Bump boulder version to release-2020-06-08

2026-01-27 10:19:34 +00:00 · 2020-08-11 20:00:22 +02:00
parent b793c1e56c
commit cdda2d0b26
11 changed files with 198 additions and 56 deletions
--- a/config_expiration-mailer.patch
+++ b/config_expiration-mailer.patch
@@ -2,7 +2,7 @@ diff --git a/test/config/expiration-mailer.json b/test/config/expiration-mailer.
 index 444beae43..e9bd228ef 100644
 --- a/test/config/expiration-mailer.json
 +++ b/test/config/expiration-mailer.json
-@@ -12,6 +12,11 @@
+@@ -11,6 +12,11 @@
     "nagCheckInterval": "24h",
     "emailTemplate": "test/example-expiration-template",
     "debugAddr": ":8008",
@@ -14,7 +14,7 @@ index 444beae43..e9bd228ef 100644
     "tls": {
       "caCertFile": "test/grpc-creds/minica.pem",
       "certFile": "test/grpc-creds/expiration-mailer.boulder/cert.pem",
-@@ -28,5 +33,10 @@
+@@ -27,5 +33,10 @@
   "syslog": {
     "stdoutlevel": 6,
     "sysloglevel": 6
--- a/config_notify-mailer.patch
+++ b/config_notify-mailer.patch
@@ -0,0 +1,24 @@
+diff --git a/test/config/notify-mailer.json b/test/config/notify-mailer.json
+index 04405da..57f850e 100644
+--- a/test/config/notify-mailer.json
+++ b/test/config/notify-mailer.json
+@@ -2,11 +2,19 @@
+   "notifyMailer": {
+     "server": "localhost",
+     "port": "9380",
+    "hostnamePolicyFile": "test/hostname-policy.yaml",
+     "username": "cert-master@example.com",
+     "passwordFile": "test/secrets/smtp_password",
+     "dbConnectFile": "test/secrets/mailer_dburl",
+     "maxDBConns": 10
+   },
+  "pa": {
+    "challenges": {
+      "http-01": true,
+      "dns-01": true,
+      "tls-alpn-01": true
+    }
+  },
+   "syslog": {
+     "stdoutLevel": 7,
+     "syslogLevel": 7
--- a/core_interfaces.patch
+++ b/core_interfaces.patch
@@ -0,0 +1,12 @@
+diff --git a/core/interfaces.go b/core/interfaces.go
+index c57358c9b..5c5087c2f 100644
+--- a/core/interfaces.go
+++ b/core/interfaces.go
+@@ -108,6 +108,7 @@ type PolicyAuthority interface {
+ 	WillingToIssueWildcards(identifiers []identifier.ACMEIdentifier) error
+ 	ChallengesFor(domain identifier.ACMEIdentifier) ([]Challenge, error)
+ 	ChallengeTypeEnabled(t string) bool
+	ValidEmail(address string) error
+ }
+ 
+ // StorageGetter are the Boulder SA's read-only methods
--- a/docker-compose.patch
+++ b/docker-compose.patch
@@ -1,34 +1,34 @@
 diff --git a/docker-compose.yml b/docker-compose.yml
-index e67d892a6..9b097c8b6 100644
+index a915b77ad..14fdb1fa6 100644
 --- a/docker-compose.yml
 +++ b/docker-compose.yml
-@@ -6,7 +6,7 @@ services:
+@@ -5,7 +5,7 @@ services:
+         image: letsencrypt/boulder-tools-go${TRAVIS_GO_VERSION:-1.14.1}:2020-06-01
         environment:
-             FAKE_DNS: 10.77.77.77
-             PKCS11_PROXY_SOCKET: tcp://boulder-hsm:5657
-            BOULDER_CONFIG_DIR: test/config
-+            BOULDER_CONFIG_DIR: labca/config
-             GO111MODULE: "on"
-             GOFLAGS: "-mod=vendor"
+             - FAKE_DNS=10.77.77.77
+-            - BOULDER_CONFIG_DIR=test/config
+            - BOULDER_CONFIG_DIR=labca/config
+             - GOFLAGS=-mod=vendor
