Unify usage of 'issuer' and 'signer' as nouns (letsencrypt#5085)

aarongable · web-flow · commit d8a786ea081c · 2020-09-10T17:18:42.000-07:00
We define a "signer" to be a private key, or something that satisfies the
crypto.Signer interface. We define an "issuer" to be an object which has
both a signer (so it can sign things) and a certificate (so that the things
it signs can have appropriate issuer fields set).

As a result, this change:
- moves the new "signer" library to be called "issuance" instead
- renames several "signers" to instead be "issuers", as defined above
- renames several "issuers" to instead be "certs", to reduce confusion more

There are some further cleanups which could be made, but most of them
will be made irrelevant by the removal of the CFSSL code, so I'm leaving
them be for now.
diff --git a/ca/ca.go b/ca/ca.go
@@ -39,9 +39,9 @@ import (
 	berrors "github.com/letsencrypt/boulder/errors"
 	"github.com/letsencrypt/boulder/features"
 	"github.com/letsencrypt/boulder/goodkey"
+	"github.com/letsencrypt/boulder/issuance"
 	blog "github.com/letsencrypt/boulder/log"
 	sapb "github.com/letsencrypt/boulder/sa/proto"
-	bsigner "github.com/letsencrypt/boulder/signer"
 )
 
 // Miscellaneous PKIX OIDs that we need to refer to
@@ -167,42 +167,42 @@ type internalIssuer struct {
 	cert       *x509.Certificate
 	ocspSigner crypto.Signer
 
-	// Only one of cfsslSigner and boulderSigner will be non-nill
+	// Only one of cfsslSigner and boulderIssuer will be non-nill
 	cfsslSigner   localSigner
-	boulderSigner *bsigner.Signer
+	boulderIssuer *issuance.Issuer
 }
 
-func makeInternalIssuers(issuers []bsigner.Config, lifespanOCSP time.Duration) (issuerMaps, error) {
+func makeInternalIssuers(configs []issuance.IssuerConfig, lifespanOCSP time.Duration) (issuerMaps, error) {
 	issuersByAlg := make(map[x509.PublicKeyAlgorithm]*internalIssuer, 2)
-	issuersByName := make(map[string]*internalIssuer, len(issuers))
-	issuersByID := make(map[int64]*internalIssuer, len(issuers))
-	for _, issuer := range issuers {
-		signer, err := bsigner.NewSigner(issuer)
+	issuersByName := make(map[string]*internalIssuer, len(configs))
+	issuersByID := make(map[int64]*internalIssuer, len(configs))
+	for _, config := range configs {
+		issuer, err := issuance.New(config)
 		if err != nil {
 			return issuerMaps{}, err
 		}
 		ii := &internalIssuer{
-			cert:          issuer.Issuer,
-			ocspSigner:    issuer.Signer,
-			boulderSigner: signer,
+			cert:          config.Cert,
+			ocspSigner:    config.Signer,
+			boulderIssuer: issuer,
 		}
-		if issuer.Profile.UseForRSALeaves {
+		if config.Profile.UseForRSALeaves {
 			if issuersByAlg[x509.RSA] != nil {
 				return issuerMaps{}, errors.New("Multiple issuer certs for RSA are not allowed")
 			}
 			issuersByAlg[x509.RSA] = ii
 		}
-		if issuer.Profile.UseForECDSALeaves {
+		if config.Profile.UseForECDSALeaves {
 			if issuersByAlg[x509.ECDSA] != nil {
 				return issuerMaps{}, errors.New("Multiple issuer certs for ECDSA are not allowed")
 			}
 			issuersByAlg[x509.ECDSA] = ii
 		}
-		if issuersByName[issuer.Issuer.Subject.CommonName] != nil {
+		if issuersByName[config.Cert.Subject.CommonName] != nil {
 			return issuerMaps{}, errors.New("Multiple issuer certs with the same CommonName are not supported")
 		}
-		issuersByName[issuer.Issuer.Subject.CommonName] = ii
-		issuersByID[idForIssuer(issuer.Issuer)] = ii
+		issuersByName[config.Cert.Subject.CommonName] = ii
+		issuersByID[idForCert(config.Cert)] = ii
 	}
 	return issuerMaps{issuersByAlg, issuersByName, issuersByID}, nil
 }
@@ -245,15 +245,15 @@ func makeCFSSLInternalIssuers(issuers []Issuer, policy *cfsslConfig.Signing, lif
 			issuersByAlg[x509.ECDSA] = ii
 		}
 		issuersByName[cn] = ii
-		issuersByID[idForIssuer(iss.Cert)] = ii
+		issuersByID[idForCert(iss.Cert)] = ii
 	}
 	return issuerMaps{issuersByAlg, issuersByName, issuersByID}, nil
 }
 
