Merge branch 'main' into multiplat

Author: sheurich

cmd/admin/cert.go

@@ -14,8 +14,6 @@ import (
 	"sync/atomic"
 	"unicode"
 
-	"golang.org/x/crypto/ocsp"
-
 	core "github.com/letsencrypt/boulder/core"
 	berrors "github.com/letsencrypt/boulder/errors"
 	rapb "github.com/letsencrypt/boulder/ra/proto"
@@ -76,24 +74,18 @@ func (s *subcommandRevokeCert) Run(ctx context.Context, a *admin) error {
 		return fmt.Errorf("got unacceptable parallelism %d", s.parallelism)
 	}
 
-	reasonCode := revocation.Reason(-1)
-	for code := range revocation.AdminAllowedReasons {
-		if s.reasonStr == revocation.ReasonToString[code] {
-			reasonCode = code
-			break
-		}
-	}
-	if reasonCode == revocation.Reason(-1) {
-		return fmt.Errorf("got unacceptable revocation reason %q", s.reasonStr)
+	reasonCode, err := revocation.StringToReason(s.reasonStr)
+	if err != nil {
+		return fmt.Errorf("looking up revocation reason: %w", err)
 	}
 
-	if s.skipBlock && reasonCode == ocsp.KeyCompromise {
+	if s.skipBlock && reasonCode == revocation.KeyCompromise {
 		// We would only add the SPKI hash of the pubkey to the blockedKeys table if
 		// the revocation reason is keyCompromise.
 		return errors.New("-skip-block-key only makes sense with -reason=1")
 	}
 
-	if s.malformed && reasonCode == ocsp.KeyCompromise {
+	if s.malformed && reasonCode == revocation.KeyCompromise {
 		// This is because we can't extract and block the pubkey if we can't
 		// parse the certificate.
 		return errors.New("cannot revoke malformed certs for reason keyCompromise")

cmd/bad-key-revoker/main.go

@@ -9,7 +9,6 @@ import (
 
 	"github.com/jmhodges/clock"
 	"github.com/prometheus/client_golang/prometheus"
-	"golang.org/x/crypto/ocsp"
 	"google.golang.org/grpc"
 	"google.golang.org/protobuf/types/known/emptypb"
 
@@ -20,6 +19,7 @@ import (
 	bgrpc "github.com/letsencrypt/boulder/grpc"
 	blog "github.com/letsencrypt/boulder/log"
 	rapb "github.com/letsencrypt/boulder/ra/proto"
+	"github.com/letsencrypt/boulder/revocation"
 	"github.com/letsencrypt/boulder/sa"
 )
 
@@ -190,7 +190,7 @@ func (bkr *badKeyRevoker) revokeCerts(certs []unrevokedCertificate) error {
 		_, err := bkr.raClient.AdministrativelyRevokeCertificate(context.Background(), &rapb.AdministrativelyRevokeCertificateRequest{
 			Cert:      cert.DER,
 			Serial:    cert.Serial,
-			Code:      int64(ocsp.KeyCompromise),
+			Code:      int64(revocation.KeyCompromise),
 			AdminName: "bad-key-revoker",
 		})
 		if err != nil {

cmd/ceremony/README.md

@@ -13,7 +13,6 @@ ceremony --config path/to/config.yml
 - `cross-csr`: creates a CSR for signing by a third party, outputting a PEM CSR.
 - `cross-certificate`: issues a certificate for one root, signed by another root. This is distinct from an intermediate because there is no path length constraint and there are no EKUs.
 - `key`: generates a signing key on HSM, outputting a PEM public key
-- `ocsp-response`: creates a OCSP response for the provided certificate and signs it using a signing key already on a HSM, outputting a base64 encoded response
 - `crl`: creates a CRL with the IDP extension and `onlyContainsCACerts = true` from the provided profile and signs it using a signing key already on a HSM, outputting a PEM CRL
 
 These modes are set in the `ceremony-type` field of the configuration file.
@@ -128,7 +127,6 @@ certificate-profile:
     country: US
     not-before: 2020-01-01 12:00:00
     not-after: 2040-01-01 12:00:00
-    ocsp-url: http://good-guys.com/ocsp
     crl-url:  http://good-guys.com/crl
     issuer-url:  http://good-guys.com/root
     policies:
@@ -193,7 +191,6 @@ certificate-profile:
     country: US
     not-before: 2020-01-01 12:00:00
     not-after: 2040-01-01 12:00:00
-    ocsp-url: http://good-guys.com/ocsp
     crl-url:  http://good-guys.com/crl
     issuer-url:  http://good-guys.com/root
     policies:
@@ -296,61 +293,6 @@ outputs:
 
 This config generates an ECDSA P-384 key in the HSM with the object label `intermediate signing key`. The public key is written to `/home/user/intermediate-signing-pub.pem`.
 
