https-github-com-bit
diff --git a/‎ca/ca.go‎
Lines changed: 72 additions & 49 deletions b/‎ca/ca.go‎
Lines changed: 72 additions & 49 deletions
diff --git a/‎ca/ca_test.go‎
Lines changed: 21 additions & 24 deletions b/‎ca/ca_test.go‎
Lines changed: 21 additions & 24 deletions
@@ -7,6 +7,7 @@ import (
 	"crypto/ecdsa"
 	"crypto/rand"
 	"crypto/rsa"
+	"crypto/sha256"
 	"crypto/x509"
 	"encoding/asn1"
 	"encoding/hex"
@@ -36,8 +37,8 @@ import (
 	corepb "github.com/letsencrypt/boulder/core/proto"
 	csrlib "github.com/letsencrypt/boulder/csr"
 	berrors "github.com/letsencrypt/boulder/errors"
+	"github.com/letsencrypt/boulder/features"
 	"github.com/letsencrypt/boulder/goodkey"
-	"github.com/letsencrypt/boulder/issuercerts"
 	blog "github.com/letsencrypt/boulder/log"
 	sapb "github.com/letsencrypt/boulder/sa/proto"
 )
@@ -115,9 +116,11 @@ const (
 type CertificateAuthorityImpl struct {
 	rsaProfile   string
 	ecdsaProfile string
+	// A map from issuer cert common name to an internalIssuer struct
+	issuers map[string]*internalIssuer
 	// A map from issuer ID to internalIssuer
-	idToIssuer map[issuercerts.ID]*internalIssuer
-	// The issuer that will be used for issuance (as opposed to OCSP signing)
+	idToIssuer map[int64]*internalIssuer
+	// The common name of the default issuer cert
 	defaultIssuer      *internalIssuer
 	sa                 certificateStorage
 	pa                 core.PolicyAuthority
@@ -163,12 +166,11 @@ func makeInternalIssuers(
 	issuers []Issuer,
 	policy *cfsslConfig.Signing,
 	lifespanOCSP time.Duration,
-) (map[issuercerts.ID]*internalIssuer, error) {
+) (map[string]*internalIssuer, error) {
 	if len(issuers) == 0 {
 		return nil, errors.New("No issuers specified.")
 	}
-	internalIssuers := make(map[issuercerts.ID]*internalIssuer)
-	cns := make(map[string]bool)
+	internalIssuers := make(map[string]*internalIssuer)
 	for _, iss := range issuers {
 		if iss.Cert == nil || iss.Signer == nil {
 			return nil, errors.New("Issuer with nil cert or signer specified.")
@@ -179,11 +181,10 @@ func makeInternalIssuers(
 		}
 
 		cn := iss.Cert.Subject.CommonName
-		if cns[cn] {
+		if internalIssuers[cn] != nil {
 			return nil, errors.New("Multiple issuer certs with the same CommonName are not supported")
 		}
-		id := issuercerts.FromCert(iss.Cert).ID()
-		internalIssuers[id] = &internalIssuer{
+		internalIssuers[cn] = &internalIssuer{
 			cert:       iss.Cert,
 			eeSigner:   eeSigner,
 			ocspSigner: iss.Signer,
@@ -192,8 +193,16 @@ func makeInternalIssuers(
 	return internalIssuers, nil
 }
 
+// idForIssuer generates a stable ID for an issuer certificate. This
+// is used for identifying which issuer issued a certificate in the
+// certificateStatus table.
+func idForIssuer(cert *x509.Certificate) int64 {
+	h := sha256.Sum256(cert.Raw)
+	return big.NewInt(0).SetBytes(h[:4]).Int64()
+}
+
 // NewCertificateAuthorityImpl creates a CA instance that can sign certificates
-// from a single issuer (the first in the issuers slice), and can sign OCSP
+// from a single issuer (the first first in the issuers slice), and can sign OCSP
 // for any of the issuer certificates provided.
 func NewCertificateAuthorityImpl(
 	config ca_config.CAConfig,
@@ -242,7 +251,7 @@ func NewCertificateAuthorityImpl(
 	if err != nil {
 		return nil, err
 	}
-	defaultIssuer := internalIssuers[issuercerts.FromCert(issuers[0].Cert).ID()]
+	defaultIssuer := internalIssuers[issuers[0].Cert.Subject.CommonName]
 
