Bump boulder version to release-2023-09-19

2026-01-27 10:19:34 +00:00 · 2023-09-24 12:54:50 +02:00
parent 690b8e0fef
commit c04e4ffdbc
12 changed files with 28 additions and 100 deletions
--- a/build/build.sh
+++ b/build/build.sh
@@ -8,7 +8,7 @@ TMP_DIR=$(pwd)/tmp
 rm -rf $TMP_DIR && mkdir -p $TMP_DIR/{admin,bin,logs,src}

 boulderDir=$TMP_DIR/src
-boulderTag="release-2023-09-11"
+boulderTag="release-2023-09-19"
 boulderUrl="https://github.com/letsencrypt/boulder/"
 cloneDir=$(pwd)/..

--- a/2
+++ b/2
@@ -30,7 +30,7 @@ dockerComposeVersion="v2.5.0"

 labcaUrl="https://github.com/hakwerk/labca/"
 boulderUrl="https://github.com/letsencrypt/boulder/"
-boulderTag="release-2023-09-11"
+boulderTag="release-2023-09-19"

 # Feature flags
 flag_skip_redis=true
--- a/patch.sh
+++ b/patch.sh
@@ -28,7 +28,6 @@ $SUDO patch -p1 < $cloneDir/patches/config_duration.patch
 $SUDO patch -p1 < $cloneDir/patches/contact-auditor_main.patch
 $SUDO patch -p1 < $cloneDir/patches/core_interfaces.patch
 $SUDO patch -p1 < $cloneDir/patches/crl-storer_main.patch
-$SUDO patch -p1 < $cloneDir/patches/crl_x509_crl.patch
 $SUDO patch -p1 < $cloneDir/patches/db_migrations.patch
 $SUDO patch -p1 < $cloneDir/patches/errors_errors.patch
 $SUDO patch -p1 < $cloneDir/patches/expiration-mailer_main.patch
--- a/patches/bad-key-revoker_main.patch
+++ b/patches/bad-key-revoker_main.patch
@@ -1,5 +1,5 @@
 diff --git a/cmd/bad-key-revoker/main.go b/cmd/bad-key-revoker/main.go
-index 052e46819..d1c96b7ca 100644
+index e4e7b5a8..e0337a96 100644
 --- a/cmd/bad-key-revoker/main.go
 +++ b/cmd/bad-key-revoker/main.go
@@ -18,6 +18,7 @@ import (
@@ -22,7 +22,7 @@ index 052e46819..d1c96b7ca 100644
 		// MaximumRevocations specifies the maximum number of certificates associated with
 		// a key hash that bad-key-revoker will attempt to revoke. If the number of certificates
 		// is higher than MaximumRevocations bad-key-revoker will error out and refuse to
-@@ -461,6 +467,29 @@ func main() {
+@@ -462,6 +468,29 @@ func main() {
 	cmd.FailOnError(err, "Failed to load credentials and create gRPC connection to RA")
 	rac := rapb.NewRegistrationAuthorityClient(conn)
 
@@ -52,7 +52,7 @@ index 052e46819..d1c96b7ca 100644
 	var smtpRoots *x509.CertPool
 	if config.BadKeyRevoker.Mailer.SMTPTrustedRootFile != "" {
 		pem, err := os.ReadFile(config.BadKeyRevoker.Mailer.SMTPTrustedRootFile)
-@@ -482,6 +511,7 @@ func main() {
+@@ -483,6 +512,7 @@ func main() {
 		config.BadKeyRevoker.Mailer.Username,
 		smtpPassword,
 		smtpRoots,
--- a/patches/ca_crl.patch
+++ b/patches/ca_crl.patch
@@ -1,5 +1,5 @@
 diff --git a/ca/crl.go b/ca/crl.go
-index 8600fe58..e15ff35a 100644
+index adb311f1..88dcdc71 100644
 --- a/ca/crl.go
 +++ b/ca/crl.go
@@ -117,7 +117,7 @@ func (ci *crlImpl) GenerateCRL(stream capb.CRLGenerator_GenerateCRLServer) error
@@ -11,7 +11,7 @@ index 8600fe58..e15ff35a 100644
 	if err != nil {
 		return fmt.Errorf("creating IDP extension: %w", err)
 	}
-@@ -150,8 +150,10 @@ func (ci *crlImpl) GenerateCRL(stream capb.CRLGenerator_GenerateCRLServer) error
+@@ -146,8 +146,10 @@ func (ci *crlImpl) GenerateCRL(stream capb.CRLGenerator_GenerateCRLServer) error
 				builder = strings.Builder{}
 			}
 		}
@@ -23,8 +23,8 @@ index 8600fe58..e15ff35a 100644
 +		}
 	}
 
