Merge remote-tracking branch 'origin/main' into must-staple-allowlist

allowlist/main_test.go

@@ -5,6 +5,8 @@ import (
 )
 
 func TestNewFromYAML(t *testing.T) {
+	t.Parallel()
+
 	tests := []struct {
 		name          string
 		yamlData      string
@@ -37,6 +39,8 @@ func TestNewFromYAML(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
 			list, err := NewFromYAML[string]([]byte(tt.yamlData))
 			if (err != nil) != tt.expectErr {
 				t.Fatalf("NewFromYAML() error = %v, expectErr = %v", err, tt.expectErr)
@@ -55,6 +59,8 @@ func TestNewFromYAML(t *testing.T) {
 }
 
 func TestNewList(t *testing.T) {
+	t.Parallel()
+
 	tests := []struct {
 		name          string
 		members       []string
@@ -89,6 +95,8 @@ func TestNewList(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
 			list := NewList[string](tt.members)
 			for i, item := range tt.check {
 				got := list.Contains(item)

cmd/boulder-ra/main.go

@@ -277,17 +277,14 @@ func main() {
 	if c.RA.ValidationProfiles != nil {
 		validationProfiles = make(map[string]*ra.ValidationProfile)
 		for profileName, v := range c.RA.ValidationProfiles {
-			if v.AllowList == "" {
-				// No allow list file is specified, this profile is open to all accounts.
-				validationProfiles[profileName] = ra.NewValidationProfile(nil)
-			} else {
+			var allowList *allowlist.List[int64]
+			if v.AllowList != "" {
 				data, err := os.ReadFile(v.AllowList)
 				cmd.FailOnError(err, fmt.Sprintf("Failed to read allow list for profile %q", profileName))
-				allowList, err := allowlist.NewFromYAML[int64](data)
+				allowList, err = allowlist.NewFromYAML[int64](data)
 				cmd.FailOnError(err, fmt.Sprintf("Failed to parse allow list for profile %q", profileName))
-				// Use of this profile is restricted to the accounts listed in the allow list.
-				validationProfiles[profileName] = ra.NewValidationProfile(allowList)
 			}
+			validationProfiles[profileName] = ra.NewValidationProfile(allowList)
 		}
 	}
 

docs/acme-divergences.md

@@ -18,7 +18,7 @@ support this non-essential feature in the future. Please follow Boulder Issue
 ## [Section 7.4](https://tools.ietf.org/html/rfc8555#section-7.4)
 
 Boulder does not accept the optional `notBefore` and `notAfter` fields of a
-`newOrder` request paylod.
+`newOrder` request payload.
 
 ## [Section 7.4.1](https://tools.ietf.org/html/rfc8555#section-7.4.1)
 

errors/errors.go

@@ -49,7 +49,7 @@ const (
 	AlreadyRevoked
 	BadRevocationReason
 	UnsupportedContact
-	// The requesteed serial number does not exist in the `serials` table.
+	// The requested serial number does not exist in the `serials` table.
 	UnknownSerial
 	// The certificate being indicated for replacement already has a replacement
 	// order.

ra/ra.go

@@ -2170,7 +2170,7 @@ func (ra *RegistrationAuthorityImpl) NewOrder(ctx context.Context, req *rapb.New
 				req.CertificateProfileName,
 			)
 		}
-		if ok && vp.allowList != nil && !vp.allowList.Contains(req.RegistrationID) {
+		if vp.allowList != nil && !vp.allowList.Contains(req.RegistrationID) {
 			return nil, berrors.UnauthorizedError("account ID %d is not permitted to use certificate profile %q",
 				req.RegistrationID,
 				req.CertificateProfileName,