-// idForIssuer generates a stable ID for an issuer certificate. This
+// idForCert generates a stable ID for an issuer certificate. This
 // is used for identifying which issuer issued a certificate in the
 // certificateStatus table.
-func idForIssuer(cert *x509.Certificate) int64 {
+func idForCert(cert *x509.Certificate) int64 {
 	h := sha256.Sum256(cert.Raw)
 	return big.NewInt(0).SetBytes(h[:4]).Int64()
 }
@@ -268,7 +268,7 @@ func NewCertificateAuthorityImpl(
 	clk clock.Clock,
 	stats prometheus.Registerer,
 	cfsslIssuers []Issuer,
-	boulderIssuers []bsigner.Config,
+	boulderIssuers []issuance.IssuerConfig,
 	keyPolicy goodkey.KeyPolicy,
 	logger blog.Logger,
 	orphanQueue *goque.Queue,
@@ -600,7 +600,7 @@ func (ca *CertificateAuthorityImpl) IssuePrecertificate(ctx context.Context, iss
 		RegID:    regID,
 		Ocsp:     ocspResp.Response,
 		Issued:   nowNanos,
-		IssuerID: idForIssuer(issuer.cert),
+		IssuerID: idForCert(issuer.cert),
 	}
 
 	_, err = ca.sa.AddPrecertificate(ctx, req)
@@ -617,7 +617,7 @@ func (ca *CertificateAuthorityImpl) IssuePrecertificate(ctx context.Context, iss
 				RegID:    regID,
 				OCSPResp: ocspResp.Response,
 				Precert:  true,
-				IssuerID: idForIssuer(issuer.cert),
+				IssuerID: idForCert(issuer.cert),
 			})
 		}
 		return nil, err
@@ -686,11 +686,11 @@ func (ca *CertificateAuthorityImpl) IssueCertificateForPrecertificate(ctx contex
 
 	var certDER []byte
 	if features.Enabled(features.NonCFSSLSigner) {
-		issuanceReq, err := bsigner.RequestFromPrecert(precert, scts)
+		issuanceReq, err := issuance.RequestFromPrecert(precert, scts)
 		if err != nil {
 			return nil, err
 		}
-		certDER, err = issuer.boulderSigner.Issue(issuanceReq)
+		certDER, err = issuer.boulderIssuer.Issue(issuanceReq)
 		if err != nil {
 			return nil, err
 		}
@@ -711,7 +711,7 @@ func (ca *CertificateAuthorityImpl) IssueCertificateForPrecertificate(ctx contex
 	ca.log.AuditInfof("Signing success: serial=[%s] names=[%s] csr=[%s] certificate=[%s]",
 		serialHex, strings.Join(precert.DNSNames, ", "), hex.EncodeToString(req.DER),
 		hex.EncodeToString(certDER))
-	err = ca.storeCertificate(ctx, req.RegistrationID, req.OrderID, precert.SerialNumber, certDER, idForIssuer(issuer.cert))
+	err = ca.storeCertificate(ctx, req.RegistrationID, req.OrderID, precert.SerialNumber, certDER, idForCert(issuer.cert))
 	if err != nil {
 		return nil, err
 	}
@@ -795,13 +795,13 @@ func (ca *CertificateAuthorityImpl) issuePrecertificateInner(ctx context.Context
 	if features.Enabled(features.NonCFSSLSigner) {
 		ca.log.AuditInfof("Signing: serial=[%s] names=[%s] csr=[%s]",
 			serialHex, strings.Join(csr.DNSNames, ", "), hex.EncodeToString(csr.Raw))
-		certDER, err = issuer.boulderSigner.Issue(&bsigner.IssuanceRequest{
+		certDER, err = issuer.boulderIssuer.Issue(&issuance.IssuanceRequest{
 			PublicKey:         csr.PublicKey,
 			Serial:            serialBigInt.Bytes(),
 			CommonName:        csr.Subject.CommonName,
 			DNSNames:          csr.DNSNames,
 			IncludeCTPoison:   true,
-			IncludeMustStaple: bsigner.ContainsMustStaple(csr.Extensions),
+			IncludeMustStaple: issuance.ContainsMustStaple(csr.Extensions),
 			NotBefore:         validity.NotBefore,
 			NotAfter:          validity.NotAfter,
 		})
diff --git a/ca/ca_test.go b/ca/ca_test.go
@@ -38,11 +38,11 @@ import (
 	berrors "github.com/letsencrypt/boulder/errors"
 	"github.com/letsencrypt/boulder/features"
 	"github.com/letsencrypt/boulder/goodkey"
+	"github.com/letsencrypt/boulder/issuance"
 	blog "github.com/letsencrypt/boulder/log"
 	"github.com/letsencrypt/boulder/metrics"
 	"github.com/letsencrypt/boulder/policy"
 	sapb "github.com/letsencrypt/boulder/sa/proto"
-	bsigner "github.com/letsencrypt/boulder/signer"
 	"github.com/letsencrypt/boulder/test"
 )
 
