Merge branch 'main' of github.com:letsencrypt/boulder into revert-rat…

…elimit-500
letsencrypt · Dec 20, 2024 · 8a293fc · 8a293fc
2 parents ec5776b + 6402a22
commit 8a293fc
Show file tree

Hide file tree

Showing 434 changed files with 5,079 additions and 2,255 deletions.
diff --git a/Makefile b/Makefile
@@ -6,9 +6,8 @@ VERSION ?= 1.0.0
 EPOCH ?= 1
 MAINTAINER ?= "Community"
 
-CMDS = $(shell find ./cmd -maxdepth 1 -mindepth 1 -type d | grep -v testdata)
-CMD_BASENAMES = $(shell echo $(CMDS) | xargs -n1 basename)
-CMD_BINS = $(addprefix bin/, $(CMD_BASENAMES) )
+CMDS = admin boulder ceremony ct-test-srv
+CMD_BINS = $(addprefix bin/, $(CMDS) )
 OBJECTS = $(CMD_BINS)
 
 # Build environment variables (referencing core/util.go)
@@ -25,7 +24,7 @@ BUILD_TIME_VAR = github.com/letsencrypt/boulder/core.BuildTime
 
 GO_BUILD_FLAGS = -ldflags "-X \"$(BUILD_ID_VAR)=$(BUILD_ID)\" -X \"$(BUILD_TIME_VAR)=$(BUILD_TIME)\" -X \"$(BUILD_HOST_VAR)=$(BUILD_HOST)\""
 
-.PHONY: all build build_cmds rpm deb tar
+.PHONY: all build build_cmds deb tar
 all: build
 
 build: $(OBJECTS)
@@ -38,24 +37,13 @@ $(CMD_BINS): build_cmds
 build_cmds: | $(OBJDIR)
 	echo $(OBJECTS)
 	GOBIN=$(OBJDIR) GO111MODULE=on go install -mod=vendor $(GO_BUILD_FLAGS) ./...
-	./link.sh
 
-# Building an RPM requires `fpm` from https://github.com/jordansissel/fpm
+# Building a .deb requires `fpm` from https://github.com/jordansissel/fpm
 # which you can install with `gem install fpm`.
 # It is recommended that maintainers use environment overrides to specify
 # Version and Epoch, such as:
 #
-# VERSION=0.1.9 EPOCH=52 MAINTAINER="$(whoami)" ARCHIVEDIR=/tmp make build rpm
-rpm: build
-	fpm -f -s dir -t rpm --rpm-digest sha256 --name "boulder" \
-		--license "Mozilla Public License v2.0" --vendor "ISRG" \
-		--url "https://github.com/letsencrypt/boulder" --prefix=/opt/boulder \
-		--version "$(VERSION)" --iteration "$(COMMIT_ID)" --epoch "$(EPOCH)" \
-		--package "$(ARCHIVEDIR)/boulder-$(VERSION)-$(COMMIT_ID).x86_64.rpm" \
-		--description "Boulder is an ACME-compatible X.509 Certificate Authority" \
-		--maintainer "$(MAINTAINER)" \
-		test/config/ sa/db data/ $(OBJECTS)
-
+# VERSION=0.1.9 EPOCH=52 MAINTAINER="$(whoami)" ARCHIVEDIR=/tmp make build deb
 deb: build
 	fpm -f -s dir -t deb --name "boulder" \
 		--license "Mozilla Public License v2.0" --vendor "ISRG" \
@@ -64,10 +52,10 @@ deb: build
 		--package "$(ARCHIVEDIR)/boulder-$(VERSION)-$(COMMIT_ID).x86_64.deb" \
 		--description "Boulder is an ACME-compatible X.509 Certificate Authority" \
 		--maintainer "$(MAINTAINER)" \
-		test/config/ sa/db data/ $(OBJECTS) bin/ct-test-srv
+		test/config/ sa/db data/ $(OBJECTS)
 
