Merge branch main into new-authz-req-cleanup

cmd/cert-checker/main.go

@@ -312,7 +312,7 @@ func (c *certChecker) checkValidations(ctx context.Context, cert core.Certificat
 	// Any authorization for a given name is sufficient.
 	nameToAuthz := make(map[string]*corepb.Authorization)
 	for _, m := range authzs {
-		nameToAuthz[m.Identifier] = m
+		nameToAuthz[m.DnsName] = m
 	}
 
 	var errors []error

core/objects.go

@@ -125,7 +125,7 @@ type ValidationRecord struct {
 	URL string `json:"url,omitempty"`
 
 	// Shared
-	Hostname          string   `json:"hostname,omitempty"`
+	DnsName           string   `json:"hostname,omitempty"`
 	Port              string   `json:"port,omitempty"`
 	AddressesResolved []net.IP `json:"addressesResolved,omitempty"`
 	AddressUsed       net.IP   `json:"addressUsed,omitempty"`
@@ -177,14 +177,6 @@ type Challenge struct {
 	// by all current challenges (http-01, tls-alpn-01, and dns-01).
 	Token string `json:"token,omitempty"`
 
-	// ProvidedKeyAuthorization used to carry the expected key authorization from
-	// the RA to the VA. However, since this field is never presented to the user
-	// via the ACME API, it should not be on this type.
-	//
-	// Deprecated: use vapb.PerformValidationRequest.ExpectedKeyAuthorization instead.
-	// TODO(#7514): Remove this.
-	ProvidedKeyAuthorization string `json:"keyAuthorization,omitempty"`
-
 	// Contains information about URLs used or redirected to and IPs resolved and
 	// used
 	ValidationRecord []ValidationRecord `json:"validationRecord,omitempty"`
@@ -217,7 +209,7 @@ func (ch Challenge) RecordsSane() bool {
 		for _, rec := range ch.ValidationRecord {
 			// TODO(#7140): Add a check for ResolverAddress == "" only after the
 			// core.proto change has been deployed.
-			if rec.URL == "" || rec.Hostname == "" || rec.Port == "" || rec.AddressUsed == nil ||
+			if rec.URL == "" || rec.DnsName == "" || rec.Port == "" || rec.AddressUsed == nil ||
 				len(rec.AddressesResolved) == 0 {
 				return false
 			}
@@ -231,7 +223,7 @@ func (ch Challenge) RecordsSane() bool {
 		}
 		// TODO(#7140): Add a check for ResolverAddress == "" only after the
 		// core.proto change has been deployed.
-		if ch.ValidationRecord[0].Hostname == "" || ch.ValidationRecord[0].Port == "" ||
+		if ch.ValidationRecord[0].DnsName == "" || ch.ValidationRecord[0].Port == "" ||
 			ch.ValidationRecord[0].AddressUsed == nil || len(ch.ValidationRecord[0].AddressesResolved) == 0 {
 			return false
 		}
@@ -241,7 +233,7 @@ func (ch Challenge) RecordsSane() bool {
 		}
 		// TODO(#7140): Add a check for ResolverAddress == "" only after the
 		// core.proto change has been deployed.
-		if ch.ValidationRecord[0].Hostname == "" {
+		if ch.ValidationRecord[0].DnsName == "" {
 			return false
 		}
 		return true

core/objects_test.go

@@ -37,7 +37,7 @@ func TestRecordSanityCheckOnUnsupportedChallengeType(t *testing.T) {
 	rec := []ValidationRecord{
 		{
 			URL:               "http://localhost/test",
-			Hostname:          "localhost",
+			DnsName:           "localhost",
 			Port:              "80",
 			AddressesResolved: []net.IP{{127, 0, 0, 1}},
 			AddressUsed:       net.IP{127, 0, 0, 1},

core/proto/core.proto

@@ -7,19 +7,18 @@ import "google/protobuf/timestamp.proto";
 
 message Challenge {
   // Next unused field number: 13
+  reserved 4, 5, 8, 11;
   int64 id = 1;
+  // Fields specified by RFC 8555, Section 8.
   string type = 2;
+  string url = 9;
   string status = 6;
-  string uri = 9;
+  google.protobuf.Timestamp validated = 12;
+  ProblemDetails error = 7;
+  // Fields specified by individual validation methods.
   string token = 3;
-  reserved 4; // Previously accountKey
-  // TODO(#7514): Remove this.
-  string keyAuthorization = 5;
+  // Additional fields for our own record keeping.
   repeated ValidationRecord validationrecords = 10;
-  ProblemDetails error = 7;
-  reserved 8; // Unused and accidentally skipped during initial commit.
-  reserved 11; // Previously validatedNS
-  google.protobuf.Timestamp validated = 12;
 }
 
