Update boulder to release-2023-12-11 (#27)

This un-forks crypto/x509 with the CRL changes boulder upstreamed.
letsencrypt · Dec 20, 2023 · edad2ec · edad2ec
1 parent a8c15a3
commit edad2ec
Show file tree

Hide file tree

Showing 7 changed files with 142 additions and 86 deletions.
diff --git a/checker/checker.go b/checker/checker.go
@@ -17,7 +17,6 @@ import (
 
 	"github.com/letsencrypt/boulder/core"
 	"github.com/letsencrypt/boulder/crl/checker"
-	"github.com/letsencrypt/boulder/crl/crl_x509"
 
 	"github.com/letsencrypt/crl-monitor/checker/earlyremoval"
 	"github.com/letsencrypt/crl-monitor/checker/expiry"
@@ -134,11 +133,11 @@ func (c *Checker) Check(ctx context.Context, bucket, object string, startingVers
 		return err
 	}
 
-	crl, err := crl_x509.ParseRevocationList(crlDER)
+	crl, err := x509.ParseRevocationList(crlDER)
 	if err != nil {
 		return fmt.Errorf("error parsing current crl: %v", err)
 	}
-	log.Printf("loaded CRL number %d (len %d) from %s version %s", crl.Number, len(crl.RevokedCertificates), object, version)
+	log.Printf("loaded CRL number %d (len %d) from %s version %s", crl.Number, len(crl.RevokedCertificateEntries), object, version)
 
 	issuer, err := c.issuerForObject(object)
 	if err != nil {
@@ -162,11 +161,11 @@ func (c *Checker) Check(ctx context.Context, bucket, object string, startingVers
 		return err
 	}
 
-	prev, err := crl_x509.ParseRevocationList(prevDER)
+	prev, err := x509.ParseRevocationList(prevDER)
 	if err != nil {
 		return fmt.Errorf("error parsing previous crl: %v", err)
 	}
-	log.Printf("loaded previous CRL number %d (len %d) from version %s", prev.Number, len(prev.RevokedCertificates), prevVersion)
+	log.Printf("loaded previous CRL number %d (len %d) from version %s", prev.Number, len(prev.RevokedCertificateEntries), prevVersion)
 
 	earlyRemoved, err := earlyremoval.Check(ctx, c.fetcher, c.maxFetch, prev, crl)
 	if err != nil {
@@ -188,13 +187,13 @@ func (c *Checker) Check(ctx context.Context, bucket, object string, startingVers
 
 // lookForSeenCerts removes any certs in this CRL from the database, as they've now appeared in a CRL.
 // We expect the database to be much smaller than CRLs, so we load the entire database into memory.
-func (c *Checker) lookForSeenCerts(ctx context.Context, crl *crl_x509.RevocationList) error {
+func (c *Checker) lookForSeenCerts(ctx context.Context, crl *x509.RevocationList) error {
 	unseenCerts, err := c.db.GetAllCerts(ctx)
 	if err != nil {
 		return fmt.Errorf("failed to read from db: %v", err)
 	}
 	var seenSerials [][]byte
-	for _, seen := range crl.RevokedCertificates {
+	for _, seen := range crl.RevokedCertificateEntries {
 		if metadata, ok := unseenCerts[db.NewCertKey(seen.SerialNumber).SerialString()]; ok {
 			seenSerials = append(seenSerials, metadata.SerialNumber)
 		}

diff --git a/checker/checker_test.go b/checker/checker_test.go
@@ -11,6 +11,7 @@ import (
 	"github.com/stretchr/testify/require"
 
 	"github.com/letsencrypt/boulder/core"
+
 	expirymock "github.com/letsencrypt/crl-monitor/checker/expiry/mock"
 	"github.com/letsencrypt/crl-monitor/checker/testdata"
 	"github.com/letsencrypt/crl-monitor/db"
@@ -74,7 +75,7 @@ func TestCheck(t *testing.T) {
 	ctx := context.Background()
 
 	// Watch the first revoked cert's serial
-	serial := testdata.CRL1.RevokedCertificates[0].SerialNumber
+	serial := testdata.CRL1.RevokedCertificateEntries[0].SerialNumber
 	require.NoError(t, checker.db.AddCert(ctx, &x509.Certificate{SerialNumber: serial}, testdata.Now))
 	shouldNotBeSeen := big.NewInt(12345)
 	require.NoError(t, checker.db.AddCert(ctx, &x509.Certificate{SerialNumber: shouldNotBeSeen}, testdata.Now))

diff --git a/checker/earlyremoval/check.go b/checker/earlyremoval/check.go
@@ -2,13 +2,13 @@ package earlyremoval
 
 import (
 	"context"
+	"crypto/x509"
 	"log"
 	"math/big"
 	"math/rand"
 	"time"
 
