https-github-com-bit
diff --git a/‎ca/ca.go‎
Lines changed: 49 additions & 72 deletions b/‎ca/ca.go‎
Lines changed: 49 additions & 72 deletions
diff --git a/‎ca/ca_test.go‎
Lines changed: 24 additions & 21 deletions b/‎ca/ca_test.go‎
Lines changed: 24 additions & 21 deletions
@@ -7,7 +7,6 @@ import (
 	"crypto/ecdsa"
 	"crypto/rand"
 	"crypto/rsa"
-	"crypto/sha256"
 	"crypto/x509"
 	"encoding/asn1"
 	"encoding/hex"
@@ -37,8 +36,8 @@ import (
 	corepb "github.com/letsencrypt/boulder/core/proto"
 	csrlib "github.com/letsencrypt/boulder/csr"
 	berrors "github.com/letsencrypt/boulder/errors"
-	"github.com/letsencrypt/boulder/features"
 	"github.com/letsencrypt/boulder/goodkey"
+	"github.com/letsencrypt/boulder/issuercerts"
 	blog "github.com/letsencrypt/boulder/log"
 	sapb "github.com/letsencrypt/boulder/sa/proto"
 )
@@ -116,11 +115,9 @@ const (
 type CertificateAuthorityImpl struct {
 	rsaProfile   string
 	ecdsaProfile string
-	// A map from issuer cert common name to an internalIssuer struct
-	issuers map[string]*internalIssuer
 	// A map from issuer ID to internalIssuer
-	idToIssuer map[int64]*internalIssuer
-	// The common name of the default issuer cert
+	idToIssuer map[issuercerts.ID]*internalIssuer
+	// The issuer that will be used for issuance (as opposed to OCSP signing)
 	defaultIssuer      *internalIssuer
 	sa                 certificateStorage
 	pa                 core.PolicyAuthority
@@ -166,11 +163,12 @@ func makeInternalIssuers(
 	issuers []Issuer,
 	policy *cfsslConfig.Signing,
 	lifespanOCSP time.Duration,
-) (map[string]*internalIssuer, error) {
+) (map[issuercerts.ID]*internalIssuer, error) {
 	if len(issuers) == 0 {
 		return nil, errors.New("No issuers specified.")
 	}
-	internalIssuers := make(map[string]*internalIssuer)
+	internalIssuers := make(map[issuercerts.ID]*internalIssuer)
+	cns := make(map[string]bool)
 	for _, iss := range issuers {
 		if iss.Cert == nil || iss.Signer == nil {
 			return nil, errors.New("Issuer with nil cert or signer specified.")
@@ -181,10 +179,11 @@ func makeInternalIssuers(
 		}
 
 		cn := iss.Cert.Subject.CommonName
-		if internalIssuers[cn] != nil {
+		if cns[cn] {
 			return nil, errors.New("Multiple issuer certs with the same CommonName are not supported")
 		}
-		internalIssuers[cn] = &internalIssuer{
+		id := issuercerts.FromCert(iss.Cert).ID()
+		internalIssuers[id] = &internalIssuer{
 			cert:       iss.Cert,
 			eeSigner:   eeSigner,
 			ocspSigner: iss.Signer,
@@ -193,16 +192,8 @@ func makeInternalIssuers(
 	return internalIssuers, nil
 }
 
-// idForIssuer generates a stable ID for an issuer certificate. This
-// is used for identifying which issuer issued a certificate in the
-// certificateStatus table.
-func idForIssuer(cert *x509.Certificate) int64 {
-	h := sha256.Sum256(cert.Raw)
-	return big.NewInt(0).SetBytes(h[:4]).Int64()
-}
-
 // NewCertificateAuthorityImpl creates a CA instance that can sign certificates
-// from a single issuer (the first first in the issuers slice), and can sign OCSP
+// from a single issuer (the first in the issuers slice), and can sign OCSP
 // for any of the issuer certificates provided.
 func NewCertificateAuthorityImpl(
 	config ca_config.CAConfig,
@@ -251,7 +242,7 @@ func NewCertificateAuthorityImpl(
 	if err != nil {
 		return nil, err
 	}
-	defaultIssuer := internalIssuers[issuers[0].Cert.Subject.CommonName]
+	defaultIssuer := internalIssuers[issuercerts.FromCert(issuers[0].Cert).ID()]
 
