diff --git a/.gitignore b/.gitignore index ed84e8b..cab0bcc 100644 --- a/.gitignore +++ b/.gitignore @@ -16,6 +16,9 @@ _site # Output of the go coverage tool, specifically when used with LiteIDE *.out +# IDE +*.code-workspace + # Project specific gui/data/ gui/bin/ diff --git a/install b/install index c9f4453..7a69b7a 100755 --- a/install +++ b/install @@ -24,7 +24,7 @@ dockerComposeVersion="v2.5.0" labcaUrl="https://github.com/hakwerk/labca/" boulderUrl="https://github.com/letsencrypt/boulder/" -boulderTag="release-2022-08-15" +boulderTag="release-2022-08-29" # Feature flags flag_skip_redis=true @@ -606,7 +606,6 @@ config_boulder() { sudo -u labca -H patch -p1 -o "$boulderLabCADir/config/ocsp-responder.json" < $cloneDir/patches/config_ocsp-responder.patch &>>$installLog sudo -u labca -H patch -p1 -o "$boulderLabCADir/config/publisher.json" < $cloneDir/patches/config_publisher.patch &>>$installLog sudo -u labca -H patch -p1 -o "$boulderLabCADir/config/wfe2.json" < $cloneDir/patches/config_wfe2.patch &>>$installLog - sudo -u labca -H patch -p1 -o "$boulderLabCADir/config/rocsp-tool.json" < $cloneDir/patches/config_rocsp-tool.patch &>>$installLog sudo -u labca -H patch -p1 -o "$boulderLabCADir/config/orphan-finder.json" < $cloneDir/patches/config_orphan-finder.patch &>>$installLog sudo -u labca -H patch -p1 -o "$boulderLabCADir/config/crl-storer.json" < $cloneDir/patches/config_crl-storer.patch &>>$installLog sudo -u labca -H patch -p1 -o "$boulderLabCADir/config/crl-updater.json" < $cloneDir/patches/config_crl-updater.patch &>>$installLog 
@@ -632,7 +631,6 @@ config_boulder() { sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/publisher.json sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/ra.json sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/wfe2.json - sed -i -e "s|.hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/rocsp-tool.json sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/orphan-finder.json sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/crl-storer.json sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/crl-updater.json diff --git a/patches/cmd_shell.patch b/patches/cmd_shell.patch index 425e033..584c644 100644 --- a/patches/cmd_shell.patch +++ b/patches/cmd_shell.patch @@ -1,8 +1,8 @@ diff --git a/cmd/shell.go b/cmd/shell.go -index 39668103..6d872d56 100644 +index 2d4394e5..70a2de1f 100644 --- a/cmd/shell.go +++ b/cmd/shell.go -@@ -185,7 +185,7 @@ func NewLogger(logConf SyslogConfig) blog.Logger { +@@ -190,7 +190,7 @@ func NewLogger(logConf SyslogConfig) blog.Logger { // Boulder's conception of time. go func() { for { diff --git a/patches/config_crl-storer.patch b/patches/config_crl-storer.patch index fa83218..d2f7b69 100644 --- a/patches/config_crl-storer.patch +++ b/patches/config_crl-storer.patch @@ -13,5 +13,5 @@ index 61f14d79..a620896f 100644 ], + "localStorePath": "/wwwstatic/crl", "s3Endpoint": "http://localhost:7890", - "s3Region": "us-west-1", "s3Bucket": "lets-encrypt-crls", + "awsConfigFile": "test/config/crl-storer.ini", diff --git a/patches/config_rocsp-tool.patch b/patches/config_rocsp-tool.patch deleted file mode 100644 index 5f2b82f..0000000 --- a/patches/config_rocsp-tool.patch +++ /dev/null 
@@ -1,16 +0,0 @@ -diff --git a/test/config/rocsp-tool.json b/test/config/rocsp-tool.json -index 9b0a1d13..eace2cf9 100644 ---- a/test/config/rocsp-tool.json -+++ b/test/config/rocsp-tool.json -@@ -34,10 +34,7 @@ - } - }, - "issuers": { -- ".hierarchy/intermediate-cert-ecdsa-a.pem": 1, -- ".hierarchy/intermediate-cert-ecdsa-b.pem": 2, -- ".hierarchy/intermediate-cert-rsa-a.pem": 3, -- ".hierarchy/intermediate-cert-rsa-b.pem": 4 -+ ".hierarchy/intermediate-cert-rsa-a.pem": 1 - } - }, - "syslog": { diff --git a/patches/contact-auditor_main.patch b/patches/contact-auditor_main.patch index 8451ada..26582be 100644 --- a/patches/contact-auditor_main.patch +++ b/patches/contact-auditor_main.patch @@ -1,5 +1,5 @@ diff --git a/cmd/contact-auditor/main.go b/cmd/contact-auditor/main.go -index e595af47..b00458c5 100644 +index 90a61d89..b1967e92 100644 --- a/cmd/contact-auditor/main.go +++ b/cmd/contact-auditor/main.go @@ -11,6 +11,7 @@ import ( @@ -10,12 +10,13 @@ index e595af47..b00458c5 100644 blog "github.com/letsencrypt/boulder/log" "github.com/letsencrypt/boulder/policy" "github.com/letsencrypt/boulder/sa" -@@ -48,9 +49,12 @@ func validateContacts(id int64, createdAt string, contacts []string) error { +@@ -48,9 +49,13 @@ func validateContacts(id int64, createdAt string, contacts []string) error { fmt.Fprintf(&probsBuff, "%d\t%s\tvalidation\t%q\t%q\t%q\n", id, createdAt, contact, prob, contacts) } + var pa *policy.AuthorityImpl -+ pa, _ = policy.New(map[core.AcmeChallenge]bool{}) ++ logger := cmd.NewLogger(cmd.SyslogConfig{StdoutLevel: 7}) ++ pa, _ = policy.New(map[core.AcmeChallenge]bool{}, logger) + for _, contact := range contacts { if strings.HasPrefix(contact, "mailto:") { diff --git a/patches/core_interfaces.patch b/patches/core_interfaces.patch index 034a183..ee798e1 100644 --- a/patches/core_interfaces.patch +++ b/patches/core_interfaces.patch @@ -2,7 +2,7 @@ diff --git a/core/interfaces.go b/core/interfaces.go index d19eb4fb8..3ae50d737 100644 
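Review bot: `pa, _ = policy.New(map[core.AcmeChallenge]bool{}, logger)` on the new side still discards the constructor's error, so a nil `pa` would only surface as a panic on its first use later in `validateContacts`; the sibling patch in patches/notify-mailer_main.patch checks the same call with `cmd.FailOnError(err, "Failed to create PA")`, and `pa, err := policy.New(map[core.AcmeChallenge]bool{}, logger)` followed by that check would fit here too. The added `logger := cmd.NewLogger(cmd.SyslogConfig{StdoutLevel: 7})` also builds a fresh logger at a hard-coded level 7 (syslog's debug level) inside a helper that has no logger parameter, which is understandable here but means policy-authority messages bypass whatever logging configuration the process was started with; a short comment saying why a local logger is constructed would help the next reader. The same hard-coded logger appears in patches/notify-mailer_main.patch, whose hunk already shows a `log` in scope (`log.Infof(...)`) that could presumably be passed to `policy.New` instead, if it is the `blog.Logger` the constructor expects. The enclosing `validateContacts` function continues outside the hunk.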
--- a/core/interfaces.go +++ b/core/interfaces.go -@@ -11,4 +11,5 @@ type PolicyAuthority interface { +@@ -10,4 +10,5 @@ type PolicyAuthority interface { WillingToIssueWildcards(identifiers []identifier.ACMEIdentifier) error ChallengesFor(domain identifier.ACMEIdentifier) ([]Challenge, error) ChallengeTypeEnabled(t AcmeChallenge) bool diff --git a/patches/crl-storer_main.patch b/patches/crl-storer_main.patch index 2e02252..a3411ee 100644 --- a/patches/crl-storer_main.patch +++ b/patches/crl-storer_main.patch @@ -1,10 +1,10 @@ diff --git a/cmd/crl-storer/main.go b/cmd/crl-storer/main.go -index 74d525c4..6a91ddab 100644 +index 4212f1849..a1369113d 100644 --- a/cmd/crl-storer/main.go +++ b/cmd/crl-storer/main.go -@@ -47,6 +47,9 @@ type Config struct { +@@ -49,6 +49,9 @@ type Config struct { // https://docs.aws.amazon.com/sdkref/latest/guide/file-format.html. - S3CredsFile string + AWSCredsFile string + // If this is set, store the files locally instead of using (fake) S3 + LocalStorePath string diff --git a/patches/notify-mailer_main.patch b/patches/notify-mailer_main.patch index 21f6eab..18136a2 100644 --- a/patches/notify-mailer_main.patch +++ b/patches/notify-mailer_main.patch @@ -1,5 +1,5 @@ diff --git a/cmd/notify-mailer/main.go b/cmd/notify-mailer/main.go -index 34f07a9b..ed957946 100644 +index f39ff696..8ab2de84 100644 --- a/cmd/notify-mailer/main.go +++ b/cmd/notify-mailer/main.go @@ -36,6 +36,7 @@ type mailer struct { 
@@ -29,14 +29,15 @@ index 34f07a9b..ed957946 100644 Syslog cmd.SyslogConfig } -@@ -569,6 +572,14 @@ func main() { +@@ -569,6 +572,15 @@ func main() { log.Infof("While reading the recipient list file %s", probs) } + // Validate PA config and set defaults if needed + cmd.FailOnError(cfg.PA.CheckChallenges(), "Invalid PA configuration") + -+ pa, err := policy.New(cfg.PA.Challenges) ++ logger := cmd.NewLogger(cmd.SyslogConfig{StdoutLevel: 7}) ++ pa, err := policy.New(cfg.PA.Challenges, logger) + cmd.FailOnError(err, "Failed to create PA") + err = pa.SetHostnamePolicyFile(cfg.NotifyMailer.HostnamePolicyFile) + cmd.FailOnError(err, "Failed to load HostnamePolicyFile") @@ -44,7 +45,7 @@ index 34f07a9b..ed957946 100644 var mailClient bmail.Mailer if *dryRun { log.Infof("Starting %s in dry-run mode", cmd.VersionString()) -@@ -584,6 +595,7 @@ func main() { +@@ -584,6 +596,7 @@ func main() { cfg.NotifyMailer.Username, smtpPassword, nil, @@ -52,7 +53,7 @@ index 34f07a9b..ed957946 100644 *address, log, metrics.NoopRegisterer, -@@ -604,6 +616,7 @@ func main() { +@@ -604,6 +617,7 @@ func main() { end: *end, }, sleepInterval: *sleep, diff --git a/patches/policy_pa.patch b/patches/policy_pa.patch index 9f62878..a871c10 100644 --- a/patches/policy_pa.patch +++ b/patches/policy_pa.patch @@ -1,5 +1,5 @@ diff --git a/policy/pa.go b/policy/pa.go -index d3494495..184f7186 100644 +index 8f5fa6dd5..17875e232 100644 --- a/policy/pa.go +++ b/policy/pa.go @@ -31,6 +31,8 @@ type AuthorityImpl struct { @@ -46,12 +46,12 @@ index d3494495..184f7186 100644 // * exactly equal to an IANA registered TLD // // It does _not_ check that the domain isn't on any PA blocked lists. --func ValidDomain(domain string) error { +-func validDomain(domain string) error { +func (pa *AuthorityImpl) ValidDomain(domain string) error { if domain == "" { return errEmptyName } -@@ -289,6 +304,14 @@ func ValidDomain(domain string) error { +@@ -289,6 +304,14 @@ func validDomain(domain string) error { } } 
@@ -79,29 +79,29 @@ index d3494495..184f7186 100644 } splitEmail := strings.SplitN(email.Address, "@", -1) domain := strings.ToLower(splitEmail[len(splitEmail)-1]) -- err = ValidDomain(domain) +- err = validDomain(domain) + err = pa.ValidDomain(domain) if err != nil { return berrors.InvalidEmailError( "contact email %q has invalid domain : %s", -@@ -369,11 +392,15 @@ func (pa *AuthorityImpl) WillingToIssue(id identifier.ACMEIdentifier) error { +@@ -366,11 +389,15 @@ func (pa *AuthorityImpl) willingToIssue(id identifier.ACMEIdentifier) error { } domain := id.Value -- err := ValidDomain(domain) +- err := validDomain(domain) + err := pa.ValidDomain(domain) if err != nil { return err } + if ok, _ := pa.checkWhitelist(domain); ok { -+ return nil -+ } ++ return nil ++ } + // Require no match against hostname block lists err = pa.checkHostLists(domain) if err != nil { -@@ -383,6 +410,31 @@ func (pa *AuthorityImpl) WillingToIssue(id identifier.ACMEIdentifier) error { +@@ -380,6 +407,31 @@ func (pa *AuthorityImpl) willingToIssue(id identifier.ACMEIdentifier) error { return nil } diff --git a/patches/storer_storer.patch b/patches/storer_storer.patch index ab77e4e..c3477ac 100644 --- a/patches/storer_storer.patch +++ b/patches/storer_storer.patch @@ -1,5 +1,5 @@ diff --git a/crl/storer/storer.go b/crl/storer/storer.go -index b2514eb4..77955b0c 100644 +index 859abc9f..749b3818 100644 --- a/crl/storer/storer.go +++ b/crl/storer/storer.go @@ -9,6 +9,9 @@ import ( @@ -9,10 +9,10 @@ index b2514eb4..77955b0c 100644 + "os" + "path/filepath" + "sort" + "time" "github.com/aws/aws-sdk-go-v2/service/s3" - "github.com/aws/aws-sdk-go-v2/service/s3/types" -@@ -32,6 +35,7 @@ type crlStorer struct { +@@ -34,6 +37,7 @@ type crlStorer struct { cspb.UnimplementedCRLStorerServer s3Client s3Putter s3Bucket string 
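Review bot: The re-indented `return nil` belongs to `if ok, _ := pa.checkWhitelist(domain); ok {`, which runs before `pa.checkHostLists(domain)`, so a whitelisted domain is never compared against the hostname block lists and any error returned by `checkWhitelist` is dropped on the floor. If that precedence is intentional it deserves a comment on the `if` line, e.g. `// Whitelisted domains are issued without consulting the hostname block lists.`, and the discarded error should at least be surfaced rather than ignored so a broken whitelist lookup cannot silently fall through to the block-list path. The rest of `willingToIssue` continues outside the hunk, and the `WillingToIssue`/`ValidDomain` to `willingToIssue`/`validDomain` changes in the hunk headers look like resynchronization with the new boulder tag rather than a behavioural change.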
@@ -20,7 +20,7 @@ index b2514eb4..77955b0c 100644 issuers map[issuance.IssuerNameID]*issuance.Certificate uploadCount *prometheus.CounterVec sizeHistogram *prometheus.HistogramVec -@@ -44,6 +48,7 @@ func New( +@@ -46,6 +50,7 @@ func New( issuers []*issuance.Certificate, s3Client s3Putter, s3Bucket string, @@ -28,7 +28,7 @@ index b2514eb4..77955b0c 100644 stats prometheus.Registerer, log blog.Logger, clk clock.Clock, -@@ -77,6 +82,7 @@ func New( +@@ -79,6 +84,7 @@ func New( issuers: issuersByNameID, s3Client: s3Client, s3Bucket: s3Bucket, @@ -36,7 +36,7 @@ index b2514eb4..77955b0c 100644 uploadCount: uploadCount, sizeHistogram: sizeHistogram, latencyHistogram: latencyHistogram, -@@ -153,15 +159,19 @@ func (cs *crlStorer) UploadCRL(stream cspb.CRLStorer_UploadCRLServer) error { +@@ -160,15 +166,19 @@ func (cs *crlStorer) UploadCRL(stream cspb.CRLStorer_UploadCRLServer) error { checksum := sha256.Sum256(crlBytes) checksumb64 := base64.StdEncoding.EncodeToString(checksum[:]) crlContentType := "application/pkix-crl" @@ -64,8 +64,8 @@ index b2514eb4..77955b0c 100644 + } if err != nil { cs.uploadCount.WithLabelValues(issuer.Subject.CommonName, "failed") - cs.log.AuditErrf( -@@ -186,3 +196,46 @@ func (cs *crlStorer) UploadCRL(stream cspb.CRLStorer_UploadCRLServer) error { + cs.log.AuditErrf("CRL upload failed: id=[%s] err=[%s]", crlId, err) +@@ -189,3 +199,46 @@ func (cs *crlStorer) UploadCRL(stream cspb.CRLStorer_UploadCRLServer) error { return stream.SendAndClose(&emptypb.Empty{}) } @@ -112,4 +112,3 @@ index b2514eb4..77955b0c 100644 + + return nil +} -\ No newline at end of file