 	rsaProfile := config.RSAProfile
 	ecdsaProfile := config.ECDSAProfile
@@ -292,6 +301,7 @@ func NewCertificateAuthorityImpl(
 	ca = &CertificateAuthorityImpl{
 		sa:                 sa,
 		pa:                 pa,
+		issuers:            internalIssuers,
 		defaultIssuer:      defaultIssuer,
 		rsaProfile:         rsaProfile,
 		ecdsaProfile:       ecdsaProfile,
@@ -309,9 +319,9 @@ func NewCertificateAuthorityImpl(
 		signErrorCounter:   signErrorCounter,
 	}
 
-	ca.idToIssuer = make(map[issuercerts.ID]*internalIssuer)
-	for _, ii := range internalIssuers {
-		id := issuercerts.FromCert(ii.cert).ID()
+	ca.idToIssuer = make(map[int64]*internalIssuer)
+	for _, ii := range ca.issuers {
+		id := idForIssuer(ii.cert)
 		ca.idToIssuer[id] = ii
 	}
 
@@ -423,33 +433,48 @@ var ocspStatusToCode = map[string]int{
 func (ca *CertificateAuthorityImpl) GenerateOCSP(ctx context.Context, req *caPB.GenerateOCSPRequest) (*caPB.OCSPResponse, error) {
 	var issuer *internalIssuer
 	var serial *big.Int
-	if req.IssuerID == nil {
-		return nil, fmt.Errorf("no issuerID provided")
-	}
-	if req.Serial == nil {
-		return nil, fmt.Errorf("no serial provided")
-	}
 	// Once the feature is enabled we need to support both RPCs that include
 	// IssuerID and those that don't as we still need to be able to update rows
 	// that didn't have an IssuerID set when they were created. Once this feature
 	// has been enabled for a full OCSP lifetime cycle we can remove this
 	// functionality.
-	serialInt, err := core.StringToSerial(*req.Serial)
-	if err != nil {
-		return nil, err
-	}
-	serial = serialInt
-	var ok bool
-	issuer, ok = ca.idToIssuer[issuercerts.ID(*req.IssuerID)]
-	if !ok {
-		return nil, fmt.Errorf("This CA doesn't have an issuer cert with ID %d", *req.IssuerID)
-	}
-	exists, err := ca.sa.SerialExists(ctx, &sapb.Serial{Serial: req.Serial})
-	if err != nil {
-		return nil, err
-	}
-	if !*exists.Exists {
-		return nil, fmt.Errorf("GenerateOCSP was asked to sign OCSP for certification with unknown serial %q", *req.Serial)
+	if features.Enabled(features.StoreIssuerInfo) && req.IssuerID != nil {
+		serialInt, err := core.StringToSerial(*req.Serial)
+		if err != nil {
+			return nil, err
+		}
+		serial = serialInt
+		var ok bool
+		issuer, ok = ca.idToIssuer[*req.IssuerID]
+		if !ok {
+			return nil, fmt.Errorf("This CA doesn't have an issuer cert with ID %d", *req.IssuerID)
+		}
+		exists, err := ca.sa.SerialExists(ctx, &sapb.Serial{Serial: req.Serial})
+		if err != nil {
+			return nil, err
+		}
+		if !*exists.Exists {
+			return nil, fmt.Errorf("GenerateOCSP was asked to sign OCSP for certification with unknown serial %q", *req.Serial)
+		}
+	} else {
+		cert, err := x509.ParseCertificate(req.CertDER)
+		if err != nil {
+			ca.log.AuditErr(err.Error())
+			return nil, err
+		}
+
+		serial = cert.SerialNumber
+		cn := cert.Issuer.CommonName
+		issuer = ca.issuers[cn]
+		if issuer == nil {
+			return nil, fmt.Errorf("This CA doesn't have an issuer cert with CommonName %q", cn)
+		}
+		err = cert.CheckSignatureFrom(issuer.cert)
+		if err != nil {
+			return nil, fmt.Errorf("GenerateOCSP was asked to sign OCSP for cert "+
+				"%s from %q, but the cert's signature was not valid: %s.",
+				core.SerialToString(cert.SerialNumber), cn, err)
+		}
 	}
 
 	now := ca.clk.Now().Truncate(time.Hour)
@@ -498,16 +523,10 @@ func (ca *CertificateAuthorityImpl) IssuePrecertificate(ctx context.Context, iss
 		return nil, err
 	}
 