 tar: build
 	fpm -f -s dir -t tar --name "boulder" --prefix=/opt/boulder \
 		--package "$(ARCHIVEDIR)/boulder-$(VERSION)-$(COMMIT_ID).amd64.tar" \
-		test/config/ sa/db data/ $(OBJECTS) bin/ct-test-srv
+		test/config/ sa/db data/ $(OBJECTS)
 	gzip -f "$(ARCHIVEDIR)/boulder-$(VERSION)-$(COMMIT_ID).amd64.tar"
diff --git a/cmd/boulder-ra/main.go b/cmd/boulder-ra/main.go
@@ -273,7 +273,7 @@ func main() {
 		source := ratelimits.NewRedisSource(limiterRedis.Ring, clk, scope)
 		limiter, err = ratelimits.NewLimiter(clk, source, scope)
 		cmd.FailOnError(err, "Failed to create rate limiter")
-		txnBuilder, err = ratelimits.NewTransactionBuilder(c.RA.Limiter.Defaults, c.RA.Limiter.Overrides)
+		txnBuilder, err = ratelimits.NewTransactionBuilderFromFiles(c.RA.Limiter.Defaults, c.RA.Limiter.Overrides)
 		cmd.FailOnError(err, "Failed to create rate limits transaction builder")
 	}
 

diff --git a/cmd/boulder-wfe2/main.go b/cmd/boulder-wfe2/main.go
@@ -365,7 +365,7 @@ func main() {
 		source := ratelimits.NewRedisSource(limiterRedis.Ring, clk, stats)
 		limiter, err = ratelimits.NewLimiter(clk, source, stats)
 		cmd.FailOnError(err, "Failed to create rate limiter")
-		txnBuilder, err = ratelimits.NewTransactionBuilder(c.WFE.Limiter.Defaults, c.WFE.Limiter.Overrides)
+		txnBuilder, err = ratelimits.NewTransactionBuilderFromFiles(c.WFE.Limiter.Defaults, c.WFE.Limiter.Overrides)
 		cmd.FailOnError(err, "Failed to create rate limits transaction builder")
 	}
 

diff --git a/cmd/boulder/main.go b/cmd/boulder/main.go
@@ -85,37 +85,31 @@ var boulderUsage = fmt.Sprintf(`Usage: %s <subcommand> [flags]
 
 func main() {
 	defer cmd.AuditPanic()
-	var command string
-	if core.Command() == "boulder" {
-		// Operator passed the boulder component as a subcommand.
-		if len(os.Args) <= 1 {
-			// No arguments passed.
-			fmt.Fprint(os.Stderr, boulderUsage)
-			return
-		}
 
-		if os.Args[1] == "--help" || os.Args[1] == "-help" {
-			// Help flag passed.
-			fmt.Fprint(os.Stderr, boulderUsage)
-			return
-		}
+	if len(os.Args) <= 1 {
+		// No arguments passed.
+		fmt.Fprint(os.Stderr, boulderUsage)
+		return
+	}
 
-		if os.Args[1] == "--list" || os.Args[1] == "-list" {
-			// List flag passed.
-			for _, c := range cmd.AvailableCommands() {
-				fmt.Println(c)
-			}
-			return
-		}
-		command = os.Args[1]
+	if os.Args[1] == "--help" || os.Args[1] == "-help" {
+		// Help flag passed.
+		fmt.Fprint(os.Stderr, boulderUsage)
+		return
+	}
 
-		// Remove the subcommand from the arguments.
-		os.Args = os.Args[1:]
-	} else {
-		// Operator ran a boulder component using a symlink.
-		command = core.Command()
+	if os.Args[1] == "--list" || os.Args[1] == "-list" {
+		// List flag passed.
+		for _, c := range cmd.AvailableCommands() {
+			fmt.Println(c)
+		}
+		return
 	}
 
+	// Remove the subcommand from the arguments.
+	command := os.Args[1]
+	os.Args = os.Args[1:]
+
 	config := getConfigPath()
 	if config != "" {
 		// Config flag passed.

diff --git a/cmd/cert-checker/main_test.go b/cmd/cert-checker/main_test.go
@@ -631,11 +631,11 @@ func TestIgnoredLint(t *testing.T) {
 		Expires: subjectCert.NotAfter,
 	}
 