@@ -135,7 +135,7 @@ type testCtx struct {
 	caConfig      ca_config.CAConfig
 	pa            core.PolicyAuthority
 	issuers       []Issuer
-	signerConfigs []bsigner.Config
+	issuerConfigs []issuance.IssuerConfig
 	keyPolicy     goodkey.KeyPolicy
 	fc            clock.FakeClock
 	stats         prometheus.Registerer
@@ -261,12 +261,12 @@ func setup(t *testing.T) *testCtx {
 
 	issuers := []Issuer{{caKey, caCert}}
 
-	signerConfigs := []bsigner.Config{
+	issuerConfigs := []issuance.IssuerConfig{
 		{
-			Issuer: caCert,
+			Cert:   caCert,
 			Signer: caKey,
 			Clk:    fc,
-			Profile: bsigner.ProfileConfig{
+			Profile: issuance.ProfileConfig{
 				UseForECDSALeaves: true,
 				UseForRSALeaves:   true,
 				AllowMustStaple:   true,
@@ -276,7 +276,7 @@ func setup(t *testing.T) *testCtx {
 				IssuerURL:         "http://not-example.com/issuer-url",
 				OCSPURL:           "http://not-example.com/ocsp",
 				CRLURL:            "http://not-example.com/crl",
-				Policies: []bsigner.PolicyInformation{
+				Policies: []issuance.PolicyInformation{
 					{OID: "2.23.140.1.2.1"},
 				},
 				MaxValidityPeriod:   cmd.ConfigDuration{Duration: time.Hour * 8760},
@@ -297,7 +297,7 @@ func setup(t *testing.T) *testCtx {
 		caConfig,
 		pa,
 		issuers,
-		signerConfigs,
+		issuerConfigs,
 		keyPolicy,
 		fc,
 		metrics.NoopRegisterer,
@@ -401,13 +401,13 @@ func TestIssuePrecertificate(t *testing.T) {
 	}
 }
 
-func issueCertificateSubTestSetup(t *testing.T, boulderSigner bool) (*CertificateAuthorityImpl, *mockSA) {
+func issueCertificateSubTestSetup(t *testing.T, boulderIssuer bool) (*CertificateAuthorityImpl, *mockSA) {
 	testCtx := setup(t)
 	sa := &mockSA{}
 	var issuers []Issuer
-	var signerConfigs []bsigner.Config
-	if boulderSigner {
-		signerConfigs = testCtx.signerConfigs
+	var issuerConfigs []issuance.IssuerConfig
+	if boulderIssuer {
+		issuerConfigs = testCtx.issuerConfigs
 		_ = features.Set(map[string]bool{"NonCFSSLSigner": true})
 	} else {
 		issuers = testCtx.issuers
@@ -419,7 +419,7 @@ func issueCertificateSubTestSetup(t *testing.T, boulderSigner bool) (*Certificat
 		testCtx.fc,
 		testCtx.stats,
 		issuers,
-		signerConfigs,
+		issuerConfigs,
 		testCtx.keyPolicy,
 		testCtx.logger,
 		nil)
@@ -847,7 +847,7 @@ func TestIssueCertificateForPrecertificate(t *testing.T) {
 			testCtx.fc,
 			testCtx.stats,
 			testCtx.issuers,
-			testCtx.signerConfigs,
+			testCtx.issuerConfigs,
 			testCtx.keyPolicy,
 			testCtx.logger,
 			nil)
@@ -1291,7 +1291,7 @@ func TestGenerateOCSPWithIssuerID(t *testing.T) {
 	// GenerateOCSP with feature enabled + req contains good IssuerID
 	rsaIssuer := ca.issuers.byAlg[x509.RSA]
 	_, err = ca.GenerateOCSP(context.Background(), &capb.GenerateOCSPRequest{
-		IssuerID: idForIssuer(rsaIssuer.cert),
+		IssuerID: idForCert(rsaIssuer.cert),
 		Serial:   "DEADDEADDEADDEADDEADDEADDEADDEADDEAD",
 		Status:   string(core.OCSPStatusGood),
 	})
diff --git a/ca/config/config.go b/ca/config/config.go
@@ -5,7 +5,7 @@ import (
 	"github.com/letsencrypt/pkcs11key/v4"
 