             # This is required so Python doesn't throw an error when printing
-@@ -14,6 +14,7 @@ services:
-             PYTHONIOENCODING: "utf-8"
+             # non-ASCII to stdout.
+@@ -18,6 +18,7 @@ services:
+             - RACE
         volumes:
-           - .:/go/src/github.com/letsencrypt/boulder
+           - .:/go/src/github.com/letsencrypt/boulder:cached
 +          - /home/labca/boulder_labca:/go/src/github.com/letsencrypt/boulder/labca
-           - ./.gocache:/root/.cache/go-build
+           - ./.gocache:/root/.cache/go-build:cached
         networks:
           bluenet:
-@@ -54,7 +55,7 @@ services:
+@@ -57,7 +58,7 @@ services:
+           - 8055:8055 # dns-test-srv updates
         depends_on:
-           - bhsm
           - bmysql
 -        entrypoint: test/entrypoint.sh
 +        entrypoint: labca/entrypoint.sh
         working_dir: /go/src/github.com/letsencrypt/boulder
         # This works around a kernel bug that is tickled by Go 1.14:
         # https://github.com/golang/go/issues/37436
-@@ -63,6 +64,12 @@ services:
+@@ -66,8 +67,16 @@ services:
           memlock:
             soft: -1
             hard: -1
@@ -37,19 +37,6 @@ index e67d892a6..9b097c8b6 100644
 +          options:
 +            max-size: "500k"
 +            max-file: "5"
-+        restart: always
-     bhsm:
-         # To minimize fetching this should be the same version used above
-         image: letsencrypt/boulder-tools-go${TRAVIS_GO_VERSION:-1.14.1}:2020-04-23
-@@ -75,8 +82,16 @@ services:
-           bluenet:
-             aliases:
-               - boulder-hsm
-+        logging:
-+          driver: "json-file"
-+          options:
-+            max-size: "500k"
-+            max-file: "5"
 +        restart: always
     bmysql:
         image: mariadb:10.3
@@ -58,7 +45,7 @@ index e67d892a6..9b097c8b6 100644
         networks:
           bluenet:
             aliases:
-@@ -90,20 +105,36 @@ services:
+@@ -81,20 +90,36 @@ services:
         # small.
         command: mysqld --bind-address=0.0.0.0 --slow-query-log --log-output=TABLE --log-queries-not-using-indexes=ON
         logging:
@@ -70,7 +57,7 @@ index e67d892a6..9b097c8b6 100644
 +            max-file: "5"
 +        restart: always
 +    labca:
-         image: letsencrypt/boulder-tools-go${TRAVIS_GO_VERSION:-1.14.1}:2020-04-23
+         image: letsencrypt/boulder-tools-go${TRAVIS_GO_VERSION:-1.14.1}:2020-06-01
 -        environment:
 -            GO111MODULE: "on"
 -            GOFLAGS: "-mod=vendor"
--- a/gui/apply-boulder
+++ b/gui/apply-boulder
@@ -62,10 +62,10 @@ rm -f test-root.der
 cp -p $PKI_INT_CERT_BASE.key test-ca.key
 cp -p $PKI_INT_CERT_BASE.key.der test-ca.key.der
 cp -p $PKI_INT_CERT_BASE.pem test-ca.pem
-openssl rsa -in $PKI_INT_CERT_BASE.key -pubout > test-ca.pubkey.der
+openssl rsa -in $PKI_INT_CERT_BASE.key -pubout > test-ca.pubkey.pem
 cp -p $PKI_ROOT_CERT_BASE.key test-root.key
 cp -p $PKI_ROOT_CERT_BASE.key.der test-root.key.der
 cp -p $PKI_ROOT_CERT_BASE.pem test-root.pem
-openssl rsa -in $PKI_ROOT_CERT_BASE.key -pubout > test-root.pubkey.der
+openssl rsa -in $PKI_ROOT_CERT_BASE.key -pubout > test-root.pubkey.pem