 	"github.com/letsencrypt/boulder/crl/checker"
-	"github.com/letsencrypt/boulder/crl/crl_x509"
 )
 
 type Fetcher interface {
@@ -52,7 +52,7 @@ func sample[T any](input []T, max int) []T {
 }
 
 // Check for early removal.  If maxFetch is greater than 0, only check that many serials
-func Check(ctx context.Context, fetcher Fetcher, maxFetch int, prev *crl_x509.RevocationList, crl *crl_x509.RevocationList) ([]EarlyRemoval, error) {
+func Check(ctx context.Context, fetcher Fetcher, maxFetch int, prev *x509.RevocationList, crl *x509.RevocationList) ([]EarlyRemoval, error) {
 	diff, err := checker.Diff(prev, crl)
 	if err != nil {
 		return nil, err

diff --git a/checker/earlyremoval/check_test.go b/checker/earlyremoval/check_test.go
@@ -2,14 +2,14 @@ package earlyremoval
 
 import (
 	"context"
+	"crypto/x509"
 	"math/big"
 	"math/rand"
 	"testing"
 	"time"
 
 	"github.com/stretchr/testify/require"
 
-	"github.com/letsencrypt/boulder/crl/crl_x509"
 	"github.com/letsencrypt/crl-monitor/checker/expiry/mock"
 	"github.com/letsencrypt/crl-monitor/checker/testdata"
 )
@@ -26,8 +26,8 @@ func TestCheck(t *testing.T) {
 
 	for _, tt := range []struct {
 		name     string
-		prev     *crl_x509.RevocationList
-		crl      *crl_x509.RevocationList
+		prev     *x509.RevocationList
+		crl      *x509.RevocationList
 		expected []EarlyRemoval
 	}{
 		{name: "no removals", prev: &testdata.CRL1, crl: &testdata.CRL2},
@@ -49,8 +49,8 @@ func TestCheck(t *testing.T) {
 
 	for _, tt := range []struct {
 		expectedError string
-		prev          *crl_x509.RevocationList
-		crl           *crl_x509.RevocationList
+		prev          *x509.RevocationList
+		crl           *x509.RevocationList
 	}{
 		{expectedError: "unknown serial 3", prev: &testdata.CRL4, crl: &testdata.CRL5},
 		{expectedError: "old CRL does not precede new CRL", prev: &testdata.CRL2, crl: &testdata.CRL1},

diff --git a/checker/testdata/testdata.go b/checker/testdata/testdata.go
@@ -13,63 +13,61 @@ import (
 	"time"
 
 	"github.com/stretchr/testify/require"
-
-	"github.com/letsencrypt/boulder/crl/crl_x509"
 )
 
 var Now = time.Now()
 
 // CRL1 is the start of a series of CRLs for testing, starting with 3 serials
-var CRL1 = crl_x509.RevocationList{
+var CRL1 = x509.RevocationList{
 	ThisUpdate: Now,
 	NextUpdate: Now.Add(24 * time.Hour),
 	Number:     big.NewInt(1),
-	RevokedCertificates: []crl_x509.RevokedCertificate{
+	RevokedCertificateEntries: []x509.RevocationListEntry{
 		{SerialNumber: big.NewInt(1), RevocationTime: Now},
 		{SerialNumber: big.NewInt(2), RevocationTime: Now},
 		{SerialNumber: big.NewInt(3), RevocationTime: Now},
 	},
 }
 
 // CRL2 has the same 3 serials as CRL1
-var CRL2 = crl_x509.RevocationList{
+var CRL2 = x509.RevocationList{
 	ThisUpdate: Now.Add(2 * time.Hour),
 	NextUpdate: Now.Add(24 * time.Hour),
 	Number:     big.NewInt(2),
-	RevokedCertificates: []crl_x509.RevokedCertificate{
+	RevokedCertificateEntries: []x509.RevocationListEntry{
 		{SerialNumber: big.NewInt(1), RevocationTime: Now},
 		{SerialNumber: big.NewInt(2), RevocationTime: Now},
 		{SerialNumber: big.NewInt(3), RevocationTime: Now},
 	},
 }
 
 // CRL3 removes the first cert correctly: It was expired in CRL 2
-var CRL3 = crl_x509.RevocationList{
+var CRL3 = x509.RevocationList{
 	ThisUpdate: Now.Add(3 * time.Hour),
 	NextUpdate: Now.Add(24 * time.Hour),
 	Number:     big.NewInt(3),
-	RevokedCertificates: []crl_x509.RevokedCertificate{
+	RevokedCertificateEntries: []x509.RevocationListEntry{
 		{SerialNumber: big.NewInt(2), RevocationTime: Now},
 		{SerialNumber: big.NewInt(3), RevocationTime: Now},
 	},
 }
 
