Adding support for multiple issuers to publisher #5272
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Publisher currently loads a PEM formatted certificate bundle from file using LoadCertBundle a utility function in the core package. LoadCertBundle parses the PEM file to a slice of x509.Certificates and returns them to boulder-publisher (without checking validity). Using these x509 Certificates, boulder-publisher to construct an ANSN1Cert bundle. This bundle is passed to each new publisher instance. publisher then unconditionally appends this bundle to each end-entity precertificate for submission to CT logs. This change augments this process to add support for multiple issuers using the IssuerNameID in the Issuance package. config field Common.CT.CertificateBundleFilname has been replaced with the Chains field. LoadChain a utility function added in PR #5271. LoadChain validates the chain (which nets us some added deploy-time safety) before returning it to boulder-publisher. Using these x509 Certificates, boulder-publisher constructs a mapping of IssuerNameID to ASN1Cert bundle and passes this to each new publisher instance. When publisher receives a request it determines the IssuerNameID of the precertificate to select and append the correct ASN1Cert bundle for a given Issuer. A followup issue #5269 has been created to address removal of the Common field from the publisher configuration and code has been commented with TODOs where code will need to be removed or refactored. Fixes #1669
aarongable
requested changes
Feb 4, 2021
Publisher currently loads a PEM formatted certificate bundle from file using LoadCertBundle a utility function in the core package. LoadCertBundle parses the PEM file to a slice of x509.Certificates and returns them to boulder-publisher (without checking validity). Using these x509 Certificates, boulder-publisher to construct an ANSN1Cert bundle. This bundle is passed to each new publisher instance. publisher then unconditionally appends this bundle to each end-entity precertificate for submission to CT logs. This change augments this process to add support for multiple issuers using the IssuerNameID in the Issuance package. config field Common.CT.CertificateBundleFilname has been replaced with the Chains field. LoadChain a utility function added in PR #5271. LoadChain validates the chain (which nets us some added deploy-time safety) before returning it to boulder-publisher. Using these x509 Certificates, boulder-publisher constructs a mapping of IssuerNameID to ASN1Cert bundle and passes this to each new publisher instance. When publisher receives a request it determines the IssuerNameID of the precertificate to select and append the correct ASN1Cert bundle for a given Issuer. A followup issue #5269 has been created to address removal of the Common field from the publisher configuration and code has been commented with TODOs where code will need to be removed or refactored. Fixes #1669
…tsencrypt/boulder into publisher-multi-issuer-update
beautifulentropy
force-pushed
the
publisher-multi-issuer-update
branch
from
27880d4
to
c4ce28d
Compare
aarongable
approved these changes
Feb 8, 2021
jsha
approved these changes
Feb 8, 2021
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Publisher currently loads a PEM formatted certificate bundle from file
using LoadCertBundle a utility function in the core package.
LoadCertBundle parses the PEM file to a slice of x509.Certificates and
returns them to boulder-publisher (without checking validity). Using
these x509 Certificates, boulder-publisher to construct an ASN1Cert
bundle. This bundle is passed to each new publisher instance. When
publisher receives a request it unconditionally appends this bundle to
each end-entity precertificate for submission to CT logs.
This change augments this process to add support for multiple issuers
using the IssuerNameID concept in the Issuance package. Config field
Common.CT.CertificateBundleFilename has been replaced with the Chains
field. LoadChain, a utility function added in PR #5271, loads and
validates the chain (which nets us some added deploy-time safety) before
returning it to boulder-publisher. Using these x509 Certificates,
boulder-publisher constructs a mapping of IssuerNameID to ASN1Cert
bundle and passes this to each new publisher instance. When publisher
receives a request it determines the IssuerNameID of the precertificate
to select and append the correct ASN1Cert bundle for a given Issuer.
A followup issue #5269 has been created to address removal of the Common
field from the publisher configuration and code has been commented with
TODOs where code will need to be removed or refactored.
Fixes #1669