ -24,7 +24,7 @@ dockerComposeVersion="v2.5.0"

 labcaUrl="https://github.com/hakwerk/labca/"
 boulderUrl="https://github.com/letsencrypt/boulder/"
-boulderTag="release-2022-10-17"
+boulderTag="release-2022-10-25"

 # Feature flags
 flag_skip_redis=true
--- a/patch-cfg.sh
+++ b/patch-cfg.sh
@@ -2,6 +2,7 @@

 set -e

+flag_skip_redis=true
 cloneDir=$(dirname $0)

 # For legacy mode, when called from the install script...
@@ -33,3 +34,6 @@ perl -i -p0e "s/\"dnsResolver\": \"service.consul\",/\"dnsResolvers\": [\n
 perl -i -p0e "s/\"dnsResolver\": \"service.consul\",/\"dnsResolvers\": [\n      \"127.0.0.1:8053\",\n      \"127.0.0.1:8054\"\n    ],/igs" $boulderLabCADir/config/va-remote-a.json
 perl -i -p0e "s/\"dnsResolver\": \"service.consul\",/\"dnsResolvers\": [\n      \"127.0.0.1:8053\",\n      \"127.0.0.1:8054\"\n    ],/igs" $boulderLabCADir/config/va-remote-b.json

+if [ "$flag_skip_redis" == true ]; then
+    perl -i -p0e "s/\n    \"redis\": \{\n.*?    \},//igs" $boulderLabCADir/config/ocsp-responder.json
+fi
--- a/patch.sh
+++ b/patch.sh
@@ -30,6 +30,7 @@ $SUDO patch -p1 < $cloneDir/patches/log-validator_main.patch
 $SUDO patch -p1 < $cloneDir/patches/mail_mailer.patch
 $SUDO patch -p1 < $cloneDir/patches/makefile.patch
 $SUDO patch -p1 < $cloneDir/patches/notify-mailer_main.patch
+$SUDO patch -p1 < $cloneDir/patches/ocsp-responder_main.patch
 $SUDO patch -p1 < $cloneDir/patches/policy_pa.patch
 $SUDO patch -p1 < $cloneDir/patches/ra_ra.patch
 $SUDO patch -p1 < $cloneDir/patches/ratelimit_rate-limits.patch
--- a/patches/ca_crl.patch
+++ b/patches/ca_crl.patch
@@ -1,8 +1,17 @@
 diff --git a/ca/crl.go b/ca/crl.go
-index 99eb57b5..91e10a40 100644
+index 8600fe58..e15ff35a 100644
 --- a/ca/crl.go
 +++ b/ca/crl.go
-@@ -127,8 +127,10 @@ func (ci *crlImpl) GenerateCRL(stream capb.CRLGenerator_GenerateCRLServer) error
+@@ -117,7 +117,7 @@ func (ci *crlImpl) GenerateCRL(stream capb.CRLGenerator_GenerateCRLServer) error
+ 	}
+ 
+ 	// Add the Issuing Distribution Point extension.
+-	idp, err := makeIDPExt(ci.idpBase, issuer.Cert.NameID(), shard)
+	idp, err := makeIDPExt(ci.idpBase, issuer.Cert.NameID())
+ 	if err != nil {
+ 		return fmt.Errorf("creating IDP extension: %w", err)
+ 	}
+@@ -150,8 +150,10 @@ func (ci *crlImpl) GenerateCRL(stream capb.CRLGenerator_GenerateCRLServer) error
 				builder = strings.Builder{}
 			}
 		}
@@ -15,3 +24,20 @@ index 99eb57b5..91e10a40 100644
 	}
 
