From cdda2d0b26e6d7bace967389f3527ea141140ff4 Mon Sep 17 00:00:00 2001 From: Arjan H Date: Tue, 11 Aug 2020 20:00:22 +0200 Subject: [PATCH] Bump boulder version to release-2020-06-08 --- config_expiration-mailer.patch | 4 +-- config_notify-mailer.patch | 24 +++++++++++++++ core_interfaces.patch | 12 ++++++++ docker-compose.patch | 47 +++++++++++------------------ gui/apply-boulder | 4 +-- install | 16 +++++++++- notify-mailer_main.patch | 54 ++++++++++++++++++++++++++++++++-- policy_pa.patch | 48 ++++++++++++++++++++++++------ ra_ra.patch | 21 +++++++++++++ test_config_ca_a.patch | 12 ++++---- test_config_ca_b.patch | 12 ++++---- 11 files changed, 198 insertions(+), 56 deletions(-) create mode 100644 config_notify-mailer.patch create mode 100644 core_interfaces.patch create mode 100644 ra_ra.patch diff --git a/config_expiration-mailer.patch b/config_expiration-mailer.patch index 771c885..419dad3 100644 --- a/config_expiration-mailer.patch +++ b/config_expiration-mailer.patch @@ -2,7 +2,7 @@ diff --git a/test/config/expiration-mailer.json b/test/config/expiration-mailer. index 444beae43..e9bd228ef 100644 --- a/test/config/expiration-mailer.json +++ b/test/config/expiration-mailer.json -@@ -12,6 +12,11 @@ +@@ -11,6 +12,11 @@ "nagCheckInterval": "24h", "emailTemplate": "test/example-expiration-template", "debugAddr": ":8008", @@ -14,7 +14,7 @@ index 444beae43..e9bd228ef 100644 "tls": { "caCertFile": "test/grpc-creds/minica.pem", "certFile": "test/grpc-creds/expiration-mailer.boulder/cert.pem", -@@ -28,5 +33,10 @@ +@@ -27,5 +33,10 @@ "syslog": { "stdoutlevel": 6, "sysloglevel": 6 diff --git a/config_notify-mailer.patch b/config_notify-mailer.patch new file mode 100644 index 0000000..7b6ddaa --- /dev/null +++ b/config_notify-mailer.patch @@ -0,0 +1,24 @@ +diff --git a/test/config/notify-mailer.json b/test/config/notify-mailer.json +index 04405da..57f850e 100644 +--- a/test/config/notify-mailer.json ++++ b/test/config/notify-mailer.json +@@ -2,11 +2,19 @@ + "notifyMailer": { + "server": "localhost", + "port": "9380", ++ "hostnamePolicyFile": "test/hostname-policy.yaml", + "username": "cert-master@example.com", + "passwordFile": "test/secrets/smtp_password", + "dbConnectFile": "test/secrets/mailer_dburl", + "maxDBConns": 10 + }, ++ "pa": { ++ "challenges": { ++ "http-01": true, ++ "dns-01": true, ++ "tls-alpn-01": true ++ } ++ }, + "syslog": { + "stdoutLevel": 7, + "syslogLevel": 7 diff --git a/core_interfaces.patch b/core_interfaces.patch new file mode 100644 index 0000000..79f6d6f --- /dev/null +++ b/core_interfaces.patch @@ -0,0 +1,12 @@ +diff --git a/core/interfaces.go b/core/interfaces.go +index c57358c9b..5c5087c2f 100644 +--- a/core/interfaces.go ++++ b/core/interfaces.go +@@ -108,6 +108,7 @@ type PolicyAuthority interface { + WillingToIssueWildcards(identifiers []identifier.ACMEIdentifier) error + ChallengesFor(domain identifier.ACMEIdentifier) ([]Challenge, error) + ChallengeTypeEnabled(t string) bool ++ ValidEmail(address string) error + } + + // StorageGetter are the Boulder SA's read-only methods diff --git a/docker-compose.patch b/docker-compose.patch index 761a14c..80b2ff4 100644 --- a/docker-compose.patch +++ b/docker-compose.patch @@ -1,34 +1,34 @@ diff --git a/docker-compose.yml b/docker-compose.yml -index e67d892a6..9b097c8b6 100644 +index a915b77ad..14fdb1fa6 100644 --- a/docker-compose.yml +++ b/docker-compose.yml -@@ -6,7 +6,7 @@ services: +@@ -5,7 +5,7 @@ services: + image: letsencrypt/boulder-tools-go${TRAVIS_GO_VERSION:-1.14.1}:2020-06-01 environment: - FAKE_DNS: 10.77.77.77 - PKCS11_PROXY_SOCKET: tcp://boulder-hsm:5657 -- BOULDER_CONFIG_DIR: test/config -+ BOULDER_CONFIG_DIR: labca/config - GO111MODULE: "on" - GOFLAGS: "-mod=vendor" + - FAKE_DNS=10.77.77.77 +- - BOULDER_CONFIG_DIR=test/config ++ - BOULDER_CONFIG_DIR=labca/config + - GOFLAGS=-mod=vendor # This is required so Python doesn't throw an error when printing -@@ -14,6 +14,7 @@ services: - PYTHONIOENCODING: "utf-8" + # non-ASCII to stdout. +@@ -18,6 +18,7 @@ services: + - RACE volumes: - - .:/go/src/github.com/letsencrypt/boulder + - .:/go/src/github.com/letsencrypt/boulder:cached + - /home/labca/boulder_labca:/go/src/github.com/letsencrypt/boulder/labca - - ./.gocache:/root/.cache/go-build + - ./.gocache:/root/.cache/go-build:cached networks: bluenet: -@@ -54,7 +55,7 @@ services: +@@ -57,7 +58,7 @@ services: + - 8055:8055 # dns-test-srv updates depends_on: - - bhsm - bmysql - entrypoint: test/entrypoint.sh + entrypoint: labca/entrypoint.sh working_dir: /go/src/github.com/letsencrypt/boulder # This works around a kernel bug that is tickled by Go 1.14: # https://github.com/golang/go/issues/37436 -@@ -63,6 +64,12 @@ services: +@@ -66,8 +67,16 @@ services: memlock: soft: -1 hard: -1 @@ -37,19 +37,6 @@ index e67d892a6..9b097c8b6 100644 + options: + max-size: "500k" + max-file: "5" -+ restart: always - bhsm: - # To minimize fetching this should be the same version used above - image: letsencrypt/boulder-tools-go${TRAVIS_GO_VERSION:-1.14.1}:2020-04-23 -@@ -75,8 +82,16 @@ services: - bluenet: - aliases: - - boulder-hsm -+ logging: -+ driver: "json-file" -+ options: -+ max-size: "500k" -+ max-file: "5" + restart: always bmysql: image: mariadb:10.3 @@ -58,7 +45,7 @@ index e67d892a6..9b097c8b6 100644 networks: bluenet: aliases: -@@ -90,20 +105,36 @@ services: +@@ -81,20 +90,36 @@ services: # small. command: mysqld --bind-address=0.0.0.0 --slow-query-log --log-output=TABLE --log-queries-not-using-indexes=ON logging: @@ -70,7 +57,7 @@ index e67d892a6..9b097c8b6 100644 + max-file: "5" + restart: always + labca: - image: letsencrypt/boulder-tools-go${TRAVIS_GO_VERSION:-1.14.1}:2020-04-23 + image: letsencrypt/boulder-tools-go${TRAVIS_GO_VERSION:-1.14.1}:2020-06-01 - environment: - GO111MODULE: "on" - GOFLAGS: "-mod=vendor" diff --git a/gui/apply-boulder b/gui/apply-boulder index 8b92431..f1e4302 100755 --- a/gui/apply-boulder +++ b/gui/apply-boulder @@ -62,10 +62,10 @@ rm -f test-root.der cp -p $PKI_INT_CERT_BASE.key test-ca.key cp -p $PKI_INT_CERT_BASE.key.der test-ca.key.der cp -p $PKI_INT_CERT_BASE.pem test-ca.pem -openssl rsa -in $PKI_INT_CERT_BASE.key -pubout > test-ca.pubkey.der +openssl rsa -in $PKI_INT_CERT_BASE.key -pubout > test-ca.pubkey.pem cp -p $PKI_ROOT_CERT_BASE.key test-root.key cp -p $PKI_ROOT_CERT_BASE.key.der test-root.key.der cp -p $PKI_ROOT_CERT_BASE.pem test-root.pem -openssl rsa -in $PKI_ROOT_CERT_BASE.key -pubout > test-root.pubkey.der +openssl rsa -in $PKI_ROOT_CERT_BASE.key -pubout > test-root.pubkey.pem chown -R `ls -l rate-limit-policies.yml | cut -d" " -f 3,4 | sed 's/ /:/g'` . diff --git a/install b/install index accaff3..b5b29c1 100755 --- a/install +++ b/install @@ -24,7 +24,7 @@ dockerComposeVersion="1.22.0" labcaUrl="https://github.com/hakwerk/labca/" boulderUrl="https://github.com/letsencrypt/boulder/" -boulderTag="release-2020-05-18" +boulderTag="release-2020-06-08" # # Color