ACME v2 Finalize order support

ca/ca.go

@@ -413,6 +413,14 @@ func (ca *CertificateAuthorityImpl) IssueCertificate(ctx context.Context, issueR
 		return emptyCert, berrors.InternalServerError("RegistrationID is nil")
 	}
 
+	// OrderID is an optional field only used by the "ACME v2" issuance flow. If
+	// it isn't nil, then populate the `orderID` var with the request's OrderID.
+	// If it is nil, use the default int64 value of 0.
+	var orderID int64
+	if issueReq.OrderID != nil {
+		orderID = *issueReq.OrderID
+	}
+
 	serialBigInt, validity, err := ca.generateSerialNumberAndValidity()
 	if err != nil {
 		return emptyCert, err
@@ -423,7 +431,7 @@ func (ca *CertificateAuthorityImpl) IssueCertificate(ctx context.Context, issueR
 		return emptyCert, err
 	}
 
-	return ca.generateOCSPAndStoreCertificate(ctx, *issueReq.RegistrationID, serialBigInt, certDER)
+	return ca.generateOCSPAndStoreCertificate(ctx, *issueReq.RegistrationID, orderID, serialBigInt, certDER)
 }
 
 func (ca *CertificateAuthorityImpl) IssuePrecertificate(ctx context.Context, issueReq *caPB.IssueCertificateRequest) (*caPB.IssuePrecertificateResponse, error) {
@@ -591,7 +599,12 @@ func (ca *CertificateAuthorityImpl) issueCertificateOrPrecertificate(ctx context
 	return certDER, nil
 }
 
-func (ca *CertificateAuthorityImpl) generateOCSPAndStoreCertificate(ctx context.Context, regID int64, serialBigInt *big.Int, certDER []byte) (core.Certificate, error) {
+func (ca *CertificateAuthorityImpl) generateOCSPAndStoreCertificate(
+	ctx context.Context,
+	regID int64,
+	orderID int64,
+	serialBigInt *big.Int,
+	certDER []byte) (core.Certificate, error) {
 	ocspResp, err := ca.GenerateOCSP(ctx, core.OCSPSigningRequest{
 		CertDER: certDER,
 		Status:  "good",
@@ -610,11 +623,12 @@ func (ca *CertificateAuthorityImpl) generateOCSPAndStoreCertificate(ctx context.
 		// Note: This log line is parsed by cmd/orphan-finder. If you make any
 		// changes here, you should make sure they are reflected in orphan-finder.
 		ca.log.AuditErr(fmt.Sprintf(
-			"Failed RPC to store at SA, orphaning certificate: serial=[%s] cert=[%s] err=[%v], regID=[%d]",
+			"Failed RPC to store at SA, orphaning certificate: serial=[%s] cert=[%s] err=[%v], regID=[%d], orderID=[%d]",
 			core.SerialToString(serialBigInt),
 			hex.EncodeToString(certDER),
 			err,
 			regID,
+			orderID,
 		))
 		return core.Certificate{}, err
 	}

ca/proto/ca.proto

@@ -23,6 +23,7 @@ service OCSPGenerator {
 message IssueCertificateRequest {
   optional bytes csr = 1;
   optional int64 registrationID = 2;
+  optional int64 orderID = 3;
 }
 
 message IssuePrecertificateResponse {

core/interfaces.go

@@ -82,6 +82,9 @@ type RegistrationAuthority interface {
 	// [WebFrontEnd]
 	NewOrder(ctx context.Context, req *rapb.NewOrderRequest) (*corepb.Order, error)
 
+	// [WebFrontEnd]
+	FinalizeOrder(ctx context.Context, req *rapb.FinalizeOrderRequest) (*corepb.Order, error)
+
 	// [AdminRevoker]
 	AdministrativelyRevokeCertificate(ctx context.Context, cert x509.Certificate, code revocation.Reason, adminName string) error
 }
@@ -125,6 +128,7 @@ type StorageGetter interface {
 	CountFQDNSets(ctx context.Context, window time.Duration, domains []string) (count int64, err error)
 	FQDNSetExists(ctx context.Context, domains []string) (exists bool, err error)
 	GetOrder(ctx context.Context, req *sapb.OrderRequest) (*corepb.Order, error)
+	GetOrderAuthorizations(ctx context.Context, req *sapb.GetOrderAuthorizationsRequest) (map[string]*Authorization, error)
 	CountInvalidAuthorizations(ctx context.Context, req *sapb.CountInvalidAuthorizationsRequest) (count *sapb.Count, err error)
 	GetAuthorizations(ctx context.Context, req *sapb.GetAuthorizationsRequest) (*sapb.Authorizations, error)
 }
@@ -143,6 +147,8 @@ type StorageAdder interface {
 	DeactivateRegistration(ctx context.Context, id int64) error
 	DeactivateAuthorization(ctx context.Context, id string) error
 	NewOrder(ctx context.Context, order *corepb.Order) (*corepb.Order, error)
+	SetOrderProcessing(ctx context.Context, order *corepb.Order) error
+	FinalizeOrder(ctx context.Context, order *corepb.Order) error
 	AddPendingAuthorizations(ctx context.Context, req *sapb.AddPendingAuthorizationsRequest) (*sapb.AuthorizationIDs, error)
 }
 

core/objects.go

@@ -576,7 +576,6 @@ type Order struct {
 	ID                int64
 	RegistrationID    int64
 	Expires           time.Time
-	CSR               []byte
 	Error             error
 	CertificateSerial string
 	Authorizations    []Authorization