 	template.RevokedCertificates = rcs
+@@ -256,14 +258,14 @@ type issuingDistributionPoint struct {
+ // makeIDPExt returns a critical IssuingDistributionPoint extension containing a
+ // URI built from the base url, the issuer's NameID, and the shard number. It
+ // also sets the OnlyContainsUserCerts boolean to true.
+-func makeIDPExt(base string, issuer issuance.IssuerNameID, shardIdx int64) (*pkix.Extension, error) {
+func makeIDPExt(base string, issuer issuance.IssuerNameID) (*pkix.Extension, error) {
+ 	val := issuingDistributionPoint{
+ 		DistributionPoint: distributionPointName{
+ 			[]asn1.RawValue{ // GeneralNames
+ 				{ // GeneralName
+ 					Class: 2, // context-specific
+ 					Tag:   6, // uniformResourceIdentifier, IA5String
+-					Bytes: []byte(fmt.Sprintf("%s/%d/%d.crl", base, issuer, shardIdx)),
+					Bytes: []byte(fmt.Sprintf("%s/%d.crl", base, issuer)),
+ 				},
+ 			},
+ 		},
--- a/patches/config_ocsp-responder.patch
+++ b/patches/config_ocsp-responder.patch
@@ -2,7 +2,7 @@ diff --git a/test/config/ocsp-responder.json b/test/config/ocsp-responder.json
 index ed874d3..a1a78f3 100644
 --- a/test/config/ocsp-responder.json
 +++ b/test/config/ocsp-responder.json
-@@ -7,9 +7,7 @@
+@@ -44,9 +44,7 @@
     "path": "/",
     "listenAddress": "0.0.0.0:4002",
     "issuerCerts": [
@@ -11,5 +11,5 @@ index ed874d3..a1a78f3 100644
 -      "/hierarchy/intermediate-cert-ecdsa-a.pem"
 +      "/hierarchy/intermediate-cert-rsa-a.pem"
     ],
+     "liveSigningPeriod": "60h",
     "timeout": "4.9s",
-     "shutdownStopTimeout": "10s",
--- a/patches/docker-compose-redis.patch
+++ b/patches/docker-compose-redis.patch
@@ -1,8 +1,8 @@
 diff --git a/docker-compose.yml b/docker-compose.yml
-index 52ccecabd..819611f8c 100644
+index 02460285..ddde0231 100644
 --- a/docker-compose.yml
 +++ b/docker-compose.yml
-@@ -25,8 +25,6 @@ services:
+@@ -24,8 +24,6 @@ services:
         ipv4_address: 10.77.77.77
       rednet:
         ipv4_address: 10.88.88.88
@@ -11,7 +11,7 @@ index 52ccecabd..819611f8c 100644
       consulnet:
         ipv4_address: 10.55.55.55
     extra_hosts:
-@@ -44,7 +42,6 @@ services:
+@@ -43,7 +41,6 @@ services:
       - 4003:4003 # OCSP
     depends_on:
       - bmysql
@@ -19,7 +19,7 @@ index 52ccecabd..819611f8c 100644
       - bconsul
     entrypoint: test/entrypoint.sh
     working_dir: &boulder_working_dir /boulder
-@@ -66,79 +63,6 @@ services:
+@@ -65,79 +62,6 @@ services:
     logging:
         driver: none
 
@@ -99,7 +99,7 @@ index 52ccecabd..819611f8c 100644
   bconsul:
     image: hashicorp/consul:1.13.1
     volumes:
-@@ -175,13 +99,6 @@ networks:
+@@ -174,13 +98,6 @@ networks:
       config:
         - subnet: 10.88.88.0/24
 