 	rsaProfile := config.RSAProfile
 	ecdsaProfile := config.ECDSAProfile
@@ -301,7 +292,6 @@ func NewCertificateAuthorityImpl(
 	ca = &CertificateAuthorityImpl{
 		sa:                 sa,
 		pa:                 pa,
-		issuers:            internalIssuers,
 		defaultIssuer:      defaultIssuer,
 		rsaProfile:         rsaProfile,
 		ecdsaProfile:       ecdsaProfile,
@@ -319,9 +309,9 @@ func NewCertificateAuthorityImpl(
 		signErrorCounter:   signErrorCounter,
 	}
 
-	ca.idToIssuer = make(map[int64]*internalIssuer)
-	for _, ii := range ca.issuers {
-		id := idForIssuer(ii.cert)
+	ca.idToIssuer = make(map[issuercerts.ID]*internalIssuer)
+	for _, ii := range internalIssuers {
+		id := issuercerts.FromCert(ii.cert).ID()
 		ca.idToIssuer[id] = ii
 	}
 
@@ -433,48 +423,33 @@ var ocspStatusToCode = map[string]int{
 func (ca *CertificateAuthorityImpl) GenerateOCSP(ctx context.Context, req *caPB.GenerateOCSPRequest) (*caPB.OCSPResponse, error) {
 	var issuer *internalIssuer
 	var serial *big.Int
+	if req.IssuerID == nil {
+		return nil, fmt.Errorf("no issuerID provided")
+	}
+	if req.Serial == nil {
+		return nil, fmt.Errorf("no serial provided")
+	}
 	// Once the feature is enabled we need to support both RPCs that include
 	// IssuerID and those that don't as we still need to be able to update rows
 	// that didn't have an IssuerID set when they were created. Once this feature
 	// has been enabled for a full OCSP lifetime cycle we can remove this
 	// functionality.
-	if features.Enabled(features.StoreIssuerInfo) && req.IssuerID != nil {
-		serialInt, err := core.StringToSerial(*req.Serial)
-		if err != nil {
-			return nil, err
-		}
-		serial = serialInt
-		var ok bool
-		issuer, ok = ca.idToIssuer[*req.IssuerID]
-		if !ok {
-			return nil, fmt.Errorf("This CA doesn't have an issuer cert with ID %d", *req.IssuerID)
-		}
-		exists, err := ca.sa.SerialExists(ctx, &sapb.Serial{Serial: req.Serial})
-		if err != nil {
-			return nil, err
-		}
-		if !*exists.Exists {
-			return nil, fmt.Errorf("GenerateOCSP was asked to sign OCSP for certification with unknown serial %q", *req.Serial)
-		}
-	} else {
-		cert, err := x509.ParseCertificate(req.CertDER)
-		if err != nil {
-			ca.log.AuditErr(err.Error())
-			return nil, err
-		}
-
-		serial = cert.SerialNumber
-		cn := cert.Issuer.CommonName
-		issuer = ca.issuers[cn]
-		if issuer == nil {
-			return nil, fmt.Errorf("This CA doesn't have an issuer cert with CommonName %q", cn)
-		}
-		err = cert.CheckSignatureFrom(issuer.cert)
-		if err != nil {
-			return nil, fmt.Errorf("GenerateOCSP was asked to sign OCSP for cert "+
-				"%s from %q, but the cert's signature was not valid: %s.",
-				core.SerialToString(cert.SerialNumber), cn, err)
-		}
+	serialInt, err := core.StringToSerial(*req.Serial)
+	if err != nil {
+		return nil, err
+	}
+	serial = serialInt
+	var ok bool
+	issuer, ok = ca.idToIssuer[issuercerts.ID(*req.IssuerID)]
+	if !ok {
+		return nil, fmt.Errorf("This CA doesn't have an issuer cert with ID %d", *req.IssuerID)
+	}
+	exists, err := ca.sa.SerialExists(ctx, &sapb.Serial{Serial: req.Serial})
+	if err != nil {
+		return nil, err
+	}
+	if !*exists.Exists {
+		return nil, fmt.Errorf("GenerateOCSP was asked to sign OCSP for certification with unknown serial %q", *req.Serial)
 	}
 
 	now := ca.clk.Now().Truncate(time.Hour)
@@ -523,10 +498,16 @@ func (ca *CertificateAuthorityImpl) IssuePrecertificate(ctx context.Context, iss
 		return nil, err
 	}
 