test/config-next/ca.json

@@ -77,7 +77,7 @@
 					"active": true,
 					"issuerURL": "http://ca.example.org:4502/int-ecdsa-a",
 					"ocspURL": "http://ca.example.org:4002/",
-					"crlURLBase": "http://ca.example.org:4501/ecdsa-a/",
+					"crlURLBase": "http://ca.example.org:4501/lets-encrypt-crls/43104258997432926/",
 					"location": {
 						"configFile": "test/certs/webpki/int-ecdsa-a.pkcs11.json",
 						"certFile": "test/certs/webpki/int-ecdsa-a.cert.pem",
@@ -88,7 +88,7 @@
 					"active": true,
 					"issuerURL": "http://ca.example.org:4502/int-ecdsa-b",
 					"ocspURL": "http://ca.example.org:4002/",
-					"crlURLBase": "http://ca.example.org:4501/ecdsa-b/",
+					"crlURLBase": "http://ca.example.org:4501/lets-encrypt-crls/17302365692836921/",
 					"location": {
 						"configFile": "test/certs/webpki/int-ecdsa-b.pkcs11.json",
 						"certFile": "test/certs/webpki/int-ecdsa-b.cert.pem",
@@ -99,7 +99,7 @@
 					"active": false,
 					"issuerURL": "http://ca.example.org:4502/int-ecdsa-c",
 					"ocspURL": "http://ca.example.org:4002/",
-					"crlURLBase": "http://ca.example.org:4501/ecdsa-c/",
+					"crlURLBase": "http://ca.example.org:4501/lets-encrypt-crls/56560759852043581/",
 					"location": {
 						"configFile": "test/certs/webpki/int-ecdsa-c.pkcs11.json",
 						"certFile": "test/certs/webpki/int-ecdsa-c.cert.pem",
@@ -110,7 +110,7 @@
 					"active": true,
 					"issuerURL": "http://ca.example.org:4502/int-rsa-a",
 					"ocspURL": "http://ca.example.org:4002/",
-					"crlURLBase": "http://ca.example.org:4501/rsa-a/",
+					"crlURLBase": "http://ca.example.org:4501/lets-encrypt-crls/29947985078257530/",
 					"location": {
 						"configFile": "test/certs/webpki/int-rsa-a.pkcs11.json",
 						"certFile": "test/certs/webpki/int-rsa-a.cert.pem",
@@ -121,7 +121,7 @@
 					"active": true,
 					"issuerURL": "http://ca.example.org:4502/int-rsa-b",
 					"ocspURL": "http://ca.example.org:4002/",
-					"crlURLBase": "http://ca.example.org:4501/rsa-b/",
+					"crlURLBase": "http://ca.example.org:4501/lets-encrypt-crls/6762885421992935/",
 					"location": {
 						"configFile": "test/certs/webpki/int-rsa-b.pkcs11.json",
 						"certFile": "test/certs/webpki/int-rsa-b.cert.pem",
@@ -132,7 +132,7 @@
 					"active": false,
 					"issuerURL": "http://ca.example.org:4502/int-rsa-c",
 					"ocspURL": "http://ca.example.org:4002/",
-					"crlURLBase": "http://ca.example.org:4501/rsa-c/",
+					"crlURLBase": "http://ca.example.org:4501/lets-encrypt-crls/56183656833365902/",
 					"location": {
 						"configFile": "test/certs/webpki/int-rsa-c.pkcs11.json",
 						"certFile": "test/certs/webpki/int-rsa-c.cert.pem",

test/config-next/crl-updater.json

@@ -53,7 +53,7 @@
 		"features": {}
 	},
 	"syslog": {
-		"stdoutlevel": 6,
+		"stdoutlevel": 4,
 		"sysloglevel": -1
 	},
 	"openTelemetry": {

test/config-next/ocsp-responder.json

@@ -53,9 +53,9 @@
 		],
 		"liveSigningPeriod": "60h",
 		"timeout": "4.9s",
-		"maxInflightSignings": 2,
-		"maxSigningWaiters": 1,
 		"shutdownStopTimeout": "10s",
+		"maxInflightSignings": 20,
+		"maxSigningWaiters": 100,
 		"requiredSerialPrefixes": [
 			"7f"
 		],

