Merge branch main into refactor-dns

Author: aarongable

.github/workflows/boulder-ci.yml

@@ -54,12 +54,19 @@ jobs:
           - "./t.sh --unit --enable-race-detection"
           - "./tn.sh --unit --enable-race-detection"
           - "./t.sh --start-py"
+          # Same cases but backed by Vitess + MySQL 8 instead of ProxySQL + MariaDB
+          - "./t.sh --use-vitess --integration"
+          - "./tn.sh --use-vitess --integration"
+          - "./t.sh --use-vitess --unit --enable-race-detection"
+          - "./tn.sh --use-vitess --unit --enable-race-detection"
+          - "./t.sh --use-vitess --start-py"
 
     env:
       # This sets the docker image tag for the boulder-tools repository to
       # use in tests. It will be set appropriately for each tag in the list
       # defined in the matrix.
       BOULDER_TOOLS_TAG: ${{ matrix.BOULDER_TOOLS_TAG }}
+      BOULDER_VTCOMBOSERVER_TAG: vitessv23.0.0_2025-12-02
 
     # Sequence of tasks that will be executed as part of the job.
     steps:

.gitignore

@@ -43,3 +43,11 @@ test/proxysql/*.log*
 
 # Coverage files
 test/coverage
+
+# DSN symlinks
+test/secrets/badkeyrevoker_dburl
+test/secrets/cert_checker_dburl
+test/secrets/incidents_dburl
+test/secrets/revoker_dburl
+test/secrets/sa_dburl
+test/secrets/sa_ro_dburl

cmd/ceremony/README.md

@@ -40,7 +40,7 @@ This tool always generates key pairs such that the public and private key are bo
     | Field | Description |
     | --- | --- |
     | `type` | Specifies the type of key to be generated, either `rsa` or `ecdsa`. If `rsa` the generated key will have an exponent of 65537 and a modulus length specified by `rsa-mod-length`. If `ecdsa` the curve is specified by `ecdsa-curve`. |
-    | `ecdsa-curve` | Specifies the ECDSA curve to use when generating key, either `P-224`, `P-256`, `P-384`, or `P-521`. |
+    | `ecdsa-curve` | Specifies the ECDSA curve to use when generating key, either `P-256`, `P-384`, or `P-521`. |
     | `rsa-mod-length` | Specifies the length of the RSA modulus, either `2048` or `4096`. |
 
 - `outputs`: object containing paths to write outputs.
@@ -267,7 +267,7 @@ This config generates a CSR signed by a key in the HSM, identified by the object
     | Field | Description |
     | --- | --- |
     | `type` | Specifies the type of key to be generated, either `rsa` or `ecdsa`. If `rsa` the generated key will have an exponent of 65537 and a modulus length specified by `rsa-mod-length`. If `ecdsa` the curve is specified by `ecdsa-curve`. |
-    | `ecdsa-curve` | Specifies the ECDSA curve to use when generating key, either `P-224`, `P-256`, `P-384`, or `P-521`. |
+    | `ecdsa-curve` | Specifies the ECDSA curve to use when generating key, either `P-256`, `P-384`, or `P-521`. |
     | `rsa-mod-length` | Specifies the length of the RSA modulus, either `2048` or `4096`. |
 
 - `outputs`: object containing paths to write outputs.

cmd/ceremony/ecdsa.go

@@ -13,15 +13,13 @@ import (
 )
 
 var stringToCurve = map[string]elliptic.Curve{
-	elliptic.P224().Params().Name: elliptic.P224(),
 	elliptic.P256().Params().Name: elliptic.P256(),
 	elliptic.P384().Params().Name: elliptic.P384(),
 	elliptic.P521().Params().Name: elliptic.P521(),
 }
 
 // curveToOIDDER maps the name of the curves to their DER encoded OIDs
 var curveToOIDDER = map[string][]byte{
-	elliptic.P224().Params().Name: {6, 5, 43, 129, 4, 0, 33},
 	elliptic.P256().Params().Name: {6, 8, 42, 134, 72, 206, 61, 3, 1, 7},
 	elliptic.P384().Params().Name: {6, 5, 43, 129, 4, 0, 34},
 	elliptic.P521().Params().Name: {6, 5, 43, 129, 4, 0, 35},

cmd/ceremony/main.go

@@ -101,7 +101,6 @@ type keyGenConfig struct {
 }
 
 var allowedCurves = map[string]bool{
-	"P-224": true,
 	"P-256": true,
 	"P-384": true,
 	"P-521": true,
@@ -121,7 +120,7 @@ func (kgc keyGenConfig) validate() error {
 		return errors.New("if key.type = 'rsa' then key.ecdsa-curve is not used")
 	}
 	if kgc.Type == "ecdsa" && !allowedCurves[kgc.ECDSACurve] {
-		return errors.New("key.ecdsa-curve can only be 'P-224', 'P-256', 'P-384', or 'P-521'")
+		return errors.New("key.ecdsa-curve can only be 'P-256', 'P-384', or 'P-521'")
 	}
 	if kgc.Type == "ecdsa" && kgc.RSAModLength != 0 {
 		return errors.New("if key.type = 'ecdsa' then key.rsa-mod-length is not used")

cmd/ceremony/main_test.go

@@ -117,7 +117,7 @@ func TestKeyGenConfigValidate(t *testing.T) {
 				Type:       "ecdsa",
 				ECDSACurve: "bad",
 			},
-			expectedError: "key.ecdsa-curve can only be 'P-224', 'P-256', 'P-384', or 'P-521'",
+			expectedError: "key.ecdsa-curve can only be 'P-256', 'P-384', or 'P-521'",
 		},
 		{
 			name: "key.type is ecdsa but key.rsa-mod-length is present",

ctpolicy/loglist/loglist.go

@@ -65,6 +65,12 @@ func usableForPurpose(s loglist3.LogStatus, p purpose) bool {
 	return false
 }
 