- 	template.RevokedCertificates = rcs
-@@ -256,14 +258,14 @@ type issuingDistributionPoint struct {
+ 	template.RevokedCertificateEntries = rcs
+@@ -246,14 +248,14 @@ type issuingDistributionPoint struct {
 // makeIDPExt returns a critical IssuingDistributionPoint extension containing a
 // URI built from the base url, the issuer's NameID, and the shard number. It
 // also sets the OnlyContainsUserCerts boolean to true.
--- a/patches/cert-checker_main.patch
+++ b/patches/cert-checker_main.patch
@@ -1,8 +1,8 @@
 diff --git a/cmd/cert-checker/main.go b/cmd/cert-checker/main.go
-index 199f40706..d1611a824 100644
+index 860b4aac..5ad3241f 100644
 --- a/cmd/cert-checker/main.go
 +++ b/cmd/cert-checker/main.go
-@@ -108,6 +108,7 @@ type certChecker struct {
+@@ -109,6 +109,7 @@ type certChecker struct {
 	checkPeriod                 time.Duration
 	acceptableValidityDurations map[time.Duration]bool
 	logger                      blog.Logger
@@ -10,7 +10,7 @@ index 199f40706..d1611a824 100644
 }
 
 func newChecker(saDbMap certDB,
-@@ -117,6 +118,7 @@ func newChecker(saDbMap certDB,
+@@ -118,6 +119,7 @@ func newChecker(saDbMap certDB,
 	period time.Duration,
 	avd map[time.Duration]bool,
 	logger blog.Logger,
@@ -18,7 +18,7 @@ index 199f40706..d1611a824 100644
 ) certChecker {
 	precertGetter := func(ctx context.Context, serial string) ([]byte, error) {
 		precertPb, err := sa.SelectPrecertificate(ctx, saDbMap, serial)
-@@ -137,6 +139,7 @@ func newChecker(saDbMap certDB,
+@@ -138,6 +140,7 @@ func newChecker(saDbMap certDB,
 		checkPeriod:                 period,
 		acceptableValidityDurations: avd,
 		logger:                      logger,
@@ -26,7 +26,7 @@ index 199f40706..d1611a824 100644
 	}
 }
 
-@@ -365,7 +368,7 @@ func (c *certChecker) checkCert(ctx context.Context, cert core.Certificate, igno
+@@ -366,7 +369,7 @@ func (c *certChecker) checkCert(ctx context.Context, cert core.Certificate, igno
 			err = c.pa.WillingToIssueWildcards([]identifier.ACMEIdentifier{id})
 			if err != nil {
 				problems = append(problems, fmt.Sprintf("Policy Authority isn't willing to issue for '%s': %s", name, err))
@@ -35,7 +35,7 @@ index 199f40706..d1611a824 100644
 				// For defense-in-depth, even if the PA was willing to issue for a name
 				// we double check it against a list of forbidden domains. This way even
 				// if the hostnamePolicyFile malfunctions we will flag the forbidden
-@@ -441,10 +444,11 @@ type Config struct {
+@@ -444,10 +447,11 @@ type Config struct {
 		DB cmd.DBConfig
 		cmd.HostnamePolicyConfig
 
@@ -51,7 +51,7 @@ index 199f40706..d1611a824 100644
 
 		// AcceptableValidityDurations is a list of durations which are
 		// acceptable for certificates we issue.
-@@ -510,6 +514,8 @@ func main() {
+@@ -515,6 +519,8 @@ func main() {
 		acceptableValidityDurations[ninetyDays] = true
 	}
 