--- a/patches/docker-compose.patch
+++ b/patches/docker-compose.patch
@@ -1,18 +1,18 @@
 diff --git a/docker-compose.yml b/docker-compose.yml
-index 819611f8c..3da7d454e 100644
+index ddde0231..b06711b7 100644
 --- a/docker-compose.yml
 +++ b/docker-compose.yml
@@ -8,7 +8,7 @@ services:
-     image: &boulder_image letsencrypt/boulder-tools:${BOULDER_TOOLS_TAG:-go1.18.6_2022-09-06}
+     image: &boulder_image letsencrypt/boulder-tools:${BOULDER_TOOLS_TAG:-go1.19.2_2022-10-05}
     environment:
       FAKE_DNS: 10.77.77.77
 -      BOULDER_CONFIG_DIR: test/config
 +      BOULDER_CONFIG_DIR: labca/config
       GOFLAGS: -mod=vendor
-       # Go 1.18 turns off SHA-1 validation on CSRs (and certs, but that doesn't
-       # affect us). It also turns off TLS 1.0 and TLS 1.1. Temporarily go back
-@@ -17,6 +17,8 @@ services:
-       GODEBUG: x509sha1=1,tls10default=1
+       # Go 1.18 turned off SHA-1 validation on CSRs (and certs, but that doesn't
+       # affect us) by default, but it can be turned back on with the x509sha1
+@@ -16,6 +16,8 @@ services:
+       GODEBUG: x509sha1=1
     volumes:
       - .:/boulder:cached
 +      - /home/labca/boulder_labca:/boulder/labca
@@ -20,7 +20,7 @@ index 819611f8c..3da7d454e 100644
       - ./.gocache:/root/.cache/go-build:cached
       - ./.hierarchy:/hierarchy/:cached
       - ./.softhsm-tokens/:/var/lib/softhsm/tokens/:cached
-@@ -36,18 +38,26 @@ services:
+@@ -35,18 +37,26 @@ services:
     # IP (running consul).
     # (https://docs.docker.com/config/containers/container-networking/#dns-services).
     dns: 10.55.55.10
@@ -52,7 +52,7 @@ index 819611f8c..3da7d454e 100644
     networks:
       bluenet:
         aliases:
-@@ -61,7 +71,11 @@ services:
+@@ -60,7 +70,11 @@ services:
     # small.
     command: mysqld --bind-address=0.0.0.0 --slow-query-log --log-output=TABLE --log-queries-not-using-indexes=ON
     logging:
@@ -65,7 +65,7 @@ index 819611f8c..3da7d454e 100644
 
   bconsul:
     image: hashicorp/consul:1.13.1
-@@ -72,18 +86,68 @@ services:
+@@ -71,18 +85,68 @@ services:
         ipv4_address: 10.55.55.10
     command: "consul agent -dev -config-format=hcl -config-file=/test/consul/config.hcl"
 