-	// Without any ignored lints we expect one error level result due to the
-	// missing OCSP url in the template.
+	// Without any ignored lints we expect several errors and warnings about SCTs,
+	// the common name, and the subject key identifier extension.
 	expectedProblems := []string{
-		"zlint error: e_sub_cert_aia_does_not_contain_ocsp_url",
 		"zlint warn: w_subject_common_name_included",
+		"zlint warn: w_ext_subject_key_identifier_not_recommended_subscriber",
 		"zlint info: w_ct_sct_policy_count_unsatisfied Certificate had 0 embedded SCTs. Browser policy may require 2 for this certificate.",
 		"zlint error: e_scts_from_same_operator Certificate had too few embedded SCTs; browser policy requires 2.",
 	}
@@ -650,10 +650,10 @@ func TestIgnoredLint(t *testing.T) {
 	// Check the certificate again with an ignore map that excludes the affected
 	// lints. This should return no problems.
 	_, problems = checker.checkCert(context.Background(), cert, map[string]bool{
-		"e_sub_cert_aia_does_not_contain_ocsp_url": true,
-		"w_subject_common_name_included":           true,
-		"w_ct_sct_policy_count_unsatisfied":        true,
-		"e_scts_from_same_operator":                true,
+		"w_subject_common_name_included":                          true,
+		"w_ext_subject_key_identifier_not_recommended_subscriber": true,
+		"w_ct_sct_policy_count_unsatisfied":                       true,
+		"e_scts_from_same_operator":                               true,
 	})
 	test.AssertEquals(t, len(problems), 0)
 }

diff --git a/go.mod b/go.mod
@@ -29,7 +29,7 @@ require (
 	github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399
 	github.com/weppos/publicsuffix-go v0.40.3-0.20240815124645-a8ed110559c9
 	github.com/zmap/zcrypto v0.0.0-20231219022726-a1f61fb1661c
-	github.com/zmap/zlint/v3 v3.6.0
+	github.com/zmap/zlint/v3 v3.6.4
 	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.55.0
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.55.0
 	go.opentelemetry.io/otel v1.30.0

diff --git a/go.sum b/go.sum
@@ -267,8 +267,8 @@ github.com/zmap/zcrypto v0.0.0-20201211161100-e54a5822fb7e/go.mod h1:aPM7r+JOkfL
 github.com/zmap/zcrypto v0.0.0-20231219022726-a1f61fb1661c h1:U1b4THKcgOpJ+kILupuznNwPiURtwVW3e9alJvji9+s=
 github.com/zmap/zcrypto v0.0.0-20231219022726-a1f61fb1661c/go.mod h1:GSDpFDD4TASObxvfZfvpZZ3OWHIUHMlhVWlkOe4ewVk=
 github.com/zmap/zlint/v3 v3.0.0/go.mod h1:paGwFySdHIBEMJ61YjoqT4h7Ge+fdYG4sUQhnTb1lJ8=
-github.com/zmap/zlint/v3 v3.6.0 h1:vTEaDRtYN0d/1Ax60T+ypvbLQUHwHxbvYRnUMVr35ug=
-github.com/zmap/zlint/v3 v3.6.0/go.mod h1:NVgiIWssgzp0bNl8P4Gz94NHV2ep/4Jyj9V69uTmZyg=
+github.com/zmap/zlint/v3 v3.6.4 h1:r2kHfRF7mIsxW0IH4Og2iZnrlpCLTZBFjnXy1x/ZnZI=
+github.com/zmap/zlint/v3 v3.6.4/go.mod h1:KQLVUquVaO5YJDl5a4k/7RPIbIW2v66+sRoBPNZusI8=
 go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.55.0 h1:hCq2hNMwsegUvPzI7sPOvtO9cqyy5GbWt/Ybp2xrx8Q=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.55.0/go.mod h1:LqaApwGx/oUmzsbqxkzuBvyoPpkxk3JQWnqfVrJ3wCA=

diff --git a/issuance/cert.go b/issuance/cert.go
@@ -105,18 +105,7 @@ func NewProfile(profileConfig *ProfileConfig) (*Profile, error) {
 		return nil, fmt.Errorf("validity period %q is too large", profileConfig.MaxValidityPeriod.Duration)
 	}
 
-	// TODO(#7756): These lint names don't yet exist in our current zlint v3.6.0 but exist in v3.6.2.
-	// In order to upgrade without throwing errors, we need to add these to our ignored lints.
-	// However, v3.6.0 will error if it sees ignored lints it doesn't recognize. Solution: filter
-	// out these specific lints. As part of the PR that updates to v3.6.2, we will remove this code.
-	var ignoredLints []string
-	for _, lintName := range profileConfig.IgnoredLints {
-		if lintName != "e_cab_dv_subject_invalid_values" && lintName != "w_ext_subject_key_identifier_not_recommended_subscriber" {
-			ignoredLints = append(ignoredLints, lintName)
-		}
-	}
-
-	lints, err := linter.NewRegistry(ignoredLints)
+	lints, err := linter.NewRegistry(profileConfig.IgnoredLints)
 	cmd.FailOnError(err, "Failed to create zlint registry")
 	if profileConfig.LintConfig != "" {
 		lintconfig, err := lint.NewConfigFromFile(profileConfig.LintConfig)

