https-github-com-bit
diff --git a/‎ca/ca.go‎
Lines changed: 54 additions & 154 deletions b/‎ca/ca.go‎
Lines changed: 54 additions & 154 deletions
diff --git a/‎ca/ca_test.go‎
Lines changed: 63 additions & 119 deletions b/‎ca/ca_test.go‎
Lines changed: 63 additions & 119 deletions
diff --git a/‎ca/ocsp.go‎
Lines changed: 122 additions & 2 deletions b/‎ca/ocsp.go‎
Lines changed: 122 additions & 2 deletions
diff --git a/‎ca/ocsp_test.go‎
Lines changed: 87 additions & 0 deletions b/‎ca/ocsp_test.go‎
Lines changed: 87 additions & 0 deletions
diff --git a/‎ca/proto/ca.pb.go‎
Lines changed: 2 additions & 1 deletion b/‎ca/proto/ca.pb.go‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎ca/proto/ca.proto‎
Lines changed: 1 addition & 0 deletions b/‎ca/proto/ca.proto‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎cmd/boulder-ca/main.go‎
Lines changed: 51 additions & 20 deletions b/‎cmd/boulder-ca/main.go‎
Lines changed: 51 additions & 20 deletions
diff --git a/‎cmd/ocsp-updater/main.go‎
Lines changed: 1 addition & 0 deletions b/‎cmd/ocsp-updater/main.go‎
Lines changed: 1 addition & 0 deletions
@@ -1,20 +1,140 @@
 package ca
 
-// TODO(##5226): Move the GenerateOCSP service into this file too.
-
 import (
+	"context"
+	"errors"
 	"fmt"
 	"strings"
 	"sync"
 	"time"
 
 	"github.com/jmhodges/clock"
+	"github.com/miekg/pkcs11"
 	"github.com/prometheus/client_golang/prometheus"
 	"golang.org/x/crypto/ocsp"
 
+	capb "github.com/letsencrypt/boulder/ca/proto"
+	"github.com/letsencrypt/boulder/core"
+	berrors "github.com/letsencrypt/boulder/errors"
+	"github.com/letsencrypt/boulder/issuance"
 	blog "github.com/letsencrypt/boulder/log"
 )
 