 message ValidationRecord {
@@ -90,33 +89,36 @@ message Registration {
 
 message Authorization {
   // Next unused field number: 10
+  reserved 5, 7, 8;
   string id = 1;
-  string identifier = 2;
   int64 registrationID = 3;
+  // Fields specified by RFC 8555, Section 7.1.4
+  string dnsName = 2;
   string status = 4;
-  reserved 5; // Previously expiresNS
   google.protobuf.Timestamp expires = 9;
   repeated core.Challenge challenges = 6;
-  reserved 7; // previously ACMEv1 combinations
-  reserved 8; // previously v2
+  // We do not directly represent the "wildcard" field, instead inferring it
+  // from the identifier value.
 }
 
 message Order {
   // Next unused field number: 15
+  reserved 3, 6, 10;
   int64 id = 1;
   int64 registrationID = 2;
-  reserved 3; // Previously expiresNS
+  // Fields specified by RFC 8555, Section 7.1.3
+  // Note that we do not respect notBefore and notAfter, and we infer the
+  // finalize and certificate URLs from the id and certificateSerial fields.
+  string status = 7;
   google.protobuf.Timestamp expires = 12;
+  repeated string dnsNames = 8;
   ProblemDetails error = 4;
+  repeated int64 v2Authorizations = 11;
   string certificateSerial = 5;
-  reserved 6; // previously authorizations, deprecated in favor of v2Authorizations
-  string status = 7;
-  repeated string names = 8;
-  bool beganProcessing = 9;
-  reserved 10; // Previously createdNS
+  // Additional fields for our own record-keeping.
   google.protobuf.Timestamp created = 13;
-  repeated int64 v2Authorizations = 11;
   string certificateProfileName = 14;
+  bool beganProcessing = 9;
 }
 
 message CRLEntry {

grpc/pb-marshalling.go

@@ -83,7 +83,6 @@ func ChallengeToPB(challenge core.Challenge) (*corepb.Challenge, error) {
 		Type:              string(challenge.Type),
 		Status:            string(challenge.Status),
 		Token:             challenge.Token,
-		KeyAuthorization:  challenge.ProvidedKeyAuthorization,
 		Error:             prob,
 		Validationrecords: recordAry,
 		Validated:         validated,
@@ -124,9 +123,6 @@ func PBToChallenge(in *corepb.Challenge) (challenge core.Challenge, err error) {
 		ValidationRecord: recordAry,
 		Validated:        validated,
 	}
-	if in.KeyAuthorization != "" {
-		ch.ProvidedKeyAuthorization = in.KeyAuthorization
-	}
 	return ch, nil
 }
 
@@ -145,7 +141,7 @@ func ValidationRecordToPB(record core.ValidationRecord) (*corepb.ValidationRecor
 		return nil, err
 	}
 	return &corepb.ValidationRecord{
-		Hostname:          record.Hostname,
+		Hostname:          record.DnsName,
 		Port:              record.Port,
 		AddressesResolved: addrs,
 		AddressUsed:       addrUsed,
@@ -173,7 +169,7 @@ func PBToValidationRecord(in *corepb.ValidationRecord) (record core.ValidationRe
 		return
 	}
 	return core.ValidationRecord{
-		Hostname:          in.Hostname,
+		DnsName:           in.Hostname,
 		Port:              in.Port,
 		AddressesResolved: addrs,
 		AddressUsed:       addrUsed,
@@ -318,7 +314,7 @@ func AuthzToPB(authz core.Authorization) (*corepb.Authorization, error) {
 
