letsencrypt / boulder / 13177
66%
master: 66%

LAST BUILD BRANCH: ocsp-fail-stops-issuances
DEFAULT BRANCH: master
Ran
Jobs 1
Files 114
Run time 12s
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst
coverage: 65.256% (-0.05%) from 65.309%
13177

push

travis-pro

web-flow 
RA: Multi-issuer support for OCSP purging (#5160)

The RA is responsible for contacting Akamai to purge cached OCSP
responses when a certificate is revoked and fresh OCSP responses need to
be served ASAP. In order to do so, it needs to construct the same OCSP
URLs that clients would construct, and that Akamai would cache. In order
to do that, it needs access to the issuing certificate to compute a hash
across its Subject Info and Public Key.

Currently, the RA holds a single issuer certificate in memory, and uses
that cert to compute all OCSP URLs, on the assumption that all certs
we're being asked to revoke were issued by the same issuer.

In order to support issuance from multiple intermediates at the same
time (e.g. RSA and ECDSA), and to support rollover between different
issuers of the same type (we may need to revoke certs issued by two
different issuers for the 90 days in which their end-entity certs
overlap), this commit changes the configuration to provide a list of
issuer certificates instead.

In order to support efficient lookup of issuer certs, this change also
introduces a new concept, the Chain ID. The Chain ID is a truncated hash
across the raw bytes of either the Issuer Info or the Subject Info of a
given cert. As such, it can be used to confirm issuer/subject
relationships between certificates. In the future, this may be a
replacement for our current IssuerID (a truncated hash over the whole
issuer certificate), but for now it is used to map revoked certs to
their issuers inside the RA.

Part of #5120

13277 of 20346 relevant lines covered (65.26%)

0.73 hits per line

Jobs
ID Job ID Ran Files Coverage
7 13177.7 (RUN="coverage" CONTAINER="netaccess") 0
65.26
 Travis Job 13177.7
Source Files on build 13177
Detailed source file information is not available for this build.