+// ocspImpl provides a backing implementation for the OCSP gRPC service.
+type ocspImpl struct {
+	capb.UnimplementedOCSPGeneratorServer
+	sa certificateStorage
+	// TODO(#5152): Replace IssuerID with IssuerNameID.
+	issuers        map[issuance.IssuerID]*issuance.Issuer
+	ocspLifetime   time.Duration
+	ocspLogQueue   *ocspLogQueue
+	log            blog.Logger
+	signatureCount *prometheus.CounterVec
+	signErrorCount *prometheus.CounterVec
+	clk            clock.Clock
+}
+
+func NewOCSPImpl(
+	sa certificateStorage,
+	issuers []*issuance.Issuer,
+	ocspLifetime time.Duration,
+	ocspLogMaxLength int,
+	ocspLogPeriod time.Duration,
+	logger blog.Logger,
+	stats prometheus.Registerer,
+	signatureCount *prometheus.CounterVec,
+	signErrorCount *prometheus.CounterVec,
+	clk clock.Clock,
+) (*ocspImpl, error) {
+	issuersByID := make(map[issuance.IssuerID]*issuance.Issuer, len(issuers))
+	for _, issuer := range issuers {
+		issuersByID[issuer.ID()] = issuer
+	}
+
+	var ocspLogQueue *ocspLogQueue
+	if ocspLogMaxLength > 0 {
+		ocspLogQueue = newOCSPLogQueue(ocspLogMaxLength, ocspLogPeriod, stats, logger)
+	}
+
+	oi := &ocspImpl{
+		sa:             sa,
+		issuers:        issuersByID,
+		ocspLifetime:   ocspLifetime,
+		ocspLogQueue:   ocspLogQueue,
+		log:            logger,
+		signatureCount: signatureCount,
+		signErrorCount: signErrorCount,
+		clk:            clk,
+	}
+	return oi, nil
+}
+
+// LogOCSPLoop collects OCSP generation log events into bundles, and logs
+// them periodically.
+func (oi *ocspImpl) LogOCSPLoop() {
+	if oi.ocspLogQueue != nil {
+		oi.ocspLogQueue.loop()
+	}
+}
+
+// Stop asks this ocspImpl to shut down. It must be called after the
+// corresponding RPC service is shut down and there are no longer any inflight
+// RPCs. It will attempt to drain any logging queues (which may block), and will
+// return only when done.
+func (oi *ocspImpl) Stop() {
+	if oi.ocspLogQueue != nil {
+		oi.ocspLogQueue.stop()
+	}
+}
+
+// GenerateOCSP produces a new OCSP response and returns it
+func (oi *ocspImpl) GenerateOCSP(ctx context.Context, req *capb.GenerateOCSPRequest) (*capb.OCSPResponse, error) {
+	// req.Status, req.Reason, and req.RevokedAt are often 0, for non-revoked certs.
+	if core.IsAnyNilOrZero(req, req.Serial, req.IssuerID) {
+		return nil, berrors.InternalServerError("Incomplete generate OCSP request")
+	}
+
+	serialInt, err := core.StringToSerial(req.Serial)
+	if err != nil {
+		return nil, err
+	}
+	serial := serialInt
+
+	// TODO(#5152): Replace IssuerID with IssuerNameID.
+	var ok bool
+	issuer, ok := oi.issuers[issuance.IssuerID(req.IssuerID)]
+	if !ok {
+		return nil, fmt.Errorf("This CA doesn't have an issuer cert with ID %d", req.IssuerID)
+	}
+
+	now := oi.clk.Now().Truncate(time.Hour)
+	tbsResponse := ocsp.Response{
+		Status:       ocspStatusToCode[req.Status],
+		SerialNumber: serial,
+		ThisUpdate:   now,
+		NextUpdate:   now.Add(oi.ocspLifetime),
+	}
+	if tbsResponse.Status == ocsp.Revoked {
+		tbsResponse.RevokedAt = time.Unix(0, req.RevokedAt)
+		tbsResponse.RevocationReason = int(req.Reason)
+	}
+
+	if oi.ocspLogQueue != nil {
+		oi.ocspLogQueue.enqueue(serial.Bytes(), now, ocsp.ResponseStatus(tbsResponse.Status))
+	}
+
+	ocspResponse, err := ocsp.CreateResponse(issuer.Cert.Certificate, issuer.Cert.Certificate, tbsResponse, issuer.Signer)
+	if err == nil {
+		oi.signatureCount.With(prometheus.Labels{"purpose": "ocsp", "issuer": issuer.Name()}).Inc()
+	} else {
+		var pkcs11Error *pkcs11.Error
+		if errors.As(err, &pkcs11Error) {
+			oi.signErrorCount.WithLabelValues("HSM").Inc()
+		}
+	}
+	return &capb.OCSPResponse{Response: ocspResponse}, err
+}
+
 // ocspLogQueue accumulates OCSP logging events and writes several of them
 // in a single log line. This reduces the number of log lines and bytes,
 // which would otherwise be quite high. As of Jan 2021 we do approximately
 
@@ -1,10 +1,14 @@
 package ca
 
 import (
+	"context"
+	"crypto/x509"
 	"encoding/hex"
 	"testing"
 	"time"
 
+	capb "github.com/letsencrypt/boulder/ca/proto"
+	"github.com/letsencrypt/boulder/core"
 	blog "github.com/letsencrypt/boulder/log"
 	"github.com/letsencrypt/boulder/metrics"
 	"github.com/letsencrypt/boulder/test"
@@ -20,6 +24,89 @@ func serial(t *testing.T) []byte {
 