-### OCSP Response ceremony
-
-- `ceremony-type`: string describing the ceremony type, `ocsp-response`.
-- `pkcs11`: object containing PKCS#11 related fields.
-
-    | Field | Description |
-    | --- | --- |
-    | `module` | Path to the PKCS#11 module to use to communicate with a HSM. |
-    | `pin` | Specifies the login PIN, should only be provided if the HSM device requires one to interact with the slot. |
-    | `signing-key-slot` | Specifies which HSM object slot the signing key is in. |
-    | `signing-key-label` | Specifies the HSM object label for the signing keypair's public key. |
-
-- `inputs`: object containing paths for inputs
-
-    | Field | Description |
-    | --- | --- |
-    | `certificate-path` | Path to PEM certificate to create a response for. |
-    | `issuer-certificate-path` | Path to PEM issuer certificate. |
-    | `delegated-issuer-certificate-path` | Path to PEM delegated issuer certificate, if one is being used. |
-
-- `outputs`: object containing paths to write outputs.
-
-    | Field | Description |
-    | --- | --- |
-    | `response-path` | Path to store signed base64 encoded response. |
-
-- `ocsp-profile`: object containing profile for the OCSP response.
-
-    | Field | Description |
-    | --- | --- |
-    | `this-update` | Specifies the OCSP response thisUpdate date, in the format `2006-01-02 15:04:05`. The time will be interpreted as UTC. |
-    | `next-update` | Specifies the OCSP response nextUpdate date, in the format `2006-01-02 15:04:05`. The time will be interpreted as UTC. |
-    | `status` | Specifies the OCSP response status, either `good` or `revoked`. |
-
-Example:
-
-```yaml
-ceremony-type: ocsp-response
-pkcs11:
-    module: /usr/lib/opensc-pkcs11.so
-    signing-key-slot: 0
-    signing-key-label: root signing key
-inputs:
-    certificate-path: /home/user/certificate.pem
-    issuer-certificate-path: /home/user/root-cert.pem
-outputs:
-    response-path: /home/user/ocsp-resp.b64
-ocsp-profile:
-    this-update: 2020-01-01 12:00:00
-    next-update: 2021-01-01 12:00:00
-    status: good
-```
-
-This config generates a OCSP response signed by a key in the HSM, identified by the object label `root signing key` and object ID `ffff`. The response will be for the certificate in `/home/user/certificate.pem`, and will be written to `/home/user/ocsp-resp.b64`.
-
 ### CRL ceremony
 
 - `ceremony-type`: string describing the ceremony type, `crl`.
@@ -419,7 +361,6 @@ The certificate profile defines a restricted set of fields that are used to gene
 | `country` | Specifies the subject country |
 | `not-before` | Specifies the certificate notBefore date, in the format `2006-01-02 15:04:05`. The time will be interpreted as UTC. |
 | `not-after` | Specifies the certificate notAfter date, in the format `2006-01-02 15:04:05`. The time will be interpreted as UTC. |
-| `ocsp-url` | Specifies the AIA OCSP responder URL |
 | `crl-url` | Specifies the cRLDistributionPoints URL |
 | `issuer-url` | Specifies the AIA caIssuer URL |
 | `policies` | Specifies contents of a certificatePolicies extension. Should contain a list of policies with the field `oid`, indicating the policy OID. |

cmd/ceremony/cert.go

@@ -41,9 +41,6 @@ type certProfile struct {
 	// always be UTC.
 	NotAfter string `yaml:"not-after"`
 
-	// OCSPURL should contain the URL at which a OCSP responder that
-	// can respond to OCSP requests for this certificate operates
-	OCSPURL string `yaml:"ocsp-url"`
 	// CRLURL should contain the URL at which CRLs for this certificate
 	// can be found
 	CRLURL string `yaml:"crl-url"`
@@ -100,9 +97,6 @@ func (profile *certProfile) verifyProfile(ct certType) error {
 		if profile.SignatureAlgorithm != "" {
 			return errors.New("signature-algorithm cannot be set for a CSR")
 		}
-		if profile.OCSPURL != "" {
-			return errors.New("ocsp-url cannot be set for a CSR")
-		}
 		if profile.CRLURL != "" {
 			return errors.New("crl-url cannot be set for a CSR")
 		}
@@ -205,10 +199,6 @@ func makeTemplate(randReader io.Reader, profile *certProfile, pubKey []byte, tbc
 		return nil, fmt.Errorf("toBeCrossSigned cert field was nil, but was required to gather EKUs for the lint cert")
 	}
 
