ra: revoke with explicit CRL shard #7944
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jsha
force-pushed
the
revoke-with-explicit-shard
branch
from
24ec095 to
ae2e387
Compare
aarongable
reviewed
Jan 14, 2025
aarongable
approved these changes
Jan 17, 2025
| @@ -4081,3 +4069,60 @@ func TestUpdateRegistrationKey(t *testing.T) { | |||
| test.AssertContains(t, err.Error(), "failed to update registration key") | |||
| test.AssertContains(t, err.Error(), "mocked to always error") | |||
| } | |||
|
|
|||
| func TestCRLShard(t *testing.T) { | |||
There was a problem hiding this comment.
optional: This does seem like a reasonable candidate for a table driven test with
type testCase struct {
cdp []string
wantShard int64
wantErr error
}
There was a problem hiding this comment.
This is a good suggestion, but I'm going to take the easy path and merge as written.
aarongable
requested review from
a team and
jprenken
and removed request for
a team
jprenken
approved these changes
Jan 20, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
In RA.RevokedCertificate, if the certificate being revoked has a crlDistributionPoints extension, parse the URL and pass the appropriate shard to the SA.
This required some changes to the
admintool. When a malformed certificate is revoked, we don't have a parsed copy of the certificate to extract a CRL URL from. So, specifically when a malformed certificate is being revoked, allow specifying a CRL shard. Because different certificates will have different shards, require one-at-a-time revocation for malformed certificates.To support that refactoring, move the serial-cleaning functionality earlier in the
admintool's flow.Also, split out one of the cases handled by the
revokeCertificatehelper in the RA. For admin revocations, we need to accept a human-specified ShardIdx, so call the SA directly in that case (and skip stat increment since admin revocations aren't useful for metrics). This allowsrevokeCertificateto be a more helpful helper, by extracting serial, issuer ID, and CRL shard automatically from an*x509.Certificate.Note: we don't yet issue certificates with the crlDistributionPoints extension, so this code will not be active until we start doing so.
Part of #7094.