Merge remote-tracking branch 'le/master' into cpu-finalize-errors

Author: Daniel

CODEOWNERS

@@ -0,0 +1 @@
+* @letsencrypt/boulder-reviewers

cmd/cert-checker/main.go

@@ -40,7 +40,6 @@ const (
 // forbiddenDomains array
 var forbiddenDomainPatterns = []*regexp.Regexp{
 	regexp.MustCompile(`^\s*$`),
-	regexp.MustCompile(`\.mil$`),
 	regexp.MustCompile(`\.local$`),
 	regexp.MustCompile(`^localhost$`),
 	regexp.MustCompile(`\.localhost$`),

cmd/cert-checker/main_test.go

@@ -172,16 +172,14 @@ func TestCheckCert(t *testing.T) {
 	problems := checker.checkCert(cert)
 
 	problemsMap := map[string]int{
-		"Stored digest doesn't match certificate digest":                            1,
-		"Stored serial doesn't match certificate serial":                            1,
-		"Stored expiration doesn't match certificate NotAfter":                      1,
-		"Certificate doesn't have basic constraints set":                            1,
-		"Certificate has a validity period longer than 2160h0m0s":                   1,
-		"Stored issuance date is outside of 6 hour window of certificate NotBefore": 1,
-		"Certificate has incorrect key usage extensions":                            1,
-		"Certificate has common name >64 characters long (65)":                      1,
-		"Policy Authority was willing to issue but domain 'foodnotbombs.mil' " +
-			"matches forbiddenDomains entry \"\\\\.mil$\"": 1,
+		"Stored digest doesn't match certificate digest":                                                 1,
+		"Stored serial doesn't match certificate serial":                                                 1,
+		"Stored expiration doesn't match certificate NotAfter":                                           1,
+		"Certificate doesn't have basic constraints set":                                                 1,
+		"Certificate has a validity period longer than 2160h0m0s":                                        1,
+		"Stored issuance date is outside of 6 hour window of certificate NotBefore":                      1,
+		"Certificate has incorrect key usage extensions":                                                 1,
+		"Certificate has common name >64 characters long (65)":                                           1,
 		"Policy Authority isn't willing to issue for '*.foodnotbombs.mil': Wildcard names not supported": 1,
 	}
 	for _, p := range problems {
@@ -194,7 +192,7 @@ func TestCheckCert(t *testing.T) {
 	for k := range problemsMap {
 		t.Errorf("Expected problem but didn't find it: '%s'.", k)
 	}
-	test.AssertEquals(t, len(problems), 10)
+	test.AssertEquals(t, len(problems), 9)
 
 	// Same settings as above, but the stored serial number in the DB is invalid.
 	cert.Serial = "not valid"
@@ -361,10 +359,6 @@ func TestIsForbiddenDomain(t *testing.T) {
 		// Whitespace only
 		{Name: "", Expected: true},
 		{Name: "   ", Expected: true},
-		// Anything .mil
-		{Name: "foodnotbombs.mil", Expected: true},
-		{Name: "www.foodnotbombs.mil", Expected: true},
-		{Name: ".mil", Expected: true},
 		// Anything .local
 		{Name: "yokel.local", Expected: true},
 		{Name: "off.on.remote.local", Expected: true},

cmd/ocsp-responder/main.go

@@ -90,11 +90,12 @@ func (src *DBSource) Response(req *ocsp.Request) ([]byte, http.Header, error) {
 		"SELECT ocspResponse, ocspLastUpdated FROM certificateStatus WHERE serial = :serial",
 		map[string]interface{}{"serial": serialString},
 	)
-	if err != nil && err != sql.ErrNoRows {
-		src.log.AuditErr(fmt.Sprintf("Failed to retrieve response from certificateStatus table: %s", err))
+	if err == sql.ErrNoRows {
+		return nil, nil, cfocsp.ErrNotFound
 	}
 	if err != nil {
-		return nil, nil, cfocsp.ErrNotFound
+		src.log.AuditErr(fmt.Sprintf("Looking up OCSP response: %s", err))
+		return nil, nil, err
 	}
 	if response.OCSPLastUpdated.IsZero() {
 		src.log.Debug(fmt.Sprintf("OCSP Response not sent (ocspLastUpdated is zero) for CA=%s, Serial=%s", hex.EncodeToString(src.caKeyHash), serialString))

cmd/ocsp-responder/main_test.go

@@ -134,9 +134,9 @@ func TestErrorLog(t *testing.T) {
 	test.AssertNotError(t, err, "Failed to parse OCSP request")
 
 	_, _, err = src.Response(ocspReq)
-	test.AssertEquals(t, err, cfocsp.ErrNotFound)
+	test.AssertEquals(t, err.Error(), "Failure!")
 