 // CRL4 incorrectly removes serial 2, which has expired after CRL 3
-var CRL4 = crl_x509.RevocationList{
+var CRL4 = x509.RevocationList{
 	ThisUpdate: Now.Add(4 * time.Hour),
 	NextUpdate: Now.Add(24 * time.Hour),
 	Number:     big.NewInt(4),
-	RevokedCertificates: []crl_x509.RevokedCertificate{
+	RevokedCertificateEntries: []x509.RevocationListEntry{
 		{SerialNumber: big.NewInt(3), RevocationTime: Now},
 	},
 }
 
 // CRL5 removes a cert our mock fetcher doesn't know about
-var CRL5 = crl_x509.RevocationList{
-	ThisUpdate:          Now.Add(5 * time.Hour),
-	NextUpdate:          Now.Add(24 * time.Hour),
-	Number:              big.NewInt(5),
-	RevokedCertificates: nil,
+var CRL5 = x509.RevocationList{
+	ThisUpdate:                Now.Add(5 * time.Hour),
+	NextUpdate:                Now.Add(24 * time.Hour),
+	Number:                    big.NewInt(5),
+	RevokedCertificateEntries: nil,
 }
 
 func MakeIssuer(t *testing.T) (*x509.Certificate, crypto.Signer) {
@@ -93,12 +91,12 @@ func MakeIssuer(t *testing.T) (*x509.Certificate, crypto.Signer) {
 }
 
 // MakeCRL takes a revocation list and issuer to sign it.  It returns a DER encoded CRL.
-func MakeCRL(t *testing.T, input *crl_x509.RevocationList, idp string, issuer *x509.Certificate, key crypto.Signer) []byte {
+func MakeCRL(t *testing.T, input *x509.RevocationList, idp string, issuer *x509.Certificate, key crypto.Signer) []byte {
 	ext, err := makeIDPExt(idp)
 	require.NoError(t, err)
 
 	input.ExtraExtensions = append(input.ExtraExtensions, *ext)
-	der, err := crl_x509.CreateRevocationList(rand.Reader, input, issuer, key)
+	der, err := x509.CreateRevocationList(rand.Reader, input, issuer, key)
 	require.NoError(t, err)
 	return der
 }

diff --git a/go.mod b/go.mod
@@ -1,6 +1,8 @@
 module github.com/letsencrypt/crl-monitor
 
-go 1.19
+go 1.21
+
+toolchain go1.21.4
 
 require (
 	github.com/aws/aws-lambda-go v1.43.0
@@ -10,7 +12,7 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/dynamodb v1.26.6
 	github.com/aws/aws-sdk-go-v2/service/s3 v1.47.6
 	github.com/caddyserver/certmagic v0.20.0
-	github.com/letsencrypt/boulder v0.0.0-20221205200957-f089aa5d5f1e
+	github.com/letsencrypt/boulder v0.0.0-20231211192339-8cd1e60abfcd
 	github.com/libdns/route53 v1.3.3
 	github.com/mholt/acmez v1.2.0
 	github.com/stretchr/testify v1.8.4
@@ -37,33 +39,27 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.5 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sts v1.26.5 // indirect
 	github.com/aws/smithy-go v1.19.0 // indirect
-	github.com/cespare/xxhash/v2 v2.2.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/go-sql-driver/mysql v1.6.0 // indirect
-	github.com/golang/protobuf v1.5.3 // indirect
-	github.com/google/go-cmp v0.5.9 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/klauspost/cpuid/v2 v2.2.6 // indirect
 	github.com/kr/pretty v0.3.0 // indirect
 	github.com/libdns/libdns v0.2.1 // indirect
 	github.com/miekg/dns v1.1.57 // indirect
 	github.com/pelletier/go-toml v1.9.3 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/rogpeppe/go-internal v1.8.0 // indirect
-	github.com/weppos/publicsuffix-go v0.20.1-0.20221031080346-e4081aa8a6de // indirect
+	github.com/weppos/publicsuffix-go v0.30.1-0.20230620154423-38c92ad2d5c6 // indirect
 	github.com/zeebo/blake3 v0.2.3 // indirect
-	github.com/zmap/zcrypto v0.0.0-20220402174210-599ec18ecbac // indirect
-	github.com/zmap/zlint/v3 v3.4.0 // indirect
+	github.com/zmap/zcrypto v0.0.0-20230310154051-c8b263fd8300 // indirect
+	github.com/zmap/zlint/v3 v3.5.0 // indirect
 	golang.org/x/crypto v0.17.0 // indirect
 	golang.org/x/mod v0.14.0 // indirect
 	golang.org/x/net v0.19.0 // indirect
 	golang.org/x/sys v0.15.0 // indirect
 	golang.org/x/text v0.14.0 // indirect
 	golang.org/x/tools v0.16.1 // indirect
-	google.golang.org/grpc v1.56.3 // indirect
-	google.golang.org/protobuf v1.30.0 // indirect
+	google.golang.org/protobuf v1.31.0 // indirect
 	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
-	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
+	gopkg.in/go-jose/go-jose.v2 v2.6.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )