RA: compute CRL shard upon revocation

letsencrypt · Nov 2, 2023 · 171c3d1 · 171c3d1
1 parent 1d31a22
commit 171c3d1
Show file tree

Hide file tree

Showing 7 changed files with 272 additions and 86 deletions.
diff --git a/cmd/admin-revoker/main_test.go b/cmd/admin-revoker/main_test.go
@@ -488,6 +488,9 @@ func setup(t *testing.T) testCtx {
 		nil,
 		&mockPurger{},
 		[]*issuance.Certificate{issuer},
+		"http://c.boulder.test",
+		10,
+		24*time.Hour,
 	)
 	ra.SA = isa.SA{Impl: ssa}
 	ra.OCSP = &mockOCSPA{}

diff --git a/cmd/boulder-ra/main.go b/cmd/boulder-ra/main.go
@@ -90,6 +90,25 @@ type Config struct {
 		// generate OCSP URLs to purge during revocation.
 		IssuerCerts []string `validate:"min=1,dive,required"`
 
+		// CRLDPBase is the piece of the CRL Distribution Point URI which is common
+		// across all issuers and shards. It must use the http:// scheme, and must
+		// not end with a slash. Example: "http://prod.c.lencr.org".
+		// Warning: This value must exactly match the CA config.
+		// TODO(#7904): Make this mandatory once the configs are in place.
+		CRLDPBase string `validate:"omitempty,url,startswith=http://,endsnotwith=/"`
+
+		// CRLNumShards is the number of shards into which each issuer's "full and
+		// complete" CRL is split.
+		// Warning: This value must exactly match the crl-updater config.
+		// TODO(#7904): Make this mandatory once the configs are in place.
+		CRLNumShards int `validate:"omitempty,min=1"`
+
+		// CRLShardWidth is the amount of time (width on a timeline) that a single
+		// shard covers.
+		// Warning: This value must exactly match the crl-updater config.
+		// TODO(#7904): Make this mandatory once the configs are in place.
+		CRLShardWidth config.Duration `validate:"-"`
+
 		Features map[string]bool
 	}
 
@@ -244,6 +263,9 @@ func main() {
 		ctp,
 		apc,
 		issuerCerts,
+		c.RA.CRLDPBase,
+		c.RA.CRLNumShards,
+		c.RA.CRLShardWidth.Duration,
 	)
 	defer rai.DrainFinalize()
 

diff --git a/ra/proto/ra.pb.go b/ra/proto/ra.pb.go
diff --git a/ra/proto/ra.proto b/ra/proto/ra.proto
@@ -54,16 +54,18 @@ message RevokeCertByKeyRequest {
 }
 
 message AdministrativelyRevokeCertificateRequest {
-  // The `cert` field may be omitted. If it is omitted,
-  // the revocation reason (`code`) must not be keyCompromise,
-  // and purging the Akamai cache will not happen because the
-  // base URL for the certificate's OCSP server is not known.
+  // The `cert` field may be omitted. If it is omitted, the revocation reason
+  // (`code`) must not be keyCompromise, the crlShard field must be populated,
+  // and purging the Akamai cache will not happen because the base URL for the
+  // certificate's OCSP server is not known.
   bytes cert = 1;
   // The `serial` field is required.
   string serial = 4;
   int64 code = 2;
   string adminName = 3;
   bool skipBlockKey = 5;
+  // The `crlShard` field is required if the `cert` field is omitted.
+  int64 crlShard = 6;
 }
 
 message NewOrderRequest {