Switch GenerateOCSP to directly use protos instead of wrapper (letsencrypt#4549)

rolandshoemaker · web-flow · commit b8ee84da7b0d · 2019-11-14T11:10:33.000-08:00
diff --git a/ca/ca.go b/ca/ca.go
@@ -392,8 +392,8 @@ var ocspStatusToCode = map[string]int{
 }
 
 // GenerateOCSP produces a new OCSP response and returns it
-func (ca *CertificateAuthorityImpl) GenerateOCSP(ctx context.Context, xferObj core.OCSPSigningRequest) ([]byte, error) {
-	cert, err := x509.ParseCertificate(xferObj.CertDER)
+func (ca *CertificateAuthorityImpl) GenerateOCSP(ctx context.Context, req *caPB.GenerateOCSPRequest) (*caPB.OCSPResponse, error) {
+	cert, err := x509.ParseCertificate(req.CertDER)
 	if err != nil {
 		ca.log.AuditErr(err.Error())
 		return nil, err
@@ -414,22 +414,22 @@ func (ca *CertificateAuthorityImpl) GenerateOCSP(ctx context.Context, xferObj co
 
 	now := ca.clk.Now().Truncate(time.Hour)
 	tbsResponse := ocsp.Response{
-		Status:       ocspStatusToCode[xferObj.Status],
+		Status:       ocspStatusToCode[*req.Status],
 		SerialNumber: cert.SerialNumber,
 		ThisUpdate:   now,
 		NextUpdate:   now.Add(ca.ocspLifetime),
 	}
 	if tbsResponse.Status == ocsp.Revoked {
-		tbsResponse.RevokedAt = xferObj.RevokedAt
-		tbsResponse.RevocationReason = int(xferObj.Reason)
+		tbsResponse.RevokedAt = time.Unix(0, *req.RevokedAt)
+		tbsResponse.RevocationReason = int(*req.Reason)
 	}
 
 	ocspResponse, err := ocsp.CreateResponse(issuer.cert, issuer.cert, tbsResponse, issuer.ocspSigner)
 	ca.noteSignError(err)
 	if err == nil {
 		ca.signatureCount.With(prometheus.Labels{"purpose": "ocsp"}).Inc()
 	}
-	return ocspResponse, err
+	return &caPB.OCSPResponse{Response: ocspResponse}, err
 }
 
 func (ca *CertificateAuthorityImpl) IssuePrecertificate(ctx context.Context, issueReq *caPB.IssueCertificateRequest) (*caPB.IssuePrecertificateResponse, error) {
@@ -458,9 +458,10 @@ func (ca *CertificateAuthorityImpl) IssuePrecertificate(ctx context.Context, iss
 		return nil, err
 	}
 
-	ocspResp, err := ca.GenerateOCSP(ctx, core.OCSPSigningRequest{
+	status := string(core.OCSPStatusGood)
+	ocspResp, err := ca.GenerateOCSP(ctx, &caPB.GenerateOCSPRequest{
 		CertDER: precertDER,
-		Status:  string(core.OCSPStatusGood),
+		Status:  &status,
 	})
 	if err != nil {
 		err = berrors.InternalServerError(err.Error())
@@ -471,7 +472,7 @@ func (ca *CertificateAuthorityImpl) IssuePrecertificate(ctx context.Context, iss
 	_, err = ca.sa.AddPrecertificate(ctx, &sapb.AddCertificateRequest{
 		Der:    precertDER,
 		RegID:  &regID,
-		Ocsp:   ocspResp,
+		Ocsp:   ocspResp.Response,
 		Issued: &nowNanos,
 	})
 	if err != nil {
@@ -482,7 +483,7 @@ func (ca *CertificateAuthorityImpl) IssuePrecertificate(ctx context.Context, iss
 			ca.queueOrphan(&orphanedCert{
 				DER:      precertDER,
 				RegID:    regID,
-				OCSPResp: ocspResp,
+				OCSPResp: ocspResp.Response,
 				Precert:  true,
 			})
 		}
diff --git a/ca/ca_test.go b/ca/ca_test.go
@@ -24,14 +24,14 @@ import (
 	"github.com/cloudflare/cfssl/helpers"
 	"github.com/cloudflare/cfssl/signer"
 	"github.com/cloudflare/cfssl/signer/local"
-	"github.com/google/certificate-transparency-go"
+	ct "github.com/google/certificate-transparency-go"
 	cttls "github.com/google/certificate-transparency-go/tls"
 	"github.com/jmhodges/clock"
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/zmap/zlint/lints"
 	"golang.org/x/crypto/ocsp"
 