 chown -R `ls -l rate-limit-policies.yml | cut -d" " -f 3,4 | sed 's/ /:/g'` .
--- a/16
+++ b/16
@@ -24,7 +24,7 @@ dockerComposeVersion="1.22.0"

 labcaUrl="https://github.com/hakwerk/labca/"
 boulderUrl="https://github.com/letsencrypt/boulder/"
-boulderTag="release-2020-05-18"
+boulderTag="release-2020-06-08"

 #
 # Color configuration
@@ -480,9 +480,15 @@ config_boulder() {
    sudo -u labca patch -p1 < $cloneDir/docker-compose.patch &>>$installLog
    cp docker-compose.yml "$boulderLabCADir/.backup/"

+    sudo -u labca patch -p1 < $cloneDir/core_interfaces.patch &>>$installLog
+    cp core/interfaces.go "$boulderLabCADir/.backup/"
+
    sudo -u labca patch -p1 < $cloneDir/policy_pa.patch &>>$installLog
    cp policy/pa.go "$boulderLabCADir/.backup/"

+    sudo -u labca patch -p1 < $cloneDir/ra_ra.patch &>>$installLog
+    cp ra/ra.go "$boulderLabCADir/.backup/"
+
    sudo -u labca patch -p1 < $cloneDir/mail_mailer.patch &>>$installLog
    cp mail/mailer.go "$boulderLabCADir/.backup/"

@@ -499,6 +505,7 @@ config_boulder() {
    sudo -u labca patch -p1 -o "$boulderLabCADir/config/ca-b.json" < $cloneDir/test_config_ca_b.patch &>>$installLog

    sudo -u labca patch -p1 -o "$boulderLabCADir/config/expiration-mailer.json" < $cloneDir/config_expiration-mailer.patch &>>$installLog
+    sudo -u labca patch -p1 -o "$boulderLabCADir/config/notify-mailer.json" < $cloneDir/config_notify-mailer.patch &>>$installLog
    #sudo -u labca patch -p1 -o "$boulderLabCADir/config/bad-key-revoker.json" < $cloneDir/config_bad-key-revoker.patch &>>$installLog

    sed -i -e "s|https://letsencrypt.org/docs/rate-limits/|http://$LABCA_FQDN/rate-limits|" errors/errors.go &>>$installLog
@@ -517,6 +524,13 @@ config_boulder() {
    sed -i -e "s/test-ca2.pem/test-ca.pem/" config/ra.json
    sed -i -e "s/test-ca2.pem/test-ca.pem/" config/wfe.json
    sed -i -e "s/test-ca2.pem/test-ca.pem/" config/wfe2.json
+    sed -i -e "s|/tmp/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/akamai-purger.json
+    sed -i -e "s|/tmp/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/ocsp-responder.json
+    sed -i -e "s|/tmp/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/ocsp-updater.json
+    sed -i -e "s|/tmp/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/publisher.json
+    sed -i -e "s|/tmp/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/ra.json
+    sed -i -e "s|/tmp/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/wfe.json
+    sed -i -e "s|/tmp/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/wfe2.json
    sed -i -e "s/5001/443/g" config/va.json
    sed -i -e "s/5002/80/g" config/va.json
    sed -i -e "s|http://boulder:4000/terms/v1|http://$LABCA_FQDN/terms/v1|" config/wfe.json
--- a/notify-mailer_main.patch
+++ b/notify-mailer_main.patch
@@ -1,8 +1,50 @@
 diff --git a/cmd/notify-mailer/main.go b/cmd/notify-mailer/main.go
-index bb8945236..e278cdc16 100644
+index 0445a04c0..ba2be9e2f 100644
 --- a/cmd/notify-mailer/main.go
 +++ b/cmd/notify-mailer/main.go
-@@ -468,6 +468,7 @@ func main() {
+@@ -37,6 +37,7 @@ type mailer struct {
+ 	destinations  []recipient
+ 	targetRange   interval
+ 	sleepInterval time.Duration
+	pa            *policy.AuthorityImpl
+ }
+ 
+ // interval defines a range of email addresses to send to, alphabetically.
+@@ -146,7 +147,7 @@ func (m *mailer) run() error {
+ 			m.log.Debugf("skipping %q: out of target range")
+ 			continue
+ 		}
+-		if err := policy.ValidEmail(address); err != nil {
+		if err := m.pa.ValidEmail(address); err != nil {
+ 			m.log.Infof("skipping %q: %s", address, err)
+ 			continue
+ 		}
+@@ -410,7 +411,9 @@ func main() {
+ 			cmd.PasswordConfig
+ 			cmd.SMTPConfig
+ 			Features map[string]bool
+			cmd.HostnamePolicyConfig
+ 		}
+		PA cmd.PAConfig
+ 		Syslog cmd.SyslogConfig
+ 	}
+ 	configFile := flag.String("config", "", "File containing a JSON config.")
+@@ -461,6 +464,14 @@ func main() {
+ 		end:   *end,
+ 	}
+ 
+	// Validate PA config and set defaults if needed
+	cmd.FailOnError(cfg.PA.CheckChallenges(), "Invalid PA configuration")
+
+	pa, err := policy.New(cfg.PA.Challenges)
+	cmd.FailOnError(err, "Failed to create PA")
+	err = pa.SetHostnamePolicyFile(cfg.NotifyMailer.HostnamePolicyFile)
+	cmd.FailOnError(err, "Failed to load HostnamePolicyFile")
+
+ 	var mailClient bmail.Mailer
+ 	if *dryRun {
+ 		log.Infof("Doing a dry run.")
+@@ -474,6 +485,7 @@ func main() {
 			cfg.NotifyMailer.Username,
 			smtpPassword,
 			nil,
@@ -10,3 +52,11 @@ index bb8945236..e278cdc16 100644
 			*address,
 			log,
 			metrics.NoopRegisterer,
+@@ -491,6 +503,7 @@ func main() {
+ 		emailTemplate: template,
+ 		targetRange:   targetRange,
+ 		sleepInterval: *sleep,
+		pa:            pa,
+ 	}
+ 
+ 	err = m.run()
--- a/policy_pa.patch
+++ b/policy_pa.patch
@@ -1,8 +1,8 @@
 diff --git a/policy/pa.go b/policy/pa.go
-index f6c908363..5de2d9ddc 100644
+index 230eaa1e0..4f9c09633 100644
 --- a/policy/pa.go
 +++ b/policy/pa.go
-@@ -29,6 +29,8 @@ type AuthorityImpl struct {
+@@ -30,6 +30,8 @@ type AuthorityImpl struct {
 	blocklist              map[string]bool
 	exactBlocklist         map[string]bool
 	wildcardExactBlocklist map[string]bool
@@ -11,7 +11,7 @@ index f6c908363..5de2d9ddc 100644
 	blocklistMu            sync.RWMutex
 
