RA: compute CRL shard upon revocation

letsencrypt · Nov 2, 2023 · c92ba2b · c92ba2b
1 parent 1d31a22
commit c92ba2b
Show file tree

Hide file tree

Showing 8 changed files with 294 additions and 89 deletions.
diff --git a/cmd/admin-revoker/main_test.go b/cmd/admin-revoker/main_test.go
@@ -70,6 +70,7 @@ func TestRevokeSerialBatchFile(t *testing.T) {
 	}
 	err = testCtx.revoker.revokeSerialBatchFile(context.Background(), serialFile.Name(), 0, 2)
 	test.AssertNotError(t, err, "revokeBatch failed")
+	test.AssertEquals(t, len(testCtx.log.GetAllMatching("failed to revoke")), 0)
 
 	for _, e := range entries {
 		status, err := testCtx.ssa.GetCertificateStatus(context.Background(), &sapb.Serial{Serial: core.SerialToString(e.serial)})
@@ -110,6 +111,7 @@ func TestRevokeIncidentTableSerials(t *testing.T) {
 
 	err = testCtx.revoker.revokeIncidentTableSerials(ctx, "incident_foo", 0, 1)
 	test.AssertNotError(t, err, "revokeIncidentTableSerials failed")
+	test.AssertEquals(t, len(testCtx.log.GetAllMatching("failed to revoke")), 0)
 
 	// Ensure that a populated incident table results in the expected log output.
 	test.AssertNotError(t, err, "revokeIncidentTableSerials failed")
@@ -398,18 +400,31 @@ func (c testCtx) addRegistation(t *testing.T, names []string, jwk string) int64
 
 func (c testCtx) addCertificate(t *testing.T, serial *big.Int, names []string, pubKey rsa.PublicKey, regId int64) *x509.Certificate {
 	t.Helper()
+	now := time.Now()
+
 	template := &x509.Certificate{
 		SerialNumber: serial,
 		Subject:      pkix.Name{Organization: []string{"tests"}},
-		NotBefore:    time.Now(),
-		NotAfter:     time.Now().AddDate(0, 0, 1),
+		NotBefore:    now,
+		NotAfter:     now.AddDate(0, 0, 1),
 		DNSNames:     names,
 	}
 
 	rawCert, err := x509.CreateCertificate(rand.Reader, template, c.issuer.Certificate, &pubKey, c.signer)
 	test.AssertNotError(t, err, "Failed to generate test cert")
 
-	now := time.Now()
+	_, err = c.ssa.AddSerial(
+		context.Background(), &sapb.AddSerialRequest{
+			RegID:     regId,
+			Serial:    core.SerialToString(serial),
+			CreatedNS: now.UnixNano(),
+			Created:   timestamppb.New(now),
+			ExpiresNS: now.AddDate(0, 0, 1).UnixNano(),
+			Expires:   timestamppb.New(now.AddDate(0, 0, 1)),
+		},
+	)
+	test.AssertNotError(t, err, "Failed to add test serial")
+
 	_, err = c.ssa.AddPrecertificate(
 		context.Background(), &sapb.AddCertificateRequest{
 			Der:          rawCert,
@@ -488,6 +503,9 @@ func setup(t *testing.T) testCtx {
 		nil,
 		&mockPurger{},
 		[]*issuance.Certificate{issuer},
+		"http://c.boulder.test",
+		10,
+		24*time.Hour,
 	)
 	ra.SA = isa.SA{Impl: ssa}
 	ra.OCSP = &mockOCSPA{}

diff --git a/cmd/boulder-ra/main.go b/cmd/boulder-ra/main.go
@@ -90,6 +90,25 @@ type Config struct {
 		// generate OCSP URLs to purge during revocation.
 		IssuerCerts []string `validate:"min=1,dive,required"`
 
+		// CRLDPBase is the piece of the CRL Distribution Point URI which is common
+		// across all issuers and shards. It must use the http:// scheme, and must
+		// not end with a slash. Example: "http://prod.c.lencr.org".
+		// Warning: This value must exactly match the CA config.
+		// TODO(#7904): Make this mandatory once the configs are in place.
+		CRLDPBase string `validate:"omitempty,url,startswith=http://,endsnotwith=/"`
+
+		// CRLNumShards is the number of shards into which each issuer's "full and
+		// complete" CRL is split.
+		// Warning: This value must exactly match the crl-updater config.
+		// TODO(#7904): Make this mandatory once the configs are in place.
+		CRLNumShards int `validate:"omitempty,min=1"`
+
+		// CRLShardWidth is the amount of time (width on a timeline) that a single
+		// shard covers.
+		// Warning: This value must exactly match the crl-updater config.
+		// TODO(#7904): Make this mandatory once the configs are in place.
+		CRLShardWidth config.Duration `validate:"-"`
+
 		Features map[string]bool
 	}
 
@@ -244,6 +263,9 @@ func main() {
 		ctp,
 		apc,
 		issuerCerts,
+		c.RA.CRLDPBase,
+		c.RA.CRLNumShards,
+		c.RA.CRLShardWidth.Duration,
 	)
 	defer rai.DrainFinalize()
 

diff --git a/ra/proto/ra.pb.go b/ra/proto/ra.pb.go
diff --git a/ra/proto/ra.proto b/ra/proto/ra.proto
@@ -54,16 +54,18 @@ message RevokeCertByKeyRequest {
 }
 
 message AdministrativelyRevokeCertificateRequest {
-  // The `cert` field may be omitted. If it is omitted,
-  // the revocation reason (`code`) must not be keyCompromise,
-  // and purging the Akamai cache will not happen because the
-  // base URL for the certificate's OCSP server is not known.
+  // The `cert` field may be omitted. If it is omitted, the revocation reason
+  // (`code`) must not be keyCompromise, the crlShard field must be populated,
+  // and purging the Akamai cache will not happen because the base URL for the
+  // certificate's OCSP server is not known.
   bytes cert = 1;
   // The `serial` field is required.
   string serial = 4;
   int64 code = 2;
   string adminName = 3;
   bool skipBlockKey = 5;
+  // The `crlShard` field is required if the `cert` field is omitted.
+  int64 crlShard = 6;
 }
 
 message NewOrderRequest {