-	// we currently only use one issuer, in the future when we support multiple
-	// the issuer will need to be derived from issueReq
-	issuerID := int64(issuercerts.FromCert(ca.defaultIssuer.cert).ID())
-
 	status := string(core.OCSPStatusGood)
 	ocspResp, err := ca.GenerateOCSP(ctx, &caPB.GenerateOCSPRequest{
-		Serial:   &serialHex,
-		CertDER:  precertDER,
-		Status:   &status,
-		IssuerID: &issuerID,
+		CertDER: precertDER,
+		Status:  &status,
 	})
 	if err != nil {
 		err = berrors.InternalServerError(err.Error())
@@ -516,13 +535,17 @@ func (ca *CertificateAuthorityImpl) IssuePrecertificate(ctx context.Context, iss
 	}
 
 	req := &sapb.AddCertificateRequest{
-		Der:      precertDER,
-		RegID:    &regID,
-		Ocsp:     ocspResp.Response,
-		Issued:   &nowNanos,
-		IssuerID: &issuerID,
+		Der:    precertDER,
+		RegID:  &regID,
+		Ocsp:   ocspResp.Response,
+		Issued: &nowNanos,
 	}
 
+	// we currently only use one issuer, in the future when we support multiple
+	// the issuer will need to be derived from issueReq
+	issuerID := idForIssuer(ca.defaultIssuer.cert)
+	req.IssuerID = &issuerID
+
 	_, err = ca.sa.AddPrecertificate(ctx, req)
 	if err != nil {
 		ca.orphanCount.With(prometheus.Labels{"type": "precert"}).Inc()
 
@@ -39,7 +39,6 @@ import (
 	berrors "github.com/letsencrypt/boulder/errors"
 	"github.com/letsencrypt/boulder/features"
 	"github.com/letsencrypt/boulder/goodkey"
-	"github.com/letsencrypt/boulder/issuercerts"
 	blog "github.com/letsencrypt/boulder/log"
 	"github.com/letsencrypt/boulder/metrics"
 	"github.com/letsencrypt/boulder/policy"
@@ -493,16 +492,10 @@ func TestOCSP(t *testing.T) {
 	test.AssertNotError(t, err, "Failed to issue")
 	parsedCert, err := x509.ParseCertificate(cert.DER)
 	test.AssertNotError(t, err, "Failed to parse cert")
-
-	caCertIssuerID := int64(issuercerts.FromCert(caCert).ID())
-	serial := core.SerialToString(parsedCert.SerialNumber)
 	status := string(core.OCSPStatusGood)
-
 	ocspResp, err := ca.GenerateOCSP(ctx, &caPB.GenerateOCSPRequest{
-		IssuerID: &caCertIssuerID,
-		Serial:   &serial,
-		CertDER:  cert.DER,
-		Status:   &status,
+		CertDER: cert.DER,
+		Status:  &status,
 	})
 	test.AssertNotError(t, err, "Failed to generate OCSP")
 	parsed, err := ocsp.ParseResponse(ocspResp.Response, caCert)
@@ -511,6 +504,13 @@ func TestOCSP(t *testing.T) {
 	test.AssertEquals(t, parsed.RevocationReason, 0)
 	test.AssertEquals(t, parsed.SerialNumber.Cmp(parsedCert.SerialNumber), 0)
 
+	// Test that signatures are checked.
+	_, err = ca.GenerateOCSP(ctx, &caPB.GenerateOCSPRequest{
+		CertDER: append(cert.DER, byte(0)),
+		Status:  &status,
+	})
+	test.AssertError(t, err, "Generated OCSP for cert with bad signature")
+
 	// Load multiple issuers, including the old issuer, and ensure OCSP is still
 	// signed correctly.
 	newIssuerCert, err := core.LoadCert("../test/test-ca2.pem")
@@ -543,16 +543,14 @@ func TestOCSP(t *testing.T) {
 	parsedNewCert, err := x509.ParseCertificate(newCert.DER)
 	test.AssertNotError(t, err, "Failed to parse newCert")
 