 	enabledChallenges map[string]bool
-@@ -69,6 +71,9 @@ type blockedNamesPolicy struct {
+@@ -70,6 +72,9 @@ type blockedNamesPolicy struct {
 	// time above and beyond the high-risk domains. Managing these entries separately
 	// from HighRiskBlockedNames makes it easier to vet changes accurately.
 	AdminBlockedNames []string `yaml:"AdminBlockedNames"`
@@ -21,7 +21,7 @@ index f6c908363..5de2d9ddc 100644
 }
 
 // SetHostnamePolicyFile will load the given policy file, returning error if it
-@@ -137,10 +142,20 @@ func (pa *AuthorityImpl) processHostnamePolicy(policy blockedNamesPolicy) error
+@@ -138,10 +143,20 @@ func (pa *AuthorityImpl) processHostnamePolicy(policy blockedNamesPolicy) error
 		// wildcardNameMap to block issuance for `*.`+parts[1]
 		wildcardNameMap[parts[1]] = true
 	}
@@ -42,7 +42,16 @@ index f6c908363..5de2d9ddc 100644
 	pa.blocklistMu.Unlock()
 	return nil
 }
-@@ -280,6 +295,14 @@ func (pa *AuthorityImpl) ValidDomain(domain string) error {
+@@ -214,7 +229,7 @@ var (
+ // * exactly equal to an IANA registered TLD
+ //
+ // It does _not_ check that the domain isn't on any PA blocked lists.
+-func ValidDomain(domain string) error {
+func (pa *AuthorityImpl) ValidDomain(domain string) error {
+ 	if domain == "" {
+ 		return errEmptyName
+ 	}
+@@ -281,6 +296,14 @@ func ValidDomain(domain string) error {
 		}
 	}
 
@@ -57,7 +66,30 @@ index f6c908363..5de2d9ddc 100644
 	// Names must end in an ICANN TLD, but they must not be equal to an ICANN TLD.
 	icannTLD, err := iana.ExtractSuffix(domain)
 	if err != nil {
-@@ -322,14 +345,44 @@ func (pa *AuthorityImpl) WillingToIssue(id identifier.ACMEIdentifier) error {
+@@ -308,7 +331,7 @@ var forbiddenMailDomains = map[string]bool{
+ // ValidEmail returns an error if the input doesn't parse as an email address,
+ // the domain isn't a valid hostname in Preferred Name Syntax, or its on the
+ // list of domains forbidden for mail (because they are often used in examples).
+-func ValidEmail(address string) error {
+func (pa *AuthorityImpl) ValidEmail(address string) error {
+ 	email, err := mail.ParseAddress(address)
+ 	if err != nil {
+ 		if len(address) > 254 {
+@@ -318,7 +341,7 @@ func ValidEmail(address string) error {
+ 	}
+ 	splitEmail := strings.SplitN(email.Address, "@", -1)
+ 	domain := strings.ToLower(splitEmail[len(splitEmail)-1])
+-	if err := ValidDomain(domain); err != nil {
+	if err := pa.ValidDomain(domain); err != nil {
+ 		return berrors.InvalidEmailError(
+ 			"contact email %q has invalid domain : %s",
+ 			email.Address, err)
+@@ -357,10 +380,14 @@ func (pa *AuthorityImpl) WillingToIssue(id identifier.ACMEIdentifier) error {
+ 	}
+ 	domain := id.Value
+ 
+-	if err := ValidDomain(domain); err != nil {
+	if err := pa.ValidDomain(domain); err != nil {
 		return err
 	}
 
