issuance: add CRLDistributionPoints to certs #7974

Merged: 9 commits, Jan 30, 2025
@jsha jsha commented Jan 24, 2025

The CRLDP is included only when the profile's IncludeCRLDistributionPoints field is true.

Introduce a new config field for issuers, CRLShards. If IncludeCRLDistributionPoints is true and this is zero, issuance will error.

The CRL shard is assigned at issuance time based on the (random) low bits of the serial number.

Part of #7094.

Base automatically changed from crls-in-revocation-test to main January 24, 2025 02:49
@jsha jsha marked this pull request as ready for review January 27, 2025 19:37
@jsha jsha requested a review from a team as a code owner January 27, 2025 19:37
@jsha jsha requested a review from beautifulentropy January 27, 2025 19:37

@jsha, this PR appears to contain configuration and/or SQL schema changes. Please ensure that a corresponding deployment ticket has been filed with the new values.

@jsha jsha marked this pull request as draft January 28, 2025 18:31
@jsha jsha changed the base branch from main to add-includecrldistributionpoints January 29, 2025 20:08
@jsha jsha changed the title ca: set CRLDP when CRLShards > 0 issuance: add CRLDistributionPoints to certs Jan 29, 2025
@jsha jsha marked this pull request as ready for review January 29, 2025 21:11
@jsha jsha requested a review from a team January 30, 2025 18:39
@jprenken jprenken requested a review from aarongable January 30, 2025 19:47
jprenken previously approved these changes Jan 30, 2025
jsha added a commit that referenced this pull request Jan 30, 2025
To achieve this without breaking hashes of deployed configs, create a
ProfileConfigNew containing the new field (and removing some deprecated
fields).

Move the CA's profile-hashing logic into the `issuance` package, and
gate it on the presence of IncludeCRLDistributionPoints. If that field
is false (the default), create an instance of the old `ProfileConfig`
with the appropriate values and encode/hash that instead.

Note: the IncludeCRLDistributionPoints field does not yet control any
behavior. That will be part of #7974.

Part of #7094
Base automatically changed from add-includecrldistributionpoints to main January 30, 2025 19:48
@jsha jsha dismissed jprenken’s stale review January 30, 2025 19:48

The base branch was changed.

jsha added 8 commits January 30, 2025 11:50
The CRLDP is included only when the profile's IncludeCRLDistributionPoints
field is true.

Introduce a new config field for issuers, CRLShards. If this is zero
and IncludeCRLDistributionPoints is true, issuance will error.

The CRL shard is assigned at issuance time based on the (random) low bits of the
serial number.
@aarongable aarongable merged commit f11475c into main Jan 30, 2025
12 checks passed
@aarongable aarongable deleted the ca-sets-crldp branch January 30, 2025 22:39
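
The shard assignment and the zero-`CRLShards` error described in the PR description, as an added sketch that is not code from this pull request or from the project. It assumes that "low bits" means the serial number modulo `CRLShards`, that shards are numbered from 1, and a hypothetical `urlBase` with a `<shard>.crl` layout; the function names are also hypothetical.

```go
package main

import (
	"crypto/x509"
	"errors"
	"fmt"
	"math/big"
)

// shardForSerial picks a 1-based CRL shard from the serial number.
// Assumption: "low bits" is implemented as serial mod crlShards.
func shardForSerial(serial *big.Int, crlShards int) (int, error) {
	if crlShards <= 0 {
		return 0, errors.New("IncludeCRLDistributionPoints is true but CRLShards is zero")
	}
	if serial == nil || serial.Sign() <= 0 {
		return 0, errors.New("serial number must be a positive integer")
	}
	rem := new(big.Int).Mod(serial, big.NewInt(int64(crlShards)))
	return int(rem.Int64()) + 1, nil
}

// setCRLDP fills tmpl.CRLDistributionPoints when the profile asks for it.
// urlBase and the "<shard>.crl" layout are hypothetical.
func setCRLDP(tmpl *x509.Certificate, include bool, crlShards int, urlBase string) error {
	if !include {
		return nil // profile opted out: the certificate carries no CRLDP
	}
	shard, err := shardForSerial(tmpl.SerialNumber, crlShards)
	if err != nil {
		return err // fail issuance rather than emit a certificate with no usable CRLDP
	}
	tmpl.CRLDistributionPoints = []string{fmt.Sprintf("%s%d.crl", urlBase, shard)}
	return nil
}

func main() {
	// Constructed serial: a prefix byte followed by sample "random" bytes.
	serial, _ := new(big.Int).SetString("7f00a1b2c3d4e5f60718293a4b5c6d7e8f90", 16)
	tmpl := &x509.Certificate{SerialNumber: serial}
	if err := setCRLDP(tmpl, true, 128, "http://crl.example/"); err != nil {
		fmt.Println("issuance error:", err)
		return
	}
	fmt.Println(tmpl.CRLDistributionPoints)
	fmt.Println(setCRLDP(&x509.Certificate{SerialNumber: serial}, true, 0, "http://crl.example/"))
}
```

Because the shard is a pure function of the serial number and the shard count, anything that later needs to find the CRL for a certificate can recompute it, provided the shard count in effect at issuance is the one used.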