RA: delete GenerateOCSP method (#8350)

aarongable · web-flow · commit 6e1615a9ecd6 · 2025-08-19T07:42:21.000-07:00
Remove the RA.GenerateOCSP gRPC method. This must be completed (and the corresponding production config changes made) before we can remove the underlying CA.GenerateOCSP method. Fixes #8348
diff --git a/cmd/boulder-ra/main.go b/cmd/boulder-ra/main.go
@@ -41,10 +41,13 @@ type Config struct {
 		SAService           *cmd.GRPCClientConfig
 		VAService           *cmd.GRPCClientConfig
 		CAService           *cmd.GRPCClientConfig
-		OCSPService         *cmd.GRPCClientConfig
 		PublisherService    *cmd.GRPCClientConfig
 		AkamaiPurgerService *cmd.GRPCClientConfig
 
+		// Deprecated: TODO(#8349): Remove this when removing the corresponding
+		// service from the CA.
+		OCSPService *cmd.GRPCClientConfig
+
 		Limiter struct {
 			// Redis contains the configuration necessary to connect to Redis
 			// for rate limiting. This field is required to enable rate
@@ -100,7 +103,7 @@ type Config struct {
 		//
 		// Deprecated: This field no longer has any effect, all Must-Staple requests
 		// are rejected.
-		// TODO(#8177): Remove this field.
+		// TODO(#8345): Remove this field.
 		MustStapleAllowList string `validate:"omitempty"`
 
 		// GoodKey is an embedded config stanza for the goodkey library.
@@ -192,10 +195,6 @@ func main() {
 	cmd.FailOnError(err, "Unable to create CA client")
 	cac := capb.NewCertificateAuthorityClient(caConn)
 
-	ocspConn, err := bgrpc.ClientSetup(c.RA.OCSPService, tlsConfig, scope, clk)
-	cmd.FailOnError(err, "Unable to create CA OCSP client")
-	ocspc := capb.NewOCSPGeneratorClient(ocspConn)
-
 	saConn, err := bgrpc.ClientSetup(c.RA.SAService, tlsConfig, scope, clk)
 	cmd.FailOnError(err, "Failed to load credentials and create gRPC connection to SA")
 	sac := sapb.NewStorageAuthorityClient(saConn)
@@ -302,7 +301,6 @@ func main() {
 		CAAClient: caaClient,
 	}
 	rai.CA = cac
-	rai.OCSP = ocspc
 	rai.SA = sac
 
 	start, err := bgrpc.NewServer(c.RA.GRPC, logger).Add(
diff --git a/ra/proto/ra.pb.go b/ra/proto/ra.pb.go
diff --git a/ra/proto/ra.proto b/ra/proto/ra.proto
@@ -4,7 +4,6 @@ package ra;
 option go_package = "github.com/letsencrypt/boulder/ra/proto";
 
 import "core/proto/core.proto";
-import "ca/proto/ca.proto";
 import "google/protobuf/empty.proto";
 import "google/protobuf/duration.proto";
 
@@ -20,8 +19,6 @@ service RegistrationAuthority {
   rpc NewOrder(NewOrderRequest) returns (core.Order) {}
   rpc GetAuthorization(GetAuthorizationRequest) returns (core.Authorization) {}
   rpc FinalizeOrder(FinalizeOrderRequest) returns (core.Order) {}
-  // Generate an OCSP response based on the DB's current status and reason code.
-  rpc GenerateOCSP(GenerateOCSPRequest) returns (ca.OCSPResponse) {}
   rpc UnpauseAccount(UnpauseAccountRequest) returns (UnpauseAccountResponse) {}
   rpc AddRateLimitOverride(AddRateLimitOverrideRequest) returns (AddRateLimitOverrideResponse) {}
 }
diff --git a/ra/proto/ra_grpc.pb.go b/ra/proto/ra_grpc.pb.go
diff --git a/ra/ra.go b/ra/ra.go
@@ -76,7 +76,6 @@ type RegistrationAuthorityImpl struct {
 	rapb.UnsafeRegistrationAuthorityServer
 	rapb.UnsafeSCTProviderServer
 	CA        capb.CertificateAuthorityClient
-	OCSP      capb.OCSPGeneratorClient
 	VA        va.RemoteClients
 	SA        sapb.StorageAuthorityClient
 	PA        core.PolicyAuthority
@@ -2201,45 +2200,6 @@ func (ra *RegistrationAuthorityImpl) DeactivateAuthorization(ctx context.Context
 	return &emptypb.Empty{}, nil
 }
 
