
Refactor //issuance to support OCSP

Open aarongable opened this issue 3 years ago • 1 comment

When we issue a certificate, we call issuance.Issuer{}.Issue(). This method double-checks that the certificate profile stored on the Issuer is valid, combines that with a tightly-constrained IssuanceRequest, performs pre-issuance linting, and then finally creates the certificate.

When we issue an OCSP response, we call ocsp.CreateResponse(issuance.Issuer{}.Signer). This simply extracts the underlying signer from an existing Issuer and passes it in to the stdlib's ocsp-generation routine. Although the surrounding function does use various configuration parameters to construct an ocsp response template, this means that our construction and enforcement of the OCSP profile is less centralized and auditable.

Similarly, when we issue a CRL, we call x509.CreateRevocationList(issuance.Issuer{}.Signer). All of the CRL configuration and "profile" logic is contained in the CRL-specific file, not built into the Issuer itself.

There's nothing inherently wrong with having OCSP and CRL profile configuration happen in OCSP- and CRL-specific files. But it means that any work we do in the //issuance package (such as restricting how or from where keys can be loaded, or enforcing that all signatures be validated before they're returned) isn't necessarily shared by those codepaths. It might be nice to have all issuance go through Issuer.IssueCert(), Issuer.IssueOCSP(), and Issuer.IssueCRL(), or something like that.

aarongable avatar Aug 24 '22 17:08 aarongable
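The pattern the issue asks for, a single Issuer type that owns the signer, enforces a profile, and verifies every signature before the artifact leaves the package, can be sketched with the standard library alone. The Go program below is an added illustration written for this page, not Boulder's code: it uses a CRL rather than an OCSP response only because x509.CreateRevocationList is in the stdlib while OCSP signing lives in golang.org/x/crypto, and the same wrap-sign-verify shape applies to an IssueOCSP method. The type names (Issuer, CRLProfile, IssueCRL, newTestCA) and the profile limits are assumptions of this example.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CRLProfile is the policy the issuer applies to every CRL it signs.
// Hypothetical type for this example; Boulder's profile types differ.
type CRLProfile struct {
	Validity time.Duration // maximum ThisUpdate..NextUpdate window
}

// Issuer centralises signing: the private key is reachable only through
// its Issue* methods, so profile checks and signature verification cannot
// be bypassed by a caller that grabs the raw signer.
type Issuer struct {
	Cert    *x509.Certificate
	signer  crypto.Signer
	profile CRLProfile
}

// NewIssuer validates the issuer certificate and profile once, up front.
func NewIssuer(cert *x509.Certificate, signer crypto.Signer, p CRLProfile) (*Issuer, error) {
	if !cert.IsCA || cert.KeyUsage&x509.KeyUsageCRLSign == 0 {
		return nil, errors.New("issuer certificate is not a CA with the crlSign key usage")
	}
	if p.Validity <= 0 || p.Validity > 10*24*time.Hour {
		return nil, errors.New("CRL profile validity out of range")
	}
	return &Issuer{Cert: cert, signer: signer, profile: p}, nil
}

// IssueCRL builds the CRL from a tightly constrained request, signs it, then
// re-parses the DER and checks the signature against the issuer certificate
// before returning it. A key/certificate mismatch or a faulty signer surfaces
// here as an error instead of as a bad CRL on the wire.
func (i *Issuer) IssueCRL(number int64, revoked []pkix.RevokedCertificate, now time.Time) ([]byte, error) {
	if number <= 0 {
		return nil, errors.New("CRL number must be positive")
	}
	tmpl := &x509.RevocationList{
		Number:              big.NewInt(number),
		ThisUpdate:          now,
		NextUpdate:          now.Add(i.profile.Validity),
		RevokedCertificates: revoked,
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, i.Cert, i.signer)
	if err != nil {
		return nil, err
	}
	parsed, err := x509.ParseRevocationList(der)
	if err != nil {
		return nil, fmt.Errorf("re-parsing freshly issued CRL: %w", err)
	}
	if err := parsed.CheckSignatureFrom(i.Cert); err != nil {
		return nil, fmt.Errorf("signature on freshly issued CRL did not verify: %w", err)
	}
	return der, nil
}

// newTestCA builds a throwaway self-signed CA in memory (constructed test data).
func newTestCA() (*x509.Certificate, crypto.Signer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Test CA (constructed)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

func main() {
	ca, key, err := newTestCA()
	if err != nil {
		panic(err)
	}
	iss, err := NewIssuer(ca, key, CRLProfile{Validity: 24 * time.Hour})
	if err != nil {
		panic(err)
	}
	revoked := []pkix.RevokedCertificate{{SerialNumber: big.NewInt(42), RevocationTime: time.Now()}}
	der, err := iss.IssueCRL(7, revoked, time.Now())
	if err != nil {
		panic(err)
	}
	fmt.Printf("issued and self-verified CRL of %d DER bytes\n", len(der))
}
```

The test for this block also constructs an Issuer whose signer does not belong to its certificate; IssueCRL refuses to return that CRL, which is exactly the "validate before return" guarantee the issue wants shared by every issuance path.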

The work for CRLs is being tracked in https://github.com/letsencrypt/boulder/issues/7159. Updating this ticket to only track the work for OCSP.

aarongable avatar Jan 31 '24 17:01 aarongable