 }
 
+func TestOCSP(t *testing.T) {
+	testCtx := setup(t)
+	ca, err := NewCertificateAuthorityImpl(
+		&mockSA{},
+		testCtx.pa,
+		testCtx.ocsp,
+		testCtx.boulderIssuers,
+		nil,
+		testCtx.certExpiry,
+		testCtx.certBackdate,
+		testCtx.serialPrefix,
+		testCtx.maxNames,
+		testCtx.keyPolicy,
+		nil,
+		testCtx.logger,
+		testCtx.stats,
+		testCtx.signatureCount,
+		testCtx.signErrorCount,
+		testCtx.fc)
+	test.AssertNotError(t, err, "Failed to create CA")
+	ocspi := testCtx.ocsp
+
+	// Issue a certificate from the RSA issuer caCert, then check OCSP comes from the same issuer.
+	rsaIssuerID := ca.issuers.byAlg[x509.RSA].ID()
+	rsaCertPB, err := ca.IssuePrecertificate(ctx, &capb.IssueCertificateRequest{Csr: CNandSANCSR, RegistrationID: arbitraryRegID})
+	test.AssertNotError(t, err, "Failed to issue certificate")
+	rsaCert, err := x509.ParseCertificate(rsaCertPB.DER)
+	test.AssertNotError(t, err, "Failed to parse rsaCert")
+	rsaOCSPPB, err := ocspi.GenerateOCSP(ctx, &capb.GenerateOCSPRequest{
+		Serial:   core.SerialToString(rsaCert.SerialNumber),
+		IssuerID: int64(rsaIssuerID),
+		Status:   string(core.OCSPStatusGood),
+	})
+	test.AssertNotError(t, err, "Failed to generate OCSP")
+	rsaOCSP, err := ocsp.ParseResponse(rsaOCSPPB.Response, caCert.Certificate)
+	test.AssertNotError(t, err, "Failed to parse / validate OCSP for rsaCert")
+	test.AssertEquals(t, rsaOCSP.Status, 0)
+	test.AssertEquals(t, rsaOCSP.RevocationReason, 0)
+	test.AssertEquals(t, rsaOCSP.SerialNumber.Cmp(rsaCert.SerialNumber), 0)
+
+	// Issue a certificate from the ECDSA issuer caCert2, then check OCSP comes from the same issuer.
+	ecdsaIssuerID := ca.issuers.byAlg[x509.ECDSA].ID()
+	ecdsaCertPB, err := ca.IssuePrecertificate(ctx, &capb.IssueCertificateRequest{Csr: ECDSACSR, RegistrationID: arbitraryRegID})
+	test.AssertNotError(t, err, "Failed to issue certificate")
+	ecdsaCert, err := x509.ParseCertificate(ecdsaCertPB.DER)
+	test.AssertNotError(t, err, "Failed to parse ecdsaCert")
+	ecdsaOCSPPB, err := ocspi.GenerateOCSP(ctx, &capb.GenerateOCSPRequest{
+		Serial:   core.SerialToString(ecdsaCert.SerialNumber),
+		IssuerID: int64(ecdsaIssuerID),
+		Status:   string(core.OCSPStatusGood),
+	})
+	test.AssertNotError(t, err, "Failed to generate OCSP")
+	ecdsaOCSP, err := ocsp.ParseResponse(ecdsaOCSPPB.Response, caCert2.Certificate)
+	test.AssertNotError(t, err, "Failed to parse / validate OCSP for ecdsaCert")
+	test.AssertEquals(t, ecdsaOCSP.Status, 0)
+	test.AssertEquals(t, ecdsaOCSP.RevocationReason, 0)
+	test.AssertEquals(t, ecdsaOCSP.SerialNumber.Cmp(ecdsaCert.SerialNumber), 0)
+
+	// GenerateOCSP with a bad IssuerID should fail.
+	_, err = ocspi.GenerateOCSP(context.Background(), &capb.GenerateOCSPRequest{
+		Serial:   core.SerialToString(rsaCert.SerialNumber),
+		IssuerID: int64(666),
+		Status:   string(core.OCSPStatusGood),
+	})
+	test.AssertError(t, err, "GenerateOCSP didn't fail with invalid IssuerID")
+
+	// GenerateOCSP with a bad Serial should fail.
+	_, err = ocspi.GenerateOCSP(context.Background(), &capb.GenerateOCSPRequest{
+		Serial:   "BADDECAF",
+		IssuerID: int64(rsaIssuerID),
+		Status:   string(core.OCSPStatusGood),
+	})
+	test.AssertError(t, err, "GenerateOCSP didn't fail with invalid Serial")
+
+	// GenerateOCSP with a valid-but-nonexistent Serial should *not* fail.
+	_, err = ocspi.GenerateOCSP(context.Background(), &capb.GenerateOCSPRequest{
+		Serial:   "03DEADBEEFBADDECAFFADEFACECAFE30",
+		IssuerID: int64(rsaIssuerID),
+		Status:   string(core.OCSPStatusGood),
+	})
+	test.AssertNotError(t, err, "GenerateOCSP failed with fake-but-valid Serial")
+}
+
 // Set up an ocspLogQueue with a very long period and a large maxLen,
 // to ensure any buffered entries get flushed on `.stop()`.
 func TestOcspLogFlushOnExit(t *testing.T) {
 
