Merge branch 'main' into multiplat

Author: sheurich

ca/ca.go

@@ -82,8 +82,7 @@ type certProfileWithID struct {
 	profile *issuance.Profile
 }
 
-// caMetrics holds various metrics which are shared between caImpl, ocspImpl,
-// and crlImpl.
+// caMetrics holds various metrics which are shared between caImpl and crlImpl.
 type caMetrics struct {
 	signatureCount *prometheus.CounterVec
 	signErrorCount *prometheus.CounterVec
@@ -132,7 +131,6 @@ func (m *caMetrics) noteSignError(err error) {
 }
 
 // certificateAuthorityImpl represents a CA that signs certificates.
-// It can sign OCSP responses as well, but only via delegation to an ocspImpl.
 type certificateAuthorityImpl struct {
 	capb.UnsafeCertificateAuthorityServer
 	sa           sapb.StorageAuthorityCertificateClient
@@ -155,7 +153,7 @@ var _ capb.CertificateAuthorityServer = (*certificateAuthorityImpl)(nil)
 
 // makeIssuerMaps processes a list of issuers into a set of maps for easy
 // lookup either by key algorithm (useful for picking an issuer for a precert)
-// or by unique ID (useful for final certs, OCSP, and CRLs). If two issuers with
+// or by unique ID (useful for final certs and CRLs). If two issuers with
 // the same unique ID are encountered, an error is returned.
 func makeIssuerMaps(issuers []*issuance.Issuer) (issuerMaps, error) {
 	issuersByAlg := make(map[x509.PublicKeyAlgorithm][]*issuance.Issuer, 2)
@@ -203,8 +201,7 @@ func makeCertificateProfilesMap(profiles map[string]*issuance.ProfileConfig) (ma
 }
 
 // NewCertificateAuthorityImpl creates a CA instance that can sign certificates
-// from any number of issuance.Issuers according to their profiles, and can sign
-// OCSP (via delegation to an ocspImpl and its issuers).
+// from any number of issuance.Issuers and for any number of profiles.
 func NewCertificateAuthorityImpl(
 	sa sapb.StorageAuthorityCertificateClient,
 	sctService rapb.SCTProviderClient,
@@ -294,11 +291,6 @@ func (ca *certificateAuthorityImpl) issuePrecertificate(ctx context.Context, cer
 		return nil, err
 	}
 
-	_, err = ca.sa.SetCertificateStatusReady(ctx, &sapb.Serial{Serial: serialHex})
-	if err != nil {
-		return nil, err
-	}
-
 	return precertDER, nil
 }
 
@@ -572,7 +564,6 @@ func (ca *certificateAuthorityImpl) issuePrecertificateInner(ctx context.Context
 		RegID:        issueReq.RegistrationID,
 		Issued:       timestamppb.New(ca.clk.Now()),
 		IssuerNameID: int64(issuer.NameID()),
-		OcspNotReady: true,
 	})
 	if err != nil {
 		return nil, nil, err

docs/CONTRIBUTING.md

@@ -359,7 +359,7 @@ truncation, and performs it for SELECT queries as well as INSERT and UPDATE.
 # Release Process
 
 The current Boulder release process is described in
-[release.md](https://github.com/letsencrypt/boulder/docs/release.md). New
+[release.md](https://github.com/letsencrypt/boulder/blob/main/docs/release.md). New
 releases are tagged weekly, and artifacts are automatically produced for each
 release by GitHub Actions.
 

test/integration/cert_storage_failed_test.go

@@ -60,9 +60,8 @@ func getPrecertByName(db *sql.DB, reversedName string) (*x509.Certificate, error
 
 // TestIssuanceCertStorageFailed tests what happens when a storage RPC fails
 // during issuance. Specifically, it tests that case where we successfully
-// prepared and stored a linting certificate plus metadata, but after
-// issuing the precertificate we failed to mark the certificate as "ready"
-// to serve an OCSP "good" response.
+// prepared and stored a linting certificate plus metadata, but failed to store
+// the corresponding final certificate after issuance completed.
 //
 // To do this, we need to mess with the database, because we want to cause
 // a failure in one specific query, without control ever returning to the
@@ -83,28 +82,26 @@ func TestIssuanceCertStorageFailed(t *testing.T) {
 	_, err = db.ExecContext(ctx, `DROP TRIGGER IF EXISTS fail_ready`)
 	test.AssertNotError(t, err, "failed to drop trigger")
 
-	// Make a specific update to certificateStatus fail, for this test but not others.
+	// Make a specific insert into certificates fail, for this test but not others.
 	// To limit the effect to this one test, we make the trigger aware of a specific
-	// hostname used in this test. Since the UPDATE to the certificateStatus table
+	// hostname used in this test. Since the INSERT to the certificates table
 	// doesn't include the hostname, we look it up in the issuedNames table, keyed
-	// off of the serial being updated.
-	// We limit this to UPDATEs that set the status to "good" because otherwise we
-	// would fail to revoke the certificate later.
+	// off of the serial.
 	// NOTE: CREATE and DROP TRIGGER do not work in prepared statements. Go's
 	// database/sql will automatically try to use a prepared statement if you pass
 	// any arguments to Exec besides the query itself, so don't do that.
 	_, err = db.ExecContext(ctx, `
 		CREATE TRIGGER fail_ready
-		BEFORE UPDATE ON certificateStatus
+		BEFORE INSERT ON certificates
 		FOR EACH ROW BEGIN
 		DECLARE reversedName1 VARCHAR(255);
 		SELECT reversedName
 		    INTO reversedName1
 			FROM issuedNames
 			WHERE serial = NEW.serial
 			    AND reversedName LIKE "com.wantserror.%";
-		IF NEW.status = "good" AND reversedName1 != "" THEN
-			SIGNAL SQLSTATE '45000' SET MESSAGE_TEXT = 'Pretend there was an error updating the certificateStatus';
+		IF reversedName1 != "" THEN
+			SIGNAL SQLSTATE '45000' SET MESSAGE_TEXT = 'Pretend there was an error inserting into certificates';
 		END IF;
 		END
 	`)
@@ -117,7 +114,7 @@ func TestIssuanceCertStorageFailed(t *testing.T) {
 
 	// ---- Test revocation by serial ----
 	revokeMeDomain := "revokeme.wantserror.com"
-	// This should fail because the trigger prevented setting the certificate status to "ready"
+	// This should fail because the trigger prevented storing the final certificate.
 	_, err = authAndIssue(nil, certKey, []acme.Identifier{{Type: "dns", Value: revokeMeDomain}}, true, "")
 	test.AssertError(t, err, "expected authAndIssue to fail")
 
@@ -140,7 +137,7 @@ func TestIssuanceCertStorageFailed(t *testing.T) {
 
 	// ---- Test revocation by key ----
 	blockMyKeyDomain := "blockmykey.wantserror.com"
-	// This should fail because the trigger prevented setting the certificate status to "ready"
+	// This should fail because the trigger prevented storing the final certificate.
 	_, err = authAndIssue(nil, certKey, []acme.Identifier{{Type: "dns", Value: blockMyKeyDomain}}, true, "")
 	test.AssertError(t, err, "expected authAndIssue to fail")