 	"github.com/letsencrypt/boulder/cmd"
-	"github.com/letsencrypt/boulder/signer"
+	"github.com/letsencrypt/boulder/issuance"
 )
 
 // CAConfig structs have configuration information for the certificate
@@ -27,7 +27,7 @@ type CAConfig struct {
 	Issuers []IssuerConfig
 	// SignerProfile contains the signer issuance profile, if using the boulder
 	// signer rather than the CFSSL signer.
-	SignerProfile signer.ProfileConfig
+	SignerProfile issuance.ProfileConfig
 	// LifespanOCSP is how long OCSP responses are valid for; It should be longer
 	// than the minTimeToExpiry field for the OCSP Updater.
 	LifespanOCSP cmd.ConfigDuration
diff --git a/cmd/boulder-ca/main.go b/cmd/boulder-ca/main.go
@@ -22,9 +22,9 @@ import (
 	"github.com/letsencrypt/boulder/features"
 	"github.com/letsencrypt/boulder/goodkey"
 	bgrpc "github.com/letsencrypt/boulder/grpc"
+	"github.com/letsencrypt/boulder/issuance"
 	"github.com/letsencrypt/boulder/policy"
 	sapb "github.com/letsencrypt/boulder/sa/proto"
-	bsigner "github.com/letsencrypt/boulder/signer"
 )
 
 type config struct {
@@ -48,15 +48,15 @@ func loadCFSSLIssuers(configs []ca_config.IssuerConfig) ([]ca.Issuer, error) {
 	return issuers, nil
 }
 
-func loadBoulderIssuers(configs []ca_config.IssuerConfig, profile bsigner.ProfileConfig, ignoredLints []string) ([]bsigner.Config, error) {
-	boulderIssuerConfigs := make([]bsigner.Config, 0, len(configs))
+func loadBoulderIssuers(configs []ca_config.IssuerConfig, profile issuance.ProfileConfig, ignoredLints []string) ([]issuance.IssuerConfig, error) {
+	boulderIssuerConfigs := make([]issuance.IssuerConfig, 0, len(configs))
 	for _, issuerConfig := range configs {
 		signer, issuer, err := loadIssuer(issuerConfig)
 		if err != nil {
 			return nil, err
 		}
-		boulderIssuerConfigs = append(boulderIssuerConfigs, bsigner.Config{
-			Issuer:       issuer,
+		boulderIssuerConfigs = append(boulderIssuerConfigs, issuance.IssuerConfig{
+			Cert:         issuer,
 			Signer:       signer,
 			IgnoredLints: ignoredLints,
 			Clk:          cmd.Clock(),
@@ -172,7 +172,7 @@ func main() {
 	cmd.FailOnError(err, "Couldn't load hostname policy file")
 
 	var cfsslIssuers []ca.Issuer
-	var boulderIssuerConfigs []bsigner.Config
+	var boulderIssuerConfigs []issuance.IssuerConfig
 	if features.Enabled(features.NonCFSSLSigner) {
 		boulderIssuerConfigs, err = loadBoulderIssuers(c.CA.Issuers, c.CA.SignerProfile, c.CA.IgnoredLints)
 		cmd.FailOnError(err, "Couldn't load issuers")
diff --git a/issuance/issuance.go b/issuance/issuance.go
diff --git a/issuance/issuance_test.go b/issuance/issuance_test.go