 	return &corepb.Authorization{
 		Id:             authz.ID,
-		Identifier:     authz.Identifier.Value,
+		DnsName:        authz.Identifier.Value,
 		RegistrationID: authz.RegistrationID,
 		Status:         string(authz.Status),
 		Expires:        expires,
@@ -342,7 +338,7 @@ func PBToAuthz(pb *corepb.Authorization) (core.Authorization, error) {
 	}
 	authz := core.Authorization{
 		ID:             pb.Id,
-		Identifier:     identifier.ACMEIdentifier{Type: identifier.DNS, Value: pb.Identifier},
+		Identifier:     identifier.ACMEIdentifier{Type: identifier.DNS, Value: pb.DnsName},
 		RegistrationID: pb.RegistrationID,
 		Status:         core.AcmeStatus(pb.Status),
 		Expires:        expires,
@@ -366,7 +362,7 @@ func orderValid(order *corepb.Order) bool {
 // `order.CertificateSerial` to be nil such that it can be used in places where
 // the order has not been finalized yet.
 func newOrderValid(order *corepb.Order) bool {
-	return !(order.RegistrationID == 0 || order.Expires == nil || len(order.Names) == 0)
+	return !(order.RegistrationID == 0 || order.Expires == nil || len(order.DnsNames) == 0)
 }
 
 func CertToPB(cert core.Certificate) *corepb.Certificate {

grpc/pb-marshalling_test.go

@@ -55,11 +55,10 @@ func TestChallenge(t *testing.T) {
 	test.AssertNotError(t, err, "Failed to unmarshal test key")
 	validated := time.Now().Round(0).UTC()
 	chall := core.Challenge{
-		Type:                     core.ChallengeTypeDNS01,
-		Status:                   core.StatusValid,
-		Token:                    "asd",
-		ProvidedKeyAuthorization: "keyauth",
-		Validated:                &validated,
+		Type:      core.ChallengeTypeDNS01,
+		Status:    core.StatusValid,
+		Token:     "asd",
+		Validated: &validated,
 	}
 
 	pb, err := ChallengeToPB(chall)
@@ -73,7 +72,7 @@ func TestChallenge(t *testing.T) {
 	ip := net.ParseIP("1.1.1.1")
 	chall.ValidationRecord = []core.ValidationRecord{
 		{
-			Hostname:          "example.com",
+			DnsName:           "example.com",
 			Port:              "2020",
 			AddressesResolved: []net.IP{ip},
 			AddressUsed:       ip,
@@ -98,11 +97,10 @@ func TestChallenge(t *testing.T) {
 	test.AssertEquals(t, err, ErrMissingParameters)
 
