Ceremony: remove support for AIA OCSP URIs (#8397)

Remove the ability to configure an ocsp-url from the ceremony tool's
root, intermediate, cross-sign, and csr ceremony types. We have not used
this field in our last several ceremonies, and do not plan to go back to
including AIA OCSP URIs in our CA certificates at any time in the
foreseeable future.

Author: aarongable

cmd/ceremony/README.md

@@ -127,7 +127,6 @@ certificate-profile:
     country: US
     not-before: 2020-01-01 12:00:00
     not-after: 2040-01-01 12:00:00
-    ocsp-url: http://good-guys.com/ocsp
     crl-url:  http://good-guys.com/crl
     issuer-url:  http://good-guys.com/root
     policies:
@@ -192,7 +191,6 @@ certificate-profile:
     country: US
     not-before: 2020-01-01 12:00:00
     not-after: 2040-01-01 12:00:00
-    ocsp-url: http://good-guys.com/ocsp
     crl-url:  http://good-guys.com/crl
     issuer-url:  http://good-guys.com/root
     policies:
@@ -363,7 +361,6 @@ The certificate profile defines a restricted set of fields that are used to gene
 | `country` | Specifies the subject country |
 | `not-before` | Specifies the certificate notBefore date, in the format `2006-01-02 15:04:05`. The time will be interpreted as UTC. |
 | `not-after` | Specifies the certificate notAfter date, in the format `2006-01-02 15:04:05`. The time will be interpreted as UTC. |
-| `ocsp-url` | Specifies the AIA OCSP responder URL |
 | `crl-url` | Specifies the cRLDistributionPoints URL |
 | `issuer-url` | Specifies the AIA caIssuer URL |
 | `policies` | Specifies contents of a certificatePolicies extension. Should contain a list of policies with the field `oid`, indicating the policy OID. |

cmd/ceremony/cert.go

@@ -41,9 +41,6 @@ type certProfile struct {
 	// always be UTC.
 	NotAfter string `yaml:"not-after"`
 
-	// OCSPURL should contain the URL at which a OCSP responder that
-	// can respond to OCSP requests for this certificate operates
-	OCSPURL string `yaml:"ocsp-url"`
 	// CRLURL should contain the URL at which CRLs for this certificate
 	// can be found
 	CRLURL string `yaml:"crl-url"`
@@ -100,9 +97,6 @@ func (profile *certProfile) verifyProfile(ct certType) error {
 		if profile.SignatureAlgorithm != "" {
 			return errors.New("signature-algorithm cannot be set for a CSR")
 		}
-		if profile.OCSPURL != "" {
-			return errors.New("ocsp-url cannot be set for a CSR")
-		}
 		if profile.CRLURL != "" {
 			return errors.New("crl-url cannot be set for a CSR")
 		}
@@ -205,10 +199,6 @@ func makeTemplate(randReader io.Reader, profile *certProfile, pubKey []byte, tbc
 		return nil, fmt.Errorf("toBeCrossSigned cert field was nil, but was required to gather EKUs for the lint cert")
 	}
 
-	var ocspServer []string
-	if profile.OCSPURL != "" {
-		ocspServer = []string{profile.OCSPURL}
-	}
 	var crlDistributionPoints []string
 	if profile.CRLURL != "" {
 		crlDistributionPoints = []string{profile.CRLURL}
@@ -246,7 +236,6 @@ func makeTemplate(randReader io.Reader, profile *certProfile, pubKey []byte, tbc
 		BasicConstraintsValid: true,
 		IsCA:                  true,
 		Subject:               profile.Subject(),
-		OCSPServer:            ocspServer,
 		CRLDistributionPoints: crlDistributionPoints,
 		IssuingCertificateURL: issuingCertificateURL,
 		KeyUsage:              ku,

