Merge branch 'main' into refund-after-check-completion

ca/ca_test.go

@@ -168,8 +168,8 @@ func init() {
 	if err != nil {
 		panic(fmt.Sprintf("Unable to parse %q: %s", caCertFile2, err))
 	}
-	caLinter, _ = linter.New(caCert.Certificate, caKey, []string{"n_subject_common_name_included"})
-	caLinter2, _ = linter.New(caCert2.Certificate, caKey, []string{"n_subject_common_name_included"})
+	caLinter, _ = linter.New(caCert.Certificate, caKey, []string{"w_subject_common_name_included"})
+	caLinter2, _ = linter.New(caCert2.Certificate, caKey, []string{"w_subject_common_name_included"})
 }
 
 func setup(t *testing.T) *testCtx {

ca/ocsp.go

@@ -20,16 +20,10 @@ import (
 	blog "github.com/letsencrypt/boulder/log"
 )
 
-// TODO(#5152): Simplify this when we've fully deprecated old-style IssuerIDs.
-type ocspIssuerMaps struct {
-	byID     map[issuance.IssuerID]*issuance.Issuer
-	byNameID map[issuance.IssuerNameID]*issuance.Issuer
-}
-
 // ocspImpl provides a backing implementation for the OCSP gRPC service.
 type ocspImpl struct {
 	capb.UnimplementedOCSPGeneratorServer
-	issuers        ocspIssuerMaps
+	issuers        map[issuance.IssuerNameID]*issuance.Issuer
 	ocspLifetime   time.Duration
 	ocspLogQueue   *ocspLogQueue
 	log            blog.Logger
@@ -38,20 +32,6 @@ type ocspImpl struct {
 	clk            clock.Clock
 }
 
-// makeOCSPIssuerMaps processes a list of issuers into a set of maps, mapping
-// nearly-unique identifiers of those issuers to the issuers themselves. Note
-// that, if two issuers have the same nearly-unique ID, the *latter* one in
-// the input list "wins".
-func makeOCSPIssuerMaps(issuers []*issuance.Issuer) ocspIssuerMaps {
-	issuersByID := make(map[issuance.IssuerID]*issuance.Issuer, len(issuers))
-	issuersByNameID := make(map[issuance.IssuerNameID]*issuance.Issuer, len(issuers))
-	for _, issuer := range issuers {
-		issuersByID[issuer.ID()] = issuer
-		issuersByNameID[issuer.Cert.NameID()] = issuer
-	}
-	return ocspIssuerMaps{issuersByID, issuersByNameID}
-}
-
 func NewOCSPImpl(
 	issuers []*issuance.Issuer,
 	ocspLifetime time.Duration,
@@ -63,9 +43,9 @@ func NewOCSPImpl(
 	signErrorCount *prometheus.CounterVec,
 	clk clock.Clock,
 ) (*ocspImpl, error) {
-	issuersByID := make(map[issuance.IssuerID]*issuance.Issuer, len(issuers))
+	issuersByNameID := make(map[issuance.IssuerNameID]*issuance.Issuer, len(issuers))
 	for _, issuer := range issuers {
-		issuersByID[issuer.ID()] = issuer
+		issuersByNameID[issuer.Cert.NameID()] = issuer
 	}
 
 	if ocspLifetime < 8*time.Hour || ocspLifetime > 7*24*time.Hour {
@@ -77,10 +57,8 @@ func NewOCSPImpl(
 		ocspLogQueue = newOCSPLogQueue(ocspLogMaxLength, ocspLogPeriod, stats, logger)
 	}
 
-	issuerMaps := makeOCSPIssuerMaps(issuers)
-
 	oi := &ocspImpl{
-		issuers:        issuerMaps,
+		issuers:        issuersByNameID,
 		ocspLifetime:   ocspLifetime,
 		ocspLogQueue:   ocspLogQueue,
 		log:            logger,
@@ -122,13 +100,9 @@ func (oi *ocspImpl) GenerateOCSP(ctx context.Context, req *capb.GenerateOCSPRequ
 	}
 	serial := serialInt
 
-	issuer, ok := oi.issuers.byNameID[issuance.IssuerNameID(req.IssuerID)]
+	issuer, ok := oi.issuers[issuance.IssuerNameID(req.IssuerID)]
 	if !ok {
-		// TODO(#5152): Remove this fallback to old-style IssuerIDs.
-		issuer, ok = oi.issuers.byID[issuance.IssuerID(req.IssuerID)]
-		if !ok {
-			return nil, fmt.Errorf("This CA doesn't have an issuer cert with ID %d", req.IssuerID)
-		}
+		return nil, fmt.Errorf("unrecognized issuer ID %d", req.IssuerID)
 	}
 
 	now := oi.clk.Now().Truncate(time.Minute)

ca/ocsp_test.go

@@ -49,7 +49,7 @@ func TestOCSP(t *testing.T) {
 	ocspi := testCtx.ocsp
 
 	// Issue a certificate from the RSA issuer caCert, then check OCSP comes from the same issuer.
-	rsaIssuerID := ca.issuers.byAlg[x509.RSA].ID()
+	rsaIssuerID := ca.issuers.byAlg[x509.RSA].Cert.NameID()
 	rsaCertPB, err := ca.IssuePrecertificate(ctx, &capb.IssueCertificateRequest{Csr: CNandSANCSR, RegistrationID: arbitraryRegID})
 	test.AssertNotError(t, err, "Failed to issue certificate")
 	rsaCert, err := x509.ParseCertificate(rsaCertPB.DER)
@@ -67,7 +67,7 @@ func TestOCSP(t *testing.T) {
 	test.AssertEquals(t, rsaOCSP.SerialNumber.Cmp(rsaCert.SerialNumber), 0)
 
