From c04e4ffdbc88b5a4a37f014ecbc73fab2b8ba2cc Mon Sep 17 00:00:00 2001 From: Arjan H Date: Sun, 24 Sep 2023 12:54:50 +0200 Subject: [PATCH] Bump boulder version to release-2023-09-19 --- build/build.sh | 2 +- install | 2 +- patch.sh | 1 - patches/bad-key-revoker_main.patch | 6 +-- patches/ca_crl.patch | 8 ++-- patches/cert-checker_main.patch | 16 +++---- patches/crl_x509_crl.patch | 71 ------------------------------ patches/linter_linter.patch | 4 +- patches/notify-mailer_main.patch | 8 ++-- patches/ra_ra.patch | 4 +- patches/storer_storer.patch | 4 +- patches/updater_updater.patch | 2 +- 12 files changed, 28 insertions(+), 100 deletions(-) delete mode 100644 patches/crl_x509_crl.patch diff --git a/build/build.sh b/build/build.sh index 1a510ec..b7512b6 100755 --- a/build/build.sh +++ b/build/build.sh @@ -8,7 +8,7 @@ TMP_DIR=$(pwd)/tmp rm -rf $TMP_DIR && mkdir -p $TMP_DIR/{admin,bin,logs,src} boulderDir=$TMP_DIR/src -boulderTag="release-2023-09-11" +boulderTag="release-2023-09-19" boulderUrl="https://github.com/letsencrypt/boulder/" cloneDir=$(pwd)/.. diff --git a/install b/install index ba5d1be..899c8ef 100755 --- a/install +++ b/install @@ -30,7 +30,7 @@ dockerComposeVersion="v2.5.0" labcaUrl="https://github.com/hakwerk/labca/" boulderUrl="https://github.com/letsencrypt/boulder/" -boulderTag="release-2023-09-11" +boulderTag="release-2023-09-19" # Feature flags flag_skip_redis=true diff --git a/patch.sh b/patch.sh index b3d527d..86f5bee 100755 --- a/patch.sh +++ b/patch.sh @@ -28,7 +28,6 @@ $SUDO patch -p1 < $cloneDir/patches/config_duration.patch $SUDO patch -p1 < $cloneDir/patches/contact-auditor_main.patch $SUDO patch -p1 < $cloneDir/patches/core_interfaces.patch $SUDO patch -p1 < $cloneDir/patches/crl-storer_main.patch -$SUDO patch -p1 < $cloneDir/patches/crl_x509_crl.patch $SUDO patch -p1 < $cloneDir/patches/db_migrations.patch $SUDO patch -p1 < $cloneDir/patches/errors_errors.patch $SUDO patch -p1 < $cloneDir/patches/expiration-mailer_main.patch 
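Review bot: Dropping `$SUDO patch -p1 < $cloneDir/patches/crl_x509_crl.patch` removes the only fix that copied the issuer's DirectoryString tag bytes (PrintableString vs UTF8String) into the generated CRL, and nothing in this commit replaces it. The deleted patches/crl_x509_crl.patch targeted boulder's forked crl/crl_x509/crl.go, and the updated ca_crl.patch now carries `template.RevokedCertificateEntries` as a context line, which suggests the new boulder tag builds CRLs with the standard library's x509.RevocationList instead. As far as I recall the stdlib CreateRevocationList copies issuer.RawSubject verbatim into the CRL Issuer field, which would be why the workaround is no longer needed, but that should be confirmed rather than assumed, since a CRL whose issuer DN encoding differs from the CA certificate's subject is rejected by strict verifiers. I would add a post-build check that the Issuer bytes of a freshly generated CRL equal the CA certificate's raw subject, and record the reason for the removal in the commit message.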
diff --git a/patches/bad-key-revoker_main.patch b/patches/bad-key-revoker_main.patch index dbdd987..2b9ee74 100644 --- a/patches/bad-key-revoker_main.patch +++ b/patches/bad-key-revoker_main.patch @@ -1,5 +1,5 @@ diff --git a/cmd/bad-key-revoker/main.go b/cmd/bad-key-revoker/main.go -index 052e46819..d1c96b7ca 100644 +index e4e7b5a8..e0337a96 100644 --- a/cmd/bad-key-revoker/main.go +++ b/cmd/bad-key-revoker/main.go @@ -18,6 +18,7 @@ import ( @@ -22,7 +22,7 @@ index 052e46819..d1c96b7ca 100644 // MaximumRevocations specifies the maximum number of certificates associated with // a key hash that bad-key-revoker will attempt to revoke. If the number of certificates // is higher than MaximumRevocations bad-key-revoker will error out and refuse to -@@ -461,6 +467,29 @@ func main() { +@@ -462,6 +468,29 @@ func main() { cmd.FailOnError(err, "Failed to load credentials and create gRPC connection to RA") rac := rapb.NewRegistrationAuthorityClient(conn) @@ -52,7 +52,7 @@ index 052e46819..d1c96b7ca 100644 var smtpRoots *x509.CertPool if config.BadKeyRevoker.Mailer.SMTPTrustedRootFile != "" { pem, err := os.ReadFile(config.BadKeyRevoker.Mailer.SMTPTrustedRootFile) -@@ -482,6 +511,7 @@ func main() { +@@ -483,6 +512,7 @@ func main() { config.BadKeyRevoker.Mailer.Username, smtpPassword, smtpRoots, diff --git a/patches/ca_crl.patch b/patches/ca_crl.patch index 32dd082..e0af481 100644 --- a/patches/ca_crl.patch +++ b/patches/ca_crl.patch @@ -1,5 +1,5 @@ diff --git a/ca/crl.go b/ca/crl.go -index 8600fe58..e15ff35a 100644 +index adb311f1..88dcdc71 100644 --- a/ca/crl.go +++ b/ca/crl.go @@ -117,7 +117,7 @@ func (ci *crlImpl) GenerateCRL(stream capb.CRLGenerator_GenerateCRLServer) error 
@@ -11,7 +11,7 @@ index 8600fe58..e15ff35a 100644 if err != nil { return fmt.Errorf("creating IDP extension: %w", err) } -@@ -150,8 +150,10 @@ func (ci *crlImpl) GenerateCRL(stream capb.CRLGenerator_GenerateCRLServer) error +@@ -146,8 +146,10 @@ func (ci *crlImpl) GenerateCRL(stream capb.CRLGenerator_GenerateCRLServer) error builder = strings.Builder{} } } @@ -23,8 +23,8 @@ index 8600fe58..e15ff35a 100644 + } } - template.RevokedCertificates = rcs -@@ -256,14 +258,14 @@ type issuingDistributionPoint struct { + template.RevokedCertificateEntries = rcs +@@ -246,14 +248,14 @@ type issuingDistributionPoint struct { // makeIDPExt returns a critical IssuingDistributionPoint extension containing a // URI built from the base url, the issuer's NameID, and the shard number. It // also sets the OnlyContainsUserCerts boolean to true. diff --git a/patches/cert-checker_main.patch b/patches/cert-checker_main.patch index 71db4c5..5ac8c1b 100644 --- a/patches/cert-checker_main.patch +++ b/patches/cert-checker_main.patch @@ -1,8 +1,8 @@ diff --git a/cmd/cert-checker/main.go b/cmd/cert-checker/main.go -index 199f40706..d1611a824 100644 +index 860b4aac..5ad3241f 100644 --- a/cmd/cert-checker/main.go +++ b/cmd/cert-checker/main.go -@@ -108,6 +108,7 @@ type certChecker struct { +@@ -109,6 +109,7 @@ type certChecker struct { checkPeriod time.Duration acceptableValidityDurations map[time.Duration]bool logger blog.Logger @@ -10,7 +10,7 @@ index 199f40706..d1611a824 100644 } func newChecker(saDbMap certDB, -@@ -117,6 +118,7 @@ func newChecker(saDbMap certDB, +@@ -118,6 +119,7 @@ func newChecker(saDbMap certDB, period time.Duration, avd map[time.Duration]bool, logger blog.Logger, 
@@ -18,7 +18,7 @@ index 199f40706..d1611a824 100644 ) certChecker { precertGetter := func(ctx context.Context, serial string) ([]byte, error) { precertPb, err := sa.SelectPrecertificate(ctx, saDbMap, serial) -@@ -137,6 +139,7 @@ func newChecker(saDbMap certDB, +@@ -138,6 +140,7 @@ func newChecker(saDbMap certDB, checkPeriod: period, acceptableValidityDurations: avd, logger: logger, @@ -26,7 +26,7 @@ index 199f40706..d1611a824 100644 } } -@@ -365,7 +368,7 @@ func (c *certChecker) checkCert(ctx context.Context, cert core.Certificate, igno +@@ -366,7 +369,7 @@ func (c *certChecker) checkCert(ctx context.Context, cert core.Certificate, igno err = c.pa.WillingToIssueWildcards([]identifier.ACMEIdentifier{id}) if err != nil { problems = append(problems, fmt.Sprintf("Policy Authority isn't willing to issue for '%s': %s", name, err)) @@ -35,7 +35,7 @@ index 199f40706..d1611a824 100644 // For defense-in-depth, even if the PA was willing to issue for a name // we double check it against a list of forbidden domains. This way even // if the hostnamePolicyFile malfunctions we will flag the forbidden -@@ -441,10 +444,11 @@ type Config struct { +@@ -444,10 +447,11 @@ type Config struct { DB cmd.DBConfig cmd.HostnamePolicyConfig @@ -51,7 +51,7 @@ index 199f40706..d1611a824 100644 // AcceptableValidityDurations is a list of durations which are // acceptable for certificates we issue. -@@ -510,6 +514,8 @@ func main() { +@@ -515,6 +519,8 @@ func main() { acceptableValidityDurations[ninetyDays] = true } @@ -60,7 +60,7 @@ index 199f40706..d1611a824 100644 // Validate PA config and set defaults if needed. cmd.FailOnError(config.PA.CheckChallenges(), "Invalid PA configuration") -@@ -550,6 +556,7 @@ func main() { +@@ -555,6 +561,7 @@ func main() { config.CertChecker.CheckPeriod.Duration, acceptableValidityDurations, logger, diff --git a/patches/crl_x509_crl.patch b/patches/crl_x509_crl.patch deleted file mode 100644 index 2f8e4d7..0000000 --- a/patches/crl_x509_crl.patch +++ /dev/null 
@@ -1,71 +0,0 @@ -diff --git a/crl/crl_x509/crl.go b/crl/crl_x509/crl.go -index f49356dd3..d2c88b3ca 100644 ---- a/crl/crl_x509/crl.go -+++ b/crl/crl_x509/crl.go -@@ -417,6 +417,9 @@ func CreateRevocationList(rand io.Reader, template *RevocationList, issuer *x509 - return nil, err - } - -+ // Fix PrintableString / UTF8String before calculating the siugnature / hash -+ fixDirectoryStrings(issuer.RawSubject, &tbsCertListContents) -+ - input := tbsCertListContents - if hashFunc != 0 { - h := hashFunc.New() -@@ -436,11 +439,19 @@ func CreateRevocationList(rand io.Reader, template *RevocationList, issuer *x509 - return nil, err - } - -- return asn1.Marshal(pkix.CertificateList{ -+ cl, err := asn1.Marshal(pkix.CertificateList{ - TBSCertList: tbsCertList, - SignatureAlgorithm: signatureAlgorithm, - SignatureValue: asn1.BitString{Bytes: signature, BitLength: len(signature) * 8}, - }) -+ if err != nil { -+ return nil, err -+ } -+ -+ // Fix PrintableString / UTF8String again in the final result -+ fixDirectoryStrings(issuer.RawSubject, &cl) -+ -+ return cl, nil - } - - // CheckSignatureFrom verifies that the signature on rl is a valid signature -@@ -461,3 +472,35 @@ func (rl *RevocationList) CheckSignatureFrom(parent *x509.Certificate) error { - - return parent.CheckSignature(x509.SignatureAlgorithm(rl.SignatureAlgorithm), rl.RawTBSRevocationList, rl.Signature) - } -+ -+// The attributes in the Name of the Subject or Issuer mostly are a DirectoryString, primarily -+// PrintableString or UTF8String. In the go crypto packages both get mapped to a string and it is -+// virtually impossible to preserve the UTF8String correctly. But it is necessary for producing -+// correct, usable CRLs (Certificate Revocation Lists). -+// This helper method updates the type byte for those oids in a []byte (the raw crl) by copying -+// them from another []byte (the raw issuer). 
-+func fixDirectoryStrings(src []byte, dest *[]byte) { -+ ptn := []byte{6, 3, 85, 4, 0} -+ oids := []byte{ -+ 3, // common name -+ 7, // locality -+ 8, // province -+ 9, // street address -+ 10, // organization -+ 11, // organizational unit -+ 17, // postal code -+ } -+ -+ for oid := 0; oid < len(oids); oid++ { -+ ptn[4] = oids[oid] -+ -+ i := bytes.Index(src, ptn) -+ if i > -1 { -+ tp := src[i+len(ptn)] -+ k := bytes.Index(*dest, ptn) -+ if k > -1 { -+ (*dest)[k+len(ptn)] = tp -+ } -+ } -+ } -+} diff --git a/patches/linter_linter.patch b/patches/linter_linter.patch index 3aa8ddb..3f7866e 100644 --- a/patches/linter_linter.patch +++ b/patches/linter_linter.patch @@ -1,8 +1,8 @@ diff --git a/linter/linter.go b/linter/linter.go -index 82c3e238..bda07bd9 100644 +index b7a9d11d..8cdc5702 100644 --- a/linter/linter.go +++ b/linter/linter.go -@@ -194,10 +194,21 @@ func makeIssuer(realIssuer *x509.Certificate, lintSigner crypto.Signer) (*x509.C +@@ -193,10 +193,21 @@ func makeIssuer(realIssuer *x509.Certificate, lintSigner crypto.Signer) (*x509.C SubjectKeyId: realIssuer.SubjectKeyId, URIs: realIssuer.URIs, UnknownExtKeyUsage: realIssuer.UnknownExtKeyUsage, diff --git a/patches/notify-mailer_main.patch b/patches/notify-mailer_main.patch index 968eebb..7b2d3ba 100644 --- a/patches/notify-mailer_main.patch +++ b/patches/notify-mailer_main.patch @@ -1,5 +1,5 @@ diff --git a/cmd/notify-mailer/main.go b/cmd/notify-mailer/main.go -index 8794a4b42..fc874549e 100644 +index a05366c3..da9d78c8 100644 --- a/cmd/notify-mailer/main.go +++ b/cmd/notify-mailer/main.go @@ -37,6 +37,7 @@ type mailer struct { @@ -29,7 +29,7 @@ index 8794a4b42..fc874549e 100644 Syslog cmd.SyslogConfig } -@@ -569,6 +572,15 @@ func main() { +@@ -570,6 +573,15 @@ func main() { log.Infof("While reading the recipient list file %s", probs) } 
@@ -45,7 +45,7 @@ index 8794a4b42..fc874549e 100644 var mailClient bmail.Mailer if *dryRun { log.Infof("Starting %s in dry-run mode", cmd.VersionString()) -@@ -584,6 +596,7 @@ func main() { +@@ -585,6 +597,7 @@ func main() { cfg.NotifyMailer.Username, smtpPassword, nil, @@ -53,7 +53,7 @@ index 8794a4b42..fc874549e 100644 *address, log, metrics.NoopRegisterer, -@@ -604,6 +617,7 @@ func main() { +@@ -605,6 +618,7 @@ func main() { end: *end, }, sleepInterval: *sleep, diff --git a/patches/ra_ra.patch b/patches/ra_ra.patch index ca45ae8..fdcea1d 100644 --- a/patches/ra_ra.patch +++ b/patches/ra_ra.patch @@ -1,5 +1,5 @@ diff --git a/ra/ra.go b/ra/ra.go -index 21c7c2fc..348146f4 100644 +index 8000e6ad..ef136c00 100644 --- a/ra/ra.go +++ b/ra/ra.go @@ -41,7 +41,6 @@ import ( @@ -10,7 +10,7 @@ index 21c7c2fc..348146f4 100644 "github.com/letsencrypt/boulder/probs" pubpb "github.com/letsencrypt/boulder/publisher/proto" rapb "github.com/letsencrypt/boulder/ra/proto" -@@ -540,7 +539,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(contacts []string) error { +@@ -555,7 +554,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(contacts []string) error { contact, ) } diff --git a/patches/storer_storer.patch b/patches/storer_storer.patch index d8555c2..65e6e3f 100644 --- a/patches/storer_storer.patch +++ b/patches/storer_storer.patch @@ -1,8 +1,8 @@ diff --git a/crl/storer/storer.go b/crl/storer/storer.go -index 055c0f028..8f909ee49 100644 +index d1470c7a..e58e46a8 100644 --- a/crl/storer/storer.go +++ b/crl/storer/storer.go -@@ -9,6 +9,9 @@ import ( +@@ -10,6 +10,9 @@ import ( "fmt" "io" "math/big" diff --git a/patches/updater_updater.patch b/patches/updater_updater.patch index de00020..1c437bb 100644 --- a/patches/updater_updater.patch +++ b/patches/updater_updater.patch @@ -1,5 +1,5 @@ diff --git a/crl/updater/updater.go b/crl/updater/updater.go -index 7df31371..da92a3d3 100644 +index ab0cc7e0..256927e3 100644 --- a/crl/updater/updater.go 
+++ b/crl/updater/updater.go @@ -228,7 +228,7 @@ func (cu *crlUpdater) updateShard(ctx context.Context, atTime time.Time, issuerN