+	// we currently only use one issuer, in the future when we support multiple
+	// the issuer will need to be derived from issueReq
+	issuerID := int64(issuercerts.FromCert(ca.defaultIssuer.cert).ID())
+
 	status := string(core.OCSPStatusGood)
 	ocspResp, err := ca.GenerateOCSP(ctx, &caPB.GenerateOCSPRequest{
-		CertDER: precertDER,
-		Status:  &status,
+		Serial:   &serialHex,
+		CertDER:  precertDER,
+		Status:   &status,
+		IssuerID: &issuerID,
 	})
 	if err != nil {
 		err = berrors.InternalServerError(err.Error())
@@ -535,17 +516,13 @@ func (ca *CertificateAuthorityImpl) IssuePrecertificate(ctx context.Context, iss
 	}
 
 	req := &sapb.AddCertificateRequest{
-		Der:    precertDER,
-		RegID:  &regID,
-		Ocsp:   ocspResp.Response,
-		Issued: &nowNanos,
+		Der:      precertDER,
+		RegID:    &regID,
+		Ocsp:     ocspResp.Response,
+		Issued:   &nowNanos,
+		IssuerID: &issuerID,
 	}
 
-	// we currently only use one issuer, in the future when we support multiple
-	// the issuer will need to be derived from issueReq
-	issuerID := idForIssuer(ca.defaultIssuer.cert)
-	req.IssuerID = &issuerID
-
 	_, err = ca.sa.AddPrecertificate(ctx, req)
 	if err != nil {
 		ca.orphanCount.With(prometheus.Labels{"type": "precert"}).Inc()
 
@@ -39,6 +39,7 @@ import (
 	berrors "github.com/letsencrypt/boulder/errors"
 	"github.com/letsencrypt/boulder/features"
 	"github.com/letsencrypt/boulder/goodkey"
+	"github.com/letsencrypt/boulder/issuercerts"
 	blog "github.com/letsencrypt/boulder/log"
 	"github.com/letsencrypt/boulder/metrics"
 	"github.com/letsencrypt/boulder/policy"
@@ -492,10 +493,16 @@ func TestOCSP(t *testing.T) {
 	test.AssertNotError(t, err, "Failed to issue")
 	parsedCert, err := x509.ParseCertificate(cert.DER)
 	test.AssertNotError(t, err, "Failed to parse cert")
+
+	caCertIssuerID := int64(issuercerts.FromCert(caCert).ID())
+	serial := core.SerialToString(parsedCert.SerialNumber)
 	status := string(core.OCSPStatusGood)
+
 	ocspResp, err := ca.GenerateOCSP(ctx, &caPB.GenerateOCSPRequest{
-		CertDER: cert.DER,
-		Status:  &status,
+		IssuerID: &caCertIssuerID,
+		Serial:   &serial,
+		CertDER:  cert.DER,
+		Status:   &status,
 	})
 	test.AssertNotError(t, err, "Failed to generate OCSP")
 	parsed, err := ocsp.ParseResponse(ocspResp.Response, caCert)
@@ -504,13 +511,6 @@ func TestOCSP(t *testing.T) {
 	test.AssertEquals(t, parsed.RevocationReason, 0)
 	test.AssertEquals(t, parsed.SerialNumber.Cmp(parsedCert.SerialNumber), 0)
 
-	// Test that signatures are checked.
-	_, err = ca.GenerateOCSP(ctx, &caPB.GenerateOCSPRequest{
-		CertDER: append(cert.DER, byte(0)),
-		Status:  &status,
-	})
-	test.AssertError(t, err, "Generated OCSP for cert with bad signature")
-
 	// Load multiple issuers, including the old issuer, and ensure OCSP is still
 	// signed correctly.
 	newIssuerCert, err := core.LoadCert("../test/test-ca2.pem")
@@ -543,14 +543,16 @@ func TestOCSP(t *testing.T) {
 	parsedNewCert, err := x509.ParseCertificate(newCert.DER)
 	test.AssertNotError(t, err, "Failed to parse newCert")
 