 	challNilValidation := core.Challenge{
-		Type:                     core.ChallengeTypeDNS01,
-		Status:                   core.StatusValid,
-		Token:                    "asd",
-		ProvidedKeyAuthorization: "keyauth",
-		Validated:                nil,
+		Type:      core.ChallengeTypeDNS01,
+		Status:    core.StatusValid,
+		Token:     "asd",
+		Validated: nil,
 	}
 	pb, err = ChallengeToPB(challNilValidation)
 	test.AssertNotError(t, err, "ChallengeToPB failed")
@@ -115,7 +113,7 @@ func TestChallenge(t *testing.T) {
 func TestValidationRecord(t *testing.T) {
 	ip := net.ParseIP("1.1.1.1")
 	vr := core.ValidationRecord{
-		Hostname:          "exampleA.com",
+		DnsName:           "exampleA.com",
 		Port:              "80",
 		AddressesResolved: []net.IP{ip},
 		AddressUsed:       ip,
@@ -136,7 +134,7 @@ func TestValidationRecord(t *testing.T) {
 func TestValidationResult(t *testing.T) {
 	ip := net.ParseIP("1.1.1.1")
 	vrA := core.ValidationRecord{
-		Hostname:          "exampleA.com",
+		DnsName:           "exampleA.com",
 		Port:              "443",
 		AddressesResolved: []net.IP{ip},
 		AddressUsed:       ip,
@@ -145,7 +143,7 @@ func TestValidationResult(t *testing.T) {
 		ResolverAddrs:     []string{"resolver:5353"},
 	}
 	vrB := core.ValidationRecord{
-		Hostname:          "exampleB.com",
+		DnsName:           "exampleB.com",
 		Port:              "443",
 		AddressesResolved: []net.IP{ip},
 		AddressUsed:       ip,
@@ -229,16 +227,14 @@ func TestAuthz(t *testing.T) {
 	exp := time.Now().AddDate(0, 0, 1).UTC()
 	identifier := identifier.ACMEIdentifier{Type: identifier.DNS, Value: "example.com"}
 	challA := core.Challenge{
-		Type:                     core.ChallengeTypeDNS01,
-		Status:                   core.StatusPending,
-		Token:                    "asd",
-		ProvidedKeyAuthorization: "keyauth",
+		Type:   core.ChallengeTypeDNS01,
+		Status: core.StatusPending,
+		Token:  "asd",
 	}
 	challB := core.Challenge{
-		Type:                     core.ChallengeTypeDNS01,
-		Status:                   core.StatusPending,
-		Token:                    "asd2",
-		ProvidedKeyAuthorization: "keyauth4",
+		Type:   core.ChallengeTypeDNS01,
+		Status: core.StatusPending,
+		Token:  "asd2",
 	}
 	inAuthz := core.Authorization{
 		ID:             "1",
@@ -302,7 +298,7 @@ func TestOrderValid(t *testing.T) {
 				Expires:           timestamppb.New(expires),
 				CertificateSerial: "",
 				V2Authorizations:  []int64{},
-				Names:             []string{"example.com"},
+				DnsNames:          []string{"example.com"},
 				BeganProcessing:   false,
 				Created:           timestamppb.New(created),
 			},
@@ -315,7 +311,7 @@ func TestOrderValid(t *testing.T) {
 				RegistrationID:   1,
 				Expires:          timestamppb.New(expires),
 				V2Authorizations: []int64{},
-				Names:            []string{"example.com"},
+				DnsNames:         []string{"example.com"},
 				BeganProcessing:  false,
 				Created:          timestamppb.New(created),
 			},
@@ -333,7 +329,7 @@ func TestOrderValid(t *testing.T) {
 				Expires:           timestamppb.New(expires),
 				CertificateSerial: "",
 				V2Authorizations:  []int64{},
-				Names:             []string{"example.com"},
+				DnsNames:          []string{"example.com"},
 				BeganProcessing:   false,
 			},
 		},
@@ -345,7 +341,7 @@ func TestOrderValid(t *testing.T) {
 				Expires:           timestamppb.New(expires),
 				CertificateSerial: "",
 				V2Authorizations:  []int64{},
-				Names:             []string{"example.com"},
+				DnsNames:          []string{"example.com"},
 				BeganProcessing:   false,
 			},
 		},
@@ -357,7 +353,7 @@ func TestOrderValid(t *testing.T) {
 				Expires:           nil,
 				CertificateSerial: "",
 				V2Authorizations:  []int64{},
-				Names:             []string{"example.com"},
+				DnsNames:          []string{"example.com"},
 				BeganProcessing:   false,
 			},
 		},
@@ -369,7 +365,7 @@ func TestOrderValid(t *testing.T) {
 				Expires:           timestamppb.New(expires),
 				CertificateSerial: "",
 				V2Authorizations:  []int64{},
-				Names:             []string{},
+				DnsNames:          []string{},
 				BeganProcessing:   false,
 			},
 		},

mocks/sa.go

@@ -350,7 +350,7 @@ func (sa *StorageAuthority) NewOrderAndAuthzs(_ context.Context, req *sapb.NewOr
 		// Fields from the input new order request.
 		RegistrationID:   req.NewOrder.RegistrationID,
 		Expires:          req.NewOrder.Expires,
-		Names:            req.NewOrder.Names,
+		DnsNames:         req.NewOrder.DnsNames,
 		V2Authorizations: req.NewOrder.V2Authorizations,
 		// Mock new fields generated by the database transaction.
 		Id:      rand.Int64(),
@@ -394,7 +394,7 @@ func (sa *StorageAuthorityReadOnly) GetOrder(_ context.Context, req *sapb.OrderR
 		RegistrationID:         1,
 		Created:                timestamppb.New(created),
 		Expires:                timestamppb.New(exp),
-		Names:                  []string{"example.com"},
+		DnsNames:               []string{"example.com"},
 		Status:                 string(core.StatusValid),
 		V2Authorizations:       []int64{1},
 		CertificateSerial:      "serial",
@@ -470,7 +470,7 @@ func (sa *StorageAuthorityReadOnly) GetValidAuthorizations2(ctx context.Context,
 	}
 	expiryCutoff := req.ValidUntil.AsTime()
 	auths := &sapb.Authorizations{}
-	for _, name := range req.Domains {
+	for _, name := range req.DnsNames {
 		exp := expiryCutoff.AddDate(100, 0, 0)
 		authzPB, err := bgrpc.AuthzToPB(core.Authorization{
 			Status:         core.StatusValid,