-// GenerateOCSP looks up a certificate's status, then requests a signed OCSP
-// response for it from the CA. If the certificate status is not available
-// or the certificate is expired, it returns berrors.NotFoundError.
-func (ra *RegistrationAuthorityImpl) GenerateOCSP(ctx context.Context, req *rapb.GenerateOCSPRequest) (*capb.OCSPResponse, error) {
-	status, err := ra.SA.GetCertificateStatus(ctx, &sapb.Serial{Serial: req.Serial})
-	if errors.Is(err, berrors.NotFound) {
-		_, err := ra.SA.GetSerialMetadata(ctx, &sapb.Serial{Serial: req.Serial})
-		if errors.Is(err, berrors.NotFound) {
-			return nil, berrors.UnknownSerialError()
-		} else {
-			return nil, berrors.NotFoundError("certificate not found")
-		}
-	} else if err != nil {
-		return nil, err
-	}
-
-	// If we get an OCSP query for a certificate where the status is still
-	// OCSPStatusNotReady, that means an error occurred, not here but at issuance
-	// time. Specifically, we succeeded in storing the linting certificate (and
-	// corresponding certificateStatus row), but failed before calling
-	// SetCertificateStatusReady. We expect this to be rare, and we expect such
-	// certificates not to get OCSP queries, so InternalServerError is appropriate.
-	if status.Status == string(core.OCSPStatusNotReady) {
-		return nil, errors.New("serial belongs to a certificate that errored during issuance")
-	}
-
-	if ra.clk.Now().After(status.NotAfter.AsTime()) {
-		return nil, berrors.NotFoundError("certificate is expired")
-	}
-
-	return ra.OCSP.GenerateOCSP(ctx, &capb.GenerateOCSPRequest{
-		Serial:    req.Serial,
-		Status:    status.Status,
-		Reason:    int32(status.RevokedReason), //nolint: gosec // Revocation reasons are guaranteed to be small, no risk of overflow.
-		RevokedAt: status.RevokedDate,
-		IssuerID:  status.IssuerID,
-	})
-}
-
 // NewOrder creates a new order object
 func (ra *RegistrationAuthorityImpl) NewOrder(ctx context.Context, req *rapb.NewOrderRequest) (*corepb.Order, error) {
 	if req == nil || req.RegistrationID == 0 {
diff --git a/ra/ra_test.go b/ra/ra_test.go
@@ -388,7 +388,6 @@ func initAuthorities(t *testing.T) (*DummyValidationAuthority, sapb.StorageAutho
 	ra.SA = sa
 	ra.VA = va
 	ra.CA = ca
-	ra.OCSP = &mocks.MockOCSPGenerator{}
 	ra.PA = pa
 	return dummyVA, sa, ra, rlSource, fc, cleanUp
 }
@@ -3630,125 +3629,16 @@ func (msar *mockSARevocation) UpdateRevokedCertificate(_ context.Context, req *s
 	return &emptypb.Empty{}, nil
 }
 
-type mockOCSPA struct {
-	mocks.MockCA
-}
-
-func (mcao *mockOCSPA) GenerateOCSP(context.Context, *capb.GenerateOCSPRequest, ...grpc.CallOption) (*capb.OCSPResponse, error) {
-	return &capb.OCSPResponse{Response: []byte{1, 2, 3}}, nil
-}
-
 type mockPurger struct{}
 
 func (mp *mockPurger) Purge(context.Context, *akamaipb.PurgeRequest, ...grpc.CallOption) (*emptypb.Empty, error) {
 	return &emptypb.Empty{}, nil
 }
 