-	err = parsedNewCert.CheckSignatureFrom(newIssuerCert)
-	t.Logf("check sig: %s", err)
+	newIssuerID := int64(issuercerts.FromCert(newIssuers[0].Cert).ID())
+	newSerial := core.SerialToString(parsedNewCert.SerialNumber)
 
 	// ocspResp2 is a second OCSP response for `cert` (issued by caCert), and
 	// should be signed by caCert.
 	ocspResp2, err := ca.GenerateOCSP(ctx, &caPB.GenerateOCSPRequest{
-		CertDER: append([]byte(nil), cert.DER...),
-		Status:  &status,
+		IssuerID: &newIssuerID,
+		Serial:   &newSerial,
+		CertDER:  append([]byte(nil), cert.DER...),
+		Status:   &status,
 	})
 	test.AssertNotError(t, err, "Failed to sign second OCSP response")
 	_, err = ocsp.ParseResponse(ocspResp2.Response, caCert)
@@ -559,8 +561,10 @@ func TestOCSP(t *testing.T) {
 	// newCertOcspResp is an OCSP response for `newCert` (issued by newIssuer),
 	// and should be signed by newIssuer.
 	newCertOcspResp, err := ca.GenerateOCSP(ctx, &caPB.GenerateOCSPRequest{
-		CertDER: newCert.DER,
-		Status:  &status,
+		IssuerID: &newIssuerID,
+		Serial:   &newSerial,
+		CertDER:  newCert.DER,
+		Status:   &status,
 	})
 	test.AssertNotError(t, err, "Failed to generate OCSP")
 	parsedNewCertOcspResp, err := ocsp.ParseResponse(newCertOcspResp.Response, newIssuerCert)
@@ -1253,7 +1257,6 @@ func TestIssuePrecertificateLinting(t *testing.T) {
 func TestGenerateOCSPWithIssuerID(t *testing.T) {
 	testCtx := setup(t)
 	sa := &mockSA{}
-	_ = features.Set(map[string]bool{"StoreIssuerInfo": true})
 	ca, err := NewCertificateAuthorityImpl(
 		testCtx.caConfig,
 		sa,
@@ -1266,7 +1269,7 @@ func TestGenerateOCSPWithIssuerID(t *testing.T) {
 		nil)
 	test.AssertNotError(t, err, "Failed to create CA")
 
-	// GenerateOCSP with feature enabled + req contains bad IssuerID
+	// req contains bad IssuerID
 	issuerID := int64(666)
 	serial := "DEADDEADDEADDEADDEADDEADDEADDEADDEAD"
 	status := string(core.OCSPStatusGood)
@@ -1277,22 +1280,22 @@ func TestGenerateOCSPWithIssuerID(t *testing.T) {
 	})
 	test.AssertError(t, err, "GenerateOCSP didn't fail with invalid IssuerID")
 
-	// GenerateOCSP with feature enabled + req contains good IssuerID
-	issuerID = idForIssuer(ca.defaultIssuer.cert)
+	// req contains good IssuerID
+	issuerID = int64(issuercerts.FromCert(ca.defaultIssuer.cert).ID())
 	_, err = ca.GenerateOCSP(context.Background(), &caPB.GenerateOCSPRequest{
 		IssuerID: &issuerID,
 		Serial:   &serial,
 		Status:   &status,
 	})
 	test.AssertNotError(t, err, "GenerateOCSP failed")
 
-	// GenerateOCSP with feature enabled + req doesn't contain IssuerID
+	// req doesn't contain IssuerID or Serial
 	issueReq := caPB.IssueCertificateRequest{Csr: CNandSANCSR, RegistrationID: &arbitraryRegID}
 	cert, err := ca.IssuePrecertificate(ctx, &issueReq)
 	test.AssertNotError(t, err, "Failed to issue")
 	_, err = ca.GenerateOCSP(context.Background(), &caPB.GenerateOCSPRequest{
 		CertDER: cert.DER,
 		Status:  &status,
 	})
-	test.AssertNotError(t, err, "GenerateOCSP failed")
+	test.AssertError(t, err, "Expected error from GenerateOCSP")
 }