test/config/ca.json

@@ -79,7 +79,7 @@
 					"active": true,
 					"issuerURL": "http://ca.example.org:4502/int-ecdsa-a",
 					"ocspURL": "http://ca.example.org:4002/",
-					"crlURLBase": "http://ca.example.org:4501/ecdsa-a/",
+					"crlURLBase": "http://ca.example.org:4501/lets-encrypt-crls/43104258997432926/",
 					"location": {
 						"configFile": "test/certs/webpki/int-ecdsa-a.pkcs11.json",
 						"certFile": "test/certs/webpki/int-ecdsa-a.cert.pem",
@@ -90,7 +90,7 @@
 					"active": true,
 					"issuerURL": "http://ca.example.org:4502/int-ecdsa-b",
 					"ocspURL": "http://ca.example.org:4002/",
-					"crlURLBase": "http://ca.example.org:4501/ecdsa-b/",
+					"crlURLBase": "http://ca.example.org:4501/lets-encrypt-crls/17302365692836921/",
 					"location": {
 						"configFile": "test/certs/webpki/int-ecdsa-b.pkcs11.json",
 						"certFile": "test/certs/webpki/int-ecdsa-b.cert.pem",
@@ -101,7 +101,7 @@
 					"active": false,
 					"issuerURL": "http://ca.example.org:4502/int-ecdsa-c",
 					"ocspURL": "http://ca.example.org:4002/",
-					"crlURLBase": "http://ca.example.org:4501/ecdsa-c/",
+					"crlURLBase": "http://ca.example.org:4501/lets-encrypt-crls/56560759852043581/",
 					"location": {
 						"configFile": "test/certs/webpki/int-ecdsa-c.pkcs11.json",
 						"certFile": "test/certs/webpki/int-ecdsa-c.cert.pem",
@@ -112,7 +112,7 @@
 					"active": true,
 					"issuerURL": "http://ca.example.org:4502/int-rsa-a",
 					"ocspURL": "http://ca.example.org:4002/",
-					"crlURLBase": "http://ca.example.org:4501/rsa-a/",
+					"crlURLBase": "http://ca.example.org:4501/lets-encrypt-crls/29947985078257530/",
 					"location": {
 						"configFile": "test/certs/webpki/int-rsa-a.pkcs11.json",
 						"certFile": "test/certs/webpki/int-rsa-a.cert.pem",
@@ -123,7 +123,7 @@
 					"active": true,
 					"issuerURL": "http://ca.example.org:4502/int-rsa-b",
 					"ocspURL": "http://ca.example.org:4002/",
-					"crlURLBase": "http://ca.example.org:4501/rsa-b/",
+					"crlURLBase": "http://ca.example.org:4501/lets-encrypt-crls/6762885421992935/",
 					"location": {
 						"configFile": "test/certs/webpki/int-rsa-b.pkcs11.json",
 						"certFile": "test/certs/webpki/int-rsa-b.cert.pem",
@@ -134,7 +134,7 @@
 					"active": false,
 					"issuerURL": "http://ca.example.org:4502/int-rsa-c",
 					"ocspURL": "http://ca.example.org:4002/",
-					"crlURLBase": "http://ca.example.org:4501/rsa-c/",
+					"crlURLBase": "http://ca.example.org:4501/lets-encrypt-crls/56183656833365902/",
 					"location": {
 						"configFile": "test/certs/webpki/int-rsa-c.pkcs11.json",
 						"certFile": "test/certs/webpki/int-rsa-c.cert.pem",

test/config/crl-updater.json

@@ -53,7 +53,7 @@
 		"features": {}
 	},
 	"syslog": {
-		"stdoutlevel": 6,
-		"sysloglevel": 6
+		"stdoutlevel": 4,
+		"sysloglevel": 4
 	}
 }

test/config/ocsp-responder.json

@@ -59,6 +59,7 @@
 		"liveSigningPeriod": "60h",
 		"timeout": "4.9s",
 		"shutdownStopTimeout": "10s",
+		"maxInflightSignings": 20,
 		"debugAddr": ":8005",
 		"requiredSerialPrefixes": [
 			"7f"

test/integration/crl_test.go

@@ -11,6 +11,7 @@ import (
 	"path"
 	"path/filepath"
 	"strings"
+	"sync"
 	"testing"
 	"time"
 
@@ -21,10 +22,16 @@ import (
 	"github.com/letsencrypt/boulder/test/vars"
 )
 
+// crlUpdaterMu controls access to `runUpdater`, because two crl-updaters running
+// at once will result in errors trying to lease shards that are already leased.
+var crlUpdaterMu sync.Mutex
+
 // runUpdater executes the crl-updater binary with the -runOnce flag, and
 // returns when it completes.
 func runUpdater(t *testing.T, configFile string) {
 	t.Helper()
+	crlUpdaterMu.Lock()
+	defer crlUpdaterMu.Unlock()
 
 	binPath, err := filepath.Abs("bin/boulder")
 	test.AssertNotError(t, err, "computing boulder binary path")