Add CRL capabilities to issuance package #7300
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
@aarongable, this PR appears to contain configuration changes. Please ensure that a corresponding deployment ticket has been filed with the new configuration values. |
jsha
requested changes
Feb 6, 2024
| boulderProfile.Lints, | ||
| time.Hour, | ||
| issuance.CRLProfileConfig{ | ||
| ValidityInterval: config.Duration{Duration: 216 * time.Hour}, |
There was a problem hiding this comment.
I think it was @beautifulentropy who provided a nice distinction:
- period: a span of time, unanchored from any particular instance (i.e. a duration)
- interval: a span of time anchored to a specific beginning and end time
So ValidityPeriod would be nice here.
There was a problem hiding this comment.
I agree, except that "Validity Period" is defined by RFC 5280 as being a thing that applies to certificates only (i.e. between NotBefore and NotAfter), while "Validity Interval" is the term used by the BRs to speak about CRL and OCSP responses (i.e. between ThisUpdate and NextUpdate): https://github.com/cabforum/servercert/blob/main/docs/BR.md#4910-on-line-revocation-checking-requirements
jsha
previously approved these changes
Feb 8, 2024
beautifulentropy
previously approved these changes
Feb 9, 2024
aarongable
dismissed stale reviews from beautifulentropy and jsha
via
89861bd
beautifulentropy
previously approved these changes
Feb 9, 2024
pgporada
reviewed
Feb 12, 2024
Co-authored-by: Phil Porada <[email protected]>
pgporada
approved these changes
Feb 12, 2024
beautifulentropy
approved these changes
Feb 13, 2024
maksimsavrilov
pushed a commit
to plesk/boulder
that referenced
this pull request
Feb 14, 2024
Move the CRL issuance logic -- building an x509.RevocationList template, populating it with correctly-built extensions, linting it, and actually signing it -- out of the //ca package and into the //issuance package. This means that the CA's CRL code no longer needs to be able to reach inside the issuance package to access its issuers and certificates (and those fields will be able to be made private after the same is done for OCSP issuance). Additionally, improve the configuration of CRL issuance, create additional checks on CRL's ThisUpdate and NextUpdate fields, and make it possible for a CRL to contain two IssuingDistributionPoint URIs so that we can migrate to shorter addresses. IN-10045 tracks the corresponding production changes. Fixes letsencrypt#7159 Part of letsencrypt#7296 Part of letsencrypt#7294 Part of letsencrypt#7094 Part of letsencrypt#7100
aarongable
added a commit
that referenced
this pull request
Apr 12, 2024
vbaranovskiy-plesk
pushed a commit
to plesk/boulder
that referenced
this pull request
May 30, 2024
This was missed in letsencrypt#7300 Part of letsencrypt#7296
vbaranovskiy-plesk
pushed a commit
to plesk/boulder
that referenced
this pull request
May 30, 2024
This was missed in letsencrypt#7300 Part of letsencrypt#7296
AlinaADmi
pushed a commit
to plesk/boulder
that referenced
this pull request
Jul 29, 2024
This was missed in letsencrypt#7300 Part of letsencrypt#7296
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Move the CRL issuance logic -- building an x509.RevocationList template, populating it with correctly-built extensions, linting it, and actually signing it -- out of the //ca package and into the //issuance package. This means that the CA's CRL code no longer needs to be able to reach inside the issuance package to access its issuers and certificates (and those fields will be able to be made private after the same is done for OCSP issuance).
Additionally, improve the configuration of CRL issuance, create additional checks on CRL's ThisUpdate and NextUpdate fields, and make it possible for a CRL to contain two IssuingDistributionPoint URIs so that we can migrate to shorter addresses.
Fixes #7159
Part of #7296
Part of #7294
Part of #7094
Part of #7100
IN-10045 tracks the corresponding production changes.
DO NOT MERGE before #7285DO NOT MERGE before #7299