-	var ocspServer []string
-	if profile.OCSPURL != "" {
-		ocspServer = []string{profile.OCSPURL}
-	}
 	var crlDistributionPoints []string
 	if profile.CRLURL != "" {
 		crlDistributionPoints = []string{profile.CRLURL}
@@ -246,7 +236,6 @@ func makeTemplate(randReader io.Reader, profile *certProfile, pubKey []byte, tbc
 		BasicConstraintsValid: true,
 		IsCA:                  true,
 		Subject:               profile.Subject(),
-		OCSPServer:            ocspServer,
 		CRLDistributionPoints: crlDistributionPoints,
 		IssuingCertificateURL: issuingCertificateURL,
 		KeyUsage:              ku,

cmd/ceremony/cert_test.go

@@ -109,7 +109,6 @@ func TestMakeTemplateRoot(t *testing.T) {
 	profile.CommonName = "common name"
 	profile.Organization = "organization"
 	profile.Country = "country"
-	profile.OCSPURL = "ocsp"
 	profile.CRLURL = "crl"
 	profile.IssuerURL = "issuer"
 	cert, err := makeTemplate(randReader, profile, pubKey, nil, rootCert)
@@ -119,8 +118,6 @@ func TestMakeTemplateRoot(t *testing.T) {
 	test.AssertEquals(t, cert.Subject.Organization[0], profile.Organization)
 	test.AssertEquals(t, len(cert.Subject.Country), 1)
 	test.AssertEquals(t, cert.Subject.Country[0], profile.Country)
-	test.AssertEquals(t, len(cert.OCSPServer), 1)
-	test.AssertEquals(t, cert.OCSPServer[0], profile.OCSPURL)
 	test.AssertEquals(t, len(cert.CRLDistributionPoints), 1)
 	test.AssertEquals(t, cert.CRLDistributionPoints[0], profile.CRLURL)
 	test.AssertEquals(t, len(cert.IssuingCertificateURL), 1)
@@ -147,7 +144,6 @@ func TestMakeTemplateRestrictedCrossCertificate(t *testing.T) {
 		Organization:       "organization",
 		Country:            "country",
 		KeyUsages:          []string{"Digital Signature", "CRL Sign"},
-		OCSPURL:            "ocsp",
 		CRLURL:             "crl",
 		IssuerURL:          "issuer",
 		NotAfter:           "2020-10-10 11:31:00",
@@ -237,7 +233,6 @@ func TestVerifyProfile(t *testing.T) {
 				CommonName:         "d",
 				Organization:       "e",
 				Country:            "f",
-				OCSPURL:            "g",
 			},
 			certType:    []certType{intermediateCert, crossCert},
 			expectedErr: "crl-url is required for subordinate CAs",
@@ -250,7 +245,6 @@ func TestVerifyProfile(t *testing.T) {
 				CommonName:         "d",
 				Organization:       "e",
 				Country:            "f",
-				OCSPURL:            "g",
 				CRLURL:             "h",
 			},
 			certType:    []certType{intermediateCert, crossCert},
@@ -264,7 +258,6 @@ func TestVerifyProfile(t *testing.T) {
 				CommonName:         "d",
 				Organization:       "e",
 				Country:            "f",
-				OCSPURL:            "g",
 				CRLURL:             "h",
 				IssuerURL:          "i",
 			},
@@ -279,7 +272,6 @@ func TestVerifyProfile(t *testing.T) {
 				CommonName:         "d",
 				Organization:       "e",
 				Country:            "f",
-				OCSPURL:            "g",
 				CRLURL:             "h",
 				IssuerURL:          "i",
 				Policies:           []policyInfoConfig{{OID: "1.2.3"}, {OID: "4.5.6"}},
@@ -319,13 +311,6 @@ func TestVerifyProfile(t *testing.T) {
 			certType:    []certType{requestCert},
 			expectedErr: "signature-algorithm cannot be set for a CSR",
 		},
-		{
-			profile: certProfile{
-				OCSPURL: "a",
-			},
-			certType:    []certType{requestCert},
-			expectedErr: "ocsp-url cannot be set for a CSR",
-		},
 		{
 			profile: certProfile{
 				CRLURL: "a",