-	"github.com/letsencrypt/boulder/ca/config"
+	ca_config "github.com/letsencrypt/boulder/ca/config"
 	caPB "github.com/letsencrypt/boulder/ca/proto"
 	"github.com/letsencrypt/boulder/cmd"
 	"github.com/letsencrypt/boulder/core"
@@ -505,21 +505,22 @@ func TestOCSP(t *testing.T) {
 	test.AssertNotError(t, err, "Failed to issue")
 	parsedCert, err := x509.ParseCertificate(cert.DER)
 	test.AssertNotError(t, err, "Failed to parse cert")
-	ocspResp, err := ca.GenerateOCSP(ctx, core.OCSPSigningRequest{
+	status := string(core.OCSPStatusGood)
+	ocspResp, err := ca.GenerateOCSP(ctx, &caPB.GenerateOCSPRequest{
 		CertDER: cert.DER,
-		Status:  string(core.OCSPStatusGood),
+		Status:  &status,
 	})
 	test.AssertNotError(t, err, "Failed to generate OCSP")
-	parsed, err := ocsp.ParseResponse(ocspResp, caCert)
+	parsed, err := ocsp.ParseResponse(ocspResp.Response, caCert)
 	test.AssertNotError(t, err, "Failed to parse validate OCSP")
 	test.AssertEquals(t, parsed.Status, 0)
 	test.AssertEquals(t, parsed.RevocationReason, 0)
 	test.AssertEquals(t, parsed.SerialNumber.Cmp(parsedCert.SerialNumber), 0)
 
 	// Test that signatures are checked.
-	_, err = ca.GenerateOCSP(ctx, core.OCSPSigningRequest{
+	_, err = ca.GenerateOCSP(ctx, &caPB.GenerateOCSPRequest{
 		CertDER: append(cert.DER, byte(0)),
-		Status:  string(core.OCSPStatusGood),
+		Status:  &status,
 	})
 	test.AssertError(t, err, "Generated OCSP for cert with bad signature")
 
@@ -560,22 +561,22 @@ func TestOCSP(t *testing.T) {
 
 	// ocspResp2 is a second OCSP response for `cert` (issued by caCert), and
 	// should be signed by caCert.
-	ocspResp2, err := ca.GenerateOCSP(ctx, core.OCSPSigningRequest{
+	ocspResp2, err := ca.GenerateOCSP(ctx, &caPB.GenerateOCSPRequest{
 		CertDER: append(cert.DER),
-		Status:  string(core.OCSPStatusGood),
+		Status:  &status,
 	})
 	test.AssertNotError(t, err, "Failed to sign second OCSP response")
-	_, err = ocsp.ParseResponse(ocspResp2, caCert)
+	_, err = ocsp.ParseResponse(ocspResp2.Response, caCert)
 	test.AssertNotError(t, err, "Failed to parse / validate second OCSP response")
 
 	// newCertOcspResp is an OCSP response for `newCert` (issued by newIssuer),
 	// and should be signed by newIssuer.
-	newCertOcspResp, err := ca.GenerateOCSP(ctx, core.OCSPSigningRequest{
+	newCertOcspResp, err := ca.GenerateOCSP(ctx, &caPB.GenerateOCSPRequest{
 		CertDER: newCert.DER,
-		Status:  string(core.OCSPStatusGood),
+		Status:  &status,
 	})
 	test.AssertNotError(t, err, "Failed to generate OCSP")
-	parsedNewCertOcspResp, err := ocsp.ParseResponse(newCertOcspResp, newIssuerCert)
+	parsedNewCertOcspResp, err := ocsp.ParseResponse(newCertOcspResp.Response, newIssuerCert)
 	test.AssertNotError(t, err, "Failed to parse / validate OCSP for newCert")
 	test.AssertEquals(t, parsedNewCertOcspResp.Status, 0)
 	test.AssertEquals(t, parsedNewCertOcspResp.RevocationReason, 0)
diff --git a/cmd/boulder-ra/main.go b/cmd/boulder-ra/main.go
@@ -149,7 +149,7 @@ func main() {
 
 	caConn, err := bgrpc.ClientSetup(c.RA.CAService, tlsConfig, clientMetrics, clk)
 	cmd.FailOnError(err, "Unable to create CA client")
-	cac := bgrpc.NewCertificateAuthorityClient(caPB.NewCertificateAuthorityClient(caConn), nil)
+	cac := bgrpc.NewCertificateAuthorityClient(caPB.NewCertificateAuthorityClient(caConn))
 
 	var ctp *ctpolicy.CTPolicy
 	conn, err := bgrpc.ClientSetup(c.RA.PublisherService, tlsConfig, clientMetrics, clk)
diff --git a/cmd/ocsp-updater/main.go b/cmd/ocsp-updater/main.go
@@ -42,7 +42,7 @@ type OCSPUpdater struct {
 
 	dbMap ocspDB
 
-	cac core.CertificateAuthority
+	ogc capb.OCSPGeneratorClient
 	sac core.StorageAuthority
 