-	newIssuerID := int64(issuercerts.FromCert(newIssuers[0].Cert).ID())
-	newSerial := core.SerialToString(parsedNewCert.SerialNumber)
+	err = parsedNewCert.CheckSignatureFrom(newIssuerCert)
+	t.Logf("check sig: %s", err)
 
 	// ocspResp2 is a second OCSP response for `cert` (issued by caCert), and
 	// should be signed by caCert.
 	ocspResp2, err := ca.GenerateOCSP(ctx, &caPB.GenerateOCSPRequest{
-		IssuerID: &newIssuerID,
-		Serial:   &newSerial,
-		CertDER:  append([]byte(nil), cert.DER...),
-		Status:   &status,
+		CertDER: append([]byte(nil), cert.DER...),
+		Status:  &status,
 	})
 	test.AssertNotError(t, err, "Failed to sign second OCSP response")
 	_, err = ocsp.ParseResponse(ocspResp2.Response, caCert)
@@ -561,10 +559,8 @@ func TestOCSP(t *testing.T) {
 	// newCertOcspResp is an OCSP response for `newCert` (issued by newIssuer),
 	// and should be signed by newIssuer.
 	newCertOcspResp, err := ca.GenerateOCSP(ctx, &caPB.GenerateOCSPRequest{
-		IssuerID: &newIssuerID,
-		Serial:   &newSerial,
-		CertDER:  newCert.DER,
-		Status:   &status,
+		CertDER: newCert.DER,
+		Status:  &status,
 	})
 	test.AssertNotError(t, err, "Failed to generate OCSP")
 	parsedNewCertOcspResp, err := ocsp.ParseResponse(newCertOcspResp.Response, newIssuerCert)
@@ -1257,6 +1253,7 @@ func TestIssuePrecertificateLinting(t *testing.T) {
 func TestGenerateOCSPWithIssuerID(t *testing.T) {
 	testCtx := setup(t)
 	sa := &mockSA{}
+	_ = features.Set(map[string]bool{"StoreIssuerInfo": true})
 	ca, err := NewCertificateAuthorityImpl(
 		testCtx.caConfig,
 		sa,
@@ -1269,7 +1266,7 @@ func TestGenerateOCSPWithIssuerID(t *testing.T) {
 		nil)
 	test.AssertNotError(t, err, "Failed to create CA")
 
-	// req contains bad IssuerID
+	// GenerateOCSP with feature enabled + req contains bad IssuerID
 	issuerID := int64(666)
 	serial := "DEADDEADDEADDEADDEADDEADDEADDEADDEAD"
 	status := string(core.OCSPStatusGood)
@@ -1280,22 +1277,22 @@ func TestGenerateOCSPWithIssuerID(t *testing.T) {
 	})
 	test.AssertError(t, err, "GenerateOCSP didn't fail with invalid IssuerID")
 
-	// req contains good IssuerID
-	issuerID = int64(issuercerts.FromCert(ca.defaultIssuer.cert).ID())
+	// GenerateOCSP with feature enabled + req contains good IssuerID
+	issuerID = idForIssuer(ca.defaultIssuer.cert)
 	_, err = ca.GenerateOCSP(context.Background(), &caPB.GenerateOCSPRequest{
 		IssuerID: &issuerID,
 		Serial:   &serial,
 		Status:   &status,
 	})
 	test.AssertNotError(t, err, "GenerateOCSP failed")
 
-	// req doesn't contain IssuerID or Serial
+	// GenerateOCSP with feature enabled + req doesn't contain IssuerID
 	issueReq := caPB.IssueCertificateRequest{Csr: CNandSANCSR, RegistrationID: &arbitraryRegID}
 	cert, err := ca.IssuePrecertificate(ctx, &issueReq)
 	test.AssertNotError(t, err, "Failed to issue")
 	_, err = ca.GenerateOCSP(context.Background(), &caPB.GenerateOCSPRequest{
 		CertDER: cert.DER,
 		Status:  &status,
 	})
-	test.AssertError(t, err, "Expected error from GenerateOCSP")
+	test.AssertNotError(t, err, "GenerateOCSP failed")
 }