issuance: Remove last vestiges of OCSP support (#8398)

The AIA OCSP URI is always omitted, and therefore the
CRLDistributionPoint URL is always included. This implicitly drops
support for "temporal sharding" (mapping certs to CRLs by their
notAfter, rather than by their baked-in CRLDP) but that had in fact
already become unsupported when OmitOCSP was made non-functional.

Fixes #8177

Author: aarongable

crl/checker/checker_test.go

@@ -61,8 +61,8 @@ func TestDiff(t *testing.T) {
 				CertFile: "../../test/hierarchy/int-e1.cert.pem",
 			},
 			IssuerURL:  "http://not-example.com/issuer-url",
-			OCSPURL:    "http://not-example.com/ocsp",
 			CRLURLBase: "http://not-example.com/crl/",
+			CRLShards:  1,
 		}, clock.NewFake())
 	test.AssertNotError(t, err, "loading test issuer")
 

crl/storer/storer_test.go

@@ -62,8 +62,8 @@ func setupTestUploadCRL(t *testing.T) (*crlStorer, *issuance.Issuer) {
 				CertFile: "../../test/hierarchy/int-e1.cert.pem",
 			},
 			IssuerURL:  "http://not-example.com/issuer-url",
-			OCSPURL:    "http://not-example.com/ocsp",
 			CRLURLBase: "http://not-example.com/crl/",
+			CRLShards:  1,
 		}, clock.NewFake())
 	test.AssertNotError(t, err, "loading fake ECDSA issuer cert")
 

issuance/cert.go

@@ -59,6 +59,9 @@ type ProfileConfig struct {
 	OmitOCSP bool
 	// IncludeCRLDistributionPoints causes the CRLDistributionPoints extension to
 	// be added to all certificates issued by this profile.
+	//
+	// Deprecated: This has no effect; CRLDP is always included.
+	// TODO(#8177): Remove this.
 	IncludeCRLDistributionPoints bool
 
 	MaxValidityPeriod   config.Duration
@@ -84,8 +87,6 @@ type Profile struct {
 	omitClientAuth      bool
 	omitSKID            bool
 
-	includeCRLDistributionPoints bool
-
 	maxBackdate time.Duration
 	maxValidity time.Duration
 
@@ -123,14 +124,13 @@ func NewProfile(profileConfig *ProfileConfig) (*Profile, error) {
 	}
 
 	sp := &Profile{
-		omitCommonName:               profileConfig.OmitCommonName,
-		omitKeyEncipherment:          profileConfig.OmitKeyEncipherment,
-		omitClientAuth:               profileConfig.OmitClientAuth,
-		omitSKID:                     profileConfig.OmitSKID,
-		includeCRLDistributionPoints: profileConfig.IncludeCRLDistributionPoints,
-		maxBackdate:                  profileConfig.MaxValidityBackdate.Duration,
-		maxValidity:                  profileConfig.MaxValidityPeriod.Duration,
-		lints:                        lints,
+		omitCommonName:      profileConfig.OmitCommonName,
+		omitKeyEncipherment: profileConfig.OmitKeyEncipherment,
+		omitClientAuth:      profileConfig.OmitClientAuth,
+		omitSKID:            profileConfig.OmitSKID,
+		maxBackdate:         profileConfig.MaxValidityBackdate.Duration,
+		maxValidity:         profileConfig.MaxValidityPeriod.Duration,
+		lints:               lints,
 	}
 
 	return sp, nil
@@ -381,18 +381,12 @@ func (i *Issuer) Prepare(prof *Profile, req *IssuanceRequest) ([]byte, *issuance
 		return nil, nil, errors.New("invalid request contains neither sctList nor precertDER")
 	}
 