 	// Used to calculate how far back stale OCSP responses should be looked for
@@ -64,7 +64,7 @@ func newUpdater(
 	stats metrics.Scope,
 	clk clock.Clock,
 	dbMap ocspDB,
-	ca core.CertificateAuthority,
+	ogc capb.OCSPGeneratorClient,
 	sac core.StorageAuthority,
 	apc akamaipb.AkamaiPurgerClient,
 	config OCSPUpdaterConfig,
@@ -90,7 +90,7 @@ func newUpdater(
 		stats:                        stats,
 		clk:                          clk,
 		dbMap:                        dbMap,
-		cac:                          ca,
+		ogc:                          ogc,
 		log:                          log,
 		sac:                          sac,
 		ocspMinTimeToExpiry:          config.OCSPMinTimeToExpiry.Duration,
@@ -177,20 +177,21 @@ func (updater *OCSPUpdater) generateResponse(ctx context.Context, status core.Ce
 		}
 	}
 
-	signRequest := core.OCSPSigningRequest{
+	reason := int32(status.RevokedReason)
+	statusStr := string(status.Status)
+	revokedAt := status.RevokedDate.UnixNano()
+	ocspResponse, err := updater.ogc.GenerateOCSP(ctx, &capb.GenerateOCSPRequest{
 		CertDER:   cert.DER,
-		Reason:    status.RevokedReason,
-		Status:    string(status.Status),
-		RevokedAt: status.RevokedDate,
-	}
-
-	ocspResponse, err := updater.cac.GenerateOCSP(ctx, signRequest)
+		Reason:    &reason,
+		Status:    &statusStr,
+		RevokedAt: &revokedAt,
+	})
 	if err != nil {
 		return nil, err
 	}
 
 	status.OCSPLastUpdated = updater.clk.Now()
-	status.OCSPResponse = ocspResponse
+	status.OCSPResponse = ocspResponse.Response
 
 	return &status, nil
 }
@@ -388,7 +389,7 @@ type OCSPUpdaterConfig struct {
 }
 
 func setupClients(c OCSPUpdaterConfig, stats metrics.Scope, clk clock.Clock) (
-	core.CertificateAuthority,
+	capb.OCSPGeneratorClient,
 	core.StorageAuthority,
 	akamaipb.AkamaiPurgerClient,
 ) {
@@ -404,7 +405,7 @@ func setupClients(c OCSPUpdaterConfig, stats metrics.Scope, clk clock.Clock) (
 	// Make a CA client that is only capable of signing OCSP.
 	// TODO(jsha): Once we've fully moved to gRPC, replace this
 	// with a plain caPB.NewOCSPGeneratorClient.
-	cac := bgrpc.NewCertificateAuthorityClient(nil, capb.NewOCSPGeneratorClient(caConn))
+	ogc := capb.NewOCSPGeneratorClient(caConn)
 
 	saConn, err := bgrpc.ClientSetup(c.SAService, tls, clientMetrics, clk)
 	cmd.FailOnError(err, "Failed to load credentials and create gRPC connection to SA")
@@ -417,7 +418,7 @@ func setupClients(c OCSPUpdaterConfig, stats metrics.Scope, clk clock.Clock) (
 		apc = akamaipb.NewAkamaiPurgerClient(apcConn)
 	}
 
-	return cac, sac, apc
+	return ogc, sac, apc
 }
 
 func main() {
@@ -450,13 +451,13 @@ func main() {
 	sa.InitDBMetrics(dbMap, scope)
 
 	clk := cmd.Clock()
-	cac, sac, apc := setupClients(conf, scope, clk)
+	ogc, sac, apc := setupClients(conf, scope, clk)
 
 	updater, err := newUpdater(
 		scope,
 		clk,
 		dbMap,
-		cac,
+		ogc,
 		sac,
 		apc,
 		// Necessary evil for now
diff --git a/cmd/ocsp-updater/main_test.go b/cmd/ocsp-updater/main_test.go
@@ -23,31 +23,19 @@ import (
 	"github.com/letsencrypt/boulder/sa/satest"
 	"github.com/letsencrypt/boulder/test"
 	"github.com/letsencrypt/boulder/test/vars"
+	"google.golang.org/grpc"
 	"gopkg.in/go-gorp/gorp.v2"
 )
 
 var ctx = context.Background()
 