-	test.AssertEquals(t, len(mockLog.GetAllMatching("Failed to retrieve response from certificateStatus table")), 1)
+	test.AssertEquals(t, len(mockLog.GetAllMatching("Looking up OCSP response")), 1)
 }
 
 func mustRead(path string) []byte {

cmd/ocsp-updater/main_test.go

@@ -21,6 +21,7 @@ import (
 	blog "github.com/letsencrypt/boulder/log"
 	"github.com/letsencrypt/boulder/metrics"
 	"github.com/letsencrypt/boulder/publisher/mock_publisher"
+	pubpb "github.com/letsencrypt/boulder/publisher/proto"
 	"github.com/letsencrypt/boulder/revocation"
 	"github.com/letsencrypt/boulder/sa"
 	"github.com/letsencrypt/boulder/sa/satest"
@@ -109,6 +110,10 @@ func (p *mockPub) SubmitToSingleCT(_ context.Context, _, logPublicKey string, _
 	return err
 }
 
+func (p *mockPub) SubmitToSingleCTWithResult(_ context.Context, _ *pubpb.Request) (*pubpb.Result, error) {
+	return nil, nil
+}
+
 var log = blog.UseMock()
 
 const (

core/interfaces.go

@@ -11,6 +11,7 @@ import (
 
 	caPB "github.com/letsencrypt/boulder/ca/proto"
 	corepb "github.com/letsencrypt/boulder/core/proto"
+	pubpb "github.com/letsencrypt/boulder/publisher/proto"
 	rapb "github.com/letsencrypt/boulder/ra/proto"
 	"github.com/letsencrypt/boulder/revocation"
 	sapb "github.com/letsencrypt/boulder/sa/proto"
@@ -134,6 +135,7 @@ type StorageGetter interface {
 	GetOrder(ctx context.Context, req *sapb.OrderRequest) (*corepb.Order, error)
 	GetOrderForNames(ctx context.Context, req *sapb.GetOrderForNamesRequest) (*corepb.Order, error)
 	GetOrderAuthorizations(ctx context.Context, req *sapb.GetOrderAuthorizationsRequest) (map[string]*Authorization, error)
+	GetValidOrderAuthorizations(ctx context.Context, req *sapb.GetValidOrderAuthorizationsRequest) (map[string]*Authorization, error)
 	CountInvalidAuthorizations(ctx context.Context, req *sapb.CountInvalidAuthorizationsRequest) (count *sapb.Count, err error)
 	GetAuthorizations(ctx context.Context, req *sapb.GetAuthorizationsRequest) (*sapb.Authorizations, error)
 }
@@ -170,4 +172,5 @@ type StorageAuthority interface {
 type Publisher interface {
 	SubmitToCT(ctx context.Context, der []byte) error
 	SubmitToSingleCT(ctx context.Context, logURL, logPublicKey string, der []byte) error
+	SubmitToSingleCTWithResult(ctx context.Context, req *pubpb.Request) (*pubpb.Result, error)
 }

core/objects.go

@@ -591,3 +591,11 @@ type Order struct {
 	Authorizations    []Authorization
 	Status            AcmeStatus
 }
+
+// SCTDER is a convenience type that helps differentiate what the
+// underlying byte slice contains
+type SCTDER []byte
+
+// CertDER is a convenience type that helps differentiate what the
+// underlying byte slice contains
+type CertDER []byte

ctpolicy/ctpolicy.go

@@ -0,0 +1,108 @@
+package ctpolicy
+
+import (
+	"context"
+	"errors"
+	"fmt"
+
+	"github.com/letsencrypt/boulder/cmd"
+	"github.com/letsencrypt/boulder/core"
+	blog "github.com/letsencrypt/boulder/log"
+	pubpb "github.com/letsencrypt/boulder/publisher/proto"
+)
+
+// CTPolicy is used to hold information about SCTs required from various
+// groupings
+type CTPolicy struct {
+	pub    core.Publisher
+	groups [][]cmd.LogDescription
+	log    blog.Logger
+}
+
+// New creates a new CTPolicy struct
+func New(pub core.Publisher, groups [][]cmd.LogDescription, log blog.Logger) *CTPolicy {
+	return &CTPolicy{
+		pub:    pub,
+		groups: groups,
+		log:    log,
+	}
+}
+
+type result struct {
+	sct core.SCTDER
+	err error
+}
+
+// race submits an SCT to each log in a group and waits for the first response back,
+// once it has the first SCT it cancels all of the other submissions and returns.
+// It allows up to len(group)-1 of the submissions to fail as we only care about
+// getting a single SCT.
+func (ctp *CTPolicy) race(ctx context.Context, cert core.CertDER, group []cmd.LogDescription) (core.SCTDER, error) {
+	results := make(chan result, len(group))
+	subCtx, cancel := context.WithCancel(ctx)
+	defer cancel()
+	for _, l := range group {
+		go func(l cmd.LogDescription) {
+			sct, err := ctp.pub.SubmitToSingleCTWithResult(subCtx, &pubpb.Request{
+				LogURL:       &l.URI,
+				LogPublicKey: &l.Key,
+				Der:          cert,
+			})
+			if err != nil {
+				// Only log the error if it is not a result of canceling subCtx
+				if err != context.Canceled {
+					ctp.log.Warning(fmt.Sprintf("ct submission to %q failed: %s", l.URI, err))
+				}
+				results <- result{err: err}
+				return
+			}
+			results <- result{sct: sct.Sct}
+		}(l)
+	}
+
+	for i := 0; i < len(group); i++ {
+		select {
+		case <-ctx.Done():
+			return nil, ctx.Err()
+		case res := <-results:
+			if res.sct != nil {
+				// Return the very first SCT we get back and cancel any other
+				// in progress work.
+				cancel()
+				return res.sct, nil
+			}
+			// We will continue waiting for an SCT until we've seen the same number
+			// of errors as there are logs in the group as we may still get a SCT
+			// back from another log.
+		}
+	}
+	return nil, errors.New("all submissions for group failed")
+}
+
+// GetSCTs attempts to retrieve a SCT from each configured grouping of logs and returns
+// the set of SCTs to the caller.
+func (ctp *CTPolicy) GetSCTs(ctx context.Context, cert core.CertDER) ([]core.SCTDER, error) {
+	results := make(chan result, len(ctp.groups))
+	subCtx, cancel := context.WithCancel(ctx)
+	defer cancel()
+	for _, g := range ctp.groups {
+		go func(g []cmd.LogDescription) {
+			sct, err := ctp.race(subCtx, cert, g)
+			// Only one of these will be non-nil
+			results <- result{sct: sct, err: err}
+		}(g)
+	}
+
+	var ret []core.SCTDER
+	for i := 0; i < len(ctp.groups); i++ {
+		res := <-results
+		// If any one group fails to get a SCT then we fail out immediately
+		// cancel any other in progress work as we can't continue
+		if res.err != nil {
+			cancel()
+			return nil, res.err
+		}
+		ret = append(ret, res.sct)
+	}
+	return ret, nil
+}

