First draft of ACME Renewal Info (letsencrypt#5691)

aarongable · web-flow · commit 18f556201adf · 2021-10-25T14:55:25.000-07:00
Add a new feature flag to control whether or not the experimental ARI information is exposed. Add a new entry to the Directory object which provides the base URL for ARI requests. Add a new handler to the WFE which parses incoming requests and returns reasonable renewalInfo. Part of letsencrypt#5674
diff --git a/core/objects.go b/core/objects.go
@@ -511,3 +511,15 @@ type SCTDERs [][]byte
 // CertDER is a convenience type that helps differentiate what the
 // underlying byte slice contains
 type CertDER []byte
+
+// SuggestedWindow is a type exposed inside the RenewalInfo resource.
+type SuggestedWindow struct {
+	Start time.Time `json:"start"`
+	End   time.Time `json:"end"`
+}
+
+// RenewalInfo is a type which is exposed to clients which query the renewalInfo
+// endpoint specified in draft-aaron-ari.
+type RenewalInfo struct {
+	SuggestedWindow SuggestedWindow `json:"suggestedWindow"`
+}
diff --git a/features/featureflag_string.go b/features/featureflag_string.go
diff --git a/features/features.go b/features/features.go
@@ -49,6 +49,9 @@ const (
 	// ECDSAForAll enables all accounts, regardless of their presence in the CA's
 	// ecdsaAllowedAccounts config value, to get issuance from ECDSA issuers.
 	ECDSAForAll
+	// ServeRenewalInfo exposes the renewalInfo endpoint in the directory and for
+	// GET requests. WARNING: This feature is a draft and highly unstable.
+	ServeRenewalInfo
 )
 
 // List of features and their default value, protected by fMu
@@ -70,6 +73,7 @@ var features = map[FeatureFlag]bool{
 	NonCFSSLSigner:           false,
 	ECDSAForAll:              false,
 	StreamlineOrderAndAuthzs: false,
+	ServeRenewalInfo:         false,
 }
 
 var fMu = new(sync.RWMutex)
diff --git a/wfe2/wfe.go b/wfe2/wfe.go
@@ -67,6 +67,8 @@ const (
 	getAuthzPath     = getAPIPrefix + "authz-v3/"
 	getChallengePath = getAPIPrefix + "chall-v3/"
 	getCertPath      = getAPIPrefix + "cert/"
+
+	renewalInfoPath = getAPIPrefix + "draft-aaron-ari/renewalInfo/"
 )
 
 var errIncompleteGRPCResponse = errors.New("incomplete gRPC response message")
@@ -395,6 +397,11 @@ func (wfe *WebFrontEndImpl) Handler(stats prometheus.Registerer) http.Handler {
 	wfe.HandleFunc(m, getChallengePath, wfe.Challenge, "GET")
 	wfe.HandleFunc(m, getCertPath, wfe.Certificate, "GET")
 
+	// Endpoint for draft-aaron-ari
+	if features.Enabled(features.ServeRenewalInfo) {
+		wfe.HandleFunc(m, renewalInfoPath, wfe.RenewalInfo, "GET")
+	}
+
 	// We don't use our special HandleFunc for "/" because it matches everything,
 	// meaning we can wind up returning 405 when we mean to return 404. See
 	// https://github.com/letsencrypt/boulder/issues/717
@@ -467,6 +474,10 @@ func (wfe *WebFrontEndImpl) Directory(
 		"keyChange":  rolloverPath,
 	}
 
+	if features.Enabled(features.ServeRenewalInfo) {
+		directoryEndpoints["renewalInfo"] = renewalInfoPath
+	}
+
 	if request.Method == http.MethodPost {
 		acct, prob := wfe.validPOSTAsGETForAccount(request, ctx, logEvent)
 		if prob != nil {
@@ -2350,6 +2361,62 @@ func (wfe *WebFrontEndImpl) FinalizeOrder(ctx context.Context, logEvent *web.Req
 	}
 }
 
+// RenewalInfo is used to get information about the suggested renewal window
+// for the given certificate. It only accepts unauthenticated GET requests.
+func (wfe *WebFrontEndImpl) RenewalInfo(ctx context.Context, logEvent *web.RequestEvent, response http.ResponseWriter, request *http.Request) {
+	if !features.Enabled(features.ServeRenewalInfo) {
+		wfe.sendError(response, logEvent, probs.NotFound("Feature not enabled"), nil)
+		return
+	}
+
+	uid := strings.SplitN(request.URL.Path, "/", 3)
+	if len(uid) != 3 {
+		wfe.sendError(response, logEvent, probs.Malformed("Path did not include exactly issuerKeyHash, issuerNameHash, and serialNumber"), nil)
+		return
+	}
+
+	// For now, discard issuerKeyHash and issuerNameHash, because *we* know
+	// (Boulder implementation-specific) that we do not re-use the same serial
+	// number across multiple different issuers.
+	serial := uid[2]
+	if !core.ValidSerial(serial) {
+		wfe.sendError(response, logEvent, probs.NotFound("Certificate not found"), nil)
+		return
+	}
+	logEvent.Extra["RequestedSerial"] = serial
+	beeline.AddFieldToTrace(ctx, "request.serial", serial)
+
+	// We use GetCertificate, not GetPrecertificate, because we don't intend to
+	// serve ARI for certs that never made it past the precert stage.
+	cert, err := wfe.SA.GetCertificate(ctx, &sapb.Serial{Serial: serial})
+	if err != nil {
+		if errors.Is(err, berrors.NotFound) {
+			wfe.sendError(response, logEvent, probs.NotFound("Certificate not found"), nil)
+		} else {
+			wfe.sendError(response, logEvent, probs.ServerInternal("Unable to get certificate"), err)
+		}
+		return
+	}
+
+	// This is a very simple renewal calculation: Calculate a point 2/3rds of the
+	// way through the validity period, then give a 2-day window around that.
+	validity := time.Unix(0, cert.Expires).Add(time.Second).Sub(time.Unix(0, cert.Issued))
+	renewalOffset := time.Duration(int64(0.33 * float64(validity.Seconds())))
+	idealRenewal := time.Unix(0, cert.Expires).UTC().Add(-renewalOffset)
+	ri := core.RenewalInfo{
+		SuggestedWindow: core.SuggestedWindow{
+			Start: idealRenewal.Add(-24 * time.Hour),
+			End:   idealRenewal.Add(24 * time.Hour),
+		},
+	}
+
+	err = wfe.writeJsonResponse(response, logEvent, http.StatusOK, ri)
+	if err != nil {
+		wfe.sendError(response, logEvent, probs.ServerInternal("Error marshalling renewalInfo"), err)
+		return
+	}
+}
+
 func extractRequesterIP(req *http.Request) (net.IP, error) {
 	ip := net.ParseIP(req.Header.Get("X-Real-IP"))
 	if ip != nil {
