Merge branch 'main' of github.com:letsencrypt/boulder into pb-identif…

…iers

cmd/boulder-ra/main.go

@@ -105,6 +105,13 @@ type Config struct {
 			AllowList string `validate:"omitempty"`
 		}
 
+		// MustStapleAllowList specifies the path to a YAML file containing a
+		// list of account IDs permitted to request certificates with the OCSP
+		// Must-Staple extension. If no path is specified, the extension is
+		// permitted for all accounts. If the file exists but is empty, the
+		// extension is disabled for all accounts.
+		MustStapleAllowList string `validate:"omitempty"`
+
 		// GoodKey is an embedded config stanza for the goodkey library.
 		GoodKey goodkey.Config
 
@@ -281,6 +288,14 @@ func main() {
 		}
 	}
 
+	var mustStapleAllowList *allowlist.List[int64]
+	if c.RA.MustStapleAllowList != "" {
+		data, err := os.ReadFile(c.RA.MustStapleAllowList)
+		cmd.FailOnError(err, "Failed to read allow list for Must-Staple extension")
+		mustStapleAllowList, err = allowlist.NewFromYAML[int64](data)
+		cmd.FailOnError(err, "Failed to parse allow list for Must-Staple extension")
+	}
+
 	if features.Get().AsyncFinalize && c.RA.FinalizeTimeout.Duration == 0 {
 		cmd.Fail("finalizeTimeout must be supplied when AsyncFinalize feature is enabled")
 	}
@@ -319,6 +334,7 @@ func main() {
 		authorizationLifetime,
 		pendingAuthorizationLifetime,
 		validationProfiles,
+		mustStapleAllowList,
 		pubc,
 		c.RA.OrderLifetime.Duration,
 		c.RA.FinalizeTimeout.Duration,

core/objects.go

@@ -317,6 +317,11 @@ type Authorization struct {
 	// as part of the authorization, the identifier we store in the database
 	// can contain an asterisk.
 	Wildcard bool `json:"wildcard,omitempty" db:"-"`
+
+	// CertificateProfileName is the name of the profile associated with the
+	// order that first resulted in the creation of this authorization. Omitted
+	// from API responses.
+	CertificateProfileName string `json:"-"`
 }
 
 // FindChallengeByStringID will look for a challenge matching the given ID inside

core/proto/core.proto

@@ -93,7 +93,7 @@ message Registration {
 }
 
 message Authorization {
-  // Next unused field number: 11
+  // Next unused field number: 12
   reserved 5, 7, 8;
   string id = 1;
   int64 registrationID = 3;
@@ -103,7 +103,8 @@ message Authorization {
   string status = 4;
   google.protobuf.Timestamp expires = 9;
   repeated core.Challenge challenges = 6;
-  core.Identifier identifier = 10;
+  string certificateProfileName = 10;
+  core.Identifier identifier = 11;
   // We do not directly represent the "wildcard" field, instead inferring it
   // from the identifier value.
 }

go.mod

@@ -36,11 +36,11 @@ require (
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.30.0
 	go.opentelemetry.io/otel/sdk v1.30.0
 	go.opentelemetry.io/otel/trace v1.30.0
-	golang.org/x/crypto v0.27.0
+	golang.org/x/crypto v0.32.0
 	golang.org/x/net v0.29.0
-	golang.org/x/sync v0.8.0
-	golang.org/x/term v0.24.0
-	golang.org/x/text v0.18.0
+	golang.org/x/sync v0.10.0
+	golang.org/x/term v0.28.0
+	golang.org/x/text v0.21.0
 	google.golang.org/grpc v1.66.1
 	google.golang.org/protobuf v1.34.2
 	gopkg.in/yaml.v3 v3.0.1
@@ -84,7 +84,7 @@ require (
 	go.opentelemetry.io/otel/metric v1.30.0 // indirect
 	go.opentelemetry.io/proto/otlp v1.3.1 // indirect
 	golang.org/x/mod v0.18.0 // indirect
-	golang.org/x/sys v0.25.0 // indirect
+	golang.org/x/sys v0.29.0 // indirect
 	golang.org/x/tools v0.22.0 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20240903143218-8af14fe29dc1 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1 // indirect