@@ -60,7 +60,7 @@ index 199f40706..d1611a824 100644
 	// Validate PA config and set defaults if needed.
 	cmd.FailOnError(config.PA.CheckChallenges(), "Invalid PA configuration")
 
-@@ -550,6 +556,7 @@ func main() {
+@@ -555,6 +561,7 @@ func main() {
 		config.CertChecker.CheckPeriod.Duration,
 		acceptableValidityDurations,
 		logger,
--- a/patches/crl_x509_crl.patch
+++ b/patches/crl_x509_crl.patch
@@ -1,71 +0,0 @@
-diff --git a/crl/crl_x509/crl.go b/crl/crl_x509/crl.go
-index f49356dd3..d2c88b3ca 100644
--- a/crl/crl_x509/crl.go
-+++ b/crl/crl_x509/crl.go
-@@ -417,6 +417,9 @@ func CreateRevocationList(rand io.Reader, template *RevocationList, issuer *x509
- 		return nil, err
- 	}
- 
-+	// Fix PrintableString / UTF8String before calculating the siugnature / hash
-+	fixDirectoryStrings(issuer.RawSubject, &tbsCertListContents)
-+
- 	input := tbsCertListContents
- 	if hashFunc != 0 {
- 		h := hashFunc.New()
-@@ -436,11 +439,19 @@ func CreateRevocationList(rand io.Reader, template *RevocationList, issuer *x509
- 		return nil, err
- 	}
- 
-	return asn1.Marshal(pkix.CertificateList{
-+	cl, err := asn1.Marshal(pkix.CertificateList{
- 		TBSCertList:        tbsCertList,
- 		SignatureAlgorithm: signatureAlgorithm,
- 		SignatureValue:     asn1.BitString{Bytes: signature, BitLength: len(signature) * 8},
- 	})
-+	if err != nil {
-+		return nil, err
-+	}
-+
-+	// Fix PrintableString / UTF8String again in the final result
-+	fixDirectoryStrings(issuer.RawSubject, &cl)
-+
-+	return cl, nil
- }
- 
- // CheckSignatureFrom verifies that the signature on rl is a valid signature
-@@ -461,3 +472,35 @@ func (rl *RevocationList) CheckSignatureFrom(parent *x509.Certificate) error {
- 
- 	return parent.CheckSignature(x509.SignatureAlgorithm(rl.SignatureAlgorithm), rl.RawTBSRevocationList, rl.Signature)
- }
-+
-+// The attributes in the Name of the Subject or Issuer mostly are a DirectoryString, primarily
-+// PrintableString or UTF8String. In the go crypto packages both get mapped to a string and it is
-+// virtually impossible to preserve the UTF8String correctly. But it is necessary for producing
-+// correct, usable CRLs (Certificate Revocation Lists).
-+// This helper method updates the type byte for those oids in a []byte (the raw crl) by copying
-+// them from another []byte (the raw issuer).
-+func fixDirectoryStrings(src []byte, dest *[]byte) {
-+	ptn := []byte{6, 3, 85, 4, 0}
-+	oids := []byte{
-+		3,  // common name
-+		7,  // locality
-+		8,  // province
-+		9,  // street address
-+		10, // organization
-+		11, // organizational unit
-+		17, // postal code
-+	}
-+
-+	for oid := 0; oid < len(oids); oid++ {
-+		ptn[4] = oids[oid]
-+
-+		i := bytes.Index(src, ptn)
-+		if i > -1 {
-+			tp := src[i+len(ptn)]
-+			k := bytes.Index(*dest, ptn)
-+			if k > -1 {
-+				(*dest)[k+len(ptn)] = tp
-+			}
-+		}
-+	}
-+}
--- a/patches/linter_linter.patch
+++ b/patches/linter_linter.patch
@@ -1,8 +1,8 @@
 diff --git a/linter/linter.go b/linter/linter.go
-index 82c3e238..bda07bd9 100644
+index b7a9d11d..8cdc5702 100644
 --- a/linter/linter.go
 +++ b/linter/linter.go
-@@ -194,10 +194,21 @@ func makeIssuer(realIssuer *x509.Certificate, lintSigner crypto.Signer) (*x509.C
+@@ -193,10 +193,21 @@ func makeIssuer(realIssuer *x509.Certificate, lintSigner crypto.Signer) (*x509.C
 		SubjectKeyId:                realIssuer.SubjectKeyId,
 		URIs:                        realIssuer.URIs,
 		UnknownExtKeyUsage:          realIssuer.UnknownExtKeyUsage,
--- a/patches/notify-mailer_main.patch
+++ b/patches/notify-mailer_main.patch
@@ -1,5 +1,5 @@
 diff --git a/cmd/notify-mailer/main.go b/cmd/notify-mailer/main.go
-index 8794a4b42..fc874549e 100644
+index a05366c3..da9d78c8 100644
 --- a/cmd/notify-mailer/main.go
 +++ b/cmd/notify-mailer/main.go
@@ -37,6 +37,7 @@ type mailer struct {
@@ -29,7 +29,7 @@ index 8794a4b42..fc874549e 100644
 	Syslog cmd.SyslogConfig
 }
 