+// isTestLog returns true if the log type is test is "test" or "monitoring_only".
+// The schema documents a third option, "prod", which does not currently appear in Google's lists.
+func isTestLog(log Log) bool {
+	return log.Type == "test" || log.Type == "monitoring_only"
+}
+
 // New returns a LogList of all operators and all logs parsed from the file at
 // the given path. The file must conform to the JSON Schema published by Google:
 // https://www.gstatic.com/ct/log_list/v3/log_list_schema.json
@@ -186,10 +192,13 @@ func (ll List) forPurpose(p purpose, submitToTestLogs bool) (List, error) {
 	// interprets this as "UndefinedLogStatus", which causes usableForPurpose()
 	// to return false. To account for this, we skip this check for test logs.
 	for _, log := range ll {
-		if log.Type == "test" && !submitToTestLogs {
+		// Only consider test logs if we are submitting to test logs:
+		if isTestLog(log) && !submitToTestLogs {
 			continue
 		}
-		if log.Type != "test" && !usableForPurpose(log.State, p) {
+		// Check the log is usable for a purpose.
+		// But test logs aren't ever marked Usable.
+		if !isTestLog(log) && !usableForPurpose(log.State, p) {
 			continue
 		}
 		res = append(res, log)

ctpolicy/loglist/loglist_test.go

@@ -95,6 +95,7 @@ func TestForPurpose(t *testing.T) {
 		Log{Name: "Log A1", Operator: "A", State: loglist3.UsableLogStatus},
 		Log{Name: "Log B1", Operator: "B", State: loglist3.UsableLogStatus},
 		Log{Name: "Log T1", Operator: "T", Type: "test", State: loglist3.UndefinedLogStatus},
+		Log{Name: "Log M1", Operator: "M", Type: "monitoring_only", State: loglist3.UndefinedLogStatus},
 	}
 	expected = List{
 		Log{Name: "Log A1", Operator: "A", State: loglist3.UsableLogStatus},
@@ -108,6 +109,7 @@ func TestForPurpose(t *testing.T) {
 		Log{Name: "Log A1", Operator: "A", State: loglist3.UsableLogStatus},
 		Log{Name: "Log B1", Operator: "B", State: loglist3.UsableLogStatus},
 		Log{Name: "Log T1", Operator: "T", Type: "test", State: loglist3.UndefinedLogStatus},
+		Log{Name: "Log M1", Operator: "M", Type: "monitoring_only", State: loglist3.UndefinedLogStatus},
 	}
 	actual, err = input.forPurpose(Issuance, true)
 	test.AssertNotError(t, err, "should have two acceptable logs with submitToTestLogs=[true]")

docker-compose.yml

@@ -50,8 +50,9 @@ services:
       - 4001:4001 # ACMEv2
       - 4003:4003 # SFE
     depends_on:
-      - bmysql
+      - bmariadb
       - bproxysql
+      - bvitess
       - bredis_1
       - bredis_2
       - bconsul
@@ -74,12 +75,12 @@ services:
       # with a "docker compose up bsetup".
       - setup
 
-  bmysql:
+  bmariadb:
     image: mariadb:10.11.13
     networks:
       bouldernet:
         aliases:
-          - boulder-mysql
+          - boulder-mariadb
     environment:
       MYSQL_ALLOW_EMPTY_PASSWORD: "yes"
     # Send slow queries to a table so we can check for them in the
@@ -101,7 +102,7 @@ services:
     volumes:
       - ./test/:/test/:cached
     depends_on:
-      - bmysql
+      - bmariadb
     networks:
       bouldernet:
         aliases:
@@ -144,6 +145,21 @@ services:
     networks:
       - bouldernet
 
+  bvitess:
+    # The `letsencrypt/boulder-vtcomboserver:latest` tag is automatically built
+    # in local dev environments. In CI a specific BOULDER_VTCOMBOSERVER_TAG is
+    # passed, and it is pulled with `docker compose pull`.
+    image: letsencrypt/boulder-vtcomboserver:${BOULDER_VTCOMBOSERVER_TAG:-latest}
+    environment:
+      # By specifying KEYSPACES vttestserver will create the corresponding
+      # databases on startup.
+      KEYSPACES: boulder_sa_test,boulder_sa_integration,incidents_sa_test,incidents_sa_integration
+      NUM_SHARDS: 1,1,1,1
+    networks:
+      bouldernet:
+        aliases:
+          - boulder-vitess
+
 networks:
   # This network represents the data-center internal network. It is used for
   # boulder services and their infrastructure, such as consul, mariadb, and

features/features.go

@@ -81,6 +81,11 @@ type Config struct {
 	// during certificate issuance. This flag must be set to true in the
 	// RA, VA, and WFE2 services for full functionality.
 	DNSAccount01Enabled bool
+
+	// StoreAuthzsInOrders causes the SA to write to the `authzs`
+	// column in NewOrder and read from it in GetOrder. It should be enabled
+	// after the migration to add that column has been run.
+	StoreAuthzsInOrders bool
 }
 
 var fMu = new(sync.RWMutex)