configuration @@ -480,9 +480,15 @@ config_boulder() { sudo -u labca patch -p1 < $cloneDir/docker-compose.patch &>>$installLog cp docker-compose.yml "$boulderLabCADir/.backup/" + sudo -u labca patch -p1 < $cloneDir/core_interfaces.patch &>>$installLog + cp core/interfaces.go "$boulderLabCADir/.backup/" + sudo -u labca patch -p1 < $cloneDir/policy_pa.patch &>>$installLog cp policy/pa.go "$boulderLabCADir/.backup/" + sudo -u labca patch -p1 < $cloneDir/ra_ra.patch &>>$installLog + cp ra/ra.go "$boulderLabCADir/.backup/" + sudo -u labca patch -p1 < $cloneDir/mail_mailer.patch &>>$installLog cp mail/mailer.go "$boulderLabCADir/.backup/" @@ -499,6 +505,7 @@ config_boulder() { sudo -u labca patch -p1 -o "$boulderLabCADir/config/ca-b.json" < $cloneDir/test_config_ca_b.patch &>>$installLog sudo -u labca patch -p1 -o "$boulderLabCADir/config/expiration-mailer.json" < $cloneDir/config_expiration-mailer.patch &>>$installLog + sudo -u labca patch -p1 -o "$boulderLabCADir/config/notify-mailer.json" < $cloneDir/config_notify-mailer.patch &>>$installLog #sudo -u labca patch -p1 -o "$boulderLabCADir/config/bad-key-revoker.json" < $cloneDir/config_bad-key-revoker.patch &>>$installLog sed -i -e "s|https://letsencrypt.org/docs/rate-limits/|http://$LABCA_FQDN/rate-limits|" errors/errors.go &>>$installLog @@ -517,6 +524,13 @@ config_boulder() { sed -i -e "s/test-ca2.pem/test-ca.pem/" config/ra.json sed -i -e "s/test-ca2.pem/test-ca.pem/" config/wfe.json sed -i -e "s/test-ca2.pem/test-ca.pem/" config/wfe2.json + sed -i -e "s|/tmp/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/akamai-purger.json + sed -i -e "s|/tmp/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/ocsp-responder.json + sed -i -e "s|/tmp/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/ocsp-updater.json + sed -i -e "s|/tmp/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/publisher.json + sed -i -e "s|/tmp/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/ra.json + sed -i -e "s|/tmp/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/wfe.json + sed -i -e "s|/tmp/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/wfe2.json sed -i -e "s/5001/443/g" config/va.json sed -i -e "s/5002/80/g" config/va.json sed -i -e "s|http://boulder:4000/terms/v1|http://$LABCA_FQDN/terms/v1|" config/wfe.json diff --git a/notify-mailer_main.patch b/notify-mailer_main.patch index daff61d..7576a1e 100644 --- a/notify-mailer_main.patch +++ b/notify-mailer_main.patch @@ -1,8 +1,50 @@ diff --git a/cmd/notify-mailer/main.go b/cmd/notify-mailer/main.go -index bb8945236..e278cdc16 100644 +index 0445a04c0..ba2be9e2f 100644 --- a/cmd/notify-mailer/main.go +++ b/cmd/notify-mailer/main.go -@@ -468,6 +468,7 @@ func main() { +@@ -37,6 +37,7 @@ type mailer struct { + destinations []recipient + targetRange interval + sleepInterval time.Duration ++ pa *policy.AuthorityImpl + } + + // interval defines a range of email addresses to send to, alphabetically. +@@ -146,7 +147,7 @@ func (m *mailer) run() error { + m.log.Debugf("skipping %q: out of target range") + continue + } +- if err := policy.ValidEmail(address); err != nil { ++ if err := m.pa.ValidEmail(address); err != nil { + m.log.Infof("skipping %q: %s", address, err) + continue + } +@@ -410,7 +411,9 @@ func main() { + cmd.PasswordConfig + cmd.SMTPConfig + Features map[string]bool ++ cmd.HostnamePolicyConfig + } ++ PA cmd.PAConfig + Syslog cmd.SyslogConfig + } + configFile := flag.String("config", "", "File containing a JSON config.") +@@ -461,6 +464,14 @@ func main() { + end: *end, + } + ++ // Validate PA config and set defaults if needed ++ cmd.FailOnError(cfg.PA.CheckChallenges(), "Invalid PA configuration") ++ ++ pa, err := policy.New(cfg.PA.Challenges) ++ cmd.FailOnError(err, "Failed to create PA") ++ err = pa.SetHostnamePolicyFile(cfg.NotifyMailer.HostnamePolicyFile) ++ cmd.FailOnError(err, "Failed to load HostnamePolicyFile") ++ + var mailClient bmail.Mailer + if *dryRun { + log.Infof("Doing a dry run.") +@@ -474,6 +485,7 @@ func main() { cfg.NotifyMailer.Username, smtpPassword, nil, @@ -10,3 +52,11 @@ index bb8945236..e278cdc16 100644 *address, log, metrics.NoopRegisterer, +@@ -491,6 +503,7 @@ func main() { + emailTemplate: template, + targetRange: targetRange, + sleepInterval: *sleep, ++ pa: pa, + } + + err = m.run() diff --git a/policy_pa.patch b/policy_pa.patch index d2bbef2..1b59d18 100644 --- a/policy_pa.patch +++ b/policy_pa.patch @@ -1,8 +1,8 @@ diff --git a/policy/pa.go b/policy/pa.go -index f6c908363..5de2d9ddc 100644 +index 230eaa1e0..4f9c09633 100644 --- a/policy/pa.go +++ b/policy/pa.go -@@ -29,6 +29,8 @@ type AuthorityImpl struct { +@@ -30,6 +30,8 @@ type AuthorityImpl struct { blocklist map[string]bool exactBlocklist map[string]bool wildcardExactBlocklist map[string]bool @@ -11,7 +11,7 @@ index f6c908363..5de2d9ddc 100644 blocklistMu sync.RWMutex enabledChallenges map[string]bool -@@ -69,6 +71,9 @@ type blockedNamesPolicy struct { +@@ -70,6 +72,9 @@ type blockedNamesPolicy struct { // time above and beyond the high-risk domains. Managing these entries separately // from HighRiskBlockedNames makes it easier to vet changes accurately. AdminBlockedNames []string `yaml:"AdminBlockedNames"` @@ -21,7 +21,7 @@ index f6c908363..5de2d9ddc 100644 } // SetHostnamePolicyFile will load the given policy file, returning error if it -@@ -137,10 +142,20 @@ func (pa *AuthorityImpl) processHostnamePolicy(policy blockedNamesPolicy) error +@@ -138,10 +143,20 @@ func (pa *AuthorityImpl) processHostnamePolicy(policy blockedNamesPolicy) error // wildcardNameMap to block issuance for `*.`+parts[1] wildcardNameMap[parts[1]] = true } @@ -42,7 +42,16 @@ index f6c908363..5de2d9ddc 100644 pa.blocklistMu.Unlock() return nil } -@@ -280,6 +295,14 @@ func (pa *AuthorityImpl) ValidDomain(domain string) error { +@@ -214,7 +229,7 @@ var ( + // * exactly equal to an IANA registered TLD + // + // It does _not_ check that the domain isn't on any PA blocked lists. +-func ValidDomain(domain string) error { ++func (pa *AuthorityImpl) ValidDomain(domain string) error { + if domain == "" { + return errEmptyName + } +@@ -281,6 +296,14 @@ func ValidDomain(domain string) error { } } @@ -57,7 +66,30 @@ index f6c908363..5de2d9ddc 100644 // Names must end in an ICANN TLD, but they must not be equal to an ICANN TLD. icannTLD, err := iana.ExtractSuffix(domain) if err != nil { -@@ -322,14 +345,44 @@ func (pa *AuthorityImpl) WillingToIssue(id identifier.ACMEIdentifier) error { +@@ -308,7 +331,7 @@ var forbiddenMailDomains = map[string]bool{ + // ValidEmail returns an error if the input doesn't parse as an email address, + // the domain isn't a valid hostname in Preferred Name Syntax, or its on the + // list of domains forbidden for mail (because they are often used in examples). +-func ValidEmail(address string) error { ++func (pa *AuthorityImpl) ValidEmail(address string) error { + email, err := mail.ParseAddress(address) + if err != nil { + if len(address) > 254 { +@@ -318,7 +341,7 @@ func ValidEmail(address string) error { + } + splitEmail := strings.SplitN(email.Address, "@", -1) + domain := strings.ToLower(splitEmail[len(splitEmail)-1]) +- if err := ValidDomain(domain); err != nil { ++ if err := pa.ValidDomain(domain); err != nil { + return berrors.InvalidEmailError( + "contact email %q has invalid domain : %s", + email.Address, err) +@@ -357,10 +380,14 @@ func (pa *AuthorityImpl) WillingToIssue(id identifier.ACMEIdentifier) error { + } + domain := id.Value + +- if err := ValidDomain(domain); err != nil { ++ if err := pa.ValidDomain(domain); err != nil { return err } @@ -67,10 +99,8 @@ index f6c908363..5de2d9ddc 100644 + // Require no match against hostname block lists if err := pa.checkHostLists(domain); err != nil { -+ fmt.Print("*** oopsie hij komt niet door checkhostlists...\n") return err - } - +@@ -369,6 +396,31 @@ func (pa *AuthorityImpl) WillingToIssue(id identifier.ACMEIdentifier) error { return nil } diff --git a/ra_ra.patch b/ra_ra.patch new file mode 100644 index 0000000..14547db --- /dev/null +++ b/ra_ra.patch @@ -0,0 +1,21 @@ +diff --git a/ra/ra.go b/ra/ra.go +index 23445de96..30203a80a 100644 +--- a/ra/ra.go ++++ b/ra/ra.go +@@ -28,7 +28,6 @@ import ( + "github.com/letsencrypt/boulder/identifier" + blog "github.com/letsencrypt/boulder/log" + "github.com/letsencrypt/boulder/metrics" +- "github.com/letsencrypt/boulder/policy" + "github.com/letsencrypt/boulder/probs" + rapb "github.com/letsencrypt/boulder/ra/proto" + "github.com/letsencrypt/boulder/ratelimit" +@@ -394,7 +393,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(ctx context.Context, conta + contact, + ) + } +- if err := policy.ValidEmail(parsed.Opaque); err != nil { ++ if err := ra.PA.ValidEmail(parsed.Opaque); err != nil { + return err + } + } diff --git a/test_config_ca_a.patch b/test_config_ca_a.patch index 7af9aef..1312e17 100644 --- a/test_config_ca_a.patch +++ b/test_config_ca_a.patch @@ -1,15 +1,17 @@ diff --git a/test/config/ca-a.json b/test/config/ca-a.json -index 355cfae2..c93fa5a3 100644 +index be064a52e..e7ef8fcf6 100644 --- a/test/config/ca-a.json +++ b/test/config/ca-a.json -@@ -29,10 +29,6 @@ +@@ -29,11 +29,7 @@ }, "Issuers": [{ "ConfigFile": "test/test-ca.key-pkcs11.json", -- "CertFile": "test/test-ca2.pem", +- "CertFile": "/tmp/intermediate-cert-rsa-a.pem", - "NumSessions": 2 -- }, { +- },{ - "ConfigFile": "test/test-ca.key-pkcs11.json", - "CertFile": "test/test-ca.pem", +- "CertFile": "/tmp/intermediate-cert-rsa-b.pem", ++ "CertFile": "test/test-ca.pem", "NumSessions": 2 }], + "expiry": "2160h", diff --git a/test_config_ca_b.patch b/test_config_ca_b.patch index 527bd58..fc21282 100644 --- a/test_config_ca_b.patch +++ b/test_config_ca_b.patch @@ -1,15 +1,17 @@ diff --git a/test/config/ca-b.json b/test/config/ca-b.json -index 355cfae2..c93fa5a3 100644 +index ed2498f1a..4d24ffa94 100644 --- a/test/config/ca-b.json +++ b/test/config/ca-b.json -@@ -29,10 +29,6 @@ +@@ -29,11 +29,7 @@ }, "Issuers": [{ "ConfigFile": "test/test-ca.key-pkcs11.json", -- "CertFile": "test/test-ca2.pem", +- "CertFile": "/tmp/intermediate-cert-rsa-a.pem", - "NumSessions": 2 -- }, { +- },{ - "ConfigFile": "test/test-ca.key-pkcs11.json", - "CertFile": "test/test-ca.pem", +- "CertFile": "/tmp/intermediate-cert-rsa-b.pem", ++ "CertFile": "test/test-ca.pem", "NumSessions": 2 }], + "expiry": "2160h",