@@ -67,10 +99,8 @@ index f6c908363..5de2d9ddc 100644
 +
 	// Require no match against hostname block lists
 	if err := pa.checkHostLists(domain); err != nil {
-+		fmt.Print("*** oopsie hij komt niet door checkhostlists...\n")
 		return err
- 	}
- 
+@@ -369,6 +396,31 @@ func (pa *AuthorityImpl) WillingToIssue(id identifier.ACMEIdentifier) error {
 	return nil
 }
 
--- a/ra_ra.patch
+++ b/ra_ra.patch
@@ -0,0 +1,21 @@
+diff --git a/ra/ra.go b/ra/ra.go
+index 23445de96..30203a80a 100644
+--- a/ra/ra.go
+++ b/ra/ra.go
+@@ -28,7 +28,6 @@ import (
+ 	"github.com/letsencrypt/boulder/identifier"
+ 	blog "github.com/letsencrypt/boulder/log"
+ 	"github.com/letsencrypt/boulder/metrics"
+-	"github.com/letsencrypt/boulder/policy"
+ 	"github.com/letsencrypt/boulder/probs"
+ 	rapb "github.com/letsencrypt/boulder/ra/proto"
+ 	"github.com/letsencrypt/boulder/ratelimit"
+@@ -394,7 +393,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(ctx context.Context, conta
+ 				contact,
+ 			)
+ 		}
+-		if err := policy.ValidEmail(parsed.Opaque); err != nil {
+		if err := ra.PA.ValidEmail(parsed.Opaque); err != nil {
+ 			return err
+ 		}
+ 	}
--- a/test_config_ca_a.patch
+++ b/test_config_ca_a.patch
@@ -1,15 +1,17 @@
 diff --git a/test/config/ca-a.json b/test/config/ca-a.json
-index 355cfae2..c93fa5a3 100644
+index be064a52e..e7ef8fcf6 100644
 --- a/test/config/ca-a.json
 +++ b/test/config/ca-a.json
-@@ -29,10 +29,6 @@
+@@ -29,11 +29,7 @@
     },
     "Issuers": [{
       "ConfigFile": "test/test-ca.key-pkcs11.json",
-      "CertFile": "test/test-ca2.pem",
+-      "CertFile": "/tmp/intermediate-cert-rsa-a.pem",
 -      "NumSessions": 2
-    }, {
+-    },{
 -      "ConfigFile": "test/test-ca.key-pkcs11.json",
-       "CertFile": "test/test-ca.pem",
+-      "CertFile": "/tmp/intermediate-cert-rsa-b.pem",
+      "CertFile": "test/test-ca.pem",
       "NumSessions": 2
     }],
+     "expiry": "2160h",
--- a/test_config_ca_b.patch
+++ b/test_config_ca_b.patch
@@ -1,15 +1,17 @@
 diff --git a/test/config/ca-b.json b/test/config/ca-b.json
-index 355cfae2..c93fa5a3 100644
+index ed2498f1a..4d24ffa94 100644
 --- a/test/config/ca-b.json
 +++ b/test/config/ca-b.json
-@@ -29,10 +29,6 @@
+@@ -29,11 +29,7 @@
     },
     "Issuers": [{
       "ConfigFile": "test/test-ca.key-pkcs11.json",
-      "CertFile": "test/test-ca2.pem",
+-      "CertFile": "/tmp/intermediate-cert-rsa-a.pem",
 -      "NumSessions": 2
-    }, {
+-    },{
 -      "ConfigFile": "test/test-ca.key-pkcs11.json",
-       "CertFile": "test/test-ca.pem",
+-      "CertFile": "/tmp/intermediate-cert-rsa-b.pem",
+      "CertFile": "test/test-ca.pem",
       "NumSessions": 2
     }],
+     "expiry": "2160h",