boulder
An ACME-based certificate authority, written in Go.
bad-key-revoker loops through the blockedKeys table periodically looking for any keys that have been newly added (`extantCertificatesChecked` = false). It then searches the database for all certificates with that key...
Blocking/revoking compromised keys provided as a file can only be done in serial. Add an option which allows us to process key files in a batch mode, processed with configurable...
**Summary:** The Go security team has just released a new [database of known security vulnerabilities in importable public packages](https://go.dev/blog/vuln), and an associated [tool to check if you call the affected...
Right now we depend solely on Go's built-in `flag` package. That's because so far our command line processing needs haven't been enough to justify a dependency for processing flags. However,...
zlint now has a close-primes checker: https://github.com/zmap/zlint/pull/674. We should update our dependency on zlint to a version that contains this new lint, and then consider removing our own one-off check:...
When we issue a certificate, we call [`issuance.Issuer{}.Issue()`](https://github.com/letsencrypt/boulder/blob/0340b574d903ce23a681feade84b389ab9bd6ae1/issuance/issuance.go#L605). This method double-checks that the certificate profile stored on the Issuer is valid, combines that with a tightly-constrained IssuanceRequest, performs pre-issuance linting,...
To update ct-go we should first update the related deps the upgrade will bump:
- [x] github.com/golang/mock - https://github.com/letsencrypt/boulder/pull/4621
- [x] gopkg.in/yaml.v2 - https://github.com/letsencrypt/boulder/pull/4622
- [x] golang.org/x/net - https://github.com/letsencrypt/boulder/pull/4623
-...

The library can now reject duplicate keys in strict mode: https://github.com/go-yaml/yaml/pull/307
After the following conditions have been met:
* the ROCSPStage3 flag is enabled everywhere
* all ocsp-responder instances have an SAService config stanza
* all ocsp-responder instances no longer have...

After the ROCSP deployment is complete and all of the ROCSPStageX flags have been enabled in both Staging and in Prod, it will be time to clean up the various...