-type mockCA struct {
+type mockOCSP struct {
 	sleepTime time.Duration
 }
 
-func (ca *mockCA) IssueCertificate(_ context.Context, _ *caPB.IssueCertificateRequest) (core.Certificate, error) {
-	return core.Certificate{}, nil
-}
-
-func (ca *mockCA) IssuePrecertificate(_ context.Context, _ *caPB.IssueCertificateRequest) (*caPB.IssuePrecertificateResponse, error) {
-	return nil, errors.New("IssuePrecertificate is not implemented by mockCA")
-}
-
-func (ca *mockCA) IssueCertificateForPrecertificate(_ context.Context, _ *caPB.IssueCertificateForPrecertificateRequest) (core.Certificate, error) {
-	return core.Certificate{}, errors.New("IssueCertificateForPrecertificate is not implemented by mockCA")
-}
-
-func (ca *mockCA) GenerateOCSP(_ context.Context, xferObj core.OCSPSigningRequest) (ocsp []byte, err error) {
-	ocsp = []byte{1, 2, 3}
+func (ca *mockOCSP) GenerateOCSP(_ context.Context, req *caPB.GenerateOCSPRequest, _ ...grpc.CallOption) (*caPB.OCSPResponse, error) {
 	time.Sleep(ca.sleepTime)
-	return
+	return &caPB.OCSPResponse{Response: []byte{1, 2, 3}}, nil
 }
 
 var log = blog.UseMock()
@@ -80,7 +68,7 @@ func setup(t *testing.T) (*OCSPUpdater, core.StorageAuthority, *gorp.DbMap, cloc
 		metrics.NewNoopScope(),
 		fc,
 		dbMap,
-		&mockCA{},
+		&mockOCSP{},
 		sa,
 		nil,
 		OCSPUpdaterConfig{
@@ -155,7 +143,7 @@ func TestGenerateOCSPResponses(t *testing.T) {
 	// Note that this test also tests the basic functionality of
 	// generateOCSPResponses.
 	start := time.Now()
-	updater.cac = &mockCA{time.Second}
+	updater.ogc = &mockOCSP{time.Second}
 	updater.parallelGenerateOCSPRequests = 10
 	err = updater.generateOCSPResponses(ctx, certs, metrics.NewNoopScope())
 	test.AssertNotError(t, err, "Couldn't generate OCSP responses")
@@ -458,7 +446,7 @@ func TestGenerateOCSPResponsePrecert(t *testing.T) {
 	// Directly call generateResponse with the result, when the PrecertificateOCSP
 	// feature flag is disabled we expect this to error because no matching
 	// certificates row will be found.
-	updater.cac = &mockCA{time.Second}
+	updater.ogc = &mockOCSP{time.Second}
 	_, err = updater.generateResponse(ctx, certs[0])
 	test.AssertError(t, err, "generateResponse for precert without PrecertificateOCSP did not error")
 
diff --git a/core/interfaces.go b/core/interfaces.go
@@ -99,7 +99,7 @@ type CertificateAuthority interface {
 	// [RegistrationAuthority]
 	IssueCertificateForPrecertificate(ctx context.Context, req *caPB.IssueCertificateForPrecertificateRequest) (Certificate, error)
 
-	GenerateOCSP(ctx context.Context, ocspReq OCSPSigningRequest) ([]byte, error)
+	GenerateOCSP(ctx context.Context, ocspReq *caPB.GenerateOCSPRequest) (*caPB.OCSPResponse, error)
 }
 
 // PolicyAuthority defines the public interface for the Boulder PA
diff --git a/grpc/ca-wrappers.go b/grpc/ca-wrappers.go
diff --git a/mocks/ca.go b/mocks/ca.go
diff --git a/ra/ra.go b/ra/ra.go

Original file line number	Diff line number	Diff line change
`@@ -99,7 +99,7 @@ type CertificateAuthority interface {`
`99`	`99`	`// [RegistrationAuthority]`
`100`	`100`	`IssueCertificateForPrecertificate(ctx context.Context, req *caPB.IssueCertificateForPrecertificateRequest) (Certificate, error)`
`101`	`101`
`102`		`- GenerateOCSP(ctx context.Context, ocspReq OCSPSigningRequest) ([]byte, error)`
	`102`	`+ GenerateOCSP(ctx context.Context, ocspReq caPB.GenerateOCSPRequest) (caPB.OCSPResponse, error)`
`103`	`103`	`}`
`104`	`104`
`105`	`105`	`// PolicyAuthority defines the public interface for the Boulder PA`