-// mockSAGenerateOCSP is a mock SA that always returns a good OCSP response, with a constant NotAfter.
-type mockSAGenerateOCSP struct {
-	sapb.StorageAuthorityClient
-	expiration time.Time
-}
-
-func (msgo *mockSAGenerateOCSP) GetCertificateStatus(_ context.Context, req *sapb.Serial, _ ...grpc.CallOption) (*corepb.CertificateStatus, error) {
-	return &corepb.CertificateStatus{
-		Serial:   req.Serial,
-		Status:   "good",
-		NotAfter: timestamppb.New(msgo.expiration.UTC()),
-	}, nil
-}
-
-func TestGenerateOCSP(t *testing.T) {
-	_, _, ra, _, clk, cleanUp := initAuthorities(t)
-	defer cleanUp()
-
-	ra.OCSP = &mockOCSPA{}
-	ra.SA = &mockSAGenerateOCSP{expiration: clk.Now().Add(time.Hour)}
-
-	req := &rapb.GenerateOCSPRequest{
-		Serial: core.SerialToString(big.NewInt(1)),
-	}
-
-	resp, err := ra.GenerateOCSP(context.Background(), req)
-	test.AssertNotError(t, err, "generating OCSP")
-	test.AssertByteEquals(t, resp.Response, []byte{1, 2, 3})
-
-	ra.SA = &mockSAGenerateOCSP{expiration: clk.Now().Add(-time.Hour)}
-	_, err = ra.GenerateOCSP(context.Background(), req)
-	if !errors.Is(err, berrors.NotFound) {
-		t.Errorf("expected NotFound error, got %s", err)
-	}
-}
-
-// mockSALongExpiredSerial is a mock SA that treats every serial as if it expired a long time ago.
-// Specifically, it returns NotFound to GetCertificateStatus (simulating the serial having been
-// removed from the certificateStatus table), but returns success to GetSerialMetadata (simulating
-// a serial number staying in the `serials` table indefinitely).
-type mockSALongExpiredSerial struct {
-	sapb.StorageAuthorityClient
-}
-
-func (msgo *mockSALongExpiredSerial) GetCertificateStatus(_ context.Context, req *sapb.Serial, _ ...grpc.CallOption) (*corepb.CertificateStatus, error) {
-	return nil, berrors.NotFoundError("not found")
-}
-
-func (msgo *mockSALongExpiredSerial) GetSerialMetadata(_ context.Context, req *sapb.Serial, _ ...grpc.CallOption) (*sapb.SerialMetadata, error) {
-	return &sapb.SerialMetadata{
-		Serial: req.Serial,
-	}, nil
-}
-
-func TestGenerateOCSPLongExpiredSerial(t *testing.T) {
-	_, _, ra, _, _, cleanUp := initAuthorities(t)
-	defer cleanUp()
-
-	ra.OCSP = &mockOCSPA{}
-	ra.SA = &mockSALongExpiredSerial{}
-
-	req := &rapb.GenerateOCSPRequest{
-		Serial: core.SerialToString(big.NewInt(1)),
-	}
-
-	_, err := ra.GenerateOCSP(context.Background(), req)
-	test.AssertError(t, err, "generating OCSP")
-	if !errors.Is(err, berrors.NotFound) {
-		t.Errorf("expected NotFound error, got %#v", err)
-	}
-}
-
-// mockSAUnknownSerial is a mock SA that always returns NotFound to certificate status and serial lookups.
-// It emulates an SA that has never issued a certificate.
-type mockSAUnknownSerial struct {
-	mockSALongExpiredSerial
-}
-
-func (msgo *mockSAUnknownSerial) GetSerialMetadata(_ context.Context, req *sapb.Serial, _ ...grpc.CallOption) (*sapb.SerialMetadata, error) {
-	return nil, berrors.NotFoundError("not found")
-}
-
-func TestGenerateOCSPUnknownSerial(t *testing.T) {
-	_, _, ra, _, _, cleanUp := initAuthorities(t)
-	defer cleanUp()
-
-	ra.OCSP = &mockOCSPA{}
-	ra.SA = &mockSAUnknownSerial{}
-
-	req := &rapb.GenerateOCSPRequest{
-		Serial: core.SerialToString(big.NewInt(1)),
-	}
-
-	_, err := ra.GenerateOCSP(context.Background(), req)
-	test.AssertError(t, err, "generating OCSP")
-	if !errors.Is(err, berrors.UnknownSerial) {
-		t.Errorf("expected UnknownSerial error, got %#v", err)
-	}
-}
-
 func TestRevokeCertByApplicant_Subscriber(t *testing.T) {
 	_, _, ra, _, clk, cleanUp := initAuthorities(t)
 	defer cleanUp()
 
-	ra.OCSP = &mockOCSPA{}
 	ra.purger = &mockPurger{}
 
 	// Use the same self-signed cert as both issuer and issuee for revocation.
@@ -3823,7 +3713,6 @@ func TestRevokeCertByApplicant_Controller(t *testing.T) {
 	_, _, ra, _, clk, cleanUp := initAuthorities(t)
 	defer cleanUp()
 
-	ra.OCSP = &mockOCSPA{}
 	ra.purger = &mockPurger{}
 
 	// Use the same self-signed cert as both issuer and issuee for revocation.
@@ -3864,7 +3753,6 @@ func TestRevokeCertByKey(t *testing.T) {
 	_, _, ra, _, clk, cleanUp := initAuthorities(t)
 	defer cleanUp()
 
-	ra.OCSP = &mockOCSPA{}
 	ra.purger = &mockPurger{}
 
 	// Use the same self-signed cert as both issuer and issuee for revocation.
@@ -3916,7 +3804,6 @@ func TestAdministrativelyRevokeCertificate(t *testing.T) {
 	_, _, ra, _, clk, cleanUp := initAuthorities(t)
 	defer cleanUp()
 
-	ra.OCSP = &mockOCSPA{}
 	ra.purger = &mockPurger{}
 
 	// Use the same self-signed cert as both issuer and issuee for revocation.
diff --git a/test/config-next/ca.json b/test/config-next/ca.json
@@ -14,11 +14,6 @@
 						"ra.boulder"
 					]
 				},
-				"ca.OCSPGenerator": {
-					"clientNames": [
-						"ra.boulder"
-					]
-				},
 				"ca.CRLGenerator": {
 					"clientNames": [
 						"crl-updater.boulder"
diff --git a/test/config-next/ra.json b/test/config-next/ra.json
@@ -92,16 +92,6 @@
 			"noWaitForReady": true,
 			"hostOverride": "ca.boulder"
 		},
-		"ocspService": {
-			"dnsAuthority": "consul.service.consul",
-			"srvLookup": {
-				"service": "ca",
-				"domain": "service.consul"
-			},
-			"timeout": "15s",
-			"noWaitForReady": true,
-			"hostOverride": "ca.boulder"
-		},
 		"publisherService": {
 			"dnsAuthority": "consul.service.consul",
 			"srvLookup": {
