From be32e64730add8ac5f6d6a2d7cc161791489f838 Mon Sep 17 00:00:00 2001 From: Samantha Date: Thu, 11 Jan 2024 13:50:50 -0500 Subject: [PATCH 1/4] RA/CA: Make MaxNames field consistent and supply default --- cmd/boulder-ca/main.go | 15 ++++++++++----- cmd/boulder-ra/main.go | 15 +++++++++++---- 2 files changed, 21 insertions(+), 9 deletions(-) diff --git a/cmd/boulder-ca/main.go b/cmd/boulder-ca/main.go index a455da0ee0d..ab8902b2586 100644 --- a/cmd/boulder-ca/main.go +++ b/cmd/boulder-ca/main.go @@ -48,8 +48,11 @@ type Config struct { // What digits we should prepend to serials after randomly generating them. SerialPrefix int `validate:"required,min=1,max=127"` - - // The maximum number of subjectAltNames in a single certificate + // MaxNames is the maximum number of subjectAltNames in a single cert. + // The value supplied MUST be greater than 0 and no more than 100, + // defaults to 100. These limits are per section 7.1 of our combined + // CP/CPS, under "DV-SSL Subscriber Certificate". The value must match + // the RA and WFE configurations. MaxNames int `validate:"required,min=1,max=100"` // LifespanOCSP is how long OCSP responses are valid for. Per the BRs, @@ -162,8 +165,10 @@ func main() { c.CA.DebugAddr = *debugAddr } - if c.CA.MaxNames == 0 { - cmd.Fail("Error in CA config: MaxNames must not be 0") + maxNames := c.CA.MaxNames + if maxNames == 0 { + // Use default. + maxNames = 100 } if c.CA.LifespanOCSP.Duration == 0 { @@ -276,7 +281,7 @@ func main() { c.CA.Expiry.Duration, c.CA.Backdate.Duration, c.CA.SerialPrefix, - c.CA.MaxNames, + maxNames, kp, logger, scope, diff --git a/cmd/boulder-ra/main.go b/cmd/boulder-ra/main.go index 8dcb0743326..b1f1574961b 100644 --- a/cmd/boulder-ra/main.go +++ b/cmd/boulder-ra/main.go @@ -42,7 +42,12 @@ type Config struct { PublisherService *cmd.GRPCClientConfig AkamaiPurgerService *cmd.GRPCClientConfig - MaxNames int `validate:"required,min=1"` + // MaxNames is the maximum number of subjectAltNames in a single cert. + // The value supplied MUST be greater than 0 and no more than 100, + // defaults to 100. These limits are per section 7.1 of our combined + // CP/CPS, under "DV-SSL Subscriber Certificate". The value must match + // the CA and WFE configurations. + MaxNames int `validate:"required,min=1,max=100"` // AuthorizationLifetimeDays defines how long authorizations will be // considered valid for. Given a value of 300 days when used with a 90-day @@ -223,8 +228,10 @@ func main() { kp, err := sagoodkey.NewKeyPolicy(&c.RA.GoodKey, sac.KeyBlocked) cmd.FailOnError(err, "Unable to create key policy") - if c.RA.MaxNames == 0 { - cmd.Fail("Error in RA config: MaxNames must not be 0") + maxNames := c.RA.MaxNames + if maxNames == 0 { + // Use default. + maxNames = 100 } rai := ra.NewRegistrationAuthorityImpl( @@ -233,7 +240,7 @@ func main() { scope, c.RA.MaxContactsPerRegistration, kp, - c.RA.MaxNames, + maxNames, authorizationLifetime, pendingAuthorizationLifetime, pubc, From 2e14cbc57af129462f267fa3ef607a13cab5653f Mon Sep 17 00:00:00 2001 From: Samantha Date: Thu, 11 Jan 2024 16:16:44 -0500 Subject: [PATCH 2/4] Allow default to be used. --- cmd/boulder-ca/main.go | 5 +++-- cmd/boulder-ra/main.go | 4 ++-- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/cmd/boulder-ca/main.go b/cmd/boulder-ca/main.go index ab8902b2586..bf9091cb5ab 100644 --- a/cmd/boulder-ca/main.go +++ b/cmd/boulder-ca/main.go @@ -48,12 +48,13 @@ type Config struct { // What digits we should prepend to serials after randomly generating them. SerialPrefix int `validate:"required,min=1,max=127"` + // MaxNames is the maximum number of subjectAltNames in a single cert. - // The value supplied MUST be greater than 0 and no more than 100, + // The value supplied SHOULD be greater than 0 and no more than 100, // defaults to 100. These limits are per section 7.1 of our combined // CP/CPS, under "DV-SSL Subscriber Certificate". The value must match // the RA and WFE configurations. - MaxNames int `validate:"required,min=1,max=100"` + MaxNames int `validate:"min=0,max=100"` // LifespanOCSP is how long OCSP responses are valid for. Per the BRs, // Section 4.9.10, it MUST NOT be more than 10 days. Default 96h. diff --git a/cmd/boulder-ra/main.go b/cmd/boulder-ra/main.go index b1f1574961b..fac26f0f9a7 100644 --- a/cmd/boulder-ra/main.go +++ b/cmd/boulder-ra/main.go @@ -43,11 +43,11 @@ type Config struct { AkamaiPurgerService *cmd.GRPCClientConfig // MaxNames is the maximum number of subjectAltNames in a single cert. - // The value supplied MUST be greater than 0 and no more than 100, + // The value supplied SHOULD be greater than 0 and no more than 100, // defaults to 100. These limits are per section 7.1 of our combined // CP/CPS, under "DV-SSL Subscriber Certificate". The value must match // the CA and WFE configurations. - MaxNames int `validate:"required,min=1,max=100"` + MaxNames int `validate:"min=0,max=100"` // AuthorizationLifetimeDays defines how long authorizations will be // considered valid for. Given a value of 300 days when used with a 90-day From 665807987ac4144421ad06fea8a13bb792ebee3a Mon Sep 17 00:00:00 2001 From: Samantha Date: Tue, 16 Jan 2024 16:58:09 -0500 Subject: [PATCH 3/4] Addressing comments. --- cmd/boulder-ca/main.go | 12 +++++------- cmd/boulder-ra/main.go | 12 +++++------- 2 files changed, 10 insertions(+), 14 deletions(-) diff --git a/cmd/boulder-ca/main.go b/cmd/boulder-ca/main.go index bf9091cb5ab..5691e7aa487 100644 --- a/cmd/boulder-ca/main.go +++ b/cmd/boulder-ca/main.go @@ -50,11 +50,11 @@ type Config struct { SerialPrefix int `validate:"required,min=1,max=127"` // MaxNames is the maximum number of subjectAltNames in a single cert. - // The value supplied SHOULD be greater than 0 and no more than 100, + // The value supplied MUST be greater than 0 and no more than 100, // defaults to 100. These limits are per section 7.1 of our combined // CP/CPS, under "DV-SSL Subscriber Certificate". The value must match // the RA and WFE configurations. - MaxNames int `validate:"min=0,max=100"` + MaxNames int `validate:"required,min=1,max=100"` // LifespanOCSP is how long OCSP responses are valid for. Per the BRs, // Section 4.9.10, it MUST NOT be more than 10 days. Default 96h. @@ -166,10 +166,8 @@ func main() { c.CA.DebugAddr = *debugAddr } - maxNames := c.CA.MaxNames - if maxNames == 0 { - // Use default. - maxNames = 100 + if c.CA.MaxNames == 0 { + cmd.Fail("Error in CA config: MaxNames must not be 0") } if c.CA.LifespanOCSP.Duration == 0 { @@ -282,7 +280,7 @@ func main() { c.CA.Expiry.Duration, c.CA.Backdate.Duration, c.CA.SerialPrefix, - maxNames, + c.CA.MaxNames, kp, logger, scope, diff --git a/cmd/boulder-ra/main.go b/cmd/boulder-ra/main.go index fac26f0f9a7..d2f37c1e8bb 100644 --- a/cmd/boulder-ra/main.go +++ b/cmd/boulder-ra/main.go @@ -43,11 +43,11 @@ type Config struct { AkamaiPurgerService *cmd.GRPCClientConfig // MaxNames is the maximum number of subjectAltNames in a single cert. - // The value supplied SHOULD be greater than 0 and no more than 100, + // The value supplied MUST be greater than 0 and no more than 100, // defaults to 100. These limits are per section 7.1 of our combined // CP/CPS, under "DV-SSL Subscriber Certificate". The value must match // the CA and WFE configurations. - MaxNames int `validate:"min=0,max=100"` + MaxNames int `validate:"required,min=1,max=100"` // AuthorizationLifetimeDays defines how long authorizations will be // considered valid for. Given a value of 300 days when used with a 90-day @@ -228,10 +228,8 @@ func main() { kp, err := sagoodkey.NewKeyPolicy(&c.RA.GoodKey, sac.KeyBlocked) cmd.FailOnError(err, "Unable to create key policy") - maxNames := c.RA.MaxNames - if maxNames == 0 { - // Use default. - maxNames = 100 + if c.RA.MaxNames == 0 { + cmd.Fail("Error in RA config: MaxNames must not be 0") } rai := ra.NewRegistrationAuthorityImpl( @@ -240,7 +238,7 @@ func main() { scope, c.RA.MaxContactsPerRegistration, kp, - maxNames, + c.RA.MaxNames, authorizationLifetime, pendingAuthorizationLifetime, pubc, From 1fc48fb98764d3a0371a69a8acb55c1a019dca35 Mon Sep 17 00:00:00 2001 From: Samantha Date: Tue, 16 Jan 2024 17:06:19 -0500 Subject: [PATCH 4/4] Addressing comments. --- cmd/boulder-ca/main.go | 8 ++++---- cmd/boulder-ra/main.go | 8 ++++---- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/cmd/boulder-ca/main.go b/cmd/boulder-ca/main.go index 5691e7aa487..f9deb2f4169 100644 --- a/cmd/boulder-ca/main.go +++ b/cmd/boulder-ca/main.go @@ -50,10 +50,10 @@ type Config struct { SerialPrefix int `validate:"required,min=1,max=127"` // MaxNames is the maximum number of subjectAltNames in a single cert. - // The value supplied MUST be greater than 0 and no more than 100, - // defaults to 100. These limits are per section 7.1 of our combined - // CP/CPS, under "DV-SSL Subscriber Certificate". The value must match - // the RA and WFE configurations. + // The value supplied MUST be greater than 0 and no more than 100. These + // limits are per section 7.1 of our combined CP/CPS, under "DV-SSL + // Subscriber Certificate". The value must match the RA and WFE + // configurations. MaxNames int `validate:"required,min=1,max=100"` // LifespanOCSP is how long OCSP responses are valid for. Per the BRs, diff --git a/cmd/boulder-ra/main.go b/cmd/boulder-ra/main.go index d2f37c1e8bb..c63d7a3a095 100644 --- a/cmd/boulder-ra/main.go +++ b/cmd/boulder-ra/main.go @@ -43,10 +43,10 @@ type Config struct { AkamaiPurgerService *cmd.GRPCClientConfig // MaxNames is the maximum number of subjectAltNames in a single cert. - // The value supplied MUST be greater than 0 and no more than 100, - // defaults to 100. These limits are per section 7.1 of our combined - // CP/CPS, under "DV-SSL Subscriber Certificate". The value must match - // the CA and WFE configurations. + // The value supplied MUST be greater than 0 and no more than 100. These + // limits are per section 7.1 of our combined CP/CPS, under "DV-SSL + // Subscriber Certificate". The value must match the CA and WFE + // configurations. MaxNames int `validate:"required,min=1,max=100"` // AuthorizationLifetimeDays defines how long authorizations will be