Bump boulder version to release-2022-08-29

This commit is contained in:
Arjan H
2022-09-01 19:11:39 +02:00
parent f53590f664
commit d48c385704
11 changed files with 38 additions and 52 deletions

.gitignore vendored

@@ -16,6 +16,9 @@ _site
# Output of the go coverage tool, specifically when used with LiteIDE
*.out
# IDE
*.code-workspace
# Project specific
gui/data/
gui/bin/


@@ -24,7 +24,7 @@ dockerComposeVersion="v2.5.0"
labcaUrl="https://github.com/hakwerk/labca/"
boulderUrl="https://github.com/letsencrypt/boulder/"
boulderTag="release-2022-08-15"
boulderTag="release-2022-08-29"
# Feature flags
flag_skip_redis=true
@@ -606,7 +606,6 @@ config_boulder() {
sudo -u labca -H patch -p1 -o "$boulderLabCADir/config/ocsp-responder.json" < $cloneDir/patches/config_ocsp-responder.patch &>>$installLog
sudo -u labca -H patch -p1 -o "$boulderLabCADir/config/publisher.json" < $cloneDir/patches/config_publisher.patch &>>$installLog
sudo -u labca -H patch -p1 -o "$boulderLabCADir/config/wfe2.json" < $cloneDir/patches/config_wfe2.patch &>>$installLog
sudo -u labca -H patch -p1 -o "$boulderLabCADir/config/rocsp-tool.json" < $cloneDir/patches/config_rocsp-tool.patch &>>$installLog
sudo -u labca -H patch -p1 -o "$boulderLabCADir/config/orphan-finder.json" < $cloneDir/patches/config_orphan-finder.patch &>>$installLog
sudo -u labca -H patch -p1 -o "$boulderLabCADir/config/crl-storer.json" < $cloneDir/patches/config_crl-storer.patch &>>$installLog
sudo -u labca -H patch -p1 -o "$boulderLabCADir/config/crl-updater.json" < $cloneDir/patches/config_crl-updater.patch &>>$installLog
@@ -632,7 +631,6 @@ config_boulder() {
sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/publisher.json
sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/ra.json
sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/wfe2.json
sed -i -e "s|.hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/rocsp-tool.json
sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/orphan-finder.json
sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/crl-storer.json
sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/crl-updater.json


@@ -1,8 +1,8 @@
diff --git a/cmd/shell.go b/cmd/shell.go
index 39668103..6d872d56 100644
index 2d4394e5..70a2de1f 100644
--- a/cmd/shell.go
+++ b/cmd/shell.go
@@ -185,7 +185,7 @@ func NewLogger(logConf SyslogConfig) blog.Logger {
@@ -190,7 +190,7 @@ func NewLogger(logConf SyslogConfig) blog.Logger {
// Boulder's conception of time.
go func() {
for {


@@ -13,5 +13,5 @@ index 61f14d79..a620896f 100644
],
+ "localStorePath": "/wwwstatic/crl",
"s3Endpoint": "http://localhost:7890",
"s3Region": "us-west-1",
"s3Bucket": "lets-encrypt-crls",
"awsConfigFile": "test/config/crl-storer.ini",


@@ -1,16 +0,0 @@
diff --git a/test/config/rocsp-tool.json b/test/config/rocsp-tool.json
index 9b0a1d13..eace2cf9 100644
--- a/test/config/rocsp-tool.json
+++ b/test/config/rocsp-tool.json
@@ -34,10 +34,7 @@
}
},
"issuers": {
- ".hierarchy/intermediate-cert-ecdsa-a.pem": 1,
- ".hierarchy/intermediate-cert-ecdsa-b.pem": 2,
- ".hierarchy/intermediate-cert-rsa-a.pem": 3,
- ".hierarchy/intermediate-cert-rsa-b.pem": 4
+ ".hierarchy/intermediate-cert-rsa-a.pem": 1
}
},
"syslog": {


@@ -1,5 +1,5 @@
diff --git a/cmd/contact-auditor/main.go b/cmd/contact-auditor/main.go
index e595af47..b00458c5 100644
index 90a61d89..b1967e92 100644
--- a/cmd/contact-auditor/main.go
+++ b/cmd/contact-auditor/main.go
@@ -11,6 +11,7 @@ import (
@@ -10,12 +10,13 @@ index e595af47..b00458c5 100644
blog "github.com/letsencrypt/boulder/log"
"github.com/letsencrypt/boulder/policy"
"github.com/letsencrypt/boulder/sa"
@@ -48,9 +49,12 @@ func validateContacts(id int64, createdAt string, contacts []string) error {
@@ -48,9 +49,13 @@ func validateContacts(id int64, createdAt string, contacts []string) error {
fmt.Fprintf(&probsBuff, "%d\t%s\tvalidation\t%q\t%q\t%q\n", id, createdAt, contact, prob, contacts)
}
+ var pa *policy.AuthorityImpl
+ pa, _ = policy.New(map[core.AcmeChallenge]bool{})
+ logger := cmd.NewLogger(cmd.SyslogConfig{StdoutLevel: 7})
+ pa, _ = policy.New(map[core.AcmeChallenge]bool{}, logger)
+
for _, contact := range contacts {
if strings.HasPrefix(contact, "mailto:") {
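Review bot: `pa, _ = policy.New(map[core.AcmeChallenge]bool{}, logger)` discards the constructor's error, so a failure leaves `pa` nil and the contact checks in the loop that follows (presumably calling into it) would dereference a nil pointer. Since validateContacts returns an error, propagate it: `pa, err := policy.New(map[core.AcmeChallenge]bool{}, logger)` followed by `if err != nil { return err }` (use `=` if `err` is already declared in this scope), which also makes the preceding `var pa *policy.AuthorityImpl` line unnecessary. The notify-mailer patch in this same commit does check this error with `cmd.FailOnError(err, "Failed to create PA")`, so the two patches currently disagree. The rest of validateContacts lies outside the hunk.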


@@ -2,7 +2,7 @@ diff --git a/core/interfaces.go b/core/interfaces.go
index d19eb4fb8..3ae50d737 100644
--- a/core/interfaces.go
+++ b/core/interfaces.go
@@ -11,4 +11,5 @@ type PolicyAuthority interface {
@@ -10,4 +10,5 @@ type PolicyAuthority interface {
WillingToIssueWildcards(identifiers []identifier.ACMEIdentifier) error
ChallengesFor(domain identifier.ACMEIdentifier) ([]Challenge, error)
ChallengeTypeEnabled(t AcmeChallenge) bool


@@ -1,10 +1,10 @@
diff --git a/cmd/crl-storer/main.go b/cmd/crl-storer/main.go
index 74d525c4..6a91ddab 100644
index 4212f1849..a1369113d 100644
--- a/cmd/crl-storer/main.go
+++ b/cmd/crl-storer/main.go
@@ -47,6 +47,9 @@ type Config struct {
@@ -49,6 +49,9 @@ type Config struct {
// https://docs.aws.amazon.com/sdkref/latest/guide/file-format.html.
S3CredsFile string
AWSCredsFile string
+ // If this is set, store the files locally instead of using (fake) S3
+ LocalStorePath string


@@ -1,5 +1,5 @@
diff --git a/cmd/notify-mailer/main.go b/cmd/notify-mailer/main.go
index 34f07a9b..ed957946 100644
index f39ff696..8ab2de84 100644
--- a/cmd/notify-mailer/main.go
+++ b/cmd/notify-mailer/main.go
@@ -36,6 +36,7 @@ type mailer struct {
@@ -29,14 +29,15 @@ index 34f07a9b..ed957946 100644
Syslog cmd.SyslogConfig
}
@@ -569,6 +572,14 @@ func main() {
@@ -569,6 +572,15 @@ func main() {
log.Infof("While reading the recipient list file %s", probs)
}
+ // Validate PA config and set defaults if needed
+ cmd.FailOnError(cfg.PA.CheckChallenges(), "Invalid PA configuration")
+
+ pa, err := policy.New(cfg.PA.Challenges)
+ logger := cmd.NewLogger(cmd.SyslogConfig{StdoutLevel: 7})
+ pa, err := policy.New(cfg.PA.Challenges, logger)
+ cmd.FailOnError(err, "Failed to create PA")
+ err = pa.SetHostnamePolicyFile(cfg.NotifyMailer.HostnamePolicyFile)
+ cmd.FailOnError(err, "Failed to load HostnamePolicyFile")
@@ -44,7 +45,7 @@ index 34f07a9b..ed957946 100644
var mailClient bmail.Mailer
if *dryRun {
log.Infof("Starting %s in dry-run mode", cmd.VersionString())
@@ -584,6 +595,7 @@ func main() {
@@ -584,6 +596,7 @@ func main() {
cfg.NotifyMailer.Username,
smtpPassword,
nil,
@@ -52,7 +53,7 @@ index 34f07a9b..ed957946 100644
*address,
log,
metrics.NoopRegisterer,
@@ -604,6 +616,7 @@ func main() {
@@ -604,6 +617,7 @@ func main() {
end: *end,
},
sleepInterval: *sleep,
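Review bot: The new `logger := cmd.NewLogger(cmd.SyslogConfig{StdoutLevel: 7})` builds a second logger with a hard-coded debug stdout level, so the policy authority's messages ignore the `Syslog cmd.SyslogConfig` section that this main already loads and the `log` it already hands to the mailer a few lines later. If `log` here is the blog.Logger that cmd.NewLogger returned for the configured syslog settings, pass it instead and drop the extra logger line: `pa, err := policy.New(cfg.PA.Challenges, log)`. The contact-auditor patch in this commit constructs the same ad-hoc debug logger inside validateContacts; if no configured logger is reachable there, initialising one in its main and passing it down would avoid hard-coding the level in both places. main continues outside the hunk.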


@@ -1,5 +1,5 @@
diff --git a/policy/pa.go b/policy/pa.go
index d3494495..184f7186 100644
index 8f5fa6dd5..17875e232 100644
--- a/policy/pa.go
+++ b/policy/pa.go
@@ -31,6 +31,8 @@ type AuthorityImpl struct {
@@ -46,12 +46,12 @@ index d3494495..184f7186 100644
// * exactly equal to an IANA registered TLD
//
// It does _not_ check that the domain isn't on any PA blocked lists.
-func ValidDomain(domain string) error {
-func validDomain(domain string) error {
+func (pa *AuthorityImpl) ValidDomain(domain string) error {
if domain == "" {
return errEmptyName
}
@@ -289,6 +304,14 @@ func ValidDomain(domain string) error {
@@ -289,6 +304,14 @@ func validDomain(domain string) error {
}
}
@@ -79,29 +79,29 @@ index d3494495..184f7186 100644
}
splitEmail := strings.SplitN(email.Address, "@", -1)
domain := strings.ToLower(splitEmail[len(splitEmail)-1])
- err = ValidDomain(domain)
- err = validDomain(domain)
+ err = pa.ValidDomain(domain)
if err != nil {
return berrors.InvalidEmailError(
"contact email %q has invalid domain : %s",
@@ -369,11 +392,15 @@ func (pa *AuthorityImpl) WillingToIssue(id identifier.ACMEIdentifier) error {
@@ -366,11 +389,15 @@ func (pa *AuthorityImpl) willingToIssue(id identifier.ACMEIdentifier) error {
}
domain := id.Value
- err := ValidDomain(domain)
- err := validDomain(domain)
+ err := pa.ValidDomain(domain)
if err != nil {
return err
}
+ if ok, _ := pa.checkWhitelist(domain); ok {
+ return nil
+ }
+ return nil
+ }
+
// Require no match against hostname block lists
err = pa.checkHostLists(domain)
if err != nil {
@@ -383,6 +410,31 @@ func (pa *AuthorityImpl) WillingToIssue(id identifier.ACMEIdentifier) error {
@@ -380,6 +407,31 @@ func (pa *AuthorityImpl) willingToIssue(id identifier.ACMEIdentifier) error {
return nil
}
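Review bot: The whitelist shortcut `if ok, _ := pa.checkWhitelist(domain); ok { return nil }` returns before `pa.checkHostLists(domain)` and before whatever the inner hunk at `@@ -380,6 +407,31 @@` adds further down, and it drops checkWhitelist's second return value. A lookup failure is therefore treated as "not whitelisted" and the name falls through to the normal checks, which is the fail-closed direction, but neither the bypass nor that fallback is stated anywhere; a comment on the `if` line such as `// Whitelisted names skip the block-list checks below; an error from checkWhitelist is treated as not whitelisted.` would make the intended policy explicit. willingToIssue starts and ends outside this hunk.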


@@ -1,5 +1,5 @@
diff --git a/crl/storer/storer.go b/crl/storer/storer.go
index b2514eb4..77955b0c 100644
index 859abc9f..749b3818 100644
--- a/crl/storer/storer.go
+++ b/crl/storer/storer.go
@@ -9,6 +9,9 @@ import (
@@ -9,10 +9,10 @@ index b2514eb4..77955b0c 100644
+ "os"
+ "path/filepath"
+ "sort"
"time"
"github.com/aws/aws-sdk-go-v2/service/s3"
"github.com/aws/aws-sdk-go-v2/service/s3/types"
@@ -32,6 +35,7 @@ type crlStorer struct {
@@ -34,6 +37,7 @@ type crlStorer struct {
cspb.UnimplementedCRLStorerServer
s3Client s3Putter
s3Bucket string
@@ -20,7 +20,7 @@ index b2514eb4..77955b0c 100644
issuers map[issuance.IssuerNameID]*issuance.Certificate
uploadCount *prometheus.CounterVec
sizeHistogram *prometheus.HistogramVec
@@ -44,6 +48,7 @@ func New(
@@ -46,6 +50,7 @@ func New(
issuers []*issuance.Certificate,
s3Client s3Putter,
s3Bucket string,
@@ -28,7 +28,7 @@ index b2514eb4..77955b0c 100644
stats prometheus.Registerer,
log blog.Logger,
clk clock.Clock,
@@ -77,6 +82,7 @@ func New(
@@ -79,6 +84,7 @@ func New(
issuers: issuersByNameID,
s3Client: s3Client,
s3Bucket: s3Bucket,
@@ -36,7 +36,7 @@ index b2514eb4..77955b0c 100644
uploadCount: uploadCount,
sizeHistogram: sizeHistogram,
latencyHistogram: latencyHistogram,
@@ -153,15 +159,19 @@ func (cs *crlStorer) UploadCRL(stream cspb.CRLStorer_UploadCRLServer) error {
@@ -160,15 +166,19 @@ func (cs *crlStorer) UploadCRL(stream cspb.CRLStorer_UploadCRLServer) error {
checksum := sha256.Sum256(crlBytes)
checksumb64 := base64.StdEncoding.EncodeToString(checksum[:])
crlContentType := "application/pkix-crl"
@@ -64,8 +64,8 @@ index b2514eb4..77955b0c 100644
+ }
if err != nil {
cs.uploadCount.WithLabelValues(issuer.Subject.CommonName, "failed")
cs.log.AuditErrf(
@@ -186,3 +196,46 @@ func (cs *crlStorer) UploadCRL(stream cspb.CRLStorer_UploadCRLServer) error {
cs.log.AuditErrf("CRL upload failed: id=[%s] err=[%s]", crlId, err)
@@ -189,3 +199,46 @@ func (cs *crlStorer) UploadCRL(stream cspb.CRLStorer_UploadCRLServer) error {
return stream.SendAndClose(&emptypb.Empty{})
}
@@ -112,4 +112,3 @@ index b2514eb4..77955b0c 100644
+
+ return nil
+}
\ No newline at end of file
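Review bot: In the hunk around `checksum := sha256.Sum256(crlBytes)`, the `+ }` closing the new local-store branch drops straight into the shared `if err != nil` path, so a failed local write is counted under `cs.uploadCount.WithLabelValues(issuer.Subject.CommonName, "failed")` and audit-logged with the same message as an S3 upload failure (the branch body lies outside this view, so this is inferred from the closing brace and the unchanged error path). Wrapping the local error with context before it reaches that path, e.g. `err = fmt.Errorf("writing CRL to local store: %w", err)` inside the branch (adding fmt to the import block if it is not already there), would let operators distinguish the two failure modes in the audit log. UploadCRL starts and ends outside the hunk.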