-	// If explicit CRL sharding is enabled, pick a shard based on the serial number
-	// modulus the number of shards. This gives us random distribution that is
-	// nonetheless consistent between precert and cert.
-	if prof.includeCRLDistributionPoints {
-		if i.crlShards <= 0 {
-			return nil, nil, errors.New("IncludeCRLDistributionPoints was set but CRLShards was not set")
-		}
-		shardZeroBased := big.NewInt(0).Mod(template.SerialNumber, big.NewInt(int64(i.crlShards)))
-		shard := int(shardZeroBased.Int64()) + 1
-		url := i.crlURL(shard)
-		template.CRLDistributionPoints = []string{url}
-	}
+	// Pick a CRL shard based on the serial number modulo the number of shards.
+	// This gives us random distribution that is nonetheless consistent between
+	// precert and cert.
+	shardZeroBased := big.NewInt(0).Mod(template.SerialNumber, big.NewInt(int64(i.crlShards)))
+	shard := int(shardZeroBased.Int64()) + 1
+	template.CRLDistributionPoints = []string{i.crlURL(shard)}
 
 	// check that the tbsCertificate is properly formed by signing it
 	// with a throwaway key and then linting it using zlint

issuance/cert_test.go

@@ -321,8 +321,7 @@ func TestGenerateTemplate(t *testing.T) {
 		SignatureAlgorithm:    x509.SHA256WithRSA,
 		IssuingCertificateURL: []string{"http://issuer"},
 		Policies:              []x509.OID{domainValidatedOID},
-		// These fields are only included if specified in the profile.
-		OCSPServer:            nil,
+		// This field is computed based on the serial, so is not included in the template.
 		CRLDistributionPoints: nil,
 	}
 
@@ -488,7 +487,6 @@ func TestIssueWithCRLDP(t *testing.T) {
 		t.Fatalf("ecdsa.GenerateKey: %s", err)
 	}
 	profile := defaultProfile()
-	profile.includeCRLDistributionPoints = true
 	_, issuanceToken, err := signer.Prepare(profile, &IssuanceRequest{
 		PublicKey:       MarshalablePublicKey{pk.Public()},
 		SubjectKeyId:    goodSKID,

issuance/issuer.go

@@ -142,7 +142,7 @@ func LoadChain(certFiles []string) ([]*Certificate, error) {
 type IssuerConfig struct {
 	// Active determines if the issuer can be used to sign precertificates. All
 	// issuers, regardless of this field, can be used to sign final certificates
-	// (for which an issuance token is presented), OCSP responses, and CRLs.
+	// (for which an issuance token is presented) and CRLs.
 	// All Active issuers of a given key type (RSA or ECDSA) are part of a pool
 	// and each precertificate will be issued randomly from a selected pool.
 	// The selection of which pool depends on the precertificate's key algorithm.
@@ -154,10 +154,8 @@ type IssuerConfig struct {
 	// TODO(#8177): Remove this.
 	OCSPURL string `validate:"omitempty,url"`
 
-	// Number of CRL shards.
-	// This must be nonzero if adding CRLDistributionPoints to certificates
-	// (that is, if profile.IncludeCRLDistributionPoints is true).
-	CRLShards int
+	// Number of CRL shards. Must be positive, but can be 1 for no sharding.
+	CRLShards int `validate:"required,min=1"`
 
 	Location IssuerLoc
 }
@@ -239,6 +237,9 @@ func newIssuer(config IssuerConfig, cert *Certificate, signer crypto.Signer, clk
 	if !strings.HasSuffix(config.CRLURLBase, "/") {
 		return nil, fmt.Errorf("crlURLBase must end with exactly one forward slash, got %q", config.CRLURLBase)
 	}
+	if config.CRLShards <= 0 {
+		return nil, errors.New("Number of CRL shards is required")
+	}
 
 	// We require that all of our issuers be capable of both issuing certs and
 	// providing revocation information.
@@ -280,7 +281,7 @@ func (i *Issuer) KeyType() x509.PublicKeyAlgorithm {
 }
 
 // IsActive is true if the issuer is willing to issue precertificates, and false
-// if the issuer is only willing to issue final certificates, OCSP, and CRLs.
+// if the issuer is only willing to issue final certificates and CRLs.
 func (i *Issuer) IsActive() bool {
 	return i.active
 }