 	// Issue a certificate from the ECDSA issuer caCert2, then check OCSP comes from the same issuer.
-	ecdsaIssuerID := ca.issuers.byAlg[x509.ECDSA].ID()
+	ecdsaIssuerID := ca.issuers.byAlg[x509.ECDSA].Cert.NameID()
 	ecdsaCertPB, err := ca.IssuePrecertificate(ctx, &capb.IssueCertificateRequest{Csr: ECDSACSR, RegistrationID: arbitraryRegID})
 	test.AssertNotError(t, err, "Failed to issue certificate")
 	ecdsaCert, err := x509.ParseCertificate(ecdsaCertPB.DER)

cmd/cert-checker/main_test.go

@@ -600,7 +600,7 @@ func TestIgnoredLint(t *testing.T) {
 		},
 		BasicConstraintsValid: true,
 		IsCA:                  true,
-		IssuingCertificateURL: []string{"http://ca.cpu"},
+		IssuingCertificateURL: []string{"http://aia.example.org"},
 		SubjectKeyId:          []byte("foobar"),
 	}
 
@@ -636,7 +636,7 @@ func TestIgnoredLint(t *testing.T) {
 	// missing OCSP url in the template.
 	expectedProblems := []string{
 		"zlint error: e_sub_cert_aia_does_not_contain_ocsp_url",
-		"zlint info: n_subject_common_name_included",
+		"zlint warn: w_subject_common_name_included",
 		"zlint info: w_ct_sct_policy_count_unsatisfied Certificate had 0 embedded SCTs. Browser policy may require 2 for this certificate.",
 		"zlint error: e_scts_from_same_operator Certificate had too few embedded SCTs; browser policy requires 2.",
 	}
@@ -652,7 +652,7 @@ func TestIgnoredLint(t *testing.T) {
 	// lints. This should return no problems.
 	_, problems = checker.checkCert(context.Background(), cert, map[string]bool{
 		"e_sub_cert_aia_does_not_contain_ocsp_url": true,
-		"n_subject_common_name_included":           true,
+		"w_subject_common_name_included":           true,
 		"w_ct_sct_policy_count_unsatisfied":        true,
 		"e_scts_from_same_operator":                true,
 	})

go.mod

@@ -25,19 +25,19 @@ require (
 	github.com/prometheus/client_model v0.4.0
 	github.com/redis/go-redis/v9 v9.3.0
 	github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399
-	github.com/weppos/publicsuffix-go v0.30.1-0.20230620154423-38c92ad2d5c6
-	github.com/zmap/zcrypto v0.0.0-20230310154051-c8b263fd8300
-	github.com/zmap/zlint/v3 v3.5.0
+	github.com/weppos/publicsuffix-go v0.30.2-0.20230730094716-a20f9abcc222
+	github.com/zmap/zcrypto v0.0.0-20231219022726-a1f61fb1661c
+	github.com/zmap/zlint/v3 v3.6.0
 	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.46.1
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.46.1
 	go.opentelemetry.io/otel v1.21.0
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.21.0
 	go.opentelemetry.io/otel/sdk v1.21.0
 	go.opentelemetry.io/otel/trace v1.21.0
-	golang.org/x/crypto v0.17.0
-	golang.org/x/net v0.19.0
+	golang.org/x/crypto v0.18.0
+	golang.org/x/net v0.20.0
 	golang.org/x/sync v0.4.0
-	golang.org/x/term v0.15.0
+	golang.org/x/term v0.16.0
 	golang.org/x/text v0.14.0
 	google.golang.org/grpc v1.60.1
 	google.golang.org/protobuf v1.32.0
@@ -73,15 +73,15 @@ require (
 	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0 // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
-	github.com/pelletier/go-toml v1.9.3 // indirect
+	github.com/pelletier/go-toml v1.9.5 // indirect
 	github.com/poy/onpar v1.1.2 // indirect
 	github.com/prometheus/common v0.42.0 // indirect
 	github.com/prometheus/procfs v0.9.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.21.0 // indirect
 	go.opentelemetry.io/otel/metric v1.21.0 // indirect
 	go.opentelemetry.io/proto/otlp v1.0.0 // indirect
 	golang.org/x/mod v0.10.0 // indirect
-	golang.org/x/sys v0.15.0 // indirect
+	golang.org/x/sys v0.16.0 // indirect
 	golang.org/x/tools v0.8.0 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20231002182017-d307bd883b97 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20231212172506-995d672761c0 // indirect