ctpolicy/ctpolicy_test.go

@@ -0,0 +1,109 @@
+package ctpolicy
+
+import (
+	"context"
+	"errors"
+	"testing"
+	"time"
+
+	"github.com/letsencrypt/boulder/cmd"
+	"github.com/letsencrypt/boulder/core"
+	blog "github.com/letsencrypt/boulder/log"
+	pubpb "github.com/letsencrypt/boulder/publisher/proto"
+	"github.com/letsencrypt/boulder/test"
+)
+
+type mockPub struct {
+}
+
+func (mp *mockPub) SubmitToCT(ctx context.Context, der []byte) error {
+	return nil
+}
+func (mp *mockPub) SubmitToSingleCT(ctx context.Context, logURL, logPublicKey string, der []byte) error {
+	return nil
+}
+func (mp *mockPub) SubmitToSingleCTWithResult(_ context.Context, _ *pubpb.Request) (*pubpb.Result, error) {
+	return &pubpb.Result{Sct: []byte{0}}, nil
+}
+
+type alwaysFail struct {
+	mockPub
+}
+
+func (mp *alwaysFail) SubmitToSingleCTWithResult(_ context.Context, _ *pubpb.Request) (*pubpb.Result, error) {
+	return nil, errors.New("BAD")
+}
+
+func TestGetSCTs(t *testing.T) {
+	expired, cancel := context.WithDeadline(context.Background(), time.Now())
+	defer cancel()
+	testCases := []struct {
+		name   string
+		mock   core.Publisher
+		groups [][]cmd.LogDescription
+		ctx    context.Context
+		result []core.SCTDER
+		err    error
+	}{
+		{
+			name: "basic success case",
+			mock: &mockPub{},
+			groups: [][]cmd.LogDescription{
+				{
+					{URI: "abc", Key: "def"},
+					{URI: "ghi", Key: "jkl"},
+				},
+				{
+					{URI: "abc", Key: "def"},
+					{URI: "ghi", Key: "jkl"},
+				},
+			},
+			ctx:    context.Background(),
+			result: []core.SCTDER{[]byte{0}, []byte{0}},
+		},
+		{
+			name: "basic failure case",
+			mock: &alwaysFail{},
+			groups: [][]cmd.LogDescription{
+				{
+					{URI: "abc", Key: "def"},
+					{URI: "ghi", Key: "jkl"},
+				},
+				{
+					{URI: "abc", Key: "def"},
+					{URI: "ghi", Key: "jkl"},
+				},
+			},
+			ctx: context.Background(),
+			err: errors.New("all submissions for group failed"),
+		},
+		{
+			name: "parent context timeout failure case",
+			mock: &alwaysFail{},
+			groups: [][]cmd.LogDescription{
+				{
+					{URI: "abc", Key: "def"},
+					{URI: "ghi", Key: "jkl"},
+				},
+				{
+					{URI: "abc", Key: "def"},
+					{URI: "ghi", Key: "jkl"},
+				},
+			},
+			ctx: expired,
+			err: context.DeadlineExceeded,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			ctp := New(tc.mock, tc.groups, blog.NewMock())
+			ret, err := ctp.GetSCTs(tc.ctx, []byte{0})
+			if tc.result != nil {
+				test.AssertDeepEquals(t, ret, tc.result)
+			} else if tc.err != nil {
+				test.AssertDeepEquals(t, err, tc.err)
+			}
+		})
+	}
+}