RA/CA: Make MaxNames field consistent and supply default #7256

merged 6 commits into from
Jan 17, 2024
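--- a/cmd/boulder-ca/main.go
+++ b/cmd/boulder-ca/main.go
@@ -49,8 +49,12 @@ type Config struct {
 // What digits we should prepend to serials after randomly generating them.
 SerialPrefix int `validate:"required,min=1,max=127"`
 
-// The maximum number of subjectAltNames in a single certificate
-MaxNames int `validate:"required,min=1,max=100"`
+// MaxNames is the maximum number of subjectAltNames in a single cert.
+// The value supplied SHOULD be greater than 0 and no more than 100,
+// defaults to 100. These limits are per section 7.1 of our combined
+// CP/CPS, under "DV-SSL Subscriber Certificate". The value must match
+// the RA and WFE configurations.
+MaxNames int `validate:"min=0,max=100"`
 
 // LifespanOCSP is how long OCSP responses are valid for. Per the BRs,
 // Section 4.9.10, it MUST NOT be more than 10 days. Default 96h.
@@ -162,8 +166,10 @@ func main() {
 c.CA.DebugAddr = *debugAddr
 }
 
-if c.CA.MaxNames == 0 {
-cmd.Fail("Error in CA config: MaxNames must not be 0")
+maxNames := c.CA.MaxNames
+if maxNames == 0 {
+// Use default.
+maxNames = 100
 }
 
 if c.CA.LifespanOCSP.Duration == 0 {
@@ -276,7 +282,7 @@ func main() {
 c.CA.Expiry.Duration,
 c.CA.Backdate.Duration,
 c.CA.SerialPrefix,
-c.CA.MaxNames,
+maxNames,
 kp,
 logger,
 scope,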
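Review bot: In the second hunk, replacing `cmd.Fail` with a silent fallback to 100 drops the fail-fast behaviour an omitted `MaxNames` used to have, so an operator who forgets the field now runs the CA at the largest permitted SAN count and nothing in the log says so. The new struct comment says the value must match the RA and WFE configurations, but nothing in this diff checks that, so a defaulted CA and an explicitly lower RA would diverge without any signal. At minimum log the effective value where the default is applied, e.g. `logger.Infof("CA config MaxNames not set; defaulting to %d", maxNames)` — assuming `logger` is already initialised at that point in `main`, which the hunk does not show — and consider lifting the literal 100 into a named constant in a package both binaries already import so "must match" is one definition rather than two. `main` starts and ends outside every hunk shown here.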
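--- a/cmd/boulder-ra/main.go
+++ b/cmd/boulder-ra/main.go
@@ -42,7 +42,12 @@ type Config struct {
 PublisherService *cmd.GRPCClientConfig
 AkamaiPurgerService *cmd.GRPCClientConfig
 
-MaxNames int `validate:"required,min=1"`
+// MaxNames is the maximum number of subjectAltNames in a single cert.
+// The value supplied SHOULD be greater than 0 and no more than 100,
+// defaults to 100. These limits are per section 7.1 of our combined
+// CP/CPS, under "DV-SSL Subscriber Certificate". The value must match
+// the CA and WFE configurations.
+MaxNames int `validate:"min=0,max=100"`
 
 // AuthorizationLifetimeDays defines how long authorizations will be
 // considered valid for. Given a value of 300 days when used with a 90-day
@@ -223,8 +228,10 @@ func main() {
 kp, err := sagoodkey.NewKeyPolicy(&c.RA.GoodKey, sac.KeyBlocked)
 cmd.FailOnError(err, "Unable to create key policy")
 
-if c.RA.MaxNames == 0 {
-cmd.Fail("Error in RA config: MaxNames must not be 0")
+maxNames := c.RA.MaxNames
+if maxNames == 0 {
+// Use default.
+maxNames = 100
 }
 
 rai := ra.NewRegistrationAuthorityImpl(
@@ -233,7 +240,7 @@ func main() {
 scope,
 c.RA.MaxContactsPerRegistration,
 kp,
-c.RA.MaxNames,
+maxNames,
 authorizationLifetime,
 pendingAuthorizationLifetime,
 pubc,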
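Review bot: The bare literal `100` in the second hunk (`maxNames = 100`) is duplicated verbatim in `cmd/boulder-ca/main.go` and a third time in the field's `max=100` validate tag, with only a comment saying the values must match the CA and WFE. A single exported constant such as `const DefaultMaxNames = 100` in a package both binaries already import, used at the defaulting site in each `main`, would let a future policy change propagate from one place, and the field comment could then say `// Defaults to DefaultMaxNames when 0.` Separately, the old RA tag had no upper bound, so adding `max=100` is the right direction, but a deployment that previously ran with a larger RA value will presumably now be rejected at startup by the validator; that is worth stating in the PR description. The enclosing `main` starts and ends outside the hunk.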