@@ -44,6 +44,7 @@ message GenerateOCSPRequest {
   int32 reason = 3;
   int64 revokedAt = 4;
   string serial = 5;
+  // TODO(#5152): Replace issuerID with issuerNameID.
   int64 issuerID = 6;
 }
 
 
@@ -7,6 +7,7 @@ import (
 	"sync"
 
 	"github.com/beeker1121/goque"
+	"github.com/prometheus/client_golang/prometheus"
 	"google.golang.org/grpc/health"
 	healthpb "google.golang.org/grpc/health/grpc_health_v1"
 
@@ -165,6 +166,22 @@ func main() {
 	defer logger.AuditPanic()
 	logger.Info(cmd.VersionString())
 
+	// These two metrics are created and registered here so they can be shared
+	// between NewCertificateAuthorityImpl and NewOCSPImpl.
+	signatureCount := prometheus.NewCounterVec(
+		prometheus.CounterOpts{
+			Name: "signatures",
+			Help: "Number of signatures",
+		},
+		[]string{"purpose", "issuer"})
+	scope.MustRegister(signatureCount)
+
+	signErrorCount := prometheus.NewCounterVec(prometheus.CounterOpts{
+		Name: "signature_errors",
+		Help: "A counter of signature errors labelled by error type",
+	}, []string{"type"})
+	scope.MustRegister(signErrorCount)
+
 	cmd.FailOnError(c.PA.CheckChallenges(), "Invalid PA configuration")
 
 	pa, err := policy.New(c.PA.Challenges)
@@ -200,32 +217,58 @@ func main() {
 		defer func() { _ = orphanQueue.Close() }()
 	}
 
+	serverMetrics := bgrpc.NewServerMetrics(scope)
+	var wg sync.WaitGroup
+
+	ocspi, err := ca.NewOCSPImpl(
+		sa,
+		boulderIssuers,
+		c.CA.LifespanOCSP.Duration,
+		c.CA.OCSPLogMaxLength,
+		c.CA.OCSPLogPeriod.Duration,
+		logger,
+		scope,
+		signatureCount,
+		signErrorCount,
+		clk,
+	)
+	cmd.FailOnError(err, "Failed to create OCSP impl")
+	go ocspi.LogOCSPLoop()
+
+	ocspSrv, ocspListener, err := bgrpc.NewServer(c.CA.GRPCOCSPGenerator, tlsConfig, serverMetrics, clk)
+	cmd.FailOnError(err, "Unable to setup CA gRPC server")
+	capb.RegisterOCSPGeneratorServer(ocspSrv, ocspi)
+	ocspHealth := health.NewServer()
+	healthpb.RegisterHealthServer(ocspSrv, ocspHealth)
+	wg.Add(1)
+	go func() {
+		cmd.FailOnError(cmd.FilterShutdownErrors(ocspSrv.Serve(ocspListener)),
+			"OCSPGenerator gRPC service failed")
+		wg.Done()
+	}()
+
 	cai, err := ca.NewCertificateAuthorityImpl(
 		sa,
 		pa,
+		ocspi,
 		boulderIssuers,
 		c.CA.ECDSAAllowedAccounts,
 		c.CA.Expiry.Duration,
 		c.CA.Backdate.Duration,
 		c.CA.SerialPrefix,
 		c.CA.MaxNames,
-		c.CA.LifespanOCSP.Duration,
 		kp,
 		orphanQueue,
-		c.CA.OCSPLogMaxLength,
-		c.CA.OCSPLogPeriod.Duration,
 		logger,
 		scope,
+		signatureCount,
+		signErrorCount,
 		clk)
 	cmd.FailOnError(err, "Failed to create CA impl")
 