diff --git a/issuance/cert_test.go b/issuance/cert_test.go
@@ -387,11 +387,7 @@ func TestIssueCommonName(t *testing.T) {
 	fc.Set(time.Now())
 
 	prof := defaultProfileConfig()
-	prof.IgnoredLints = []string{
-		"w_subject_common_name_included",
-		"w_ct_sct_policy_count_unsatisfied",
-		"e_scts_from_same_operator",
-	}
+	prof.IgnoredLints = append(prof.IgnoredLints, "w_subject_common_name_included")
 	cnProfile, err := NewProfile(prof)
 	test.AssertNotError(t, err, "NewProfile failed")
 	signer, err := newIssuer(defaultIssuerConfig(), issuerCert, issuerSigner, fc)
@@ -450,9 +446,12 @@ func TestIssueOmissions(t *testing.T) {
 	pc.OmitClientAuth = true
 	pc.OmitSKID = true
 	pc.IgnoredLints = []string{
-		"w_ext_subject_key_identifier_missing_sub_cert",
+		// Reduce the lint ignores to just the minimal (SCT-related) set.
 		"w_ct_sct_policy_count_unsatisfied",
 		"e_scts_from_same_operator",
+		// Ignore the warning about *not* including the SubjectKeyIdentifier extension:
+		// zlint has both lints (one enforcing RFC5280, the other the BRs).
+		"w_ext_subject_key_identifier_missing_sub_cert",
 	}
 	prof, err := NewProfile(pc)
 	test.AssertNotError(t, err, "building test profile")
@@ -529,7 +528,10 @@ func TestIssueSCTList(t *testing.T) {
 	test.AssertNotError(t, err, "failed to load log list")
 
 	pc := defaultProfileConfig()
-	pc.IgnoredLints = []string{}
+	pc.IgnoredLints = []string{
+		// Only ignore the SKID lint, i.e., don't ignore the "missing SCT" lints.
+		"w_ext_subject_key_identifier_not_recommended_subscriber",
+	}
 	enforceSCTsProfile, err := NewProfile(pc)
 	test.AssertNotError(t, err, "NewProfile failed")
 	signer, err := newIssuer(defaultIssuerConfig(), issuerCert, issuerSigner, fc)
@@ -754,11 +756,7 @@ func TestMismatchedProfiles(t *testing.T) {
 	test.AssertNotError(t, err, "NewIssuer failed")
 
 	pc := defaultProfileConfig()
-	pc.IgnoredLints = []string{
-		"w_subject_common_name_included",
-		"w_ct_sct_policy_count_unsatisfied",
-		"e_scts_from_same_operator",
-	}
+	pc.IgnoredLints = append(pc.IgnoredLints, "w_subject_common_name_included")
 	cnProfile, err := NewProfile(pc)
 	test.AssertNotError(t, err, "NewProfile failed")
 
@@ -782,10 +780,6 @@ func TestMismatchedProfiles(t *testing.T) {
 	// Create a new profile that differs slightly (no common name)
 	pc = defaultProfileConfig()
 	pc.AllowCommonName = false
-	pc.IgnoredLints = []string{
-		"w_ct_sct_policy_count_unsatisfied",
-		"e_scts_from_same_operator",
-	}
 	test.AssertNotError(t, err, "building test lint registry")
 	noCNProfile, err := NewProfile(pc)
 	test.AssertNotError(t, err, "NewProfile failed")

diff --git a/issuance/issuer_test.go b/issuance/issuer_test.go
@@ -28,8 +28,12 @@ func defaultProfileConfig() *ProfileConfig {
 		MaxValidityPeriod:   config.Duration{Duration: time.Hour},
 		MaxValidityBackdate: config.Duration{Duration: time.Hour},
 		IgnoredLints: []string{
+			// Ignore the two SCT lints because these tests don't get SCTs.
 			"w_ct_sct_policy_count_unsatisfied",
 			"e_scts_from_same_operator",
+			// Ignore the warning about including the SubjectKeyIdentifier extension:
+			// we include it on purpose, but plan to remove it soon.
+			"w_ext_subject_key_identifier_not_recommended_subscriber",
 		},
 	}
 }

diff --git a/link.sh b/link.sh