cmd/ceremony/cert_test.go

@@ -109,7 +109,6 @@ func TestMakeTemplateRoot(t *testing.T) {
 	profile.CommonName = "common name"
 	profile.Organization = "organization"
 	profile.Country = "country"
-	profile.OCSPURL = "ocsp"
 	profile.CRLURL = "crl"
 	profile.IssuerURL = "issuer"
 	cert, err := makeTemplate(randReader, profile, pubKey, nil, rootCert)
@@ -119,8 +118,6 @@ func TestMakeTemplateRoot(t *testing.T) {
 	test.AssertEquals(t, cert.Subject.Organization[0], profile.Organization)
 	test.AssertEquals(t, len(cert.Subject.Country), 1)
 	test.AssertEquals(t, cert.Subject.Country[0], profile.Country)
-	test.AssertEquals(t, len(cert.OCSPServer), 1)
-	test.AssertEquals(t, cert.OCSPServer[0], profile.OCSPURL)
 	test.AssertEquals(t, len(cert.CRLDistributionPoints), 1)
 	test.AssertEquals(t, cert.CRLDistributionPoints[0], profile.CRLURL)
 	test.AssertEquals(t, len(cert.IssuingCertificateURL), 1)
@@ -147,7 +144,6 @@ func TestMakeTemplateRestrictedCrossCertificate(t *testing.T) {
 		Organization:       "organization",
 		Country:            "country",
 		KeyUsages:          []string{"Digital Signature", "CRL Sign"},
-		OCSPURL:            "ocsp",
 		CRLURL:             "crl",
 		IssuerURL:          "issuer",
 		NotAfter:           "2020-10-10 11:31:00",
@@ -237,7 +233,6 @@ func TestVerifyProfile(t *testing.T) {
 				CommonName:         "d",
 				Organization:       "e",
 				Country:            "f",
-				OCSPURL:            "g",
 			},
 			certType:    []certType{intermediateCert, crossCert},
 			expectedErr: "crl-url is required for subordinate CAs",
@@ -250,7 +245,6 @@ func TestVerifyProfile(t *testing.T) {
 				CommonName:         "d",
 				Organization:       "e",
 				Country:            "f",
-				OCSPURL:            "g",
 				CRLURL:             "h",
 			},
 			certType:    []certType{intermediateCert, crossCert},
@@ -264,7 +258,6 @@ func TestVerifyProfile(t *testing.T) {
 				CommonName:         "d",
 				Organization:       "e",
 				Country:            "f",
-				OCSPURL:            "g",
 				CRLURL:             "h",
 				IssuerURL:          "i",
 			},
@@ -279,7 +272,6 @@ func TestVerifyProfile(t *testing.T) {
 				CommonName:         "d",
 				Organization:       "e",
 				Country:            "f",
-				OCSPURL:            "g",
 				CRLURL:             "h",
 				IssuerURL:          "i",
 				Policies:           []policyInfoConfig{{OID: "1.2.3"}, {OID: "4.5.6"}},
@@ -319,13 +311,6 @@ func TestVerifyProfile(t *testing.T) {
 			certType:    []certType{requestCert},
 			expectedErr: "signature-algorithm cannot be set for a CSR",
 		},
-		{
-			profile: certProfile{
-				OCSPURL: "a",
-			},
-			certType:    []certType{requestCert},
-			expectedErr: "ocsp-url cannot be set for a CSR",
-		},
 		{
 			profile: certProfile{
 				CRLURL: "a",

cmd/ceremony/main_test.go

@@ -403,7 +403,6 @@ func TestIntermediateConfigValidate(t *testing.T) {
 					CommonName:         "d",
 					Organization:       "e",
 					Country:            "f",
-					OCSPURL:            "g",
 					CRLURL:             "h",
 					IssuerURL:          "i",
 					Policies:           []policyInfoConfig{{OID: "2.23.140.1.2.1"}, {OID: "6.6.6"}},
@@ -438,7 +437,6 @@ func TestIntermediateConfigValidate(t *testing.T) {
 					CommonName:         "d",
 					Organization:       "e",
 					Country:            "f",
-					OCSPURL:            "g",
 					CRLURL:             "h",
 					IssuerURL:          "i",
 					Policies:           []policyInfoConfig{},
@@ -473,7 +471,6 @@ func TestIntermediateConfigValidate(t *testing.T) {
 					CommonName:         "d",
 					Organization:       "e",
 					Country:            "f",
-					OCSPURL:            "g",
 					CRLURL:             "h",
 					IssuerURL:          "i",
 					Policies:           []policyInfoConfig{{OID: "2.23.140.1.2.1"}},
@@ -631,7 +628,6 @@ func TestCrossCertConfigValidate(t *testing.T) {
 					CommonName:         "d",
 					Organization:       "e",
 					Country:            "f",
-					OCSPURL:            "g",
 					CRLURL:             "h",
 					IssuerURL:          "i",
 					Policies:           []policyInfoConfig{{OID: "2.23.140.1.2.1"}, {OID: "6.6.6"}},
@@ -668,7 +664,6 @@ func TestCrossCertConfigValidate(t *testing.T) {
 					CommonName:         "d",
 					Organization:       "e",
 					Country:            "f",
-					OCSPURL:            "g",
 					CRLURL:             "h",
 					IssuerURL:          "i",
 					Policies:           []policyInfoConfig{},
@@ -705,7 +700,6 @@ func TestCrossCertConfigValidate(t *testing.T) {
 					CommonName:         "d",
 					Organization:       "e",
 					Country:            "f",
-					OCSPURL:            "g",
 					CRLURL:             "h",
 					IssuerURL:          "i",
 					Policies:           []policyInfoConfig{{OID: "2.23.140.1.2.1"}},