ca/cert-checker: Support test log submissions (#8522)

Fixes #8508

Author: beautifulentropy

cmd/boulder-ca/main.go

@@ -87,6 +87,11 @@ type Config struct {
 		// https://www.gstatic.com/ct/log_list/v3/log_list_schema.json
 		CTLogListFile string
 
+		// CTIncludeTestLogs allows logs marked as "test" to be included in the
+		// CT log list used for linting. This should be enabled in environments
+		// configured to submit SCTs to test logs.
+		CTIncludeTestLogs bool
+
 		// DisableCertService causes the CertificateAuthority gRPC service to not
 		// start, preventing any certificates or precertificates from being issued.
 		DisableCertService bool
@@ -159,7 +164,7 @@ func main() {
 	// Do this before creating the issuers to ensure the log list is loaded before
 	// the linters are initialized.
 	if c.CA.CTLogListFile != "" {
-		err = loglist.InitLintList(c.CA.CTLogListFile)
+		err = loglist.InitLintList(c.CA.CTLogListFile, c.CA.CTIncludeTestLogs)
 		cmd.FailOnError(err, "Failed to load CT Log List")
 	}
 

cmd/cert-checker/main.go

@@ -559,6 +559,11 @@ type Config struct {
 		// https://www.gstatic.com/ct/log_list/v3/log_list_schema.json
 		CTLogListFile string
 
+		// CTIncludeTestLogs allows logs marked as "test" to be included in the
+		// CT log list used for linting. This should be enabled in environments
+		// configured to submit SCTs to test logs.
+		CTIncludeTestLogs bool
+
 		Features features.Config
 	}
 	PA     cmd.PAConfig
@@ -616,7 +621,7 @@ func main() {
 	cmd.FailOnError(err, "Failed to load HostnamePolicyFile")
 
 	if config.CertChecker.CTLogListFile != "" {
-		err = loglist.InitLintList(config.CertChecker.CTLogListFile)
+		err = loglist.InitLintList(config.CertChecker.CTLogListFile, config.CertChecker.CTIncludeTestLogs)
 		cmd.FailOnError(err, "Failed to load CT Log List")
 	}
 

cmd/cert-checker/main_test.go

@@ -583,7 +583,7 @@ func TestIgnoredLint(t *testing.T) {
 		saCleanup()
 	}()
 
-	err = loglist.InitLintList("../../test/ct-test-srv/log_list.json")
+	err = loglist.InitLintList("../../test/ct-test-srv/log_list.json", false)
 	test.AssertNotError(t, err, "failed to load ct log list")
 	testKey, _ := rsa.GenerateKey(rand.Reader, 2048)
 	checker := newChecker(saDbMap, clock.NewFake(), pa, kp, time.Hour, testValidityDurations, nil, blog.NewMock())

ctpolicy/ctconfig/ctconfig.go

@@ -11,8 +11,9 @@ type CTConfig struct {
 	// from one operator group to accept a certificate before attempting
 	// submission to a log run by a different operator instead.
 	Stagger config.Duration
-	// LogListFile is a path to a JSON log list file. The file must match Chrome's
-	// schema: https://www.gstatic.com/ct/log_list/v3/log_list_schema.json
+	// LogListFile is the path to a JSON file on disk containing the set of all
+	// logs trusted by Chrome. The file must match the v3 log list schema:
+	// https://www.gstatic.com/ct/log_list/v3/log_list_schema.json
 	LogListFile string `validate:"required"`
 	// SCTLogs is a list of CT log names to submit precerts to in order to get SCTs.
 	SCTLogs []string `validate:"min=1,dive,required"`

ctpolicy/loglist/lintlist.go

@@ -9,20 +9,21 @@ var lintlist struct {
 }
 
 // InitLintList creates and stores a loglist intended for linting (i.e. with
-// purpose Validation). We have to store this in a global because the zlint
-// framework doesn't (yet) support configuration, so the e_scts_from_same_operator
-// lint cannot load a log list on its own. Instead, we have the CA call this
-// initialization function at startup, and have the lint call the getter below
-// to get access to the cached list.
-func InitLintList(path string) error {
+// purpose Validation). Test logs are included only when submitToTestLogs is
+// true. We have to store this in a global because the zlint framework doesn't
+// (yet) support configuration, so the e_scts_from_same_operator lint cannot
+// load a log list on its own. Instead, we have the CA call this initialization
+// function at startup, and have the lint call the getter below to get access to
+// the cached list.
+func InitLintList(path string, submitToTestLogs bool) error {
 	lintlist.Do(func() {
 		l, err := New(path)
 		if err != nil {
 			lintlist.err = err
 			return
 		}
 
-		l, err = l.forPurpose(Validation, false)
+		l, err = l.forPurpose(Validation, submitToTestLogs)
 		if err != nil {
 			lintlist.err = err
 			return

issuance/cert_test.go

@@ -656,7 +656,7 @@ func TestIssueSCTList(t *testing.T) {
 	fc := clock.NewFake()
 	fc.Set(time.Now())
 
-	err := loglist.InitLintList("../test/ct-test-srv/log_list.json")
+	err := loglist.InitLintList("../test/ct-test-srv/log_list.json", false)
 	test.AssertNotError(t, err, "failed to load log list")
 
 	pc := defaultProfileConfig()
@@ -807,7 +807,7 @@ func TestInvalidProfile(t *testing.T) {
 	fc := clock.NewFake()
 	fc.Set(time.Now())
 
-	err := loglist.InitLintList("../test/ct-test-srv/log_list.json")
+	err := loglist.InitLintList("../test/ct-test-srv/log_list.json", false)
 	test.AssertNotError(t, err, "failed to load log list")
 
 	signer, err := newIssuer(defaultIssuerConfig(), issuerCert, issuerSigner, fc)
@@ -850,7 +850,7 @@ func TestInvalidProfile(t *testing.T) {
 func TestMismatchedProfiles(t *testing.T) {
 	fc := clock.NewFake()
 	fc.Set(time.Now())
-	err := loglist.InitLintList("../test/ct-test-srv/log_list.json")
+	err := loglist.InitLintList("../test/ct-test-srv/log_list.json", false)
 	test.AssertNotError(t, err, "failed to load log list")
 
 	issuer1, err := newIssuer(defaultIssuerConfig(), issuerCert, issuerSigner, fc)