 	if orphanQueue != nil {
 		go cai.OrphanIntegrationLoop()
 	}
-	go cai.LogOCSPLoop()
-
-	serverMetrics := bgrpc.NewServerMetrics(scope)
-	var wg sync.WaitGroup
 
 	caSrv, caListener, err := bgrpc.NewServer(c.CA.GRPCCA, tlsConfig, serverMetrics, clk)
 	cmd.FailOnError(err, "Unable to setup CA gRPC server")
@@ -238,25 +281,13 @@ func main() {
 		wg.Done()
 	}()
 
-	ocspSrv, ocspListener, err := bgrpc.NewServer(c.CA.GRPCOCSPGenerator, tlsConfig, serverMetrics, clk)
-	cmd.FailOnError(err, "Unable to setup CA gRPC server")
-	capb.RegisterOCSPGeneratorServer(ocspSrv, cai)
-	ocspHealth := health.NewServer()
-	healthpb.RegisterHealthServer(ocspSrv, ocspHealth)
-	wg.Add(1)
-	go func() {
-		cmd.FailOnError(cmd.FilterShutdownErrors(ocspSrv.Serve(ocspListener)),
-			"OCSPGenerator gRPC service failed")
-		wg.Done()
-	}()
-
 	go cmd.CatchSignals(logger, func() {
 		caHealth.Shutdown()
 		ocspHealth.Shutdown()
 		caSrv.GracefulStop()
 		ocspSrv.GracefulStop()
 		wg.Wait()
-		cai.Stop()
+		ocspi.Stop()
 	})
 
 	select {}
 
@@ -152,6 +152,7 @@ func (updater *OCSPUpdater) findStaleOCSPResponses(oldestLastUpdatedTime time.Ti
 }
 
 func (updater *OCSPUpdater) generateResponse(ctx context.Context, status core.CertificateStatus) (*core.CertificateStatus, error) {
+	// TODO(#5152): Replace IssuerID with IssuerNameID.
 	if status.IssuerID == nil || *status.IssuerID == 0 {
 		return nil, errors.New("cert status has nil or 0 IssuerID")
 	}
Original file line number	Diff line number	Diff line change
`@@ -44,6 +44,7 @@ message GenerateOCSPRequest {`
`44`	`44`	`int32 reason = 3;`
`45`	`45`	`int64 revokedAt = 4;`
`46`	`46`	`string serial = 5;`
	`47`	`+ // TODO(#5152): Replace issuerID with issuerNameID.`
`47`	`48`	`int64 issuerID = 6;`
`48`	`49`	`}`
`49`	`50`
Original file line number	Diff line number	Diff line change
`@@ -152,6 +152,7 @@ func (updater *OCSPUpdater) findStaleOCSPResponses(oldestLastUpdatedTime time.Ti`
`152`	`152`	`}`
`153`	`153`
`154`	`154`	`func (updater OCSPUpdater) generateResponse(ctx context.Context, status core.CertificateStatus) (core.CertificateStatus, error) {`
	`155`	`+ // TODO(#5152): Replace IssuerID with IssuerNameID.`
`155`	`156`	`if status.IssuerID == nil \|\| *status.IssuerID == 0 {`
`156`	`157`	`return nil, errors.New("cert status has nil or 0 IssuerID")`
`157`	`158`	`}`