--- a/patches/ocsp-responder_main.patch
+++ b/patches/ocsp-responder_main.patch
@@ -0,0 +1,84 @@
+diff --git a/cmd/ocsp-responder/main.go b/cmd/ocsp-responder/main.go
+index f23cf2ad..c5aa7917 100644
+--- a/cmd/ocsp-responder/main.go
+++ b/cmd/ocsp-responder/main.go
+@@ -166,42 +166,44 @@ as generated by Boulder's ceremony command.
+ 		dbMap, err := sa.InitWrappedDb(config.DB, stats, logger)
+ 		cmd.FailOnError(err, "While initializing dbMap")
+ 
+-		// Set up the redis source and the combined multiplex source.
+-		rocspReader, err := rocsp_config.MakeClient(&c.OCSPResponder.Redis, clk, stats)
+-		cmd.FailOnError(err, "Could not make redis client")
+-
+-		err = rocspReader.Ping(context.Background())
+-		cmd.FailOnError(err, "pinging Redis")
+-
+-		liveSigningPeriod := c.OCSPResponder.LiveSigningPeriod.Duration
+-		if liveSigningPeriod == 0 {
+-			liveSigningPeriod = 60 * time.Hour
+-		}
+-
+-		tlsConfig, err := c.OCSPResponder.TLS.Load()
+-		cmd.FailOnError(err, "TLS config")
+-		clientMetrics := bgrpc.NewClientMetrics(stats)
+-		raConn, err := bgrpc.ClientSetup(c.OCSPResponder.RAService, tlsConfig, clientMetrics, clk)
+-		cmd.FailOnError(err, "Failed to load credentials and create gRPC connection to RA")
+-		rac := rapb.NewRegistrationAuthorityClient(raConn)
+-
+-		maxInflight := c.OCSPResponder.MaxInflightSignings
+-		if maxInflight == 0 {
+-			maxInflight = 1000
+-		}
+-		liveSource := live.New(rac, int64(maxInflight))
+-
+-		rocspSource, err := redis_responder.NewRedisSource(rocspReader, liveSource, liveSigningPeriod, clk, stats, logger)
+-		cmd.FailOnError(err, "Could not create redis source")
+-
+-		var sac sapb.StorageAuthorityClient
+-		if c.OCSPResponder.SAService != nil {
+-			saConn, err := bgrpc.ClientSetup(c.OCSPResponder.SAService, tlsConfig, clientMetrics, clk)
+-			cmd.FailOnError(err, "Failed to load credentials and create gRPC connection to SA")
+-			sac = sapb.NewStorageAuthorityClient(saConn)
+		if c.OCSPResponder.Redis.Addrs != nil {
+			// Set up the redis source and the combined multiplex source.
+			rocspReader, err := rocsp_config.MakeClient(&c.OCSPResponder.Redis, clk, stats)
+			cmd.FailOnError(err, "Could not make redis client")
+
+			err = rocspReader.Ping(context.Background())
+			cmd.FailOnError(err, "pinging Redis")
+
+			liveSigningPeriod := c.OCSPResponder.LiveSigningPeriod.Duration
+			if liveSigningPeriod == 0 {
+				liveSigningPeriod = 60 * time.Hour
+			}
+
+			tlsConfig, err := c.OCSPResponder.TLS.Load()
+			cmd.FailOnError(err, "TLS config")
+			clientMetrics := bgrpc.NewClientMetrics(stats)
+			raConn, err := bgrpc.ClientSetup(c.OCSPResponder.RAService, tlsConfig, clientMetrics, clk)
+			cmd.FailOnError(err, "Failed to load credentials and create gRPC connection to RA")
+			rac := rapb.NewRegistrationAuthorityClient(raConn)
+
+			maxInflight := c.OCSPResponder.MaxInflightSignings
+			if maxInflight == 0 {
+				maxInflight = 1000
+			}
+			liveSource := live.New(rac, int64(maxInflight))
+
+			rocspSource, err := redis_responder.NewRedisSource(rocspReader, liveSource, liveSigningPeriod, clk, stats, logger)
+			cmd.FailOnError(err, "Could not create redis source")
+
+			var sac sapb.StorageAuthorityClient
+			if c.OCSPResponder.SAService != nil {
+				saConn, err := bgrpc.ClientSetup(c.OCSPResponder.SAService, tlsConfig, clientMetrics, clk)
+				cmd.FailOnError(err, "Failed to load credentials and create gRPC connection to SA")
+				sac = sapb.NewStorageAuthorityClient(saConn)
+			}
+			source, err = redis_responder.NewCheckedRedisSource(rocspSource, dbMap, sac, stats, logger)
+			cmd.FailOnError(err, "Could not create checkedRedis source")
+ 		}
+-		source, err = redis_responder.NewCheckedRedisSource(rocspSource, dbMap, sac, stats, logger)
+-		cmd.FailOnError(err, "Could not create checkedRedis source")
+ 
+ 		// Load the certificate from the file path.
+ 		issuerCerts := make([]*issuance.Certificate, len(c.OCSPResponder.IssuerCerts))
--- a/patches/ra_ra.patch
+++ b/patches/ra_ra.patch
@@ -1,5 +1,5 @@
 diff --git a/ra/ra.go b/ra/ra.go
-index 5edbd8d5b..5022c1a93 100644
+index dd15485e..24e3a4da 100644
 --- a/ra/ra.go
 +++ b/ra/ra.go
@@ -32,7 +32,6 @@ import (
@@ -10,7 +10,7 @@ index 5edbd8d5b..5022c1a93 100644
 	"github.com/letsencrypt/boulder/probs"
 	pubpb "github.com/letsencrypt/boulder/publisher/proto"
 	rapb "github.com/letsencrypt/boulder/ra/proto"
-@@ -476,7 +475,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(contacts []string) error {
+@@ -477,7 +476,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(contacts []string) error {
 				contact,
 			)
 		}