-@@ -569,6 +572,15 @@ func main() {
+@@ -570,6 +573,15 @@ func main() {
 		log.Infof("While reading the recipient list file %s", probs)
 	}
 
@@ -45,7 +45,7 @@ index 8794a4b42..fc874549e 100644
 	var mailClient bmail.Mailer
 	if *dryRun {
 		log.Infof("Starting %s in dry-run mode", cmd.VersionString())
-@@ -584,6 +596,7 @@ func main() {
+@@ -585,6 +597,7 @@ func main() {
 			cfg.NotifyMailer.Username,
 			smtpPassword,
 			nil,
@@ -53,7 +53,7 @@ index 8794a4b42..fc874549e 100644
 			*address,
 			log,
 			metrics.NoopRegisterer,
-@@ -604,6 +617,7 @@ func main() {
+@@ -605,6 +618,7 @@ func main() {
 			end:   *end,
 		},
 		sleepInterval: *sleep,
--- a/patches/ra_ra.patch
+++ b/patches/ra_ra.patch
@@ -1,5 +1,5 @@
 diff --git a/ra/ra.go b/ra/ra.go
-index 21c7c2fc..348146f4 100644
+index 8000e6ad..ef136c00 100644
 --- a/ra/ra.go
 +++ b/ra/ra.go
@@ -41,7 +41,6 @@ import (
@@ -10,7 +10,7 @@ index 21c7c2fc..348146f4 100644
 	"github.com/letsencrypt/boulder/probs"
 	pubpb "github.com/letsencrypt/boulder/publisher/proto"
 	rapb "github.com/letsencrypt/boulder/ra/proto"
-@@ -540,7 +539,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(contacts []string) error {
+@@ -555,7 +554,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(contacts []string) error {
 				contact,
 			)
 		}
--- a/patches/storer_storer.patch
+++ b/patches/storer_storer.patch
@@ -1,8 +1,8 @@
 diff --git a/crl/storer/storer.go b/crl/storer/storer.go
-index 055c0f028..8f909ee49 100644
+index d1470c7a..e58e46a8 100644
 --- a/crl/storer/storer.go
 +++ b/crl/storer/storer.go
-@@ -9,6 +9,9 @@ import (
+@@ -10,6 +10,9 @@ import (
 	"fmt"
 	"io"
 	"math/big"
--- a/patches/updater_updater.patch
+++ b/patches/updater_updater.patch
@@ -1,5 +1,5 @@
 diff --git a/crl/updater/updater.go b/crl/updater/updater.go
-index 7df31371..da92a3d3 100644
+index ab0cc7e0..256927e3 100644
 --- a/crl/updater/updater.go
 +++ b/crl/updater/updater.go
@@ -228,7 +228,7 @@ func (cu *crlUpdater) updateShard(ctx context.Context, atTime time.Time, issuerN